From: Zurd <zu...@gm...> - 2013-03-27 07:16:38
How come I have this in "ipfw -t list" but I can still log in:

00300 Wed Mar 27 03:08:59 2013 allow ip from any to any
00400 deny tcp from xxx.xxx.xxx.xxx to 127.0.0.1 dst-port 22
65535 Mon Mar 25 16:55:46 2013 deny ip from any to any

Where xxx.xxx.xxx.xxx is my own local IP. From what I understand from ipfw rules priority, this should work.

Here's my jail:

[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw[localhost=127.0.0.1]
         sendmail-whois[name="SSH,IPFW", dest=my...@so...]
logpath = /var/log/auth.log

And in /var/log/fail2ban.log, I have plenty of those lines:

2013-03-27 03:10:40,393 fail2ban.actions: INFO [ssh-ipfw] xxx.xxx.xxx.xxx already banned
From: Fabian W. <fa...@we...> - 2013-03-31 22:34:16
Hello Zurd

On 27.03.2013 08:16, Zurd wrote:
> How come I have this in "ipfw -t list" but I can still log in:
>
> 00300 Wed Mar 27 03:08:59 2013 allow ip from any to any
> 00400 deny tcp from xxx.xxx.xxx.xxx to 127.0.0.1 dst-port 22
> 65535 Mon Mar 25 16:55:46 2013 deny ip from any to any
>
> Where xxx.xxx.xxx.xxx is my own local IP. From what I understand from ipfw
> rules priority, this should work.

First, the 00300 rule does allow from any to any, so it will not continue to parse the next rule.

But then your rule 00400 does only match packets which go from xxx.xxx.xxx.xxx to 127.0.0.1. But you will probably never ever have any such packets. You need to replace 127.0.0.1 with 'me' or the IP address of the interface the inbound traffic comes in on.

> Here's my jail:
>
> [ssh-ipfw]
> enabled = true
> filter = sshd
> action = ipfw[localhost=127.0.0.1]
>          sendmail-whois[name="SSH,IPFW", dest=my...@so...]
> logpath = /var/log/auth.log

I am not sure what the 'localhost' stuff in the action does, as I am using the 'bsd-ipfw' action in my installation.

> And in /var/log/fail2ban.log, I have plenty of those lines:
>
> 2013-03-27 03:10:40,393 fail2ban.actions: INFO [ssh-ipfw] xxx.xxx.xxx.xxx
> already banned

In your case this is when fail2ban does submit the IP address to the action, but there it is not set up properly and the IP address is not really blocked.

Sometimes these messages can happen once when there is a fast flood of new connections from the same IP address. But then it is related to the caching delay of syslog writing to the file and until fail2ban is able to read it.

bye
Fabian
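The two points Fabian raises (ipfw stops at the first matching rule, and a ban rule whose destination is 127.0.0.1 never matches traffic arriving on the external interface) can be checked without touching a real firewall. The following Python script is an added example, not code from the thread or from fail2ban or FreeBSD: it parses lines in the shape `ipfw -t list` prints, replays ipfw's first-match walk over them, and reports which rules have never matched. The attacker address 203.0.113.5 stands in for the thread's xxx.xxx.xxx.xxx and 198.51.100.10 for the host's interface address; both are constructed test values, and the rule grammar handled is only the small subset that appears in the thread.

```python
"""Replay ipfw first-match evaluation over an 'ipfw -t list' style ruleset."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = {"allow", "accept", "pass", "deny", "drop", "reject"}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    last_match: Optional[str]  # timestamp from 'ipfw -t list'; None if the rule never fired


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse 'NNNNN [last-match timestamp] action proto from SRC to DST [dst-port P]'."""
    tokens = line.split()
    number = int(tokens[0])
    # With -t, ipfw prints a timestamp between the number and the action for rules
    # that have matched at least once; a rule that never matched has no timestamp.
    i = 1
    while tokens[i] not in ACTIONS:
        i += 1
    last_match = " ".join(tokens[1:i]) or None
    action, proto = tokens[i], tokens[i + 1]
    assert tokens[i + 2] == "from" and tokens[i + 4] == "to", line
    src, dst = tokens[i + 3], tokens[i + 5]
    dport = int(tokens[tokens.index("dst-port") + 1]) if "dst-port" in tokens else None
    return Rule(number, action, proto, src, dst, dport, last_match)


def addr_matches(pattern: str, addr: str, my_addrs: set) -> bool:
    """'any' matches everything, 'me' matches any address configured on this host."""
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in my_addrs
    return pattern == addr


def rule_matches(rule: Rule, pkt: Packet, my_addrs: set) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src, my_addrs)
            and addr_matches(rule.dst, pkt.dst, my_addrs)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, my_addrs: set) -> Tuple[int, str]:
    """ipfw walks rules in ascending number order and stops at the first match."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, my_addrs):
            return rule.number, rule.action
    raise AssertionError("rule 65535 always matches on a real ipfw")


def never_matched(rules: List[Rule]) -> List[int]:
    """Rule numbers with no last-match timestamp: a quick check that a ban ever fired."""
    return [r.number for r in rules if r.last_match is None]


# Constructed test data standing in for the addresses in the thread.
ATTACKER = "203.0.113.5"
HOST_IP = "198.51.100.10"
MY_ADDRS = {HOST_IP, "127.0.0.1"}
SSH_ATTEMPT = Packet("tcp", ATTACKER, HOST_IP, 22)

# The listing from the thread, with the attacker address filled in.
POSTED_RULESET = [
    "00300 Wed Mar 27 03:08:59 2013 allow ip from any to any",
    f"00400 deny tcp from {ATTACKER} to 127.0.0.1 dst-port 22",
    "65535 Mon Mar 25 16:55:46 2013 deny ip from any to any",
]


def posted_outcome() -> Tuple[int, str]:
    """Rule 300 'allow ip from any to any' shadows the ban: the login is allowed."""
    return evaluate([parse_rule(l) for l in POSTED_RULESET], SSH_ATTEMPT, MY_ADDRS)


def fixed_outcome(ban_dst: str) -> Tuple[int, str]:
    """Ban rule numbered before the SSH allow rule, with the given destination spec."""
    rules = [parse_rule(l) for l in [
        f"00200 deny tcp from {ATTACKER} to {ban_dst} dst-port 22",
        "00300 allow tcp from any to me dst-port 22",
        "65535 deny ip from any to any",
    ]]
    return evaluate(rules, SSH_ATTEMPT, MY_ADDRS)


if __name__ == "__main__":
    print("posted ruleset:", posted_outcome())
    print("never matched:", never_matched([parse_rule(l) for l in POSTED_RULESET]))
    print("ban to 127.0.0.1, before allow:", fixed_outcome("127.0.0.1"))
    print("ban to me, before allow:", fixed_outcome("me"))
```

Running it shows the posted ruleset allowing the SSH attempt at rule 300 and rule 400 as the only rule with no last-match timestamp, which is exactly what the `ipfw -t list` output in the thread already told us. Moving the ban ahead of the allow is not enough on its own: with `to 127.0.0.1` the packet still reaches the allow rule, and only `to me` makes the ban fire.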