Habe kürzlich fail2ban installiert, bin mir aber nicht sicher, ob es wirklich wirkt.
In einem Konfigurationszustand konnte ich mal iptables -L | grep -i reject ausführen und es listete gebannte IPs.
Dies ist meine Konfiguration in /etc/jail.local:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | # section within jail.local file banaction = ufw banaction_allports = iptables-allports # The simplest action to take: ban only action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(action_)s %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(action_)s %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. |
in action.d/ufw.conf habe ich:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | # Fail2Ban action configuration file for ufw # # You are required to run "ufw enable" before this will have any effect. # # The insert position should be appropriate to block the required traffic. # A number after an allow rule to the application won't be of much use. [Definition] actionstart = actionstop = actioncheck = actionban = [ -n "<application>" ] && app="app <application>" ufw insert <insertpos> <blocktype> from <ip> to <destination> $app actionunban = [ -n "<application>" ] && app="app <application>" ufw delete <blocktype> from <ip> to <destination> $app [Init] # Option: insertpos # Notes.: The position number in the firewall list to insert the block rule insertpos = 1 # Option: blocktype # Notes.: reject or deny blocktype = reject # Option: destination # Notes.: The destination address to block in the ufw rule destination = any # Option: application # Notes.: application from sudo ufw app list application = # DEV NOTES: # # Author: Guilhem Lettron # Enhancements: Daniel Black |
Demzufolge geht alles via ufw? Und nicht iptables?
EDIT: auf einmal geht's ufw status listet mir gebannte IPs. Vielleicht lag's an neuerlichem Reboot oder ufw enable
