
Ubuntu 20.04.6 LTS. LAMP Server. Using Fail2Ban

I've been trying to get Geoblocking working on my private server, more for personal interest than anything else. Plus I thought it would reduce the amount of garbage that Fail2Ban has to deal with. I know there are issues with using Geoblocking, but for my purposes I doubt I will miss anything from cn, ru or in countries.

I set it all up using IPSETs and IPTABLES following a couple of examples I found. I populated the IPSET with the bad countries IP address blocks sourced from IPDENY and added a new IPTABLE entry at the beginning to check the source IP against it. IPTABLE looks like (sorry about the layout, haven't figured that out yet):

Chain INPUT (policy DROP)
target prot opt source destination         
LOG_AND_DROP      all  -- anywhere anywhere match-set countries src
f2b-postfix-sasl  tcp  -- anywhere anywhere multiport dports smtp
f2b-dovecot       tcp  -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
ufw-before-logging-input  all  -- anywhere anywhere
ufw-before-input  all  -- anywhere anywhere
ufw-after-input   all  -- anywhere anywhere
ufw-after-logging-input  all  -- anywhere anywhere
ufw-reject-input  all  -- anywhere anywhere
ufw-track-input  all  --  anywhere anywhere

I wanted to check it was working, so the LOG_AND_DROP writes to the syslog with a "Source host denied". Everything is looking good, and I am getting a lot less Fail2Ban actions and lots of LOG_AND_DROP entries e.g:

Feb 28 09:41:12 server1 kernel: [61440.059527] Source host denied IN=eth0 OUT= MAC=f2:3c:92:52:50:60:fe:ff:ff:ff:ff:ff:08:00 SRC=119.99.44.237 DST=172.105.188.224 LEN=52 TOS=0x00 PREC=0x00 TTL=102 ID=9334 DF PROTO=TCP SPT=50533 DPT=465 WINDOW=64800 RES=0x00 SYN URGP=0 
Feb 28 09:41:16 server1 kernel: [61444.063682] Source host denied IN=eth0 OUT= MAC=f2:3c:92:52:50:60:fe:ff:ff:ff:ff:ff:08:00 SRC=119.99.44.237 DST=172.105.188.224 LEN=52 TOS=0x00 PREC=0x00 TTL=102 ID=9335 DF PROTO=TCP SPT=50533 DPT=465 WINDOW=64800 RES=0x00 SYN URGP=0 
Feb 28 09:41:24 server1 kernel: [61452.192399] Source host denied IN=eth0 OUT= MAC=f2:3c:92:52:50:60:fe:ff:ff:ff:ff:ff:08:00 SRC=119.99.44.237 DST=172.105.188.224 LEN=52 TOS=0x00 PREC=0x00 TTL=102 ID=9336 DF PROTO=TCP SPT=50533 DPT=465 WINDOW=64800 RES=0x00 SYN URGP=0

I've only been running this for a short time, but I've noticed a couple of Fail2Ban actions that should have been dropped e.g:

The IP 119.102.129.74 has just been banned by Fail2Ban after 0 attempts against postfix-sasl.

The IP range from this address is 119.96.0.0 - 119.103.255.255 or CIDR 119.96.0.0/13.

119.96.0.0/13 is in the IPSET though, so it should have been dropped:

root@server1:/etc/iptables# ipset -L|grep 119.96.0.0/13
119.96.0.0/13

So my question is how do I find out why it wasn't dropped and fix it? Many thanks.

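One way to check the two facts the question rests on, as an added example that is not part of the original post or of Fail2Ban/ipset: it parses LOG_AND_DROP syslog lines of the shape shown above, tests addresses against the CIDRs the ipset is supposed to hold, and flags Fail2Ban ban notices whose IP falls inside a geoblocked prefix (i.e. traffic that reached a jail even though the ipset rule at the top of INPUT should have dropped it). The CIDR list, the log sample and the banned-IP list are constructed from the values in the question.

```python
import ipaddress
import re

# Constructed stand-in for the 'countries' ipset: the /13 the poster found in
# it plus one documentation prefix, so the checks below have something to miss.
GEOBLOCK_CIDRS = ["119.96.0.0/13", "203.0.113.0/24"]

# Constructed sample input: two LOG_AND_DROP kernel lines of the form shown in
# the question (plus one unrelated line), and IPs as they appear in ban notices.
SAMPLE_SYSLOG = """\
Feb 28 09:41:12 server1 kernel: [61440.059527] Source host denied IN=eth0 OUT= SRC=119.99.44.237 DST=172.105.188.224 PROTO=TCP SPT=50533 DPT=465 SYN
Feb 28 09:41:13 server1 sshd[1234]: Accepted publickey for admin from 198.51.100.7
Feb 28 09:41:16 server1 kernel: [61444.063682] Source host denied IN=eth0 OUT= SRC=119.99.44.237 DST=172.105.188.224 PROTO=TCP SPT=50533 DPT=465 SYN
"""
FAIL2BAN_BANNED = ["119.102.129.74", "198.51.100.7"]

DENIED_RE = re.compile(r"Source host denied .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def load_set(cidrs):
    """Parse CIDR strings into network objects, mirroring the ipset contents."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def matching_cidr(ip, nets):
    """Return the CIDR containing ip, or None (what 'ipset test' would answer)."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def parse_denied(syslog_text):
    """Extract (src, dpt) pairs from LOG_AND_DROP lines; other lines are ignored."""
    hits = []
    for line in syslog_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("src"), int(m.group("dpt"))))
    return hits


def audit_bans(banned_ips, nets):
    """Map each banned IP that lies inside a geoblock CIDR to that CIDR.
    Anything returned here reached Fail2Ban although the ipset rule should
    have dropped it first, so it is worth tracing through the rule set."""
    result = {}
    for ip in banned_ips:
        cidr = matching_cidr(ip, nets)
        if cidr:
            result[ip] = cidr
    return result


if __name__ == "__main__":
    nets = load_set(GEOBLOCK_CIDRS)
    for src, dpt in parse_denied(SAMPLE_SYSLOG):
        print(f"dropped {src} -> port {dpt}, set entry {matching_cidr(src, nets)}")
    for ip, cidr in audit_bans(FAIL2BAN_BANNED, nets).items():
        print(f"WARNING: {ip} banned by Fail2Ban but inside geoblocked {cidr}")
```

On the real host the list would come from `ipset list countries` (the poster's `ipset -L` output) and the syslog from /var/log/syslog or journalctl; the same functions then tell you which bans slipped past the set.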
    Your iptables rule set appears to include stuff from ufw which is extremely hard to follow. Regardless, we would need your complete iptables rule set to be able to try to help. Like the output for sudo iptables -xvnL. – Doug Smythies Feb 28 '25 at 00:00
  • Full rule set here https://pastebin.com/h88Fz1Q9 – Gordon D Mar 01 '25 at 01:13
  • Your IPTABLES rules look okay. I do not know why Fail2Ban was triggered. – Doug Smythies Mar 02 '25 at 00:02

0 Answers