Configure fail2ban to use route instead of iptables to block connections

Monday, August 17, 2009 posted by admin

Fail2ban uses iptables by default to block incoming connections from hosts that exceed the maximum number of login retries. The iptables rules that fail2ban inserts might conflict with the existing firewall rules, so it might be necessary to reconfigure fail2ban to use the route command for blocking incoming connections instead.

To reconfigure fail2ban to use the route command instead of iptables, edit or create the route.conf action file:

vi /etc/fail2ban/action.d/route.conf

And insert the following lines:

# Fail2Ban configuration file

[Definition]
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>

Then add or change the banaction in the [DEFAULT] section of the jail.local file to "route":

vi /etc/fail2ban/jail.local

And add or edit these lines:

# Fail2Ban configuration file

[DEFAULT]

banaction = route
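The two lines in route.conf are all fail2ban needs, but it helps to see what the action actually does on the host and how to check that a ban took effect. The script below is an added example, not part of the original post or of fail2ban itself: it wraps the same ip route add/del unreachable commands, refuses anything that is not a plain IPv4 address (fail2ban substitutes the offending address for <ip>), and checks the routing table so that a repeated ban does not make ip fail with an "already exists" error. The function and variable names are the example's own; it assumes iproute2 is installed and that it is run as root when it really changes routes. The parsing helpers work on text and run without root.

```shell
#!/bin/sh
# Added example: helper around the "ip route add/del unreachable <ip>" ban
# action used by fail2ban's route.conf. Not fail2ban code. Assumes iproute2
# is installed; ban_ip/unban_ip need root, the other functions do not.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split on dots into $1..$4
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read "ip route show" output on stdin; return 0 if an unreachable route
# for $1 is present, i.e. the ban is in place. Dots are escaped so that
# 192.0.2.1 does not also match 192.0.2.100.
route_banned() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^unreachable ${esc}( |\$)"
}

# The exact command lines fail2ban runs for actionban / actionunban.
ban_cmd()   { printf 'ip route add unreachable %s\n' "$1"; }
unban_cmd() { printf 'ip route del unreachable %s\n' "$1"; }

# Add the unreachable route only for a valid address that is not banned yet.
ban_ip() {
    is_ipv4 "$1" || { echo "refusing to ban '$1': not an IPv4 address" >&2; return 2; }
    if ip route show | route_banned "$1"; then
        echo "$1 is already banned"
        return 0
    fi
    $(ban_cmd "$1")
}

# Remove the route only if it exists, so unbanning twice is harmless.
unban_ip() {
    is_ipv4 "$1" || { echo "refusing to unban '$1': not an IPv4 address" >&2; return 2; }
    if ip route show | route_banned "$1"; then
        $(unban_cmd "$1")
    else
        echo "$1 is not banned"
    fi
}

# Usage: ./route-ban.sh ban 192.0.2.10   |   ./route-ban.sh unban 192.0.2.10
# With no arguments the file only defines the functions, so it can be sourced.
case "${1:-}" in
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
    *)     ;;
esac
```

After a ban, `ip route show | grep unreachable` lists the blocked addresses, which is the quickest way to confirm the action ran. Keep in mind that an unreachable route stops the host from sending anything to that address, including replies to new connection attempts and the host's own outgoing connections to it; it is not a packet filter on the incoming side the way an iptables DROP rule is.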




7 Responses to “Configure fail2ban to use route instead of iptables to block connections”

  1. Voss says:

    Thank you very much, I couldn’t use fail2ban because my kernel isn’t compiled with the multiport module, i.e.,
    # CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set, so iptables doesn’t work right (chains are always empty) and I have no experience with kernel compiling.
    Your tip is very helpful! Fail2ban works again.

  2. jda says:

    I did this mod. Now when something is banned there is a fail2ban error saying ip returned 100. What does that mean?

  3. Richard says:

    Hi,

    We are using centos 5 and ISPConfig 3.

    I don’t have a jail.local file …

    Can you please explain?

  4. Name says:

    @Richard: see jail.conf

  5. Will says:

    Worked for me – Thanks!

  6. Di_Skyer says:

    With this we block anything from a “bad” IP. This solution is good for me too! Thank you!

    Before:
    [code]
    2012-02-21 13:48:50,167 fail2ban.actions.action: ERROR
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports 25 -j fail2ban-sasl returned 100
    2012-02-21 13:48:50,169 fail2ban.jail : INFO Jail 'courierimaps' started
    2012-02-21 13:48:50,372 fail2ban.jail : INFO Jail 'apache-phpmyadmin' started
    2012-02-21 13:48:51,070 fail2ban.actions.action: ERROR
    iptables -N fail2ban-pureftpd
    iptables -A fail2ban-pureftpd -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd returned 100
    2012-02-21 13:48:51,365 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-ssh
    iptables -A fail2ban-ssh -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh returned 100
    [/code]

    After:
    [code]
    2012-02-21 16:02:28,392 fail2ban.jail : INFO Jail 'ssh' started
    2012-02-21 16:02:28,574 fail2ban.jail : INFO Jail 'sasl' started
    2012-02-21 16:02:28,841 fail2ban.jail : INFO Jail 'pureftpd' started
    2012-02-21 16:02:28,902 fail2ban.jail : INFO Jail 'courierpop3' started
    2012-02-21 16:02:29,005 fail2ban.jail : INFO Jail 'courierpop3s' started
    2012-02-21 16:02:29,077 fail2ban.jail : INFO Jail 'courierimap' started
    2012-02-21 16:02:29,108 fail2ban.jail : INFO Jail 'courierimaps' started
    2012-02-21 16:02:29,202 fail2ban.jail : INFO Jail 'apache-phpmyadmin' started
    2012-02-21 16:05:31,099 fail2ban.actions: WARNING [ssh] Ban xx.xx.xx.xx
    2012-02-21 16:33:37,911 fail2ban.actions: WARNING [ssh] Unban xx.xx.xx.xx
    [/code]

  7. troyhartenstine says:

    Thanks very much. Simple and enlightening solution. It caused me to learn about all the actions (/etc/fail2ban/actions.d) and thereby solved all my past fail2ban error issues.
