iptables
Ruslan, 2016-09-17 23:23:24

Why fail2ban IP with CSF?

Fail2ban is integrated with CSF. The filters and so on are configured, but when an IP is blocked, the block is skipped and its requests still get through.
The problem is that the server is under a DDoS attack: the IPs get blocked, yet they are still let through (I searched the forums for information, but it didn't help).
Example of the attack requests:

217.149.179.101 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 500 186 "-" "WordPress/4.0.1; http://as-elektro.volgodon.ru; verifying pingback from 191.96.249.53"
2001:41d0:8:16a:: - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.4.2; http://176.31.240.106; verifying pingback from 191.96.249.53"
82.194.90.39 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.5.4; http://www.fga.es; verifying pingback from 191.96.249.54"
2607:2200:0:3400::db3a:75fe - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 500 186 "-" "WordPress/4.6.1; http://five-rings-online.com; verifying pingback from 191.96.249.54"
2001:4802:7800:1:c1f7:cdd7:ff20:32a - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 500 186 "-" "WordPress/4.2.10; http://otherisrael.org; verifying pingback from 191.96.249.53"
40.76.44.21 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.5.4; http://40.76.44.21; verifying pingback from 191.96.249.53"
2001:4801:7827:101:be76:4eff:fe10:d722 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 500 186 "-" "WordPress/4.5.4; http://www.casest.com; verifying pingback from 191.96.249.54"
139.59.131.238 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.5.4; http://www.aqaramman.com; verifying pingback from 191.96.249.53"
153.122.16.77 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/3.8.1; http://xn--eckah5dh6gub5qc7f.jp"
2a01:7e01::f03c:91ff:fe91:f091 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.5.2; http://139.162.179.135; verifying pingback from 191.96.249.53"
164.132.47.154 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.4.2; http://blog.escaparatedecocina.com; verifying pingback from 191.96.249.53"

iptables-save output (the list of blocked IPs has been shortened):
# Generated by iptables-save v1.4.21 on Sat Sep 17 16:09:01 2016
*mangle
:PREROUTING ACCEPT [359502292:172725387584]
:INPUT ACCEPT [359502292:172725387584]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [335197763:256597827018]
:POSTROUTING ACCEPT [334062405:256529704669]
COMMIT
# Completed on Sat Sep 17 16:09:01 2016
# Generated by iptables-save v1.4.21 on Sat Sep 17 16:09:01 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:INVALID - [0:0]
:INVDROP - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 65321 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 6556 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 5559 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A DENYIN -s 217.149.179.101/32 ! -i lo -j DROP
-A DENYIN -s 52.77.216.119/32 ! -i lo -j DROP
-A DENYOUT -d 217.149.179.101/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 52.77.216.119/32 ! -o lo -j LOGDROPOUT
-A INVALID -m state --state INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j INVDROP
-A INVDROP -j DROP
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j DROP
COMMIT
# Completed on Sat Sep 17 16:09:01 2016
# Generated by iptables-save v1.4.21 on Sat Sep 17 16:09:01 2016
*nat
:PREROUTING ACCEPT [1087858:56568730]
:INPUT ACCEPT [1087809:56566052]
:OUTPUT ACCEPT [3934:244146]
:POSTROUTING ACCEPT [3934:244146]
COMMIT
# Completed on Sat Sep 17 16:09:01 2016

Tell me what the problem could be.
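The iptables-save dump above only ever shows IPv4 rules, while roughly half of the client addresses in the quoted access log are IPv6; a ruleset loaded by iptables cannot match those packets at all (CSF needs IPv6 enabled so that it also programs ip6tables). The script below is an added example, not code from the question or from CSF/fail2ban: it parses an abridged copy of the dump (constructed from the rules shown, with the same chain layout INPUT -> LOCALINPUT -> ALLOWIN/DENYIN), simulates where a new TCP SYN to port 80 from each logged client would end up, and flags IPv6 clients as not covered by the IPv4 ruleset. The access-log lines, the interface name `eth0` and the addresses other than the blocked 217.149.179.101 are constructed sample data; only the matches actually present in the sample (`-s`, `-i`, `-p`, `--dport`, `--state`, `limit`) are evaluated, and any other criterion raises rather than guessing a verdict.

```python
import ipaddress
import re
import shlex

# Constructed sample access-log lines in the same format as the question
# (client address first; two of them are IPv6).
ACCESS_LOG = """\
217.149.179.101 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 500 186 "-" "WordPress/4.0.1; http://example.invalid; verifying pingback from 192.0.2.53"
2001:db8:8:16a:: - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.4.2; http://example.invalid; verifying pingback from 192.0.2.53"
198.51.100.39 - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 499 0 "-" "WordPress/4.5.4; http://example.invalid; verifying pingback from 192.0.2.54"
2001:db8:7800:1:c1f7:cdd7:ff20:32a - - [17/Sep/2016:15:18:45 -0400] "GET / HTTP/1.1" 500 186 "-" "WordPress/4.2.10; http://example.invalid; verifying pingback from 192.0.2.53"
"""

# Abridged copy of the filter table from the question: same chain layout, fewer rules.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:ALLOWIN - [0:0]
:DENYIN - [0:0]
:LOCALINPUT - [0:0]
:LOGDROPIN - [0:0]
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A DENYIN -s 217.149.179.101/32 ! -i lo -j DROP
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -j DROP
COMMIT
"""

# Options that take exactly one argument in an iptables-save line.
ONE_ARG = {"-s", "-d", "-i", "-o", "-p", "--dport", "--sport", "--state",
           "--limit", "--log-prefix", "--icmp-type"}

def parse_rule(argv):
    """Turn the argv after '-A CHAIN' into {'criteria': {opt: (negated, value)}, 'target': ...}."""
    rule = {"criteria": {}, "target": None}
    i = 0
    while i < len(argv):
        neg = argv[i] == "!"          # '!' negates the option that follows it
        if neg:
            i += 1
        opt = argv[i]
        if opt == "-j":
            rule["target"] = argv[i + 1]; i += 2
        elif opt == "-m":
            i += 2                    # match-extension name; its criteria follow as options
        elif opt == "--tcp-flags":
            rule["criteria"][opt] = (neg, (argv[i + 1], argv[i + 2])); i += 3
        elif opt in ONE_ARG:
            rule["criteria"][opt] = (neg, argv[i + 1]); i += 2
        elif opt == "--log-uid":
            i += 1
        else:
            raise ValueError(f"unsupported option {opt}")
    return rule

def parse_ruleset(text):
    """Return (chains, policies) for the *filter table of an iptables-save dump."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy   # policy is '-' for user chains
        elif line.startswith("-A "):
            argv = shlex.split(line)[1:]
            chains[argv[0]].append(parse_rule(argv[1:]))
    return chains, policies

def rule_matches(rule, pkt):
    """Evaluate the criteria we understand; refuse to guess on anything else."""
    for opt, (neg, val) in rule["criteria"].items():
        if opt == "-s":
            hit = pkt["src"] in ipaddress.ip_network(val, strict=False)
        elif opt == "-i":
            hit = pkt["iface"] == val
        elif opt == "-p":
            hit = pkt["proto"] == val
        elif opt == "--dport":
            hit = pkt["proto"] in ("tcp", "udp") and pkt["dport"] == int(val)
        elif opt == "--state":
            hit = pkt["state"] in val.split(",")
        elif opt in ("--limit", "--log-prefix"):
            hit = True                # assume the rate limit is not exceeded; prefix is not a criterion
        else:
            raise ValueError(f"cannot evaluate {opt}")
        if hit == neg:                # a negated criterion fails when it matches, and vice versa
            return False
    return True

def walk(chains, chain, pkt, trace):
    """Follow the packet through `chain`; return ACCEPT/DROP, or None if it falls off the end."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain} -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "LOG":
            continue                  # LOG is non-terminal
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt, trace)   # user-defined chain
        if verdict is not None:
            return verdict
    return None

def verdict_for(chains, policies, pkt):
    trace = []
    verdict = walk(chains, "INPUT", pkt, trace)
    if verdict is None:
        verdict = policies["INPUT"]
        trace.append(f"INPUT policy -> {verdict}")
    return verdict, trace

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) ')

def audit(log_text, ruleset_text):
    """Map each logged client to the fate of its new SYN to :80 under the IPv4 ruleset."""
    chains, policies = parse_ruleset(ruleset_text)
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if addr.version == 6:
            # iptables rules never see IPv6 packets; those need a matching ip6tables ruleset.
            report[str(addr)] = "NOT COVERED (IPv6, absent from iptables ruleset)"
            continue
        pkt = {"src": addr, "iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
        report[str(addr)], _ = verdict_for(chains, policies, pkt)
    return report

if __name__ == "__main__":
    for client, fate in audit(ACCESS_LOG, IPTABLES_SAVE).items():
        print(f"{client:40} {fate}")
```

Run against the real `iptables-save` and `ip6tables-save` output, the same walk shows whether a given address is actually reaching a DENYIN rule or being accepted earlier; the trace returned by `verdict_for` lists the chain path taken, which is the quickest way to confirm that CSF's DENYIN entries sit in front of the port-80 ACCEPT rule, as they do in the dump above.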
