
Thread: UFW NOT blocking IP address

  1. #1
    Join Date
    Jul 2007
    Beans
    16

    UFW NOT blocking IP address

    I have ufw and Fail2Ban running.

    I repeatedly get Fail2Ban taking action against an IP address that should never even reach the server.


    Code:
    sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    Anywhere                   DENY        211.174.61.80

    This is the first rule.

    Yet Fail2Ban regularly reports:

    Code:
    Hi,
    
    The IP 211.174.61.80 has just been banned by Fail2Ban after
    20 attempts against DOVECOT.

    Any thoughts?

    Thank you in advance!

  2. #2
    Join Date
    Jul 2007
    Beans
    16

    Re: UFW NOT blocking IP address

    BUMP.

    This is becoming a daily problem here. How is it possible that ufw is running...but not blocking this IP address?

    Any help is greatly appreciated.

  3. #3
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: UFW NOT blocking IP address

    Check /var/log/syslog to see if the ip address is being blocked by iptables.

  4. #4
    Join Date
    Jul 2007
    Beans
    16

    Re: UFW NOT blocking IP address

    It's definitely not being blocked by anything but (eventually) Fail2Ban. I'm not sure how this is possible and more than just a little worried.

  5. #5
    Join Date
    Jul 2007
    Beans
    16

    Re: UFW NOT blocking IP address

    Could this behavior be because ":fail2ban-dovecot-pop3imap - [0:0]" is listed before "-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j"?

    If so, how can this be changed? Explicitly banned IP addresses should take priority over conditional rules.

    Thanks so much, in advance, to anyone who can help with this.

    Here is (some of) my iptables-save file:
    Code:
    # Generated by iptables-save v1.4.4 on Fri Mar 25 09:22:04 2011
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [45:3207]
    :fail2ban-dovecot-pop3imap - [0:0]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p tcp -m multiport --dports 80,443,25,465,110,995,143,993,587,465,22 -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
    -A INPUT -j ufw-before-logging-input 
    -A INPUT -j ufw-before-input 
    -A INPUT -j ufw-after-input 
    -A INPUT -j ufw-after-logging-input 
    -A INPUT -j ufw-reject-input 
    -A INPUT -j ufw-track-input 
    -A INPUT -s 211.174.61.80/32 -j DROP 
    -A FORWARD -j ufw-before-logging-forward 
    -A FORWARD -j ufw-before-forward 
    -A FORWARD -j ufw-after-forward 
    -A FORWARD -j ufw-after-logging-forward 
    -A FORWARD -j ufw-reject-forward 
    -A OUTPUT -j ufw-before-logging-output 
    -A OUTPUT -j ufw-before-output 
    -A OUTPUT -j ufw-after-output 
    -A OUTPUT -j ufw-after-logging-output 
    -A OUTPUT -j ufw-reject-output 
    -A OUTPUT -j ufw-track-output 
    -A fail2ban-dovecot-pop3imap -j RETURN

  6. #6
    Join Date
    Nov 2007
    Location
    Wisconsin
    Beans
    1,139

    Re: UFW NOT blocking IP address

    That is indeed what it looks like.

    Move the drop-the-attacker rule to a position higher on the chain than the accept-connection-on-these-ports rule.
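
The first-match behaviour discussed in posts #5 and #6, as an added example that is not part of any poster's message: a small Python model that walks the INPUT rules from the dump in order and reports which rule decides a new IMAP connection from 211.174.61.80, before and after the DROP rule is moved to the top. The function names (`parse`, `matches`, `walk`, `verdict`, `hoist`) are hypothetical, and the model only understands `-s`, `-p`, `--dports`, `--state` and `-j`.

```python
import ipaddress

# Constructed sample: INPUT rules from the dump in post #5; ufw-* jumps omitted (no rules shown for them).
DUMP = """\
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25,465,110,995,143,993,587,465,22 -j ACCEPT
-A INPUT -s 211.174.61.80/32 -j DROP
-A fail2ban-dovecot-pop3imap -j RETURN
"""
FLAGS = {"-s": "src", "-p": "proto", "--dports": "dports", "--state": "state", "-j": "target"}
PACKET = {"src": "211.174.61.80", "proto": "tcp", "dports": "143", "state": "NEW"}  # constructed

def parse(dump):
    """Group '-A <chain> ...' lines by chain, keeping their order."""
    chains = {}
    for line in dump.splitlines():
        tok = line.split()
        if len(tok) > 2 and tok[0] == "-A":
            rule = {FLAGS[t]: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in FLAGS}
            rule["raw"] = line.strip()
            chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """True if every condition on the rule holds (port ranges and negation not handled)."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return all(pkt[k] in rule[k].split(",") for k in rule if k not in ("src", "raw", "target"))

def walk(chains, pkt, chain):
    """Return (target, rule) for the first terminal match, or None on RETURN or fall-through."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["target"], rule["raw"]
            if rule["target"] == "RETURN":
                return None
            hit = walk(chains, pkt, rule["target"])
            if hit:
                return hit
    return None

def verdict(dump, pkt, policy="DROP"):
    return walk(parse(dump), pkt, "INPUT") or (policy, "chain policy")

def hoist(dump, needle):
    # Stable sort: lines containing `needle` come first, the rest keep their original order.
    return "\n".join(sorted(dump.splitlines(), key=lambda l: needle not in l)) + "\n"
```

`verdict(DUMP, PACKET)` returns the port-list ACCEPT rule, so the later `-s 211.174.61.80/32 -j DROP` is never evaluated; `verdict(hoist(DUMP, "-s 211.174.61.80/32"), PACKET)` returns the DROP rule.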

  7. #7
    Join Date
    Jul 2007
    Beans
    16

    Re: UFW NOT blocking IP address

    Thanks Cheesehead!

    Stupid question, but how would I go about doing that? Can I just edit this file and "iptables-restore" it?

  8. #8
    Join Date
    Nov 2007
    Location
    Wisconsin
    Beans
    1,139

    Re: UFW NOT blocking IP address

    That would indeed be one effective way to do it, and should work just fine.

  9. #9
    Join Date
    Jul 2007
    Beans
    16

    Re: UFW NOT blocking IP address

    Originally posted by Cheesehead:
    That would indeed be one effective way to do it, and should work just fine.

    Thanks so much. You're awesome.

  10. #10
    Join Date
    Jul 2007
    Beans
    16

    Re: UFW NOT blocking IP address

    Whups. That didn't work.

    The rule gets moved down...waaaay down.
