
I have set up fail2ban behind an ELB following this post, everything seems to work and I get this:

root@ip-10-164-24-152:/home/ubuntu# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-apache-proxy
-N fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-apache-proxy
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-apache-proxy -p tcp -m tcp --dport 80 -m string --string "X-Forwarded-For: 86.191.20.43" --algo bm --to 65535 -j DROP
-A fail2ban-apache-proxy -j RETURN
-A fail2ban-ssh -j RETURN

However, the rule says DROP, but I'm still able to browse my site! Why is this? Am I missing another flag for the rule?

  • Do you see the banned address in the forward-for field of the access logs?
    – eckes
    Commented Apr 27, 2017 at 1:46
  • I am pretty sure the rule does not drop, i.e. is not hit. You can look at the extended iptables output and see the hit counter for the drop and jump rules.
    – eckes
    Commented Apr 27, 2017 at 1:47
  • BTW: it might be less performance-hungry to use AWS VPC ACLs in front of the ELB, as mentioned here: stackoverflow.com/questions/20123308/… I am sure fail2ban would be able to start the AWS CLI to add those
    – eckes
    Commented Apr 27, 2017 at 1:53
  • Yes, I see them in the access log and I'm able to browse my site even though I have been banned on fail2ban! I don't use VPC, still on the AWS classic.
    – Abs
    Commented Apr 27, 2017 at 9:18
