Ich suche einen Fehler in meiner Konfiguration (Debian 10 + Keyhelp 20.2 + nftables + fail2ban), und zwar wurde meine IP gebannt (hab's zum Spaß mal ausprobiert)
# Shows the sshd jail as fail2ban sees it, including the "Currently banned" list.
# This reflects fail2ban's own state, not what is actually loaded in the kernel;
# compare with "nft list ruleset" to check that a ban rule/set entry really exists.
fail2ban-client status sshd
um die explizite Portangabe erweitert: defaults-debian.conf
[sshd]
# NOTE(review): with banaction = nftables-multiport the ban only covers the
# ports listed here (721). If the same sshd also listens on 722 (opened as
# "SFTP" in nftables.conf), a banned address could still reach it — confirm
# which daemon serves 722 and list every sshd port here.
enabled = true
port = 721
die banaction-Zeilen wie folgt geändert: jail.conf
# NOTE(review): these lines were changed in jail.conf, which the Debian package
# may overwrite on upgrade; fail2ban's own guidance is to put overrides into
# jail.local or a file under jail.d/ instead.
# nftables-multiport restricts the ban to the jail's port list; nftables-allports
# drops all traffic from the banned address.
banaction = nftables-multiport
banaction_allports = nftables-allports
sieht so aus (am Schluss ist der entsprechende Eintrag bzgl. Fail2Ban): /etc/nftables.conf
#!/usr/sbin/nft -f
# Start by flushing all the rules.
# NOTE(review): "flush ruleset" removes every table in the kernel, including any
# table/set that fail2ban populates at runtime. Re-applying this file (nft -f, or a
# restart of nftables.service) after fail2ban is already running therefore deletes
# the active bans, while fail2ban's own state still lists the address as banned.
# When a ban looks ineffective, compare "fail2ban-client status sshd" with
# "nft list ruleset".
flush ruleset
# Define private IP for ssh access
# {MEINEIP} is a placeholder for the administrator's own source address.
define privateip = {MEINEIP}
table inet filter {
# TCP ports to allow. (Allowed services: HTTP, HTTPS, SFTP)
# NOTE(review): 722 is opened here while the fail2ban sshd jail is limited to
# port = 721. If the same sshd also listens on 722, a ban produced by
# nftables-multiport does not cover it — confirm which daemon serves 722.
set tcp_accepted {
type inet_service; flags interval;
elements = {
80,443,722
}
}
# TCP port for SSH service.
set ssh_accepted {
type inet_service; flags interval;
elements = {
721
}
}
# UDP ports to allow. (Allowed services: Teamspeak 3)
set udp_accepted {
type inet_service; flags interval;
elements = {
9987
}
}
chain input {
# This line sets what traffic the chain will handle, the priority and the default policy.
# The priority comes in when another table also has a chain set to "hook input" and you want to specify in what order they should run.
# Use a semicolon to separate multiple commands on one row.
type filter hook input priority 0; policy drop;
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
# OBS! Rules with "limit" need to be put before rules accepting "established" connections.
# Allow all incoming established and related traffic. Drop invalid traffic.
# NOTE(review): "accept" ends evaluation only in this chain. A packet still passes
# through every other base chain hooked on input (for example one created by
# fail2ban at a different priority), and a "drop" in any of them is final. So this
# line does not by itself let a banned address through; an ineffective ban is more
# likely a missing/flushed fail2ban rule (see the note at "flush ruleset").
ct state established,related accept
ct state invalid drop
# Allow loopback.
# Interfaces can be set with "iif" or "iifname" (oif/oifname). If the interface can come and go use "iifname", otherwise use "iif" since it performs better.
iif lo accept
# Drop all fragments.
ip frag-off & 0x1fff != 0 counter drop
# Force SYN checks.
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# Drop XMAS packets.
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
# Drop NULL packets.
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
# Allow certain inbound ICMP types (ping, traceroute).
# With these allowed you are a good network citizen.
# Without the nd-* ones ipv6 will not work.
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# Allow SSH for specific IP only
# New SSH connections are accepted only from $privateip; every other source is
# dropped explicitly on the next line (the chain's default policy would drop them anyway).
ip saddr $privateip tcp dport @ssh_accepted accept
tcp dport @ssh_accepted drop
# Allow needed tcp and udp ports.
tcp dport @tcp_accepted ct state new accept
udp dport @udp_accepted ct state new accept
}
chain forward {
type filter hook forward priority 0; policy drop;
# Forward all established and related traffic. Drop invalid traffic.
ct state established,related accept
ct state invalid drop
}
chain output {
type filter hook output priority 0; policy drop;
# Allow all outgoing traffic. Drop invalid traffic.
# ipv6 ICMP needs to be explicitly allowed here.
ip6 nexthdr ipv6-icmp accept
ct state new,established,related accept
ct state invalid drop
}
}
# NOTE(review): the included file is not shown here. If it declares the fail2ban
# table/chain itself, that chain must be a base chain ("type filter hook input ...")
# for its rules to be evaluated at all, and the fail2ban action must point at exactly
# that table/chain (nftables_table / chain in the action config). If the names differ,
# fail2ban creates its own table at runtime, which the "flush ruleset" at the top of
# this file wipes on every reload. Verify with "nft list ruleset" that the banned
# address actually appears in a set.
include "/etc/nftables/fail2ban.conf"
Habe zum Spass auch mal den Teil mit der IP Freigabe komplett rausgenommen, bringt nix ... trotz angezeigter geblockter IP von Fail2Ban kann ich mich einloggen ... warum ist das so?