fail2ban on Raspbian does not create iptables jails

Solution 1:

It turns out that the answer is twofold. First, there is a change in how fail2ban works. Newer versions of fail2ban will not immediately create chains in the firewall configuration, but only upon first trigger. This explains why a new fail2ban installation does not show chains in iptables -L.

To test the creation of the iptables chains, we can use the fail2ban-client to add a ban (-vvv adds verbosity, which may help you debug problems in the command):

$ sudo fail2ban-client -vvv set sshd banip 192.0.2.0

After running this command, iptables shows (should show) the chain for this jail:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.0            anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

We can unban the IP as follows:

$ sudo fail2ban-client -vvv set sshd unbanip 192.0.2.0

And now the rule in iptables is removed, but the f2b-sshd chain persists:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

In short, to test your fail2ban installation you must:

  1. Install fail2ban with just the sshd configuration (which is default)
  2. Use sudo fail2ban-client status sshd to check the status
  3. Use fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf to check the regular expression matching.
  4. Use sudo fail2ban-client -vvv set sshd banip 192.0.2.0 to generate an sshd ban
  5. Use sudo iptables -L to verify that the f2b-sshd chain is created with the ban rule in it.
  6. Use sudo fail2ban-client -vvv set sshd unbanip 192.0.2.0 to remove the ban.

I also noticed that there is an option to revert the "on demand chain creation" behavior; check this GitHub issue for details.

I hope this helps.
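Step 5 of the checklist above is easy to eyeball once, but if you want to repeat the check (for example after every fail2ban upgrade) it helps to have it scripted. The following is an added example, not code from the answer or from the fail2ban project: it parses the text of iptables -L, which the answer shows for the sshd jail, and reports whether the jail's chain exists, whether INPUT jumps to it, and which source addresses currently have a REJECT or DROP rule. It assumes fail2ban names the chain f2b-<jail> for every jail (the answer only shows this for sshd) and that the jail chain is referenced from INPUT. The two sample outputs are copied from the answer; the third (a fresh install with no chain yet) is constructed.

```python
"""Check fail2ban's effect on the firewall by parsing `iptables -L` output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Copied from the answer: state right after `fail2ban-client set sshd banip 192.0.2.0`.
AFTER_BAN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.0            anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
"""

# Copied from the answer: state after `unbanip`; the chain persists, the REJECT rule is gone.
AFTER_UNBAN = AFTER_BAN.replace(
    "REJECT     all  --  192.0.2.0            anywhere             reject-with icmp-port-unreachable\n", "")

# Constructed: a fresh install where no jail has fired yet, so no f2b-* chain exists.
FRESH = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references?)\)$")


@dataclass
class Chain:
    name: str
    policy: Optional[str]        # built-in chains carry a policy ...
    references: Optional[int]    # ... user-defined chains carry a reference count
    rules: List[Dict[str, str]] = field(default_factory=list)


def parse_iptables_l(output: str) -> Dict[str, Chain]:
    """Parse `iptables -L` (default verbosity) into chains and their rules."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in (l.rstrip() for l in output.splitlines()):
        if not line:
            continue
        m = CHAIN_HEADER.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, int(refs) if refs else None)
            chains[name] = current
            continue
        if line.startswith("target "):
            continue  # column header printed under every chain
        if current is None:
            raise ValueError(f"rule before any chain header: {line!r}")
        # Columns: target prot opt source destination [match options]
        parts = line.split(None, 5)
        if len(parts) < 5:
            raise ValueError(f"unrecognised rule line: {line!r}")
        target, prot, opt, src, dst = parts[:5]
        current.rules.append({"target": target, "prot": prot, "opt": opt, "source": src,
                              "destination": dst, "extra": parts[5] if len(parts) > 5 else ""})
    return chains


def jail_chain_hooked(chains: Dict[str, Chain], jail: str, hook: str = "INPUT") -> bool:
    """True if the f2b-<jail> chain exists and the hook chain jumps to it (assumed naming)."""
    name = f"f2b-{jail}"
    hook_chain = chains.get(hook)
    return name in chains and hook_chain is not None and any(
        r["target"] == name for r in hook_chain.rules)


def banned_ips(chains: Dict[str, Chain], jail: str) -> Set[str]:
    """Source addresses with a blocking rule in the jail chain (empty if the chain is absent)."""
    chain = chains.get(f"f2b-{jail}")
    if chain is None:
        return set()
    return {r["source"] for r in chain.rules if r["target"] in ("REJECT", "DROP")}


def verify_ban(output: str, jail: str, ip: str) -> str:
    """One-word verdict for checklist step 5: 'banned', 'chain-only' or 'no-chain'."""
    chains = parse_iptables_l(output)
    if not jail_chain_hooked(chains, jail):
        return "no-chain"
    return "banned" if ip in banned_ips(chains, jail) else "chain-only"


if __name__ == "__main__":
    # In practice feed it live output: verify_ban(subprocess.run(["iptables", "-L"], ...).stdout, ...)
    for label, sample in (("after ban", AFTER_BAN), ("after unban", AFTER_UNBAN), ("fresh", FRESH)):
        print(f"{label:12s} -> {verify_ban(sample, 'sshd', '192.0.2.0')}")
```

Running the three samples prints banned, chain-only and no-chain respectively, which matches the answer's observation that the chain is created on the first ban and survives the unban. Because the parser only reads the default iptables -L columns, it works on any jail name, not just sshd; pass the live command's stdout to verify_ban to automate the check.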