fail2ban on Raspbian does not create iptables jails
Solution 1:
It turns out that the answer is twofold. First, there is a change in how fail2ban works. Newer versions of fail2ban will not immediately create chains in the firewall configuration, but only upon first trigger. This explains why a new fail2ban installation does not show chains in iptables -L.
To test the creation of the iptables chains, we can use the fail2ban-client to add a ban (-vvv adds verbosity, which may help you debug problems in the command):
$ sudo fail2ban-client -vvv set sshd banip 192.0.2.0
After running this command, iptables shows (should show) the chain for this jail:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 192.0.2.0 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
We can unban the IP as follows:
$ sudo fail2ban-client -vvv set sshd unbanip 192.0.2.0
And now the rule in iptables is removed, but the f2b-sshd chain persists:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
In short, to test your fail2ban installation you must:
- Install fail2ban with just the sshd configuration (which is the default)
- Use
sudo fail2ban-client status sshd
to check the status
- Use
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
to check the regular expression matching
- Use
sudo fail2ban-client -vvv set sshd banip 192.0.2.0
to generate an sshd ban
- Use
sudo iptables -L
to verify that the f2b-sshd chain is created with the ban rule in it
- Use
sudo fail2ban-client -vvv set sshd unbanip 192.0.2.0
to remove the ban
I also noticed that there is an option to revert the "on demand chain creation" behavior; check this GitHub issue for details.
I hope this helps.
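The ban/unban procedure from the answer above, scripted so that the chain check is done by parsing `iptables -L` output instead of eyeballing it. This is an added example and is not code from the answer or from the fail2ban project. It assumes the default sshd jail and the f2b-sshd chain name fail2ban derives from it, the TEST-NET address 192.0.2.0 used above, and plain `iptables -L` column layout (no -v); the sample listings embedded for the offline self-check are copied or trimmed from the answer's own output, and the third (a fresh install with no f2b chain) is constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer: script the ban/unban test
# from the answer and check `iptables -L` output for the jail's chain.
# Assumptions: the default sshd jail, the chain name f2b-sshd that fail2ban
# derives from it, the TEST-NET address 192.0.2.0, and `iptables -L` run
# without -v (the column positions below depend on that).
set -u

JAIL=${JAIL:-sshd}
CHAIN="f2b-$JAIL"
TEST_IP=${TEST_IP:-192.0.2.0}

# chain_rule_state LISTING CHAIN IP
# Reads plain `iptables -L` output and prints one of:
#   chain_missing - the chain does not exist (no ban has ever been triggered)
#   banned        - the chain has a REJECT rule whose source is IP
#   unbanned      - the chain exists but holds no REJECT rule for IP
chain_rule_state() {
    listing=$1; chain=$2; ip=$3
    # Keep only the lines between "Chain <name> (" and the next "Chain " header.
    body=$(printf '%s\n' "$listing" | awk -v hdr="Chain $chain (" '
        index($0, hdr) == 1 { inchain = 1; next }
        /^Chain /           { inchain = 0 }
        inchain             { print }')
    if [ -z "$body" ]; then
        echo chain_missing
        return 0
    fi
    # Columns of a -L rule line: target prot opt source destination ...
    if printf '%s\n' "$body" | awk -v ip="$ip" '
        $1 == "REJECT" && $4 == ip { found = 1 }
        END { exit found ? 0 : 1 }'; then
        echo banned
    else
        echo unbanned
    fi
}

# Run the answer's procedure end to end: ban, check, unban, check.
# Needs sudo and a running fail2ban with the jail enabled. -n keeps the
# source column numeric so it matches the IP literally.
run_ban_test() {
    sudo fail2ban-client set "$JAIL" banip "$TEST_IP" >/dev/null
    state=$(chain_rule_state "$(sudo iptables -L -n)" "$CHAIN" "$TEST_IP")
    if [ "$state" != banned ]; then
        echo "FAIL: after banip expected 'banned' in $CHAIN, got '$state'" >&2
        sudo fail2ban-client set "$JAIL" unbanip "$TEST_IP" >/dev/null
        return 1
    fi
    sudo fail2ban-client set "$JAIL" unbanip "$TEST_IP" >/dev/null
    state=$(chain_rule_state "$(sudo iptables -L -n)" "$CHAIN" "$TEST_IP")
    if [ "$state" != unbanned ]; then
        echo "FAIL: after unbanip expected 'unbanned' in $CHAIN, got '$state'" >&2
        return 1
    fi
    echo "OK: $CHAIN created on first ban; rule for $TEST_IP added and removed"
}

# Sample `iptables -L` output (trimmed from the answer above) for an offline check.
SAMPLE_BANNED='Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 192.0.2.0 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere'
# Same listing after unbanip: only the REJECT rule is gone.
SAMPLE_UNBANNED=$(printf '%s\n' "$SAMPLE_BANNED" | grep -v '^REJECT ')
# Constructed: a fresh install where no ban has fired yet, so no f2b chain.
SAMPLE_FRESH='Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination'

# Offline self-check of the parser; pass "run" to exercise the live system.
self_check() {
    [ "$(chain_rule_state "$SAMPLE_FRESH" f2b-sshd 192.0.2.0)" = chain_missing ] &&
    [ "$(chain_rule_state "$SAMPLE_BANNED" f2b-sshd 192.0.2.0)" = banned ] &&
    [ "$(chain_rule_state "$SAMPLE_UNBANNED" f2b-sshd 192.0.2.0)" = unbanned ]
}

if [ "${1:-}" = run ]; then
    run_ban_test
else
    self_check && echo "self-check passed (use '$0 run' to test the live system)"
fi
```

Running the script with no arguments only checks the parser against the embedded listings; `sudo sh thisscript.sh run` performs the real ban/unban on the host and fails loudly if the f2b-sshd chain or its REJECT rule does not appear or disappear as the answer describes.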