Fail2Ban Correctly Attempts to Ban IP but IP does not get banned - iptables chain exists but not working

Running on Ubuntu 14.04 Server.

So I have fail2ban correctly configured to process /var/log/auth.log for SSH login attempts.

Upon 3 failed attempts I see this in the fail2ban log:

2014-11-19 15:22:56,822 fail2ban.actions: WARNING [ssh] Ban BANNED_IP_ADDY

iptables -L shows this chain:

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
REJECT     all  --  BANNED_IP_ADDY  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Yet from that IP I can still login via SSH without any issues.

The same story applies for all my fail2ban jails. Apache for example, I can see fail2ban correctly detect the log and claim it bans an IP. The IP ends up in an iptables chain but the IP is not actually being REJECTED.

I have a feeling in these cases is because SSH is not on the standard port. It is on a different port.

So if I force the ssh jail rule to use the new port:

[ssh]

enabled  = true
port     = 32323
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

Then I see this error:

2014-11-19 15:30:06,775 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports 32323 -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 400
2014-11-19 15:30:06,778 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 32323 -j fail2ban-ssh returned 400
2014-11-19 15:30:06,779 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-11-19 15:30:06,780 fail2ban.actions.action: CRITICAL Unable to restore environment

If I leave it as

 port = ssh

Then it gets into iptables properly but the chain is not working to REJECT traffic (as mentioned above).

UPDATE:

If I change:

banaction = iptables-multiport

To:

banaction = iptables-allports

Then it appears to work. What is the repercussions of this change?

It appears that causing fail2ban to ban an IP because of SSH with this allports it banned EVERY port for that IP. Purposefully got banned due to repeated ssh login fails. Also got banned on every other service.


The fail2ban chains are not correctly linked to your INPUT and OUTPUT chains. Please edit your question and provide output of:

iptables -n -L INPUT
iptables -n -L OUTPUT

and all fail2ban chains too, and I'll be able to be more precise.