Author: baboo (Senior Member, joined 04 Sep 2007, 676 posts)
Posted: Sun Mar 15, 2009 7:42 pm    Post subject: firewall question
I have been testing 1.4.2 before switching to production mode. No changes have been made to the server for a month.

Yesterday I changed the webmin port from '10000' to a new port. This morning I was going through the webmin modules and looked at the firewall module. To my surprise there was a policy there and, according to the time stamp, it was put there yesterday.

I was wondering if you could tell me what this policy means:

# Generated by iptables-save v1.4.2 on Sun Mar 15 10:57:03 2009
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:558]
:OUTPUT ACCEPT [1:558]
COMMIT
# Completed on Sun Mar 15 10:57:03 2009
# Generated by iptables-save v1.4.2 on Sun Mar 15 10:57:03 2009
*mangle
:PREROUTING ACCEPT [5:260]
:INPUT ACCEPT [5:260]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:1572]
:POSTROUTING ACCEPT [5:1572]
COMMIT
# Completed on Sun Mar 15 10:57:03 2009
# Generated by iptables-save v1.4.2 on Sun Mar 15 10:57:03 2009
*filter
:INPUT ACCEPT [7945989:4351853093]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13135277:17519156628]
:fail2ban-ProFTPD - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-ProFTPD -j RETURN
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Sun Mar 15 10:57:03 2009

thanks
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		gerasimos_h Site Admin
 
  Joined: 09 Aug 2007 Posts: 1757 Location: Greece
  | 
		
			
				 Posted: Sun Mar 15, 2009 8:02 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
Check your /var/log/fail2ban.log and your administrator user's mails.

Alternatively, you can run 'iptables -L'.

gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		baboo Senior Member
 
  Joined: 04 Sep 2007 Posts: 676
 
  | 
		
			
				 Posted: Sun Mar 15, 2009 8:22 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
Thanks for the reply.

Output:

tail /var/log/fail2ban.log
2009-03-11 15:37:59,657 fail2ban.filter : INFO   Set findtime = 600
2009-03-11 15:37:59,658 fail2ban.actions: INFO   Set banTime = -1
2009-03-11 15:37:59,736 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2009-03-11 15:37:59,740 fail2ban.jail   : INFO   Jail 'proftpd-iptables' started
2009-03-11 15:38:00,063 fail2ban.actions.action: ERROR  iptables -N fail2ban-ProFTPD
iptables -A fail2ban-ProFTPD -j RETURN
iptables -I INPUT -p tcp --dport ftp -j fail2ban-ProFTPD returned 400
2009-03-15 04:40:02,623 fail2ban.filter : INFO   Log rotation detected for /var/log/secure
2009-03-15 04:40:02,711 fail2ban.filter : INFO   Log rotation detected for /var/log/messages
2009-03-15 10:56:26,097 fail2ban.filter : INFO   Log rotation detected for /var/log/secure

Doesn't appear to be anything.

iptables -L output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ProFTPD (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I'm really not very good at reading this, but it looks okay to me.

thanks
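As an added example (not code from this thread or from the SMS project), here is a small Python audit that reads the iptables-save and fail2ban log text posted above: it lists each fail2ban-* chain in the filter table, reports whether INPUT actually jumps to it, and lists any ban rules (anything other than the trailing RETURN). On the thread's own data it reports fail2ban-ProFTPD as unreferenced, which matches the ERROR entry in the log where the 'iptables -I INPUT ... -j fail2ban-ProFTPD' step returned 400. The inputs are constructed copies of the thread's output, plus one constructed DROP line using a documentation address to show what a live ban looks like.

```python
import re

# Constructed sample: the filter table from the iptables-save output in the thread.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [7945989:4351853093]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13135277:17519156628]
:fail2ban-ProFTPD - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-ProFTPD -j RETURN
-A fail2ban-SSH -j RETURN
COMMIT
"""

# Constructed variant: same table with one ban (documentation address) ahead of the RETURN.
IPTABLES_SAVE_WITH_BAN = IPTABLES_SAVE.replace(
    "-A fail2ban-SSH -j RETURN",
    "-A fail2ban-SSH -s 203.0.113.5 -j DROP\n-A fail2ban-SSH -j RETURN")

# Constructed sample: the relevant fail2ban.log lines from the thread.
FAIL2BAN_LOG = """\
2009-03-11 15:37:59,736 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2009-03-11 15:37:59,740 fail2ban.jail   : INFO   Jail 'proftpd-iptables' started
2009-03-11 15:38:00,063 fail2ban.actions.action: ERROR  iptables -N fail2ban-ProFTPD
iptables -A fail2ban-ProFTPD -j RETURN
iptables -I INPUT -p tcp --dport ftp -j fail2ban-ProFTPD returned 400
2009-03-15 04:40:02,623 fail2ban.filter : INFO   Log rotation detected for /var/log/secure
"""

def audit_fail2ban_chains(dump):
    """Return {chain: {"referenced": bool, "bans": [rule text, ...]}} for the filter table."""
    chains, rules, table = [], [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":fail2ban-"):
            chains.append(line[1:].split()[0])          # chain declaration ":name - [p:b]"
        elif table == "filter" and line.startswith("-A "):
            rules.append(line.split()[1:])              # tokens after "-A": chain, matches, -j target
    report = {}
    for chain in chains:
        jumps = [r for r in rules if r[0] != chain and "-j" in r and r[r.index("-j") + 1] == chain]
        own = [r for r in rules if r[0] == chain]
        bans = [" ".join(r) for r in own if r[-1] != "RETURN"]  # fail2ban bans end in DROP/REJECT
        report[chain] = {"referenced": bool(jumps), "bans": bans}
    return report

def fail2ban_errors(log):
    """Collect ERROR entries; fail2ban prints multi-command actions over several lines."""
    errors, current = [], None
    for line in log.splitlines():
        if re.match(r"\d{4}-\d{2}-\d{2} ", line):     # a new timestamped entry
            current = [line] if " ERROR " in line else None
            if current:
                errors.append(current)
        elif current is not None:
            current.append(line)                        # continuation of the ERROR entry
    return ["\n".join(e) for e in errors]
```

An unreferenced fail2ban chain means the jail is running but its bans can never match incoming packets, so the log's ERROR entry is the line worth chasing.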
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		gerasimos_h Site Admin
 
  Joined: 09 Aug 2007 Posts: 1757 Location: Greece
  | 
		
			
				 Posted: Sun Mar 15, 2009 8:29 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
Those are your entries, they are OK.

gerasimos_h
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		baboo Senior Member
 
  Joined: 04 Sep 2007 Posts: 676
 
  | 
		
			
				 Posted: Sun Mar 15, 2009 8:38 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
When you say those are my entries, I need to be clear here. I did not put those in, so is it okay to delete?

thanks
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		gerasimos_h Site Admin
 
  Joined: 09 Aug 2007 Posts: 1757 Location: Greece
  | 
		
			
				 Posted: Sun Mar 15, 2009 9:02 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
fail2ban adds those; they are OK! No need to do anything.

gerasimos_h
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		baboo Senior Member
 
  Joined: 04 Sep 2007 Posts: 676
 
  | 
		
			
				 Posted: Sun Mar 15, 2009 9:04 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
Thank you. I know sometimes I'm a pain, but I am learning. Went out and bought a firewall book on iptables.

thanks again
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		gerasimos_h Site Admin
 
  Joined: 09 Aug 2007 Posts: 1757 Location: Greece
  | 
		
			
				 Posted: Sun Mar 15, 2009 9:07 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
If you build a good firewall script you can contribute it to SMS.

gerasimos_h
			 
		  | 
	
	
		| Back to top | 
		 | 
	
	
		baboo Senior Member
 
  Joined: 04 Sep 2007 Posts: 676
 
  | 
		
			
				 Posted: Sun Mar 15, 2009 10:54 pm    Post subject:  | 
				     | 
			 
			
				
  | 
			 
			
I would not hold my breath waiting for that outcome.