
Ubuntu 20.04.6 LTS. LAMP Server. Using Fail2Ban

I've been trying to get Geoblocking working on my private server, more for personal interest than anything else. Plus I thought it would reduce the amount of garbage that Fail2Ban has to deal with. I know there are issues with using Geoblocking, but for my purposes I doubt I will miss anything from the cn, ru or in countries.

I set it all up using IPSETs and IPTABLES, following a couple of examples I found. I populated the IPSET with the bad countries' IP address blocks sourced from IPDENY and added a new IPTABLES entry at the beginning of the INPUT chain to check the source IP against it. The INPUT chain looks like this (sorry about the layout, haven't figured that out yet):

Chain INPUT (policy DROP)
target                    prot opt source    destination
LOG_AND_DROP              all  --  anywhere  anywhere     match-set countries src
f2b-postfix-sasl          tcp  --  anywhere  anywhere     multiport dports smtp
f2b-dovecot               tcp  --  anywhere  anywhere     multiport dports pop3,pop3s,imap2,imaps
ufw-before-logging-input  all  --  anywhere  anywhere
ufw-before-input          all  --  anywhere  anywhere
ufw-after-input           all  --  anywhere  anywhere
ufw-after-logging-input   all  --  anywhere  anywhere
ufw-reject-input          all  --  anywhere  anywhere
ufw-track-input           all  --  anywhere  anywhere

I wanted to check it was working, so LOG_AND_DROP writes to the syslog with the prefix "Source host denied". Everything is looking good, and I am getting a lot fewer Fail2Ban actions and lots of LOG_AND_DROP entries, e.g.:

Feb 28 09:41:12 server1 kernel: [61440.059527] Source host denied IN=eth0 OUT= MAC=f2:3c:92:52:50:60:fe:ff:ff:ff:ff:ff:08:00 SRC=119.99.44.237 DST=172.105.188.224 LEN=52 TOS=0x00 PREC=0x00 TTL=102 ID=9334 DF PROTO=TCP SPT=50533 DPT=465 WINDOW=64800 RES=0x00 SYN URGP=0 
Feb 28 09:41:16 server1 kernel: [61444.063682] Source host denied IN=eth0 OUT= MAC=f2:3c:92:52:50:60:fe:ff:ff:ff:ff:ff:08:00 SRC=119.99.44.237 DST=172.105.188.224 LEN=52 TOS=0x00 PREC=0x00 TTL=102 ID=9335 DF PROTO=TCP SPT=50533 DPT=465 WINDOW=64800 RES=0x00 SYN URGP=0 
Feb 28 09:41:24 server1 kernel: [61452.192399] Source host denied IN=eth0 OUT= MAC=f2:3c:92:52:50:60:fe:ff:ff:ff:ff:ff:08:00 SRC=119.99.44.237 DST=172.105.188.224 LEN=52 TOS=0x00 PREC=0x00 TTL=102 ID=9336 DF PROTO=TCP SPT=50533 DPT=465 WINDOW=64800 RES=0x00 SYN URGP=0

I've only been running this for a short time, but I've noticed a couple of Fail2Ban actions that should have been dropped, e.g.:

The IP 119.102.129.74 has just been banned by Fail2Ban after 0 attempts against postfix-sasl.

The IP range from this address is 119.96.0.0 - 119.103.255.255 or CIDR 119.96.0.0/13.

119.96.0.0/13 is in the IPSET though, so it should have been dropped:

root@server1:/etc/iptables# ipset -L|grep 119.96.0.0/13
119.96.0.0/13

So my question is how do I find out why it wasn't dropped and fix it? Many thanks.

Doug Smythies
Gordon D

0 Answers
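As an added diagnostic helper (this is not part of the question above and not an answer posted on the page), the following POSIX shell script shows the checks a practitioner would make before trusting `ipset -L | grep`. It contains a pure-shell CIDR membership test, runs it over a constructed `ipset list` listing and constructed fail2ban.log ban lines to report every ban whose source address the set already covers (generalising the single 119.102.129.74 case to the whole log), and defines a `live_check` function with the commands to run as root on the server itself, where `ipset test` asks the kernel rather than grepping the listing and the INPUT counters show whether the LOG_AND_DROP rule is still in place and still matching. The set name `countries` is taken from the question's match-set rule; the sample listing, the sample log lines and the `/var/log/syslog` path are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the question. Assumes the set is
# named "countries" (as in the question's match-set rule) and IPv4 only.

# Dotted quad -> 32-bit integer (pure POSIX sh, no external tools).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed (status 0) when address $1 lies inside $2, given as CIDR or bare IP.
in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the entry of listing $2 (text in `ipset list` format) that covers
# address $1; status 1 when no entry covers it. This only sanity-checks the
# listing: the kernel's own verdict is `ipset test <set> <addr>`.
covering_entry() {
    printf '%s\n' "$2" | sed '1,/^Members:/d' | (
        while read -r entry; do
            [ -n "$entry" ] || continue
            if in_cidr "$1" "$entry"; then
                printf '%s\n' "$entry"
                exit 0
            fi
        done
        exit 1
    )
}

# Print every banned address in fail2ban.log text $1 that set listing $2
# already covers, as "<ip> <entry>"; status 0 when at least one exists.
leaked_bans() {
    found=1
    for ip in $(printf '%s\n' "$1" | sed -n 's/.*Ban \([0-9.]*\).*/\1/p'); do
        if entry=$(covering_entry "$ip" "$2"); then
            printf '%s %s\n' "$ip" "$entry"
            found=0
        fi
    done
    return $found
}

# Checks to run by hand as root on the server itself (not run automatically).
live_check() {
    ipset test countries "$1"                              # kernel's verdict, not grep's
    iptables -L INPUT -v -n --line-numbers | head -n 4     # is LOG_AND_DROP still rule 1, and are its counters moving?
    grep -c "Source host denied.*SRC=$1 " /var/log/syslog  # did the LOG rule ever see this address? (assumed log path)
}

# Constructed sample of `ipset list countries` output (not from the question).
SAMPLE_SET='Name: countries
Type: hash:net
Revision: 6
Header: family inet hashsize 65536 maxelem 65536
Size in memory: 4096
References: 1
Number of entries: 3
Members:
119.96.0.0/13
1.0.1.0/24
5.8.8.0/22'

# Constructed sample of /var/log/fail2ban.log ban lines (not from the question).
SAMPLE_F2B='2024-02-28 09:41:30,123 fail2ban.actions [845]: NOTICE [postfix-sasl] Ban 119.102.129.74
2024-02-28 09:45:02,456 fail2ban.actions [845]: NOTICE [sshd] Ban 203.0.113.9
2024-02-28 09:50:11,789 fail2ban.actions [845]: NOTICE [dovecot] Ban 5.8.9.1'

echo "Bans whose source address the set already covers:"
leaked_bans "$SAMPLE_F2B" "$SAMPLE_SET"
```

Run as-is it reports the two constructed leaks (119.102.129.74 against 119.96.0.0/13 and 5.8.9.1 against 5.8.8.0/22); on the real server, feed it `ipset list countries` and `/var/log/fail2ban.log` instead of the samples, then run `live_check 119.102.129.74` as root. If `ipset test` confirms the address is in the set but the LOG_AND_DROP counters never move for it, compare the ban timestamp in fail2ban.log with the time the set and the rule were last loaded: a ban raised from a log line written before the rule existed, or while the set was being flushed and refilled, is worth ruling out before looking for anything more exotic.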