Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Fail2Ban DROP instead REJECT
#Depending on version one of the following files must exist
root@host:/ nano /etc/fail2ban/action.d/iptables-blocktype.conf
or
root@host:/ nano /etc/fail2ban/action.d/iptables-common.conf
comment the line
#blocktype = REJECT --reject-with icmp-port-unreachable
create the line
blocktype = DROP
@radjah

This comment has been minimized.

Copy link

@radjah radjah commented Feb 8, 2019

Write it to iptables-common.local

@caffeinatedgoat

This comment has been minimized.

Copy link

@caffeinatedgoat caffeinatedgoat commented Jun 2, 2019

Why is the default REJECT? Surely DROP is better?

@openweather-me

This comment has been minimized.

Copy link

@openweather-me openweather-me commented Jul 8, 2019

Because it not sending packet back. So not using your outgoing traffic.
Also attacker doesn't known if packet reach the destination.
He will wait establishing TCP connection until timeout. So he is using more resources.

@caffeinatedgoat

This comment has been minimized.

Copy link

@caffeinatedgoat caffeinatedgoat commented Jul 14, 2019

Exactly my point, so why isn't DROP used?

@gstlouisgit

This comment has been minimized.

Copy link

@gstlouisgit gstlouisgit commented Sep 24, 2019

an old but related conversation
fail2ban/fail2ban#507

@techzilla

This comment has been minimized.

Copy link

@techzilla techzilla commented Aug 31, 2020

What's crazy is that one of the commenters posted firewalling best practices, which said that DROP harms legitimate users.... which is the reason to use DROP in this one specific situation, because in this case you know for sure this is an illegitimate user. Also DDOS is that much worse when you have to respond eating your uplink bandwidth.

@caffeinatedgoat

This comment has been minimized.

Copy link

@caffeinatedgoat caffeinatedgoat commented Sep 10, 2020

Agreed, the default should be DROP. Legitimate users shouldn't be effected because legitimate users shouldn't banned.

@JMiB-Fr-2020

This comment has been minimized.

Copy link

@JMiB-Fr-2020 JMiB-Fr-2020 commented Oct 8, 2020

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 95097
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd - Actions
|- Currently banned: 483
|- Total banned: 1785
DROP, REJECT, Same fight. I don't understand why connection attempts continue while IP addresses are banned.
[...]
root (111.229.48.141): 45 Time(s)
root (119.29.105.3): 45 Time(s)
root (138.68.106.62): 45 Time(s)
root (156.54.174.197): 45 Time(s)
root (202.100.188.108): 45 Time(s)
root (37.139.7.127): 45 Time(s)
root (68.183.126.143): 45 Time(s)
[...]
Does anyone have any idea?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.