Skip to content

Instantly share code, notes, and snippets.

Last active March 10, 2021 16:37
  • Star 8 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save antoniocampos/1b8bc607d7b2d4a42e2a6e7df00645d0 to your computer and use it in GitHub Desktop.
Fail2Ban DROP instead REJECT
#Depending on version one of the following files must exist
root@host:/ nano /etc/fail2ban/action.d/iptables-blocktype.conf
root@host:/ nano /etc/fail2ban/action.d/iptables-common.conf
comment the line
#blocktype = REJECT --reject-with icmp-port-unreachable
create the line
blocktype = DROP
Copy link

radjah commented Feb 8, 2019

Write it to iptables-common.local

Copy link

Why is the default REJECT? Surely DROP is better?

Copy link

Because it not sending packet back. So not using your outgoing traffic.
Also attacker doesn't known if packet reach the destination.
He will wait establishing TCP connection until timeout. So he is using more resources.

Copy link

Exactly my point, so why isn't DROP used?

Copy link

an old but related conversation

Copy link

techzilla commented Aug 31, 2020

What's crazy is that one of the commenters posted firewalling best practices, which said that DROP harms legitimate users.... which is the reason to use DROP in this one specific situation, because in this case you know for sure this is an illegitimate user. Also DDOS is that much worse when you have to respond eating your uplink bandwidth.

Copy link

caffeinatedgoat commented Sep 10, 2020

Agreed, the default should be DROP. Legitimate users shouldn't be effected because legitimate users shouldn't banned.

Copy link

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 95097
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd - Actions
|- Currently banned: 483
|- Total banned: 1785
DROP, REJECT, Same fight. I don't understand why connection attempts continue while IP addresses are banned.
root ( 45 Time(s)
root ( 45 Time(s)
root ( 45 Time(s)
root ( 45 Time(s)
root ( 45 Time(s)
root ( 45 Time(s)
root ( 45 Time(s)
Does anyone have any idea?

Copy link

sem-hub commented Jan 10, 2021

I think REJECT is very strange choice for default.
I've realize it when found a lot of ICMP traffic from me. It customizes easy, but a lot of people will not change it.
I've read #507 and I'm not agree.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment