I'm using IPTables and Fail2Ban to stop some basic DDoS attacks. The tables are working OK, and fail2ban too. The problem is the iptables log: it's too big with a 10-minute attack (57 MB log). Analyzing the log, I see that the IPs are getting logged even after getting banned. I would need to find a way to stop logging after the IP is banned by fail2ban. Relevant info: I'm using Proxmox, and the rules are applied to a firewall group.
IPTables to log:
-A GROUP-global-IN -p tcp -m connlimit --connlimit-above 15 --connlimit-mask 32 --connlimit-saddr -j LOGGING
-A GROUP-global-IN -p tcp -m conntrack --ctstate NEW -m limit --limit 30/m --limit-burst 20 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -p tcp -m conntrack --ctstate NEW -j LOGGING
-A GROUP-global-IN -p tcp -m tcp --dport 55900:55990 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -p tcp -m tcp --dport 44400:44450 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -p udp -m udp --dport 3389 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -p tcp -m tcp --dport 3389 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -m comment --comment "PVESIG:KKZyJB9Ae6H5jj8mY0mkA9ERbHM"
-A GROUP-global-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-global-OUT -m comment --comment "PVESIG:M5Q45RnzRGd74WrDqXf6Jx1nDUQ"
-A LOGGING -j LOG --log-prefix "IPTables DOS: "
-A LOGGING -j DROP
I'm getting IPs with 63k matches in iptables.log (example):
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
The result of this is also getting the same on the fail2ban log and, as a result, high CPU usage.
2020-08-02 17:39:46,367 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,367 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,368 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,368 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,368 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,369 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,369 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,369 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,370 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,370 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,371 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,371 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
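Added example, not part of the question above: a small script that reads the two logs in the form shown and, for each IP that fail2ban has banned, counts how many "IPTables DOS:" LOG lines were written before and after the Ban event. A non-zero "after" count is the symptom described in the question, traffic from a banned source still reaching the LOG rule. The sample lines and the year 2020 (syslog timestamps carry no year) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the original post). The year is assumed to
# be 2020 because syslog timestamps carry no year. One Ban event for
# 64.227.16.194 at 17:39:46, with LOG hits from that source before and after it.
IPTABLES_LOG = """\
Aug 2 17:39:40 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:55 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:56 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=64.227.16.194
Aug 2 17:39:57 IPTables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=198.51.100.7
"""
FAIL2BAN_LOG = """\
2020-08-02 17:39:46,367 fail2ban.filter [869]: INFO [iptables-dropped] Found 64.227.16.194 - 2020-08-02 17:39:46
2020-08-02 17:39:46,500 fail2ban.actions [869]: NOTICE [iptables-dropped] Ban 64.227.16.194
"""

# Syslog line written by the LOG target with prefix "IPTables DOS: ".
HIT_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) IPTables DOS: .*\bSRC=(\S+)")
# fail2ban "Ban <ip>" line emitted by the actions module when a jail bans an address.
BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[\S+\] Ban (\S+)")


def parse_hits(text, year):
    """Yield (timestamp, src) for every 'IPTables DOS' LOG line."""
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            mon, day, clock, src = m.groups()
            yield datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"), src


def parse_bans(text):
    """Return {ip: time of the first fail2ban Ban event for that ip}."""
    bans = {}
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group(2) not in bans:
            bans[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return bans


def hits_after_ban(iptables_log, fail2ban_log, year):
    """For each banned ip, return (hits before Ban, hits after Ban).

    A non-zero 'after' count means the banned traffic is still reaching the
    LOG rule, i.e. the ban is not placed ahead of the LOGGING chain."""
    bans = parse_bans(fail2ban_log)
    counts = {ip: [0, 0] for ip in bans}
    for ts, src in parse_hits(iptables_log, year):
        if src in bans:
            counts[src][1 if ts > bans[src] else 0] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, (before, after) in hits_after_ban(IPTABLES_LOG, FAIL2BAN_LOG, 2020).items():
        print(f"{ip}: {before} hits before ban, {after} still logged after ban")
```

Point the two constants at the real iptables.log and fail2ban.log contents to check whether the LOG rule is still firing for banned sources on a live host.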