Troubleshooting Fail2Ban Issues with nftables
Fail2Ban may sometimes cause issues with nftables: a stale table left over from a crashed or killed instance, or a table that no longer matches the running configuration. In many cases it is enough to stop the service, delete the nftables table Fail2Ban created, and start the service again. On start, Fail2Ban's nftables action recreates the table, the chain and the per-jail address sets it needs, and re-applies the bans it still has in its database.
I'll omit sudo in the following examples. Both nft and fail2ban-client need root, so sudo (or a root shell) is required when running them.
Example: delete the f2b-table in the inet family (the default table name and family used by Fail2Ban's nftables action):
nft delete table inet f2b-table
Note that deleting the table while Fail2Ban is still running silently removes every active ban from the kernel; Fail2Ban does not notice and will not recreate the table on its own. That is why the restart afterwards is not optional.
What to Do When Changing Ports for Individual Fail2Ban Jails
If you change the ports for a specific Fail2Ban jail, it is also necessary to stop and start Fail2Ban so the new port list is applied to the nftables rules. The port list is baked into the rule that the action creates when the jail starts, so editing jail.local alone changes nothing in the kernel.
Example:
[proftpd]
enabled = true
maxretry = 2
backend = auto
port = 21,20,989,990,2222,40000-40100
logpath = /var/log/proftpd/proftpd.log
Here, I updated the list of ports to be monitored.
After stopping and starting Fail2Ban, the modified ports correctly appeared in the nftables rules generated by Fail2Ban, specifically in the chain f2b-chain of the inet f2b-table.
Command:
nft list chain inet f2b-table f2b-chain
Output (the relevant rule):
tcp dport { 20-21, 989-990, 2222, 40000-40100 } ip saddr @addr-set-proftpd reject with icmp port-unreachable
Note that nftables normalises the port set: 21,20 became 20-21 and 989,990 became 989-990. So when you check the rule, don't expect the jail's port string to appear verbatim; check that every configured port falls inside one of the listed ports or ranges.
Always Make Changes via Fail2Ban
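As an added example (not code from the original post or from the Fail2Ban project), the following POSIX shell script automates that check: it pulls the dport set out of the jail's rule in the chain listing, expands single ports and ranges, and verifies that each entry of the jail's port line is covered, so the merged 20-21 still satisfies a configured 21. The chain listings and the jail name proftpd are constructed samples; on a live host you would substitute the output of nft list chain inet f2b-table f2b-chain and the port value from your jail.local. Numeric ports only; service names such as ftp would have to be resolved first.

```shell
#!/bin/sh
# Added example: verify that every port configured for a jail is covered by the
# rule Fail2Ban generated in nftables (table inet f2b-table, chain f2b-chain).
# Samples below are constructed; replace them with live output in practice.

# Constructed: the "port =" value of the jail in jail.local
JAIL_PORTS='21,20,989,990,2222,40000-40100'

# Constructed sample of: nft list chain inet f2b-table f2b-chain (after restart)
CHAIN_SAMPLE='table inet f2b-table {
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport { 20-21, 989-990, 2222, 40000-40100 } ip saddr @addr-set-proftpd reject with icmp port-unreachable
    }
}'

# Constructed sample of the same chain before the restart: 2222 is not there yet
STALE_CHAIN_SAMPLE='table inet f2b-table {
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport { 20-21, 989-990, 40000-40100 } ip saddr @addr-set-proftpd reject with icmp port-unreachable
    }
}'

# Print the dport entries ("21" or "40000-40100") of the rule that references
# the jail's IPv4 address set, one per line. Chain listing on stdin, jail in $1.
# Works for both "dport { a, b }" and the brace-less single-port form "dport 21".
rule_ports() {
    grep "@addr-set-$1 " |
        sed 's/.*dport //; s/ ip saddr.*//; s/[{}]//g' |
        tr ',' '\n' | awk 'NF { print $1 }'
}

# Normalise one entry to "low high" so single ports and ranges compare alike.
port_range() {
    case $1 in
        *-*) printf '%s %s\n' "${1%-*}" "${1#*-}" ;;
        *)   printf '%s %s\n' "$1" "$1" ;;
    esac
}

# ports_covered JAIL PORTLINE CHAIN_LISTING
# Returns 0 when every configured port/range lies inside some range of the
# rule, otherwise prints the uncovered entries and returns 1.
ports_covered() {
    jail=$1; wanted=$2; chain=$3
    rule=$(printf '%s\n' "$chain" | rule_ports "$jail")
    missing=''
    for item in $(printf '%s\n' "$wanted" | tr ',' ' '); do
        set -- $(port_range "$item"); lo=$1; hi=$2
        ok=0
        for r in $rule; do
            set -- $(port_range "$r"); rlo=$1; rhi=$2
            [ "$lo" -ge "$rlo" ] && [ "$hi" -le "$rhi" ] && ok=1
        done
        [ "$ok" -eq 1 ] || missing="$missing $item"
    done
    if [ -z "$missing" ]; then
        printf '%s: all configured ports are in the nft rule\n' "$jail"
        return 0
    fi
    printf '%s: ports not covered by nft rule:%s\n' "$jail" "$missing"
    return 1
}

# Stand-alone demo: the refreshed chain passes, the stale one reports 2222.
ports_covered proftpd "$JAIL_PORTS" "$CHAIN_SAMPLE"
ports_covered proftpd "$JAIL_PORTS" "$STALE_CHAIN_SAMPLE" ||
    echo 'restart fail2ban so the new port list reaches nftables' >&2
```

The stale listing is the state you see when jail.local was edited but the service was not restarted; the check reports the missing port instead of leaving you to eyeball a merged range list.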
From my experience, manually modifying the nft tables that Fail2Ban manages usually causes problems. Fail2Ban keeps its own record of bans and rewrites its sets whenever it bans, unbans or restarts, so addresses added by hand disappear or diverge from what Fail2Ban believes is banned. It is better to apply changes through Fail2Ban itself.
Adding and Removing IPs from Fail2Ban Jails
If you're using nftables as the backend for Fail2Ban, you should not add or remove IPs directly via nft. Use fail2ban-client instead, which updates both Fail2Ban's ban database and the jail's nftables set, so the two stay in sync.
Add an IP address to a jail:
fail2ban-client set <jail> banip 1.2.3.4
fail2ban-client set proftpd banip 1.2.3.4
Remove an IP address from a jail:
fail2ban-client set <jail> unbanip 1.2.3.4
fail2ban-client set proftpd unbanip 1.2.3.4
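To see whether the kernel and Fail2Ban actually agree for a jail, compare the jail's nftables set with the banned list Fail2Ban reports. The script below does that; it is an added example for the two sections above (changing things only via Fail2Ban, and adding or removing IPs), not code from the original post or from the Fail2Ban project. It parses the output of nft list set inet f2b-table addr-set-proftpd and of fail2ban-client status proftpd, both given here as constructed samples in which 203.0.113.9 was added to the set by hand and is therefore unknown to Fail2Ban. The jail name proftpd and all addresses are assumptions; on a live host you would substitute the real command output.

```shell
#!/bin/sh
# Added example: detect drift between a jail's nftables address set and the
# list of IPs that Fail2Ban itself considers banned. Samples are constructed;
# set and jail names follow Fail2Ban's nftables action defaults
# (table inet f2b-table, set addr-set-<jail>).

# Constructed sample of: nft list set inet f2b-table addr-set-proftpd
# (203.0.113.9 was inserted by hand with nft, bypassing Fail2Ban)
NFT_SAMPLE='table inet f2b-table {
    set addr-set-proftpd {
        type ipv4_addr
        elements = { 1.2.3.4, 198.51.100.7,
                     203.0.113.9 }
    }
}'

# Constructed sample of: fail2ban-client status proftpd
# (real output separates label and value with a tab; the parser accepts both)
F2B_SAMPLE='Status for the jail: proftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 5
|  `- File list: /var/log/proftpd/proftpd.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 2
   `- Banned IP list: 1.2.3.4 198.51.100.7'

# Constructed: the same status after "fail2ban-client set proftpd banip 203.0.113.9"
F2B_SAMPLE_OK='Status for the jail: proftpd
`- Actions
   |- Currently banned: 3
   `- Banned IP list: 1.2.3.4 198.51.100.7 203.0.113.9'

# Elements of the set from "nft list set" output on stdin, one per line, sorted.
# Takes the first word of each element so an optional "timeout ..." suffix is ignored.
nft_set_ips() {
    awk '/elements = [{]/ { inside = 1 } inside { print } inside && /[}]/ { exit }' |
        tr -d '{}' | sed 's/elements *=//' | tr ',' '\n' |
        awk 'NF { print $1 }' | LC_ALL=C sort
}

# Banned IPs from "fail2ban-client status <jail>" output on stdin, one per line, sorted.
f2b_banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' |
        awk 'NF' | LC_ALL=C sort
}

# check_sync JAIL NFT_SET_LISTING F2B_STATUS_OUTPUT
# Returns 0 when both lists hold the same addresses; otherwise prints which
# side has extra entries and returns 1.
check_sync() {
    jail=$1
    nft_ips=" $(printf '%s\n' "$2" | nft_set_ips | tr '\n' ' ')"
    f2b_ips=" $(printf '%s\n' "$3" | f2b_banned_ips | tr '\n' ' ')"
    only_nft=''; only_f2b=''
    for ip in $nft_ips; do
        case $f2b_ips in *" $ip "*) ;; *) only_nft="$only_nft $ip" ;; esac
    done
    for ip in $f2b_ips; do
        case $nft_ips in *" $ip "*) ;; *) only_f2b="$only_f2b $ip" ;; esac
    done
    if [ -z "$only_nft" ] && [ -z "$only_f2b" ]; then
        printf '%s: nft set and fail2ban banned list agree\n' "$jail"
        return 0
    fi
    [ -n "$only_nft" ] && printf '%s: in nft set but not banned in fail2ban:%s\n' "$jail" "$only_nft"
    [ -n "$only_f2b" ] && printf '%s: banned in fail2ban but missing from nft set:%s\n' "$jail" "$only_f2b"
    return 1
}

# Stand-alone demo: the hand-edited set drifts, the corrected status agrees.
check_sync proftpd "$NFT_SAMPLE" "$F2B_SAMPLE" ||
    echo 'fix the drift with fail2ban-client banip/unbanip, not with nft' >&2
check_sync proftpd "$NFT_SAMPLE" "$F2B_SAMPLE_OK"
```

Because Fail2Ban rewrites its sets on the next ban, unban or restart, an address that shows up only on the nft side is exactly the kind of manual entry that will vanish without warning; the fix is to ban it through fail2ban-client so it is recorded on both sides.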