Some months ago I moved to a Contabo VPS.
Centos 7, Apache 2.4, Webmin/Virtualmin were installed.
Using firewallD.
Fail2ban was installed by default by Webmin install.
I left the default network/firewall settings, just changed ssh port.
After some hours of fail2ban restart, and after some successfully banned IPs I realized some errors in fail2ban.log, it displayed several “already banned” of the same IP.
I posted a question in stackoverflow and @sebres (the author or fail2ban manager) suggested something is flushing iptables because of the symptom
2019-12-05 16:55:20,856 fail2ban.action [1514]: ERROR iptables -w -n -L INPUT | grep -q ‘f2b-proftpd[ \t]’ – stdout: ‘’
I made several tests changing jails configuration but nothing changed; after some time (hours) “already banned” started to appear in f2b log (version 0.9)
I also removed the webmin fail2ban module.
Checked cron jobs to see if something can be flushing iptables in any way.
During those days version 0.10 of f2b was available from repositories so I upgraded it.
After few days, again, “already banned” issue started over.
Contabo folks say their VPS system doesn’t control any of global variables, “…being provided with full root access to the servers”.
This is my jail.local configuration
[DEFAULT] # Also tried these commented lines instead of the next ones #banaction = iptables-multiport #banaction_allports = iptables-allports action = firewallcmd-ipset[] action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] [sshd] enabled = true port = ssh maxretry = 4 bantime = 7200 [ssh-ddos] enabled = true port = ssh,sftp filter = sshd-ddos mode = agressive [webmin-auth] enabled = true port = 10000 [proftpd] enabled = true bantime = -1 [postfix] enabled = true bantime = -1 [dovecot] enabled = true bantime = -1 [postfix-sasl] enabled = true bantime = -1
Other needed confs are in jail.d, filter.d, fail2ban.d and action.d dirs and paths-common.conf, paths-fedora.conf, jail.conf and fail2ban.conf
To “fix” the problem I have running, periodically, a script to firewall-cmd reject those “already banned” IPs once.
What could be causing iptables get flushed and attackers get rid of fail2ban jail?