How will iptables rules work against fail2ban rules? Who will have priority over?
How do I add fail2ban rules to iptables?
Looking at the information of the iptables table, we can see that all IPs that are not 80.234.40.124 will be DROP. In fact, this will prvent from brute force password attacking on VPS. The question is, does it make sense to use fail2ban in this case?
f2b uses its own chains per filter, e.g. f2b-sshd. When f2b restarts, its chains are flushed and the currently saved ips (if any) from the DB (default sqlite) are re-added to the chains. Other self-written rules are not affected. But: If you call iptables -F by your own, you flush all chains and you have to restart the f2b service, if it already had data in its DB. And: f2b only creates its chains when it has found an ip to be blocked for the first time, see e.g. /etc/fail2ban/action.d/iptables-multiport.conf.
f2b reads log files and looks for specific entries, like
f2b does that by itself, see above. f2b is a service that uses iptables to ban ips.
f2b won't have much to do as it won't find any failed login attempts in e.g. auth.log, except for your socks server. You can test it by trying a wrong pwd N times (assuming that you deosn't use a ssh key). But be careful to not lock out youself, so you should have open a second terminal in parallel from where you can unban its ip.
As mentioned before, a static management ip is always beneficial. f2b is particularly useful for services (not just ssh) that are accessible from anywhere, cause it mainly acts against bots. It also has the option of sending reports to Blocklist.
If I do not set rule for iptables, I only set the rules for fail2ban. When I run command iptables -L , I can see the rule of fail2ban in iptables
But if I set the rule for iptables first, then I set the rules for fail2ban. When I run command iptables -L, I only see iptables rules, not seeing rules of fail2ban in iptables
As I recall, fail2ban will add a rule to iptables AFTER it detects an anomaly, based on the way fail2ban1 is configured.
Frankly speaking, I'm not understanding where this line of questioning is leading.
What is the "doubt" or "concern" on using a tool (fail2ban) which is used by "uncountable" sys admins, is very mature and very completely documented?
I have used fail2ban on a number of servers for as long as I can remember, and it's never been a problem. It's just one of many tools available to sys admins to help secure their systems.
I am not very clear what your question is. As stated, f2b creates a chain per jail and thus a first ipt rule only after it has discovered an ip to be blocked for the first time (default: 5 log entries). If it has not yet discovered an ip for a jail like sshd, there is still no chain f2b-sshd.
And as said, you don't need to set ipt rules for f2b by youself, it is done by f2b. And with a iptables -F you not only delete your own rules, but also those of f2b (but not its chains, that needs iptables -X). But then f2b no longer knows which of its rules are active, so you should call fail2ban-client reload sshd afterwards. Also note the settings of findtime and bantime.
Some useful commands are:
# show config
$ fail2ban-client --dp
# show status of a jail
$ fail2ban-client status sshd
# unban an ip from all jails
$ fail2ban-client unban ip 1.2.3.42
# show matched log entries
$ fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# show stored bans
$ echo "select data from bans" | sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 | jq .
# show commands & options
$ fail2ban-client | less
And iptables -vnL prints also the number of packets & bytes matched per rule, showing ips & ports in numeric format.