
Re: Debian 12 - IPv4 blocked without fail2ban & co



It happened again last night, but I wasn't able to investigate before I woke up, and for the moment it's not blocking anymore.
Out of curiosity, I'm doing a regular MTR, and I've had a strange thing happen.

A normal one (rpi4 at home to OVH):
└─# mtr -r 54.38.38.159 -4
Start: 2023-09-07T07:14:15+0000
HOST: rpi4                        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- livebox.home               0.0%    10    1.0   0.9   0.7   1.1   0.1
  2.|-- 80.10.239.9                0.0%    10    3.0   2.9   2.7   3.5   0.3
  3.|-- ae102-0.ncidf103.rbci.ora  0.0%    10    3.3   3.4   2.2   6.3   1.1
  4.|-- ae51-0.nridf101.rbci.oran  0.0%    10    3.2   3.4   3.1   3.6   0.2
  5.|-- ae41-0.noidf001.rbci.oran  0.0%    10    3.5   3.7   3.2   5.4   0.6
  6.|-- be102.par-th2-pb1-nc5.fr.  0.0%    10   25.9   9.6   3.7  31.7  10.5
  7.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  8.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  9.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 10.|-- be103.rbx-g4-nc5.fr.eu     0.0%    10    8.1   9.0   7.2  20.9   4.2
 11.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 12.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 13.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 14.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 15.|-- mail.borezo.info           0.0%    10    6.9   7.2   6.7   7.9   0.4

The same one a few minutes later (not normal):
└─# mtr -r 54.38.38.159 -4
Start: 2023-09-07T07:24:27+0000
HOST: rpi4                        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- livebox.home               0.0%    10    0.9   1.1   0.7   2.8   0.6
  2.|-- 80.10.239.9                0.0%    10    2.8   3.0   2.7   4.4   0.5
  3.|-- ae102-0.ncidf103.rbci.ora  0.0%    10   37.3   6.8   2.7  37.3  10.7
  4.|-- ae51-0.nridf101.rbci.oran  0.0%    10    3.5   3.5   3.1   4.6   0.4
  5.|-- ae41-0.noidf001.rbci.oran  0.0%    10    3.3   3.9   3.2   8.4   1.6
  6.|-- be102.par-th2-pb1-nc5.fr.  0.0%    10    3.7  14.0   3.7  44.1  15.0
  7.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  8.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  9.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 10.|-- be103.rbx-g4-nc5.fr.eu     0.0%    10    7.5   8.4   7.1  12.1   1.7
 11.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 12.|-- rpi4.home                 90.0%    10  7955. 7955. 7955. 7955.   0.0

On Wed, 6 Sept 2023 at 08:39, Romain <romain@borezo.info> wrote:
Hello everyone,

I recently reinstalled a dedicated server (with OVH, in case that helps with diagnosis), transitioning from Debian 11 to Debian 12.

Since then, I have been experiencing regular and progressive IPv4 blocking at my home. Access via IPv6 or from another IPv4 (including from the same provider) is working.

Here's an example from last night after a server reboot the previous evening:
01:43-02:13 (30 minutes)
02:26-03:26 (1 hour)
03:28-05:28 (2 hours)
05:55-? (still blocked at the time of writing)

Issues:
- The OVH Debian 12 template for dedicated servers doesn't come with any pre-installed blocking tools (e.g., no fail2ban).
- I haven't added any such tools since installing the server, only Apache (with mod_security), PHP, and MariaDB.
- From my home IP address last night, the only generated requests were from my Uptime Kuma probe, which includes a ping every minute and a curl request to a URL that consistently returns HTTP 200 (except when the IP is blocked, of course).

When my IP is blocked, curl returns a "Connection refused," and ping returns "Destination Port Unreachable."

I couldn't find any mentions of my IPv4 address in the server logs. MTR (-4) doesn't report any issues reaching the server. OVH has confirmed that it's not an issue with their network equipment, and a rescue mode restart allows me to regain ping access.

Do you have any ideas about what might be causing this on a nearly pristine Debian 12 installation? I've been pulling my hair out for a few days now...

Thanks!

Romain




