Package: fail2ban
Version: 0.8.3-2sid1
Severity: normal

Last night I had a distributed attack on my Asterisk server from more than 400
hosts.
fail2ban failed to ban all IP addresses, because it can only
try to ban one IP address per second. My whole log is full of these messages:

2010-11-01 14:53:32,272 fail2ban.actions: WARNING [asterisk-iptables] 59.99.209.227 already banned
2010-11-01 14:53:33,272 fail2ban.actions: WARNING [asterisk-iptables] 125.166.165.16 already banned
2010-11-01 14:53:34,272 fail2ban.actions: WARNING [asterisk-iptables] 110.159.192.213 already banned
2010-11-01 14:53:35,272 fail2ban.actions: WARNING [asterisk-iptables] 80.67.50.243 already banned
2010-11-01 14:53:36,272 fail2ban.actions: WARNING [asterisk-iptables] 125.165.164.204 already banned
2010-11-01 14:53:37,272 fail2ban.actions: WARNING [asterisk-iptables] 61.19.66.182 already banned
2010-11-01 14:53:38,273 fail2ban.actions: WARNING [asterisk-iptables] 110.159.192.213 already banned
2010-11-01 14:53:39,272 fail2ban.actions: WARNING [asterisk-iptables] 80.67.50.243 already banned
2010-11-01 14:53:40,272 fail2ban.actions: WARNING [asterisk-iptables] 125.166.165.16 already banned

The problem is actually in the actions.py file: if an IP is already banned,
fail2ban waits for 1 second
before banning another one. I believe that this patch should solve the problem:

--- actions.py.orig     2010-11-01 15:36:43.000000000 +0300
+++ actions.py  2010-11-01 15:27:18.000000000 +0300
@@ -162,10 +162,10 @@
                                logSys.warn("[%s] Ban %s" % 
(self.jail.getName(), aInfo["ip"]))
                                for action in self.__actions:
                                        action.execActionBan(aInfo)
-                               return True
                        else:
                                logSys.warn("[%s] %s already banned" % 
(self.jail.getName(), 
                                                                                
                                aInfo["ip"]))
+                       return True
                return False
 
        ##
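
Review bot: The return value changes meaning once `return True` sits below the `else:` branch: it no longer says that a ban was executed, only that a ticket was handled, and nothing in the hunk documents that. A comment on the method stating the new contract would help, since per the report the result decides whether the caller pauses for a second. With that pause gone, the `already banned` warning in the else branch is emitted as fast as duplicate tickets arrive, so consider lowering it from `logSys.warn` or rate-limiting it so a flood like the one quoted above does not fill the log even faster.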





-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-486
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to ru_RU.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base                      3.2-20     Linux Standard Base 3.2 init scrip
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-central                0.6.8      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.2-6    administration tools for packet fi
ii  whois                         4.7.30     an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20071201cvs-3 A simple mail user agent
ii  heirloom-mailx [ma 12.3+cvs20080629-1    feature-rich BSD mail(1)
ii  mailx              1:20071201-3          Transitional package for mailx ren
pn  python-gamin       <none>                (no description available)

-- no debconf information
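
A small model of the behaviour described in this report, added here as an illustration; it is not fail2ban code and not part of the original report. It assumes a loop that sleeps one second whenever the ban check returns False; `check_ban`, `drain`, `worst_delay` and the host labels are hypothetical, and the ticket list is constructed.

```python
from collections import deque

def check_ban(queue, ban_time, clock, patched):
    """Handle one failure ticket; the result tells the loop whether to skip its sleep."""
    if not queue:
        return False
    ip = queue.popleft()
    if ip not in ban_time:
        ban_time[ip] = clock      # stands in for running the ban action
        return True
    # "already banned": the original falls through to False, the patch returns True
    return patched

def drain(tickets, patched, sleep_time=1):
    """Run the modelled loop on a virtual clock until the queue is empty.

    Returns (seconds spent sleeping, {ip: second at which it was banned}).
    """
    queue, ban_time, clock = deque(tickets), {}, 0
    while queue:
        if not check_ban(queue, ban_time, clock, patched):
            clock += sleep_time   # virtual sleep, no real waiting
    return clock, ban_time

def worst_delay(tickets, patched):
    """Longest time any host waited in the queue before it was banned."""
    _, ban_time = drain(tickets, patched)
    return max(ban_time.values())

# Constructed input: 400 hosts, each producing three failure tickets in a row,
# so two duplicates sit in front of every new host after the first.
HOSTS = ["host-%03d" % i for i in range(400)]
TICKETS = [h for h in HOSTS for _ in range(3)]

if __name__ == "__main__":
    for patched in (False, True):
        slept, _ = drain(TICKETS, patched)
        label = "patched" if patched else "original"
        print("%-8s slept %4ds, last host banned after %4ds"
              % (label, slept, worst_delay(TICKETS, patched)))
```

In this model every duplicate ticket costs the original loop one second, so new hosts queue behind duplicates; with the patched return value the queue drains without sleeping.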


