Quoting Tom Hendrikx <tom@wh...>: > It sounds like logrotate (or smething else) changed the files that > need to be monitored, and f2b is not notified about it.
Hi Tom, thanks for your reply. I can say its definately not due to this, for example in the last few hours we have had several IP addresses attacking the server, the log has not been rotated in more than 12 hours but its still only banning IP addresses when restarted. I don't know what it does under the hood but it looks to me like its evaluating the rules, which for Apache/HTTP is defined with a findtime of 60, and blocks IPs from the logs which appear in the last 60 seconds of when fail2ban is restarted and after that does nothing (except Ssh which works great). Any other possible causes or any other debugging I can do? fail2ban-regex also works great, ie: Results ======= Failregex: 104953 total |- #) [# of hits] regular expression | 1) [104953] ^<HOST> -.*\"(GET|POST).* `- thanks again, Andy. ------------------------------------------------------------------------------ Dive into the World of Parallel Programming! The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net _______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
