On 06/24/2015 05:28 AM, Michael Grant wrote:
> I see a lot of these Already Banned messages in my fail2ban log. For example
>
> [sshd]
> maxretry = 9
> enabled = true
>
> 2015-06-24 04:34:04,500 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,521 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,521 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,522 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,524 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,524 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,525 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,525 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,529 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
> 2015-06-24 04:34:04,529 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
>
> ... then about a minute later...
>
> 2015-06-24 04:35:07,931 fail2ban.actions [3210]: NOTICE [sshd] Ban 113.195.145.70
>
> ... then about 6 minutes later...
>
> 2015-06-24 04:41:25,105 fail2ban.actions [3210]: NOTICE [sshd] 113.195.145.70 already banned
> 2015-06-24 04:41:42,704 fail2ban.filter [3210]: INFO [pam-generic] Found 113.195.145.70
> 2015-06-24 04:41:42,720 fail2ban.filter [3210]: INFO [pam-generic] Found 113.195.145.70
> 2015-06-24 04:41:42,720 fail2ban.filter [3210]: INFO [pam-generic] Found 113.195.145.70

Was the IP unbanned during the missing logs?

>
> I see this a lot, not any one jail. Is this because of the threaded nature
> of fail2ban that it is queuing up things to another thread?

The last three lines above are from a different jail, pam-generic. Does that jail ban the IP as well?

>
> When I see Already Banned, it makes me wonder if it didn't really ban it the
> first time.
>
> Here's a second example that plays itself out over a half hour:

I don't see a half hour here, apache-noscript and apache-badbots are different jails. Assuming they block the same ports, the bantime could have easily expired between the first log and second log ~22 minutes later. Are you filtering out fail2ban log lines?

Assuming you have a larger maxretry (you increased it for sshd), the ~3 minutes before the first apache-badbots banning 192.111.146.34 seems reasonable, as those requests seem to have been spread out over that time - although you haven't provided the Apache access log to correlate.

>
> 2015-06-24 04:34:26,785 fail2ban.actions [3210]: NOTICE [apache-noscript] Ban 192.111.146.34
> 2015-06-24 04:56:07,436 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:56:07,436 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:56:12,921 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:56:13,589 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:56:13,589 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:56:14,088 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:56:14,089 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:57:26,894 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:57:26,894 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:58:45,453 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:09,863 fail2ban.actions [3210]: NOTICE [apache-badbots] Ban 192.111.146.34
> 2015-06-24 04:59:15,940 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,778 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,779 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,779 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,779 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,779 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,780 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,780 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:21,780 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 04:59:55,517 fail2ban.actions [3210]: NOTICE [apache-badbots] 192.111.146.34 already banned
> 2015-06-24 04:59:57,451 fail2ban.actions [3210]: NOTICE [apache-badbots] 192.111.146.34 already banned
> 2015-06-24 04:59:59,457 fail2ban.actions [3210]: NOTICE [apache-badbots] 192.111.146.34 already banned
> 2015-06-24 05:00:00,579 fail2ban.actions [3210]: NOTICE [apache-badbots] 192.111.146.34 already banned
> 2015-06-24 05:06:55,620 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 05:06:55,621 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 05:06:55,621 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 05:06:55,621 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 05:06:55,622 fail2ban.filter [3210]: INFO [apache-badbots] Found 192.111.146.34
> 2015-06-24 05:06:56,665 fail2ban.actions [3210]: NOTICE [apache-badbots] 192.111.146.34 already banned
>

I'd suggest pulling your Apache logs and correlating them with the "Found" logs above to get a better sense of timing differences. Your previous post regarding apache-fakegooglebot indicated things were slow as well. Without system specific information it is very difficult to help diagnose a performance issue. Looking at log file sizes, jail backend used, fail2ban process information can also be helpful.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
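
Added example (not part of the original message, and not fail2ban's own code): a small Python script that measures the timing questions raised in this thread, per jail and IP: how many "Found" lines preceded the "Ban", how long the ban lagged the last "Found", and how long after the "Ban" each "already banned" notice appeared. The function names are hypothetical, the regex assumes the log layout quoted above, and the sample lines are abridged from the quoted sshd excerpt.

```python
import re
from datetime import datetime

# Line layout as seen in the fail2ban.log excerpts quoted in this thread.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+"
    r"\[([^\]]+)\]\s+(?:(Found|Ban|Unban)\s+(\S+)|(\S+)\s+(already banned))\s*$"
)

def parse(lines):
    """Yield (timestamp, jail, event, ip) for every recognised log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m.group(2), m.group(3) or m.group(6), m.group(4) or m.group(5)

def summarize(lines):
    """Per (jail, ip): Found count before the ban, seconds from the last Found
    to the Ban, and seconds from the Ban to each 'already banned' notice."""
    state = {}
    for ts, jail, event, ip in parse(lines):
        s = state.setdefault((jail, ip), {"found_before_ban": 0, "last_found": None,
                                          "banned_at": None, "ban_lag": None,
                                          "already_banned": []})
        if event == "Found":
            s["last_found"] = ts
            if s["banned_at"] is None:
                s["found_before_ban"] += 1
        elif event == "Ban":
            s["banned_at"] = ts
            if s["last_found"] is not None:
                s["ban_lag"] = (ts - s["last_found"]).total_seconds()
        elif event == "Unban":
            s["banned_at"], s["found_before_ban"] = None, 0
        else:  # "already banned"; None means no Ban for this jail is in the input
            s["already_banned"].append(
                (ts - s["banned_at"]).total_seconds() if s["banned_at"] else None)
    return state

# Abridged from the sshd excerpt quoted above.
SAMPLE = """\
2015-06-24 04:34:04,500 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
2015-06-24 04:34:04,529 fail2ban.filter [3210]: INFO [sshd] Found 113.195.145.70
2015-06-24 04:35:07,931 fail2ban.actions [3210]: NOTICE [sshd] Ban 113.195.145.70
2015-06-24 04:41:25,105 fail2ban.actions [3210]: NOTICE [sshd] 113.195.145.70 already banned
2015-06-24 04:41:42,704 fail2ban.filter [3210]: INFO [pam-generic] Found 113.195.145.70
""".splitlines()

if __name__ == "__main__":
    for (jail, ip), s in summarize(SAMPLE).items():
        print(jail, ip, s["found_before_ban"], s["ban_lag"], s["already_banned"])
```

Run over the complete, unfiltered fail2ban.log, a None entry in the "already banned" list marks a notice for which the jail's own Ban line is absent from the input, which is the case to check against filtered or rotated logs.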
