On Thu, Jun 25, 2015 at 4:18 PM, Lee Clemens <[email protected]> wrote:

> On 06/24/2015 05:28 AM, Michael Grant wrote:
> > I see a lot of these Already Banned messages in my fail2ban log.  For example
> >
> > [sshd]
> > maxretry = 9
> > enabled  = true
> >
> > 2015-06-24 04:34:04,500 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,521 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,521 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,522 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,524 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,524 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,525 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,525 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,529 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> > 2015-06-24 04:34:04,529 fail2ban.filter         [3210]: INFO    [sshd] Found 113.195.145.70
> >
> > ... then about a minute later...
> >
> > 2015-06-24 04:35:07,931 fail2ban.actions        [3210]: NOTICE  [sshd] Ban 113.195.145.70
> >
> > ... then about 6 minutes later...
> >
> > 2015-06-24 04:41:25,105 fail2ban.actions        [3210]: NOTICE  [sshd] 113.195.145.70 already banned
> > 2015-06-24 04:41:42,704 fail2ban.filter         [3210]: INFO    [pam-generic] Found 113.195.145.70
> > 2015-06-24 04:41:42,720 fail2ban.filter         [3210]: INFO    [pam-generic] Found 113.195.145.70
> > 2015-06-24 04:41:42,720 fail2ban.filter         [3210]: INFO    [pam-generic] Found 113.195.145.70
>
> Was the IP unbanned during the missing logs?
>

No


>
> >
> > I see this a lot, not any one jail.  Is this because of the threaded nature of fail2ban that it is queuing up things to another thread?
>
> The last three lines above are from a different jail, pam-generic. Does
> that jail ban the IP as well?
>

Yes, pam-generic uses iptables-allports.  But with only 3 hits, it hasn't
yet hit the maxretry (which I have set to 9) to get banned a second time.


> >
> > When I see Already Banned, it makes me wonder if it didn't really ban it the first time.
> >
> > Here's a second example that plays itself out over a half hour:
>
> I don't see a half hour here, apache-noscript and apache-badbots are
> different jails. Assuming they block the same ports, the bantime could have
> easily expired between the first log and second log ~22 minutes later. Are
> you filtering out fail2ban log lines?
>

My ban time is 90 days, so it most definitely did not expire.

What do you mean by am I filtering out fail2ban log lines?  I'm not running
fail2ban on the fail2ban.log itself.  fail2ban doesn't put any lines back
into the other log files like the apache error log.  So I'm not sure what
you're referring to here.


>
> Assuming you have a larger maxretry (you increased it for sshd), the ~3
> minutes before the first apache-badbots banning 192.111.146.34 seems
> reasonable, as those requests seem to have been spread out over that time -
> although you haven't provided the Apache access log to correlate.
>
> >
> > 2015-06-24 04:34:26,785 fail2ban.actions        [3210]: NOTICE  [apache-noscript] Ban 192.111.146.34
> > 2015-06-24 04:56:07,436 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:56:07,436 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:56:12,921 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:56:13,589 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:56:13,589 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:56:14,088 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:56:14,089 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:57:26,894 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:57:26,894 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:58:45,453 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:09,863 fail2ban.actions        [3210]: NOTICE  [apache-badbots] Ban 192.111.146.34
> > 2015-06-24 04:59:15,940 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,778 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,779 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,779 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,779 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,779 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,779 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,780 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:21,780 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 04:59:55,517 fail2ban.actions        [3210]: NOTICE  [apache-badbots] 192.111.146.34 already banned
> > 2015-06-24 04:59:57,451 fail2ban.actions        [3210]: NOTICE  [apache-badbots] 192.111.146.34 already banned
> > 2015-06-24 04:59:59,457 fail2ban.actions        [3210]: NOTICE  [apache-badbots] 192.111.146.34 already banned
> > 2015-06-24 05:00:00,579 fail2ban.actions        [3210]: NOTICE  [apache-badbots] 192.111.146.34 already banned
> > 2015-06-24 05:06:55,620 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 05:06:55,621 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 05:06:55,621 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 05:06:55,621 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 05:06:55,622 fail2ban.filter         [3210]: INFO    [apache-badbots] Found 192.111.146.34
> > 2015-06-24 05:06:56,665 fail2ban.actions        [3210]: NOTICE  [apache-badbots] 192.111.146.34 already banned
> >
>
> I'd suggest pulling your Apache logs and correlating them with the "Found"
> logs above to get a better sense of timing differences. Your previous post
> regarding apache-fakegooglebot indicated things were slow as well. Without
> system specific information it is very difficult to help diagnose a
> performance issue. Looking at log file sizes, jail backend used, fail2ban
> process information can also be helpful.
>

My apache logs are split out by virtual host.  I have many apache log
files.  I wonder if this is causing a problem.   I have this:

apache_error_log = /var/log/apache2/*error.log
                   /home/www/*/log/error_log

apache_access_log = /var/log/apache2/*access.log
                    /home/www/*/log/access_log

I have gone back to the logs.  I can correlate these lines with actual log
entry lines in the various logs.

In thinking about this, does the above create a thread per log file?  My
current fail2ban has 33 threads.  There are 26 apache access and error logs
on this system.  There does seem to be about or exactly 33 different files
fail2ban is looking at.  Hmm.


>
>
> ------------------------------------------------------------------------------
> Monitor 25 network devices or servers for free with OpManager!
> OpManager is web-based network management software that monitors
> network devices and physical & virtual servers, alerts via email & sms
> for fault. Monitor 25 devices for free with no restriction. Download now
> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
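The "Ban" / "already banned" bookkeeping the thread is puzzling over, replayed on constructed log lines. This is an added model written for this page, not fail2ban's own code; it reproduces how a fail2ban 0.9 jail handles a ticket: hits per IP are counted inside findtime, reaching maxretry drops the counter and hands a ban ticket to the jail's actions, and a ticket for an IP that is already in that jail's own ban list is reported as "already banned" rather than banned again. The unban step here runs on the next hit rather than on fail2ban's own timer, a simplification of this model. The sample Found lines, the pid 3210 and the jail settings (maxretry 9, findtime 10 minutes, bantime 90 days by default) are constructed to match the thread, and `Jail`, `replay`, `found` and `demo` are names of this example only.

```python
"""
Replay fail2ban "Found" lines through a model of how a jail counts failures
and keeps its ban list, to show where "Ban" versus "already banned" comes from.

Added model, not fail2ban's code. It assumes, as fail2ban 0.9 does:
  * each jail counts hits per IP; a hit after findtime since the window
    opened restarts the count
  * when the count reaches maxretry the counter is dropped and a ban ticket
    goes to the jail's actions; later hits for that IP start from zero again
  * each jail has its own ban list; a ticket for an IP already in that
    jail's list is reported as "already banned", not "Ban"
  * bans expire after bantime (Unban); the next ticket after that bans again
"""
from datetime import datetime, timedelta
import re

FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} fail2ban\.filter\s+"
    r"\[\d+\]: INFO\s+\[(?P<jail>[\w-]+)\] Found (?P<ip>\S+)$"
)
FMT = "%Y-%m-%d %H:%M:%S"


class Jail:
    """Failure counter (FailManager side) plus ban list (BanManager side)."""

    def __init__(self, maxretry=9, findtime=timedelta(minutes=10),
                 bantime=timedelta(days=90)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = {}   # ip -> (count, time the findtime window opened)
        self.bans = {}       # ip -> time the ban expires

    def hit(self, now, ip):
        """Record one Found at time `now`; return the NOTICE texts produced."""
        out = []
        for banned, until in list(self.bans.items()):   # expired bans go first
            if until <= now:
                del self.bans[banned]
                out.append(f"Unban {banned}")
        count, opened = self.failures.get(ip, (0, now))
        if now - opened > self.findtime:                # window expired: restart
            count, opened = 0, now
        count += 1
        self.failures[ip] = (count, opened)
        if count >= self.maxretry:
            del self.failures[ip]                       # ticket issued, counter dropped
            if ip in self.bans:
                out.append(f"{ip} already banned")
            else:
                self.bans[ip] = now + self.bantime
                out.append(f"Ban {ip}")
        return out


def replay(lines, jail_settings=None):
    """Feed fail2ban.log lines to per-jail models; return the NOTICE lines."""
    jail_settings = jail_settings or {}
    jails, notices = {}, []
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if not m:
            continue           # not a Found line (fail2ban's own NOTICEs, etc.)
        now = datetime.strptime(m["ts"], FMT)
        name, ip = m["jail"], m["ip"]
        jail = jails.setdefault(name, Jail(**jail_settings.get(name, {})))
        for text in jail.hit(now, ip):
            notices.append(f"{now:{FMT}} NOTICE [{name}] {text}")
    return notices


def found(ts, jail, ip):
    """Build a constructed Found line in the fail2ban.log format seen above."""
    return f"{ts},000 fail2ban.filter         [3210]: INFO    [{jail}] Found {ip}"


# Constructed sample shaped like the thread: nine sshd hits, nine more seven
# minutes later, then nine hits in a second jail that bans on its own list.
IP = "113.195.145.70"
SAMPLE = (
    [found("2015-06-24 04:34:04", "sshd", IP)] * 9
    + [found("2015-06-24 04:41:25", "sshd", IP)] * 9
    + [found("2015-06-24 04:41:42", "pam-generic", IP)] * 9
)


def demo(bantime_minutes=90 * 24 * 60):
    """Replay SAMPLE with maxretry 9 in both jails and the given bantime."""
    bantime = timedelta(minutes=bantime_minutes)
    settings = {"sshd": {"maxretry": 9, "bantime": bantime},
                "pam-generic": {"maxretry": 9, "bantime": bantime}}
    return replay(SAMPLE, settings)


if __name__ == "__main__":
    print("bantime = 90 days:")
    print("\n".join(demo()))
    print("bantime = 5 minutes (the 'did the ban expire?' case):")
    print("\n".join(demo(5)))
```

With the 90-day bantime the second sshd burst yields one "already banned" for the ninth hit, exactly as in the quoted log, while pam-generic logs a fresh "Ban" because its ban list is separate; only when bantime is shortened to 5 minutes does the second burst produce "Unban" followed by "Ban" instead. To check a real fail2ban.log, pass its lines to `replay` with the jail's actual maxretry, findtime and bantime and compare the returned NOTICE lines with the ones fail2ban wrote.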