Hello list,

I started using fail2ban recently and I faced an issue last night. I
read the FAQ, did a quick Google search but couldn't find anything like
that. I apologize if I missed it (likely I did...).
We run a heavy CMS based site that can take up to a few seconds to respond
sometimes, which leads to apache log entries not being stored in the
same order as the requests were received.
Last night we had some traffic that I would like to block, but fail2ban
did not pick it up. The filter seems to be defined properly, at least
fail2ban-regex displays expected results.

Related part from jail.local:
     [apache_nonstatic]

     enabled = true
     port = http,https
     filter = apache-nonstatic
     logpath = /var/log/virtualmin/*_access_log_nonstatic
     maxretry = 50
     findtime = 3


Partial output from fail2ban-regex:
      ...
     5.196.241.216 (Mon Oct 19 23:18:44 2015)
     5.196.241.216 (Mon Oct 19 23:18:43 2015)
     5.196.241.216 (Mon Oct 19 23:18:46 2015)
     5.196.241.216 (Mon Oct 19 23:18:44 2015)
     5.196.241.216 (Mon Oct 19 23:18:47 2015)
     5.196.241.216 (Mon Oct 19 23:18:44 2015)
     5.196.241.216 (Mon Oct 19 23:18:45 2015)
     5.196.241.216 (Mon Oct 19 23:18:49 2015)
     5.196.241.216 (Mon Oct 19 23:18:48 2015)
     5.196.241.216 (Mon Oct 19 23:18:45 2015)
     5.196.241.216 (Mon Oct 19 23:18:49 2015)
     ...

Every so often there is more than a 3 second gap between two consecutive
log entries but that's only because of apache logging behavior. Sorted
output looks like this:
     ...
     5.196.241.216 (Mon Oct 19 23:18:42 2015)
     5.196.241.216 (Mon Oct 19 23:18:42 2015)
     5.196.241.216 (Mon Oct 19 23:18:42 2015)
     5.196.241.216 (Mon Oct 19 23:18:42 2015)
     5.196.241.216 (Mon Oct 19 23:18:43 2015)
     5.196.241.216 (Mon Oct 19 23:18:43 2015)
     5.196.241.216 (Mon Oct 19 23:18:43 2015)
     5.196.241.216 (Mon Oct 19 23:18:43 2015)
     5.196.241.216 (Mon Oct 19 23:18:44 2015)
     5.196.241.216 (Mon Oct 19 23:18:44 2015)
     5.196.241.216 (Mon Oct 19 23:18:44 2015)
     ...

And it looks the same during the entire time window when that IP was
scanning our site - multiple attempts every second, not even a one second
gap (I'm not posting 400 lines here but I checked it carefully).

Is fail2ban able to handle such situations? Or should I look for a
configuration mistake somewhere else? Or maybe there is a way to make
apache log earlier so that the entries keep their order? Any hint will
be much appreciated.

BTW, fail2ban attempts to block various other scans every so often,
using the same filter and action and that ordering is the only
difference I was able to notice.

Thank you!

-- 
Leszek Eljasz

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
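A small replay of findtime/maxretry counting over the eleven timestamps quoted in the post above, added here as an example; it is not code from the post and not fail2ban's own implementation. It models the counter as a sliding window per IP that is pruned against the newest timestamp seen so far (so a late, older line is counted only if it still falls inside the window), and adds an optional check that discards a line whose timestamp is already more than findtime seconds in the past when the line is read. That last check is my reading of what the live fail2ban filter does and fail2ban-regex does not; the post does not establish it. The write_delay parameter, the maxretry of 7 used in the demo and the IP constant are assumptions; the timestamps are the ones from the post.

```python
"""Replay fail2ban-style findtime/maxretry counting over out-of-order log times.

Added example, not fail2ban's code: a model of the counting rule, written to
see what Apache's out-of-order log lines do to a jail with a 3 second findtime.
Assumptions (labelled): lines are processed in file order with the timestamp
parsed from each line; the window is pruned against the newest timestamp seen
for the IP; a live filter (unlike fail2ban-regex) discards a match whose
timestamp is already more than findtime seconds old when the line is read.
"""
from datetime import datetime, timedelta

IP = "5.196.241.216"            # the scanner from the post
FMT = "%a %b %d %H:%M:%S %Y"    # format fail2ban-regex printed

# The eleven timestamps copied from the fail2ban-regex output in the post,
# in the order the log file has them.
POST_ORDER = [
    "Mon Oct 19 23:18:44 2015", "Mon Oct 19 23:18:43 2015",
    "Mon Oct 19 23:18:46 2015", "Mon Oct 19 23:18:44 2015",
    "Mon Oct 19 23:18:47 2015", "Mon Oct 19 23:18:44 2015",
    "Mon Oct 19 23:18:45 2015", "Mon Oct 19 23:18:49 2015",
    "Mon Oct 19 23:18:48 2015", "Mon Oct 19 23:18:45 2015",
    "Mon Oct 19 23:18:49 2015",
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def replay(timestamps, findtime, maxretry, write_delay=0, stale_check=False):
    """Feed one IP's match timestamps (strings, file order) through the window.

    write_delay: constructed assumption for how many seconds after the
    request's timestamp the line lands in the log and is read by the tailer.
    Returns (peak, ban_at, dropped): the largest in-window count reached, the
    timestamp at which the count first reached maxretry (or None), and how
    many lines the stale check discarded.
    """
    findtime = timedelta(seconds=findtime)
    hits = []          # timestamps currently inside the window
    newest = None      # high-water mark of timestamps seen so far
    peak, ban_at, dropped = 0, None, 0
    for ts in timestamps:
        t = parse(ts)
        seen_at = t + timedelta(seconds=write_delay)
        if stale_check and t < seen_at - findtime:
            dropped += 1            # already older than findtime when read
            continue
        newest = t if newest is None else max(newest, t)
        if t < newest - findtime:
            continue                # late line that is outside the window
        hits = [h for h in hits if h >= newest - findtime] + [t]
        peak = max(peak, len(hits))
        if ban_at is None and len(hits) >= maxretry:
            ban_at = ts
    return peak, ban_at, dropped


if __name__ == "__main__":
    in_order = sorted(POST_ORDER, key=parse)
    print("findtime=3, file order:  ", replay(POST_ORDER, 3, 7))
    print("findtime=3, sorted order:", replay(in_order, 3, 7))
    # Constructed: the CMS writes each line 4 s after the request timestamp.
    print("findtime=3,  4 s write delay:", replay(POST_ORDER, 3, 7, 4, True))
    print("findtime=60, 4 s write delay:", replay(POST_ORDER, 60, 7, 4, True))
```

Two things fall out of the replay. With the window pruned against the newest timestamp, the unsorted file order peaks at 6 hits where the sorted order peaks at 7, so the reordering alone can cost a hit or two per window at a 3 second findtime. The larger effect is the stale check: if the line is written more than findtime seconds after the request timestamp it is never counted at all, which is exactly the situation a slow CMS with findtime = 3 produces, and fail2ban-regex would still show every match because it does not compare against the wall clock. Raising findtime to something like 60 while keeping maxretry = 50 removes both edges; if my reading of the filter is right, running fail2ban at debug log level and looking for lines being ignored because their time is older than findtime would confirm it.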