I'm running f2b

I've tested my match-and-populate-ipset config

        fail2ban-regex -vv \
        /var/log/postfix/postfix.log \
        /etc/fail2ban/filter.d/my-postfix-ipset.conf

which shows a moderate expected number of matches

        Results
        =======

        Failregex: 173 total
        ...
        Lines: 204773 lines, 0 ignored, 173 matched, 204600 missed
        [processed in 14.68 sec]

        Missed line(s): too many to print.  Use --print-all-missed to print all 204600 lines


When I launch the f2b service, running from systemd, I see this in the logs

        ...
        2016-04-10 18:03:31,439 fail2ban.filter         [7922]: DEBUG   Processing line with time:1460336611.0 and ip:88.199.175.11
        2016-04-10 18:03:31,439 fail2ban.filter         [7922]: INFO    [my-postfix-ipset] Found 88.199.175.11
        2016-04-10 18:03:31,439 fail2ban.failmanager    [7922]: DEBUG   Total # of detected failures: 68. Current failures from 7 IPs (IP:count): 84.61.149.81:1, 192.94.73.17:1, 88.199.175.11:1, 168.144.32.46:1, 64.90.191.10:1, 80.17.38.39:1, 195.154.82.115:1
        2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
        2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Got time 1460336611.000000 for "'Apr 10 18:03:31'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
        2016-04-10 18:03:31,441 fail2ban.datedetector   [7922]: DEBUG   Sorting the template list

and then the log output just seems to repeat an endless # of the same date match

        2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Got time 1460336611.000000 for "'Apr 10 18:03:31'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?


If I check the ipset at this point,

        ipset -L f2b-Ip
                Name: f2b-Ip
                Type: hash:ip
                Revision: 4
                Header: family inet hashsize 1024 maxelem 65536 timeout 3600
                Size in memory: 224
                References: 0
                Members:
                88.199.175.11 timeout 604649

I see only ONE ip blocked.  That IP *should* be blocked, but so should lots of 
others.

I'm not sure what to debug here, since my loglevel=DEBUG logs just stop.

Any help on how to start to find the problem?

Jason

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
