It could be your ignoreip preventing the ban or not enough hits (maxretry)
within findtime.  It also could be that all those hits are from the same IP
address (not likely though).

Post your jail.

Bill

On 4/10/2016 9:36 PM, jaso...@mail-central.com wrote:
> I'm running f2b
>
> I've tested my match-and-populate-ipset config
>
>       fail2ban-regex -vv \
>       /var/log/postfix/postfix.log \
>       /etc/fail2ban/filter.d/my-postfix-ipset.conf
>
> which shows a moderate expected number of matches
>
>       Results
>       =======
>
>       Failregex: 173 total
>       ...
>       Lines: 204773 lines, 0 ignored, 173 matched, 204600 missed
>       [processed in 14.68 sec]
>
>       Missed line(s): too many to print.  Use --print-all-missed to print all 
> 204600 lines
>
>
> When I launch f2b service, running from systemd, I see this in logs
>
>       ...
>       2016-04-10 18:03:31,439 fail2ban.filter         [7922]: DEBUG   
> Processing line with time:1460336611.0 and ip:88.199.175.11
>       2016-04-10 18:03:31,439 fail2ban.filter         [7922]: INFO    
> [my-postfix-ipset] Found 88.199.175.11
>       2016-04-10 18:03:31,439 fail2ban.failmanager    [7922]: DEBUG   Total # 
> of detected failures: 68. Current failures from 7 IPs (IP:count): 
> 84.61.149.81:1, 192.94.73.17:1, 88.199.175.11:1, 168.144.32.46:1, 
> 64.90.191.10:1, 80.17.38.39:1, 195.154.82.115:1
>       2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Matched 
> time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: 
> Year)?
>       2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Got 
> time 1460336611.000000 for "'Apr 10 18:03:31'" using template (?:DAY )?MON 
> Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>       2016-04-10 18:03:31,441 fail2ban.datedetector   [7922]: DEBUG   Sorting 
> the template list
>
> and then log output just seems to repeat an endless # of the same date match
>
>       2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Got 
> time 1460336611.000000 for "'Apr 10 18:03:31'" using template (?:DAY )?MON 
> Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>
>
> If I check the ipset at this point,
>
>       ipset -L f2b-Ip
>               Name: f2b-Ip
>               Type: hash:ip
>               Revision: 4
>               Header: family inet hashsize 1024 maxelem 65536 timeout 3600
>               Size in memory: 224
>               References: 0
>               Members:
>               88.199.175.11 timeout 604649
>
> I see only ONE ip blocked.  That IP *should* be blocked, but so should lots 
> of others.
>
> I'm not sure what to debug here, since my loglevel=DEBUG logs just stop.
>
> Any help on how to start to find the problem?
>
> Jason
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
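
An added example, not part of the original thread and not fail2ban's own code: a simplified model of the per-IP maxretry / findtime / ignoreip decision described in the reply above, showing how many filter matches can still produce very few bans. The function name, thresholds and sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

def would_ban(failures, maxretry, findtime, ignoreip=()):
    """Return {ip: time_of_ban} for IPs that reach maxretry failures
    inside a sliding window of findtime seconds.

    failures: iterable of (unix_time, ip) pairs, one per filter match.
    ignoreip: addresses or CIDR networks that are never banned.
    Simplified model: counting is per source IP, as in the jail settings.
    """
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    windows = defaultdict(deque)   # ip -> timestamps still inside findtime
    banned = {}
    for ts, ip in sorted(failures):
        addr = ipaddress.ip_address(ip)
        if ip in banned or any(addr in net for net in ignored):
            continue
        win = windows[ip]
        win.append(ts)
        # Drop failures that have aged out of the findtime window.
        while win and ts - win[0] > findtime:
            win.popleft()
        if len(win) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample data (documentation address ranges, not real hosts).
BASE = 1460336611
SAMPLE = (
    # Three hits within two minutes: the only pattern that trips a ban.
    [(BASE + 60 * i, "203.0.113.5") for i in range(3)]
    # Three hits spread over ~23 minutes: never maxretry inside findtime.
    + [(BASE + 700 * i, "198.51.100.7") for i in range(3)]
    # Five rapid hits from a network listed in ignoreip.
    + [(BASE + 10 * i, "192.0.2.9") for i in range(5)]
    # Seven different IPs with one hit each (IP:count of 1 for every IP).
    + [(BASE + i, f"203.0.113.{100 + i}") for i in range(7)]
)

if __name__ == "__main__":
    bans = would_ban(SAMPLE, maxretry=3, findtime=600,
                     ignoreip=["192.0.2.0/24"])
    print(f"{len(SAMPLE)} matches -> {len(bans)} ban(s): {bans}")
```

Comparing the per-IP counts against the jail's actual maxretry, findtime and ignoreip values is the quickest way to tell an expected low ban count from a misbehaving jail.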

