On 16-08-17 15:46, Robert Kudyba wrote:
> We are using the custom-firewalld
> at https://github.com/fail2ban/fail2ban/issues/1474#issuecomment-272659488.
> You can see from the logs below that unbans are still happening even
> though bantime = -1. This is Fedora 26 rpm -q fail2ban:
> fail2ban-0.9.7-2.fc26.noarch. Here are the related jail.local options
> and log snips. Is there some overlap with the 'findtime' value?
>
> bantime = 3600
> sender = fail2ban
> action = custom-firewalld
> backend = auto
> mta = sendmail
>
> #[Definition]
>
> [sshd]
> enabled = true
> filter = sshd
> logpath = /var/log/secure

bantime unset, so default value of 3600 applies

>
> [sshd-ddos]
> enabled = true
> #port = ssh,sftp
> filter = sshd-ddos
> logpath = /var/log/secure
> maxretry = 5
>
> [pam-generic]
> enabled = true
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter = pam-generic
> # port actually must be irrelevant but lets leave it all for some
> possible uses
> port = all
> banaction = iptables-allports
> logpath = /var/log/secure
> maxretry = 3
>
> [recidive]
> enabled = true
> filter = recidive
> logpath = /var/log/fail2ban.log
> action = custom-firewalld[name=recidive]
>          sendmail-whois-lines[name=recidive,
>          logpath=/var/log/fail2ban.log]
> bantime = -1 ; forever
> findtime = 86400 ; 1 day
> maxretry = 5

bantime set, -1 applies

>
> cat /var/log/fail2ban.log| grep 164.215.170.34
> 2017-08-15 16:41:26,524 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:26,530 fail2ban.filter [1996]: INFO
> [pam-generic] Found *164.215.170.34*
> 2017-08-15 16:41:26,534 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:29,132 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:31,763 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:35,006 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:35,744 fail2ban.actions [1996]: NOTICE [sshd]
> Ban *164.215.170.34*

sshd jail banned

> 2017-08-15 16:41:35,746 fail2ban.filter [1996]: INFO
> [recidive] Found *164.215.170.34*

recidive jail found, but not banned!

> 2017-08-15 16:41:36,811 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:39,525 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:42,563 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:45,622 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:48,273 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:48,277 fail2ban.filter [1996]: INFO [sshd]
> Found *164.215.170.34*
> 2017-08-15 16:41:48,527 fail2ban.actions [1996]: NOTICE [sshd]
> *164.215.170.34*already banned

sshd jail banned again

> 2017-08-15 17:41:35,914 fail2ban.actions [1996]: NOTICE [sshd]
> Unban *164.215.170.34*

sshd jail unbanned after 3600 seconds

recidive jail never banned this ip address, so no unbanning took place.
You mistook the sshd jail for the recidive jail.

Kind regards,
Tom
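
Added example (not part of the original message and not fail2ban's own code): a short Python script that attributes each Ban/Unban for an IP to the jail that issued it and compares the hold time with that jail's bantime. The sample input is constructed from a subset of the log lines quoted above; the BANTIME table and the function names are assumptions for illustration.

```python
import re
from datetime import datetime

# Effective bantime per jail from the quoted jail.local (assumed: top-level bantime is [DEFAULT]).
BANTIME = {"sshd": 3600, "pam-generic": 3600, "recidive": -1}

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

def jail_timeline(lines, ip):
    """Per jail: number of Found events and [ban, unban] timestamp pairs for ip."""
    out = {}
    for raw in lines:
        m = LINE.match(raw.replace("*", ""))  # drop e-mail emphasis markers
        if not m or m["ip"] != ip:
            continue  # other IPs and "already banned" notices are skipped
        j = out.setdefault(m["jail"], {"found": 0, "bans": []})
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["event"] == "Found":
            j["found"] += 1
        elif m["event"] == "Ban":
            j["bans"].append([ts, None])
        elif j["bans"] and j["bans"][-1][1] is None:  # Unban closes the open ban
            j["bans"][-1][1] = ts
    return out

def explain(lines, ip):
    """Attribute every ban/unban to its jail and pair it with that jail's bantime."""
    report = {}
    for jail, data in jail_timeline(lines, ip).items():
        held = [round((u - b).total_seconds()) if u else None for b, u in data["bans"]]
        report[jail] = {"found": data["found"], "held_seconds": held, "bantime": BANTIME.get(jail)}
    return report

# Constructed sample: a subset of the log lines quoted in the message.
SAMPLE = """\
2017-08-15 16:41:26,524 fail2ban.filter [1996]: INFO [sshd] Found *164.215.170.34*
2017-08-15 16:41:26,530 fail2ban.filter [1996]: INFO [pam-generic] Found *164.215.170.34*
2017-08-15 16:41:35,744 fail2ban.actions [1996]: NOTICE [sshd] Ban *164.215.170.34*
2017-08-15 16:41:35,746 fail2ban.filter [1996]: INFO [recidive] Found *164.215.170.34*
2017-08-15 16:41:48,527 fail2ban.actions [1996]: NOTICE [sshd] *164.215.170.34*already banned
2017-08-15 17:41:35,914 fail2ban.actions [1996]: NOTICE [sshd] Unban *164.215.170.34*
""".splitlines()

if __name__ == "__main__":
    for jail, r in explain(SAMPLE, "164.215.170.34").items():
        print(jail, r)
```

A jail whose held_seconds list is empty never issued a ban for that address, so its bantime setting played no part in any Unban line.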
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users