Hi - ah, I think Fail2Ban isn't logging enough information. You need a bit
more information to help work this out.

Right now, f2b is logging "actions", but we also need it to log a bit more
- so we can sort through the issue of which specific log entries it is
"finding".

You can check by running *fail2ban-client get loglevel* - I suspect it will
come back as "Current logging level is 'WARN'".

This is the sort of log file we need:

2017-09-04 07:50:33,473 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:50:35
2017-09-04 07:50:49,312 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:50:52
2017-09-04 07:50:54,180 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:50:57
2017-09-04 07:51:35,674 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:51:38
2017-09-04 07:51:39,536 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:51:41
2017-09-04 07:51:40,023 fail2ban.actions    [2469]: NOTICE    [sshd] Ban 1.2.3.4


That is from my fail2ban.log - it is showing me the exact time and date of
each log entry that it's found. On the right, the date and time is the
actual date and time of the log entries in /var/log/secure.


This is useful because it shows us exactly what f2b is seeing - it shows us
what is leading up to the bans you're talking about. For your dovecot-long
jail, you would expect to see at least 10 'found' entries in fail2ban.log
for the IP that gets banned.


Remember, we are not talking about the actual dovecot log file, we are
talking about what fail2ban thinks it is seeing in the log file. We need to
know what is making fail2ban make the decision to ban the IP address.


What I think will help is for you to run this command:


*fail2ban-client set loglevel info*


This will make f2b log the sort of detail I showed above. It won't help
right now, but what you can do is wait until you see an IP address being
banned when it shouldn't be. Then, grep for that IP address and you should
see more helpful information.


Once you have that information, send it to the group and we will hopefully
be able to help you more.


It looks like your configuration is good - you obviously know what you're
doing, so I do think it is related to how the log files are
monitored/backed up/rotated/saved.


Once you've increased the logging level, hopefully we will have a much
clearer picture of what's happening.


I'm not sure if I'm sending this to the right address - I got two copies of
your reply, so I hope I'm sending it to the right list!





Tony Collins

On 3 September 2017 at 11:07, chaouche yacine <yacinechaou...@yahoo.com>
wrote:

> Thanks Tony for your answer and sorry for late reply.
>
> My original message contained a zgrep command on fail2ban logs with only
> one entry. Now it has two entries (the ban and the unban) :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 221.228.229.49
> /var/log/fail2ban.log*
> /var/log/fail2ban.log:2017-08-31 01:49:50,512 fail2ban.actions[10631]:
> WARNING [dovecot-long] Unban 221.228.229.49
> /var/log/fail2ban.log.1:2017-08-26 01:49:50,396 fail2ban.actions[10631]:
> WARNING [dovecot-long] Ban 221.228.229.49
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
> So dovecot-long is the jail that was activated.
>
>
> > Often, when this has happened to me it's related to rotating of log
> files
>
> Indeed, I remember I didn't have a logrotate rule for dovecot.log. It got
> to 200Mb+. I then created a rule for it and rotated it while fail2ban was
> running (I guess), which could have caused this behaviour. It didn't happen
> again so I think this is what could have caused it.
>
> > But you've only got "dovecot.log" as your logpath in your jail conf,
>
> Yes, it gets copied to dovecot.log.1 and the original is truncated. Maybe
> this is why fail2ban acts strangely.
>
> Yassine.
>
>
>
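The check Tony describes (count the 'Found' entries for an IP leading up to its Ban and compare against the jail's maxretry) can be automated once fail2ban is logging at INFO. The script below is an added example and is not part of the thread or of fail2ban itself; it parses fail2ban.log lines of the format shown above, counts the Found entries per jail/IP inside an assumed findtime window before each Ban, and flags bans that fail2ban must have based on matches the log does not show (which is what you would expect after a copy-and-truncate rotation). The sample log lines, the jail maxretry values and the 203.0.113.7 address are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# fail2ban.log entry layout at loglevel INFO. The gap between the logger name
# and the [pid] differs between versions ("fail2ban.actions[10631]" vs
# "fail2ban.actions    [2469]"), so any amount of whitespace is accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"fail2ban\.(?P<component>\w+)\s*\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for a Found/Ban/Unban entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return entry


def audit_bans(lines, maxretry, findtime=600):
    """For every Ban, count the Found entries for the same jail/IP within the
    findtime window before it and flag bans where that count is below the
    jail's maxretry (the matches that triggered the ban are missing from the
    log, e.g. because they were logged at a level below INFO or before a
    log rotation). maxretry maps jail name -> configured retry limit."""
    found = {}  # (jail, ip) -> list of filter timestamps of Found entries
    report = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e["jail"], e["ip"])
        if e["event"] == "Found":
            found.setdefault(key, []).append(e["ts"])
        elif e["event"] == "Ban":
            window_start = e["ts"] - timedelta(seconds=findtime)
            hits = [t for t in found.get(key, []) if t >= window_start]
            limit = maxretry.get(e["jail"], 5)  # 5 is fail2ban's default maxretry
            report.append({
                "jail": e["jail"], "ip": e["ip"], "ban_time": e["ts"],
                "found": len(hits), "maxretry": limit,
                "unexplained": len(hits) < limit,
            })
            found[key] = []  # fail2ban resets the failure counter once it bans
    return report


# Constructed sample log: the sshd sequence mirrors the pattern quoted in the
# thread (5 Found entries then a Ban); the dovecot-long ban is preceded by a
# single Found entry, which is the situation under discussion.
SAMPLE_LOG = [
    "2017-09-04 07:50:33,473 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:50:35",
    "2017-09-04 07:50:49,312 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:50:52",
    "2017-09-04 07:50:54,180 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:50:57",
    "2017-09-04 07:51:35,674 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:51:38",
    "2017-09-04 07:51:39,536 fail2ban.filter         [2469]: INFO    [sshd] Found 1.2.3.4 - 2017-09-04 07:51:41",
    "2017-09-04 07:51:40,023 fail2ban.actions    [2469]: NOTICE    [sshd] Ban 1.2.3.4",
    "2017-08-26 01:40:12,001 fail2ban.filter         [10631]: INFO    [dovecot-long] Found 203.0.113.7 - 2017-08-26 01:40:11",
    "2017-08-26 01:45:00,000 fail2ban.server         [10631]: INFO    Jail 'dovecot-long' started",
    "2017-08-26 01:49:50,396 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 203.0.113.7",
    "2017-08-31 01:49:50,512 fail2ban.actions[10631]: WARNING [dovecot-long] Unban 203.0.113.7",
]

# Assumed jail settings (read them from your jail.local in practice).
JAIL_MAXRETRY = {"sshd": 5, "dovecot-long": 10}

if __name__ == "__main__":
    for r in audit_bans(SAMPLE_LOG, JAIL_MAXRETRY):
        status = "UNEXPLAINED" if r["unexplained"] else "ok"
        print(f"{r['ban_time']} [{r['jail']}] Ban {r['ip']}: "
              f"{r['found']} Found entries, maxretry {r['maxretry']} -> {status}")
```

Run it against a real log with `audit_bans(open("/var/log/fail2ban.log"), {...})` and the jail's actual maxretry/findtime; any ban reported as UNEXPLAINED is one whose triggering matches fail2ban saw but the log does not show, which is exactly the case where raising the loglevel (or checking what the rotation did to the file fail2ban was tailing) is the next step.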
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
