fail2ban's actions are in /etc/fail2ban/action.d/
filters are in /etc/fail2ban/filter.d/
You seem to be missing the filter for [recidive]
Have you looked at: https://www.dghost.com/techno/internet/the-power-of-fail2ban
[recidive] enabled = true filter = recidive logpath = /var/log/fail2ban.log action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] bantime = 604800 ; 1 week findtime = 86400 ;
1 day maxretry = 5
Bill
On 11/26/2017 11:28 AM, Yusui Tomikawa wrote:
Hello,
> Post your jail config section for [recidive] and your 'iptables-allports'
action.
[recidive] section are as follows and I could not find configuration for
'iptables-allports'... Where is it?
[recidive]
logpath = /var/log/fail2ban.log
banaction = iptables-allports
bantime = 1209600 ; 2 weeks
findtime = 604800 ; 1 week
maxretry = 3
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
> Is XX.XX.XX.XX in
> 2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban
XX.XX.XX.XX
> an obfuscated public IP address?
Yes. XX.XX.XX.XX is a public IP address which should be blocked.
> Why are your log file entries out of order?
Fail2ban.log seems to be in order like this but log entries are not in order
with unknown reason...
2017-11-14 20:18:36,788 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-14 20:18:36,797 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-14 20:18:36,809 fail2ban.filter [641]: INFO [pam-generic]
Found XX.XX.XX.XX
2017-11-14 20:18:38,902 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-14 20:18:40,981 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-14 20:18:42,979 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE [sshd] Ban
XX.XX.XX.XX
2017-11-14 20:18:43,889 fail2ban.filter [641]: INFO [recidive] Found
XX.XX.XX.XX
2017-11-14 20:18:44,111 fail2ban.actions [641]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport'
info 'CallingMap({'time': 1510690723.8871074, 'matches': 'Nov 14 20:18:36 okapi sshd[27019]: Invalid user belltcg from
XX.XX.XX.XX\nNov 14 20:18:36 okapi sshd[27019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=XX.XX.XX.XX\nNov 14 20:18:38 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port
47689 ssh2\nNov 14 20:18:40 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2\nNov
14 20:18:42 okapi sshd[27019]: Failed password for invalid user belltcg from 104.236.129.6 port 47689 ssh2', 'ipfailures':
<function Actions.__checkBan.<locals>.<lambda> at 0x7fa01e843840>, 'ipjailfailures': <function
Actions.__checkBan.<locals>.<lambda> at 0x7fa01e843f28>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at
0x7fa01e843b70>, 'failures': 5, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01e8436a8>, 'ip':
'XX.XX.XX.XX'})': Error stopping action
2017-11-15 20:18:43,929 fail2ban.actions [641]: NOTICE [sshd] Unban
XX.XX.XX.XX
2017-11-15 20:18:44,156 fail2ban.actions [641]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport'
info '{'time': 1510690723.8871074, 'failures': 5, 'matches': 'Nov 14 20:18:36 okapi sshd[27019]: Invalid user belltcg from
XX.XX.XX.XXNov 14 20:18:36 okapi sshd[27019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=XX.XX.XX.XXNov 14 20:18:38 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port
47689 ssh2Nov 14 20:18:40 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2Nov 14
20:18:42 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2', 'ip': 'XX.XX.XX.XX'}':
Error stopping action
2017-11-16 07:59:01,109 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-16 07:59:01,114 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-16 07:59:01,115 fail2ban.filter [641]: INFO [pam-generic]
Found XX.XX.XX.XX
2017-11-16 07:59:03,066 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-16 07:59:05,012 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-16 07:59:06,918 fail2ban.filter [641]: INFO [sshd] Found
XX.XX.XX.XX
2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban
XX.XX.XX.XX
2017-11-16 07:59:06,949 fail2ban.filter [641]: INFO [recidive] Found
XX.XX.XX.XX
2017-11-16 07:59:07,165 fail2ban.actions [641]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport'
info 'CallingMap({'time': 1510819146.9440994, 'matches': 'Nov 16 07:59:01 okapi sshd[3714]: Invalid user admin from
XX.XX.XX.XX\nNov 16 07:59:01 okapi sshd[3714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=XX.XX.XX.XX\nNov 16 07:59:03 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794
ssh2\nNov 16 07:59:05 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2\nNov 16
07:59:06 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2', 'ipfailures': <function
Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b79d8>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at
0x7fa01c6b7488>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b76a8>, 'failures': 5,
'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7950>, 'ip': 'XX.XX.XX.XX'})': Error stopping action
2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban
XX.XX.XX.XX
2017-11-16 07:59:07,671 fail2ban.actions [641]: ERROR Failed to execute ban jail 'recidive' action
'iptables-allports' info 'CallingMap({'time': 1510819147.4490871, 'matches': '2017-11-12 03:23:00,898 fail2ban.actions
[641]: NOTICE [sshd] Ban XX.XX.XX.XX\n2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE [sshd] Ban
XX.XX.XX.XX\n2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX', 'ipfailures': <function
Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7488>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at
0x7fa01c6b79d8>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7950>, 'failures': 3,
'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error stopping action
2017-11-17 07:59:07,179 fail2ban.actions [641]: NOTICE [sshd] Unban
XX.XX.XX.XX
2017-11-17 07:59:07,406 fail2ban.actions [641]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport'
info '{'time': 1510819146.9440994, 'failures': 5, 'matches': 'Nov 16 07:59:01 okapi sshd[3714]: Invalid user admin from
XX.XX.XX.XXNov 16 07:59:01 okapi sshd[3714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=XX.XX.XX.XXNov 16 07:59:03 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2Nov
16 07:59:05 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2Nov 16 07:59:06 okapi
sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2', 'ip': 'XX.XX.XX.XX'}': Error stopping action
2017-11-27 0:37 GMT+09:00 Bill Shirley <bshir...@openmri-scottsboro.com
<mailto:bshir...@openmri-scottsboro.com>>:
Post your jail config section for [recidive] and your 'iptables-allports'
action.
Is XX.XX.XX.XX in
2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive]
Ban XX.XX.XX.XX
an obfuscated public IP address?
Why are your log file entries out of order?
Bill
On 11/26/2017 8:54 AM, Smart Goldman wrote:
Hello.
I often got fail2ban's error mails like this:
2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban
XX.XX.XX.XX
2017-11-16 07:59:07,671 fail2ban.actions [641]: ERROR Failed to
execute ban jail 'recidive' action
'iptables-allports' info 'CallingMap({'time': 1510819147.4490871,
'matches': '2017-11-12 03:23:00,898 fail2ban.actions
[641]: NOTICE [sshd] Ban XX.XX.XX.XX
2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE [sshd] Ban
XX.XX.XX.XX
2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban
XX.XX.XX.XX', 'ipfailures': <function
Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7488>, 'ipjailfailures': <function
Actions.__checkBan.<locals>.<lambda>
at 0x7fa01c6b79d8>, 'ipmatches': <function
Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7950>, 'failures': 3,
'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at
0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error
stopping action
It means failure of IP ban?
How can I fix this error?
OS: Ubuntu 16.04 LTS
Thank you.
Yusui
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
<mailto:Fail2ban-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
<https://lists.sourceforge.net/lists/listinfo/fail2ban-users>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
<mailto:Fail2ban-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
<https://lists.sourceforge.net/lists/listinfo/fail2ban-users>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
