On 23-01-19 20:05, Robert Kudyba wrote:
> Is there something wrong with our configuration? Why would any IP that
> gets permanently banned get unbanned? jail.local is below, logs showing
> unban and recidive is as follows. Is there some overlap in the findtime
> option?
The sshd jail bans and unbans according to your configuration.
Your logging shows that the recidive jail found 3 tries. Configuration for
the recidive jail says you want to allow 5 retries before banning, so
there is no ban yet for the recidive jail. Just like the logs tell you: no
bans and no unbans for the recidive jail (yet).
Maybe you misunderstand how the recidive jail is supposed to work? Or
you misread the logs?
Kind regards,
Tom
>
> fail2ban-0.10.4-1.fc29.noarch
> 2019-01-22 19:55:15,551 fail2ban.actions [46998]: NOTICE [sshd] Ban 218.92.1.156
> 2019-01-22 19:55:15,949 fail2ban.filter [46998]: INFO [recidive] Found 218.92.1.156 - 2019-01-22 19:55:15
> 2019-01-22 21:15:15,134 fail2ban.actions [46998]: NOTICE [sshd] Unban 218.92.1.156
> 2019-01-22 21:15:39,083 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 21:15:39
> 2019-01-22 21:15:41,154 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:15:40
> 2019-01-22 21:15:43,360 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:15:42
> 2019-01-22 21:15:47,368 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:15:46
> 2019-01-22 21:16:27,350 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 21:16:26
> 2019-01-22 21:16:29,439 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:16:28
> 2019-01-22 21:16:30,643 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:16:30
> 2019-01-22 21:16:33,250 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:16:32
> 2019-01-22 21:16:33,258 fail2ban.actions [46998]: NOTICE [sshd] Ban 218.92.1.156
> 2019-01-22 21:16:33,306 fail2ban.filter [46998]: INFO [recidive] Found 218.92.1.156 - 2019-01-22 21:16:33
> 2019-01-22 22:36:32,835 fail2ban.actions [46998]: NOTICE [sshd] Unban 218.92.1.156
> 2019-01-22 22:37:09,381 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 22:37:08
> 2019-01-22 22:37:11,387 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:10
> 2019-01-22 22:37:13,392 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:12
> 2019-01-22 22:37:17,202 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:16
> 2019-01-22 22:37:58,455 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 22:37:57
> 2019-01-22 22:37:59,662 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:59
> 2019-01-22 22:38:03,870 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:38:03
> 2019-01-22 22:38:07,077 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:38:06
> 2019-01-22 22:38:07,213 fail2ban.actions [46998]: NOTICE [sshd] Ban 218.92.1.156
> 2019-01-22 22:38:07,414 fail2ban.filter [46998]: INFO [recidive] Found 218.92.1.156 - 2019-01-22 22:38:07
> 2019-01-22 23:58:06,298 fail2ban.actions [46998]: NOTICE [sshd] Unban 218.92.1.156
>
> jail.local
> [INCLUDES]
> #before = paths-distro.conf
> before = paths-fedora.conf
>
> [DEFAULT]
> bantime = 4800
> sender = fail2ban
> destemail = root
> action = %(action_mwl)s
> ignoreip = 127.0.0.1 192.168.1.0/24
> mta = sendmail
> maxretry = 6
> backend = polling
> [sshd]
> enabled = true
> filter = sshd[mode=aggressive]
> port = ssh
> logpath = /var/log/secure*
> backend = polling
> #journalmatch =
> banaction = iptables-multiport
> action = %(action_)s
>
> [pam-generic]
> enabled = true
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter = pam-generic
> # port actually must be irrelevant but lets leave it all for some possible uses
> port = all
> logpath = /var/log/secure
> maxretry = 3
> backend = polling
>
> [sendmail-auth2]
> enabled = true
> filter = sendmail-auth2
> backend = polling
> action = iptables-allports[name=sendmail-auth,port="smtp,smtps",protocol=tcp]
> logpath = /var/log/maillog
> maxretry = 4
>
> [recidive]
> enabled = true
> filter = recidive
> action = iptables-allports[name=recidive]
>          sendmail-whois-lines[name=recidive, dest=root, sender=root, logpath=/var/log/fail2ban.log]
> bantime = -1
> #bantime = 43200 ; 1 week
> findtime = 14400 ; 1 day
> maxretry = 5
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
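Tom's reading of the log can be checked mechanically. The script below is an added example for this thread, not fail2ban's own code: it replays the quoted log lines (re-joined here from the wrapped quote) through a simplified model of a jail's findtime / maxretry / bantime bookkeeping. Its assumptions are that [sshd] runs with the stock jail.conf findtime of 10 minutes, since jail.local sets none for it; that findtime behaves as a sliding window over an IP's failures; that an IP's failure count is dropped once it is banned; and that the unban is scheduled bantime seconds after the timestamp of the failure that triggered the ban. The jail settings are the effective values from the quoted jail.local.

```python
"""Replay the quoted fail2ban log through a simplified jail model (added example,
not fail2ban's own code): just enough findtime/maxretry/bantime bookkeeping to
reproduce the Ban/Unban lines in the excerpt and show why [recidive] never fires."""
import re
from datetime import datetime, timedelta

# The log lines quoted in the thread, with the wrapped entries re-joined.
LOG = """\
2019-01-22 19:55:15,551 fail2ban.actions [46998]: NOTICE [sshd] Ban 218.92.1.156
2019-01-22 19:55:15,949 fail2ban.filter [46998]: INFO [recidive] Found 218.92.1.156 - 2019-01-22 19:55:15
2019-01-22 21:15:15,134 fail2ban.actions [46998]: NOTICE [sshd] Unban 218.92.1.156
2019-01-22 21:15:39,083 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 21:15:39
2019-01-22 21:15:41,154 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:15:40
2019-01-22 21:15:43,360 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:15:42
2019-01-22 21:15:47,368 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:15:46
2019-01-22 21:16:27,350 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 21:16:26
2019-01-22 21:16:29,439 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:16:28
2019-01-22 21:16:30,643 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:16:30
2019-01-22 21:16:33,250 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 21:16:32
2019-01-22 21:16:33,258 fail2ban.actions [46998]: NOTICE [sshd] Ban 218.92.1.156
2019-01-22 21:16:33,306 fail2ban.filter [46998]: INFO [recidive] Found 218.92.1.156 - 2019-01-22 21:16:33
2019-01-22 22:36:32,835 fail2ban.actions [46998]: NOTICE [sshd] Unban 218.92.1.156
2019-01-22 22:37:09,381 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 22:37:08
2019-01-22 22:37:11,387 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:10
2019-01-22 22:37:13,392 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:12
2019-01-22 22:37:17,202 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:16
2019-01-22 22:37:58,455 fail2ban.filter [46998]: INFO [pam-generic] Found 218.92.1.156 - 2019-01-22 22:37:57
2019-01-22 22:37:59,662 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:37:59
2019-01-22 22:38:03,870 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:38:03
2019-01-22 22:38:07,077 fail2ban.filter [46998]: INFO [sshd] Found 218.92.1.156 - 2019-01-22 22:38:06
2019-01-22 22:38:07,213 fail2ban.actions [46998]: NOTICE [sshd] Ban 218.92.1.156
2019-01-22 22:38:07,414 fail2ban.filter [46998]: INFO [recidive] Found 218.92.1.156 - 2019-01-22 22:38:07
2019-01-22 23:58:06,298 fail2ban.actions [46998]: NOTICE [sshd] Unban 218.92.1.156
"""

TS = "%Y-%m-%d %H:%M:%S"
# A 'Found' line carries the log-event time after " - "; that is the time fail2ban counts.
FOUND_RE = re.compile(r"INFO \[(?P<jail>[\w-]+)\] Found (?P<ip>\S+) - (?P<ts>[\d-]+ [\d:]+)$")
ACTION_RE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+),\d+ .*NOTICE \[(?P<jail>[\w-]+)\] (?P<act>Ban|Unban) (?P<ip>\S+)$")

# Effective settings from the quoted jail.local: [sshd] inherits maxretry/bantime from
# [DEFAULT] and sets no findtime, so the stock jail.conf value of 10 min is assumed.
JAILS = {
    "sshd":     {"findtime": 600,   "maxretry": 6, "bantime": 4800},
    "recidive": {"findtime": 14400, "maxretry": 5, "bantime": -1},  # -1 = permanent
}


def parse(log):
    """Split the log into 'Found' events and Ban/Unban actions."""
    found, actions = [], []
    for line in log.splitlines():
        m = FOUND_RE.search(line)
        if m:
            found.append((m["jail"], m["ip"], datetime.strptime(m["ts"], TS)))
            continue
        m = ACTION_RE.match(line)
        if m:
            actions.append((m["jail"], m["act"], m["ip"], datetime.strptime(m["ts"], TS)))
    return found, actions


def simulate(jail, cfg, found):
    """Count each IP's failures inside a sliding findtime window. At maxretry the IP
    is banned (unban = that failure + bantime, or never for bantime -1) and its
    counter is dropped, modelling fail2ban discarding the failure ticket on ban.
    Returns (peak failures seen in one window, [(ban_time, unban_time_or_None), ...])."""
    window, peak, bans = {}, 0, []
    for j, ip, ts in found:
        if j != jail:
            continue
        hits = [t for t in window.get(ip, []) if (ts - t).total_seconds() <= cfg["findtime"]]
        hits.append(ts)
        peak = max(peak, len(hits))
        if len(hits) >= cfg["maxretry"]:
            unban = None if cfg["bantime"] < 0 else ts + timedelta(seconds=cfg["bantime"])
            bans.append((ts, unban))
            hits = []
        window[ip] = hits
    return peak, bans


def explain(log=LOG):
    """Per jail: failures counted, bans the model predicts, and bans/unbans actually logged."""
    found, actions = parse(log)
    fmt = lambda t: t.strftime(TS) if t else "never"
    report = {}
    for jail, cfg in JAILS.items():
        peak, bans = simulate(jail, cfg, found)
        report[jail] = {
            "peak_failures": peak, "maxretry": cfg["maxretry"],
            "modelled_bans": [fmt(b) for b, _ in bans],
            "modelled_unbans": [fmt(u) for _, u in bans],
            "logged_bans": [fmt(t) for j, a, _, t in actions if j == jail and a == "Ban"],
            "logged_unbans": [fmt(t) for j, a, _, t in actions if j == jail and a == "Unban"],
        }
    return report


if __name__ == "__main__":
    for jail, r in explain().items():
        print(f"[{jail}] peak failures in window: {r['peak_failures']} / maxretry {r['maxretry']}")
        print(f"  modelled bans {r['modelled_bans']} -> unbans {r['modelled_unbans']}")
        print(f"  logged   bans {r['logged_bans']} -> unbans {r['logged_unbans']}")
```

Run as a script it prints one summary per jail. The recidive row shows a peak of 3 failures against maxretry 5, which is exactly Tom's point: nothing was ever permanently banned, so nothing was unbanned from recidive. The sshd rows show the two bans the excerpt contains enough failures to reproduce (the 19:55 ban's preceding attempts fall before the excerpt starts), and the modelled unban times coincide with the logged ones because each unban is bantime = 4800 s, i.e. 80 minutes, after the failure that triggered the ban. The model reads numeric values only: findtime = 14400 is four hours and the commented-out 43200 is twelve, whatever the trailing comments in jail.local say, so if recidive was meant to look back a day or a week the values themselves need changing.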
