On Wed, 11 Mar 2020 at 18:13, Robert Kudyba <rkud...@fordham.edu> wrote:
> Why would the recidive jail not be picking up on this IP? See the jail
> settings at the end.
>
> 2020-03-11 11:14:29,382 fail2ban.actions [1539290]: WARNING [pam-generic] 150.136.217.144 already banned
> 2020-03-11 11:14:30,602 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:30
> 2020-03-11 11:14:31,140 fail2ban.actions [1539290]: WARNING [sshd] 150.136.217.144 already banned
> 2020-03-11 11:14:31,352 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:30
> 2020-03-11 11:14:31,356 fail2ban.filter [1539290]: INFO [pam-generic] Found 150.136.217.144 - 2020-03-11 11:14:30
> 2020-03-11 11:14:33,316 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:33
> 2020-03-11 11:14:33,318 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:33
> 2020-03-11 11:14:33,604 fail2ban.filter [1539290]: INFO [pam-generic] Found 150.136.217.144 - 2020-03-11 11:14:33
> 2020-03-11 11:14:36,352 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:35
> 2020-03-11 11:14:38,559 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:38
> 2020-03-11 11:14:38,602 fail2ban.filter [1539290]: INFO [pam-generic] Found 150.136.217.144 - 2020-03-11 11:14:38
> 2020-03-11 11:14:38,796 fail2ban.actions [1539290]: WARNING [pam-generic] 150.136.217.144 already banned
> 2020-03-11 11:14:39,152 fail2ban.actions [1539290]: WARNING [sshd] 150.136.217.144 already banned
> 2020-03-11 11:14:40,352 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:40
> 2020-03-11 11:14:40,852 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:40
> 2020-03-11 11:14:40,856 fail2ban.filter [1539290]: INFO [pam-generic] Found 150.136.217.144 - 2020-03-11 11:14:40
> 2020-03-11 11:14:43,061 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:42
> 2020-03-11 11:14:43,063 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:43
> 2020-03-11 11:14:43,603 fail2ban.filter [1539290]: INFO [pam-generic] Found 150.136.217.144 - 2020-03-11 11:14:43
> 2020-03-11 11:14:45,352 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:45
> 2020-03-11 11:14:45,852 fail2ban.filter [1539290]: INFO [sshd] Found 150.136.217.144 - 2020-03-11 11:14:45
> 2020-03-11 11:14:45,856 fail2ban.filter [1539290]: INFO [pam-generic] Found 150.136.217.144 - 2020-03-11 11:14:45
>
>
> [DEFAULT]
> bantime = 3600
> sender = root
>
> #action = %(action_mwl)s
> action = %(action_)s
> #backend = polling
> #default_backend = polling
> mta = sendmail
> loglevel = DEBUG
> backend = auto
> banaction = firewallcmd-ipset
> #banaction_allports = firewallcmd-ipset
> [sshd]
> filter = sshd[mode=aggressive]
> #filter = sshd
> enabled = true
> logpath = /var/log/secure
> port = ssh,sftp
>
> [pam-generic]
> enabled = true
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter = pam-generic
> # port actually must be irrelevant but lets leave it all for some possible uses
> port = all
> #banaction = iptables-allports
> #port = anyport
> backend = pyinotify
> logpath = /var/log/secure
> maxretry = 3
>
>
> [recidive]
> enabled = true
> filter = recidive
> logpath = /var/log/fail2ban.log
>           /var/log/fail2ban.log-[!.gz]
> banaction = firewallcmd-ipset
> action = badips[category="ssh", key="xxxx"]
> bantime = -1 ; permanent
> findtime = 86400 ; 1 day
> maxretry = 3
>

As I read it none of the events in your log are bans - so recidive would ignore them.

Here are some ban examples:

2020-03-11 14:03:28 streamingbats fail2ban.actions [1179]: NOTICE [apache] Ban 5.101.0.209
2020-03-11 14:11:11 streamingbats fail2ban.actions [1179]: NOTICE [postfix] Ban 212.200.118.98
2020-03-11 14:11:11 streamingbats fail2ban.actions [1179]: NOTICE [recidive] Ban 212.200.118.98
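The distinction drawn in the reply, as an added example that is not part of the original thread and not fail2ban's own code: a small checker that counts only "Ban" notices from other jails and applies the maxretry = 3 / findtime = 86400 values quoted in the [recidive] section. The regex is a simplified stand-in for the shipped recidive filter, the function and variable names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for a recidive-style match (an assumption, not the
# shipped filter): a fail2ban.actions NOTICE "Ban <ip>" from any other jail.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:,\d+)?\s+"
    r"(?:\S+\s+)?fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+"
    r"\[(?!recidive\])[^\]]+\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def recidive_candidates(lines, maxretry=3, findtime=86400):
    """Return {ip: bans} for IPs with >= maxretry Ban lines within findtime seconds."""
    bans = defaultdict(list)
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m:  # "Found", "already banned" and "Unban" lines never get here
            bans[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    window = timedelta(seconds=findtime)
    hits = {}
    for ip, times in bans.items():
        times.sort()
        # Largest number of bans that fall inside any findtime-long span.
        best = max(sum(t - start <= window for t in times[i:])
                   for i, start in enumerate(times))
        if best >= maxretry:
            hits[ip] = best
    return hits

# Constructed sample lines (documentation-range IPs), shaped like the thread's logs.
FOUND_ONLY = [
    "2020-03-11 11:14:29,382 fail2ban.actions [1000]: WARNING [pam-generic] 192.0.2.10 already banned",
    "2020-03-11 11:14:30,602 fail2ban.filter [1000]: INFO [sshd] Found 192.0.2.10 - 2020-03-11 11:14:30",
    "2020-03-11 11:14:31,140 fail2ban.actions [1000]: WARNING [sshd] 192.0.2.10 already banned",
]
WITH_BANS = [
    "2020-03-11 09:00:00,000 fail2ban.actions [1000]: NOTICE [sshd] Ban 203.0.113.7",
    "2020-03-11 10:30:00,000 fail2ban.actions [1000]: NOTICE [pam-generic] Ban 203.0.113.7",
    "2020-03-11 12:00:00 host1 fail2ban.actions [1000]: NOTICE [sshd] Ban 203.0.113.7",
    "2020-03-11 12:00:01 host1 fail2ban.actions [1000]: NOTICE [recidive] Ban 203.0.113.7",
    "2020-03-11 12:05:00,000 fail2ban.actions [1000]: NOTICE [sshd] Ban 198.51.100.4",
    "2020-03-11 12:05:10,000 fail2ban.actions [1000]: NOTICE [sshd] Unban 198.51.100.4",
]

if __name__ == "__main__":
    print(recidive_candidates(FOUND_ONLY))  # no Ban lines, nothing to escalate
    print(recidive_candidates(WITH_BANS))
```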