Let us examine what f2b logs for 185.143.72.27 say:

1. It is banned/unbanned by POSTFIX-SASL 4 times

2. on the fifth occurrence, it is first banned by the POSTFIX-SASL jail
then by the RECIDIVE jail. Curiously, the RECIDIVE jail doesn't detect
that it has already been banned before. Maybe because each ban is
related to a jail. Since the RECIDIVE jail hasn't seen this IP before,
it bans it. 

3. After 10 minutes, the ban set by POSTFIX-SASL expires, and that jail
unbans the IP, cancelling the RECIDIVE jail ban?

I have emphasized the three relevant lines in the following trace:

root@messagerie[10.10.10.19] ~ # grep 185.143.72.27 /var/log/fail2ban.log
2020-07-05 12:12:37,533 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 12:22:38,527 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 12:24:55,901 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 12:34:55,998 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 12:37:03,268 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 12:47:03,314 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 12:49:12,632 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 12:59:12,706 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 13:01:18,973 FAIL2BAN.ACTIONS[42541]: WARNING [POSTFIX-SASL] BAN 185.143.72.27
2020-07-05 13:01:19,652 FAIL2BAN.ACTIONS[42541]: WARNING [RECIDIVE] BAN 185.143.72.27
2020-07-05 13:11:19,015 FAIL2BAN.ACTIONS[42541]: WARNING [POSTFIX-SASL] UNBAN 185.143.72.27
2020-07-05 13:13:33,249 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 13:23:33,293 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 13:25:51,567 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 13:35:51,662 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 13:38:02,928 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 13:48:03,009 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 13:50:10,287 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 14:00:10,335 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 14:02:16,520 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 14:02:17,073 fail2ban.actions[42541]: INFO    [recidive] 185.143.72.27 already banned

Yassine
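
An added example, not part of the original post: a Python check that replays fail2ban.log lines and reports every Ban that another jail logs while the recidive jail's ban on the same address has not yet been lifted, which is the pattern in the trace above. The sample is an excerpt of that trace with wrapped lines rejoined; the function name bans_during is hypothetical.

```python
import re

# Excerpt of the trace above, wrapped lines rejoined. The upper-case lines
# are the poster's emphasis, so matching is case-insensitive.
SAMPLE = """\
2020-07-05 12:59:12,706 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 13:01:18,973 FAIL2BAN.ACTIONS[42541]: WARNING [POSTFIX-SASL] BAN 185.143.72.27
2020-07-05 13:01:19,652 FAIL2BAN.ACTIONS[42541]: WARNING [RECIDIVE] BAN 185.143.72.27
2020-07-05 13:11:19,015 FAIL2BAN.ACTIONS[42541]: WARNING [POSTFIX-SASL] UNBAN 185.143.72.27
2020-07-05 13:13:33,249 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 13:23:33,293 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 185.143.72.27
2020-07-05 14:02:16,520 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 185.143.72.27
2020-07-05 14:02:17,073 fail2ban.actions[42541]: INFO    [recidive] 185.143.72.27 already banned
"""

# Matches only the Ban/Unban action lines in the format shown in the trace.
EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<verb>ban|unban) (?P<ip>\S+)\s*$",
    re.IGNORECASE,
)

def bans_during(log_text, holding_jail="recidive"):
    """Return (timestamp, ip, jail) for each Ban logged by another jail while
    holding_jail still has an open ban (Ban without a later Unban) on that IP."""
    held = set()      # IPs currently banned by holding_jail
    findings = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # "already banned" INFO lines change no state
        jail, verb, ip = m["jail"].lower(), m["verb"].lower(), m["ip"]
        if jail == holding_jail:
            if verb == "ban":
                held.add(ip)
            else:
                held.discard(ip)
        elif verb == "ban" and ip in held:
            # The host produced enough new failures to be banned again,
            # although the longer ban was never reported as lifted.
            findings.append((m["ts"], ip, jail))
    return findings

if __name__ == "__main__":
    for ts, ip, jail in bans_during(SAMPLE):
        print(f"{ts} {ip}: banned again by [{jail}] while recidive ban is open")
```
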