Re: [Fail2ban-users] recidive jail set, but IP still gets in

Tue, 07 Jul 2020 10:37:21 -0700
This can happen if there is still an active connection with the jailed IP. f2b only affects future, new connections. 


At 06:32 AM 7/7/2020, Yassine Chaouche wrote:


Let us examine what f2b logs for 185.143.72.27 say :

1. Is is banned/unbanned by postfix-sasl 4 times


2. on the fifth occurence, it is first banned by the postfix-sasl 
jail then by the recidive jail. Curiously, the recidive jail doesn't 
detect that it has already been banned before. Maybe because each 
ban is related to a jail. Since the recidive jail hasn't seen this 
IP before, it bans it.



3. After 10 minutes, the ban set by postfix-sasl expires, and that 
jail unbans the IP, cancelling the recidive jail ban ?


I have emphasized the three relevant lines in the following trace :

root@messagerie[10.10.10.19] ~ # grep 185.143.72.27 /var/log/fail2ban.log

2020-07-05 12:12:37,533 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 12:22:38,527 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 12:24:55,901 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 12:34:55,998 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 12:37:03,268 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 12:47:03,314 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 12:49:12,632 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 12:59:12,706 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 13:01:18,973 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 13:01:19,652 fail2ban.actions[42541]: WARNING [recidive] 
Ban 185.143.72.27
2020-07-05 13:11:19,015 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 13:13:33,249 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 13:23:33,293 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 13:25:51,567 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 13:35:51,662 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 13:38:02,928 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 13:48:03,009 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 13:50:10,287 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 14:00:10,335 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Unban 185.143.72.27
2020-07-05 14:02:16,520 fail2ban.actions[42541]: WARNING 
[postfix-sasl] Ban 185.143.72.27
2020-07-05 14:02:17,073 fail2ban.actions[42541]: INFO    [recidive] 
185.143.72.27 already banned




Yassine

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users























					Reply via email to