On 9/18/2020 2:50 PM, Robert Kudyba wrote:
> 2020-09-18 14:09:16,544 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
> 2020-09-18 14:15:24,663 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
>
> First, why is pam-generic being triggered only once? Then, how is this
> "already banned" showing, if, well, the IP is already banned?

I can't say about pam-generic, but the IP addresses already being banned
is because of disk caching. Fail2ban physically reads the logs, but
Linux caches reads and writes. So there could be five or six attempts
that are in the cache but not actually sent to the log files yet when
F2B notices enough entries to trigger a ban. After it bans, then the
other entries get written to disk, and F2B sees them, starts to act on
them, then notices that the address is already banned. So it prints the
warning because, as far as it knows, the ban is in place, but it's possible
that something altered the IPTables rule list and allowed the offending
host to connect again.
--
--- Dan
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
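
An added example, not part of the original message and not fail2ban's own code: the reply names two situations behind "already banned" (log entries that show up just after the ban, and a host that can still connect), and this script separates them by measuring how long after the `Ban` line each warning appears in `fail2ban.log`. The `Ban` lines, the address 203.0.113.7, the function name `classify` and the 10-second grace window are assumptions made for the illustration; only the two warning lines for 198.144.184.32 come from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in fail2ban.log format. Only the two "already banned"
# lines for 198.144.184.32 are from the thread; everything else is made up.
SAMPLE_LOG = """\
2020-09-18 14:03:02,117 fail2ban.actions [69632]: NOTICE [sshd] Ban 198.144.184.32
2020-09-18 14:09:16,544 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
2020-09-18 14:15:24,663 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
2020-09-18 14:20:00,010 fail2ban.actions [69632]: NOTICE [sshd] Ban 203.0.113.7
2020-09-18 14:20:01,250 fail2ban.actions [69632]: WARNING [sshd] 203.0.113.7 already banned
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"(?:NOTICE|WARNING)\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?:(?P<verb>Ban|Unban) (?P<ip1>\S+)|(?P<ip2>\S+) already banned)\s*$"
)

def classify(log_text, grace=timedelta(seconds=10)):
    """Return {(jail, ip): {"stragglers": n, "late": n}}.

    stragglers: warnings within `grace` of the Ban (entries that arrived late).
    late: warnings after that, i.e. the host was still reaching the service.
    Warnings with no Ban line in the text (e.g. a rotated log) are skipped.
    """
    banned_at, result = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], m["ip1"] or m["ip2"])
        if m["verb"] == "Ban":
            banned_at[key] = ts
        elif m["verb"] == "Unban":
            banned_at.pop(key, None)
        elif key in banned_at:
            kind = "stragglers" if ts - banned_at[key] <= grace else "late"
            result.setdefault(key, {"stragglers": 0, "late": 0})[kind] += 1
    return result

if __name__ == "__main__":
    for (jail, ip), c in classify(SAMPLE_LOG).items():
        hint = "check the firewall rule for this jail" if c["late"] else "ok"
        print(f"[{jail}] {ip}: {c['stragglers']} straggler(s), {c['late']} late -> {hint}")
```

An address with a non-zero "late" count is worth comparing against the live rule set (for example the output of `fail2ban-client status sshd` and `iptables -S`) to confirm the ban action is actually blocking traffic.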