On 5/8/2021 1:30 PM, Nick Howitt wrote:
> On 08/05/2021 20:22, Dan Egli wrote:
>> On 5/8/2021 12:36 PM, Nick Howitt wrote:
>>> On 08/05/2021 19:03, Dan Egli wrote:
>>>> Okay, something is up here. I'm still getting hammered by these idiots who are querying pizzaseo.com from my name server. So I looked at the list of banned IPs using iptables-save. Not that many. But when I was working on this I had a kludge script that would be run every 10 minutes, grep the logs, and insert an IPTables rule against anyone who was querying that domain. It also kept a list. That list is nearly 400 IPs long! So I was curious. I look at fail2ban.log. It's noticing everything okay, but it keeps saying the hosts are already banned. They are not. So how do I fix this? Here's an example of what I mean:
>>>>
>>>> # grep -c 2.169.102.71 /var/log/named/named.log
>>>> 6029
>>>> # iptables-save | grep 2.169.102.71
>>>> <nothing>
>>>> # grep 2.169.102.71 /var/log/fail2ban.log | grep -c already
>>>> 1454
>>>>
>>>> I don't know if f2b's database is screwed up or what. I tried using fail2ban-client unban 2.169.102.71 to see if by unbanning it f2b would re-add it to the database. But it doesn't happen. I've never tried an unban before, so I don't know what the normal output is, but all I see is a 1 by itself, with a return code of 0.
>>>>
>>>> I can go back to my kludge script for now, but I'd really like to get f2b working!
>>>
>>> So what does the f2b log show? Perhaps try restarting it and watch for errors. If the IP is showing banned in the logs, what does the firewall show?
>>
>> Exactly as I showed above. iptables-save does not show a single entry for that IP. The named log shows over 6000 entries for that IP. Fail2ban shows it getting detected repeatedly, and then saying it is already banned. Let me give an example:
>>
>> tail -f /var/log/fail2ban.log
>> 2021-05-08 13:18:38,288 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
>> 2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
>> 2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
>> 2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
>> 2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
>> 2021-05-08 13:18:38,290 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
>> 2021-05-08 13:18:38,575 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
>> 2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
>> 2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
>> 2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
>> 2021-05-08 13:18:40,505 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40
>> 2021-05-08 13:18:40,506 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40
>>
>> jupiter ~ # iptables-save | grep 3.204.48.235
>> jupiter ~ #
>>
>> Okay, if it's already banned, why isn't it showing in iptables-save?
>
> That is why I said to restart f2b. You should then see in the logs what it is trying to re-ban.
>
> I don't use iptables-save and prefer "iptables -nvL"
I prefer iptables-save because iptables -nvL doesn't show WHICH table/chain a rule belongs to, only that it's there. I like to know where each filter rule in iptables actually is.
So, here's what I did:

1) stop fail2ban
2) truncate the fail2ban logfile, so it's empty and easier to read
3) reset IPTables to the default rule set I have defined before fail2ban (blocking unused ports)
4) start fail2ban
5) tail the log file

So after doing that, when I look at the log I see a LOT of the same address being listed/found. I do not see anything about trying to re-ban. Here's a partial output (still long). I'll put the entire fail2ban.log on my webserver https://www.newideatest.site/fail2ban.log.
2021-05-08 14:23:56,364 fail2ban.filter [16526]: INFO Added logfile: '/var/log/sogo/sogod.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
2021-05-08 14:23:56,366 fail2ban.jail [16526]: INFO Jail 'sshd' started
2021-05-08 14:23:56,368 fail2ban.jail [16526]: INFO Jail 'selinux-ssh' started
2021-05-08 14:23:56,370 fail2ban.jail [16526]: INFO Jail 'apache-badbots' started
2021-05-08 14:23:56,371 fail2ban.jail [16526]: INFO Jail 'apache-overflows' started
2021-05-08 14:23:56,373 fail2ban.jail [16526]: INFO Jail 'apache-nohome' started
2021-05-08 14:23:56,374 fail2ban.jail [16526]: INFO Jail 'apache-botsearch' started
2021-05-08 14:23:56,375 fail2ban.jail [16526]: INFO Jail 'apache-fakegooglebot' started
2021-05-08 14:23:56,377 fail2ban.jail [16526]: INFO Jail 'apache-modsecurity' started
2021-05-08 14:23:56,378 fail2ban.jail [16526]: INFO Jail 'php-url-fopen' started
2021-05-08 14:23:56,379 fail2ban.jail [16526]: INFO Jail 'sogo-auth' started
2021-05-08 14:23:56,380 fail2ban.jail [16526]: INFO Jail 'dovecot' started
2021-05-08 14:23:56,380 fail2ban.jail [16526]: INFO Jail 'sieve' started
2021-05-08 14:23:56,383 fail2ban.jail [16526]: INFO Jail 'exim' started
2021-05-08 14:23:56,385 fail2ban.jail [16526]: INFO Jail 'exim-spam' started
2021-05-08 14:23:56,395 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,397 fail2ban.jail [16526]: INFO Jail 'named-refused' started
2021-05-08 14:23:56,397 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,398 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,398 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,399 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,399 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,400 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,400 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,400 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,401 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,401 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,402 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,402 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,402 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,403 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:00
2021-05-08 14:23:56,403 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,403 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,404 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,405 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,405 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,405 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,406 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,406 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,407 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,407 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,407 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,408 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,408 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,409 fail2ban.jail [16526]: INFO Jail 'mysqld-auth' started
2021-05-08 14:23:56,409 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,410 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,410 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,411 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,411 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,411 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,412 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,412 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,413 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,413 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,413 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,414 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,414 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,414 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,415 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,415 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,425 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,426 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,428 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,428 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,429 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,429 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,430 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,430 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,428 fail2ban.jail [16526]: INFO Jail 'recidive' started
2021-05-08 14:23:56,430 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,431 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,431 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,432 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,432 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,433 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,433 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,433 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,434 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,434 fail2ban.filter [16526]: INFO [named-refused] Found 2.169.102.101 - 2021-05-08 14:23:01
2021-05-08 14:23:56,435 fail2ban.filter [16526]: INFO [named-refused] Found 2.208.13.7 - 2021-05-08 14:23:02
2021-05-08 14:23:56,435 fail2ban.filter [16526]: INFO [named-refused] Found 2.208.13.7 - 2021-05-08 14:23:02
2021-05-08 14:23:56,435 fail2ban.filter [16526]: INFO [named-refused] Found 2.208.13.7 - 2021-05-08 14:23:02
2021-05-08 14:23:56,444 fail2ban.filter [16526]: INFO [named-refused] Found 2.208.13.7 - 2021-05-08 14:23:02
2021-05-08 14:23:56,445 fail2ban.filter [16526]: INFO [named-refused] Found 2.208.13.7 - 2021-05-08 14:23:02
[truncated]

After a couple of minutes, I tried a quick grep to see if any new bans were being added:
# grep banned /var/log/fail2ban.log | grep -vc already
0

-- 
Dan Egli
From my Test Server
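A cross-check for the mismatch this thread is chasing (fail2ban logging "already banned" for an IP that iptables-save does not list), as an added example that is not from the thread or from the fail2ban project: it reconstructs fail2ban's own view of bans from the Ban / Unban / "already banned" lines in fail2ban.log, reads the per-jail block rules from iptables-save output, and reports the difference. It assumes the default chain naming of fail2ban's iptables actions (f2b-<jail>, or fail2ban-<jail> on older releases); the sample log and rule below are constructed, with two lines copied from the thread.

```python
import re
from collections import defaultdict

# fail2ban.actions lines come in the three shapes seen in fail2ban.log:
#   "[jail] Ban 1.2.3.4", "[jail] Unban 1.2.3.4", "[jail] 1.2.3.4 already banned"
ACTION_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?:(?P<verb>Ban|Unban) (?P<ip>[\d.]+)|(?P<ip2>[\d.]+) already banned)\s*$"
)
# Per-jail chains created by fail2ban's iptables actions (f2b-<jail>, or
# fail2ban-<jail> on older releases, assumed here); the /32 mask is optional.
RULE_RE = re.compile(r"^-A (?:f2b|fail2ban)-(?P<jail>\S+) -s (?P<ip>[\d.]+)(?:/32)? -j ")

def fail2ban_view(log_lines):
    """IPs per jail that fail2ban itself reports as banned (Ban, or 'already banned')."""
    banned = defaultdict(set)
    for line in log_lines:
        m = ACTION_RE.search(line)
        if not m:
            continue  # filter 'Found' lines and other noise are not ban actions
        if m.group("verb") == "Unban":
            banned[m.group("jail")].discard(m.group("ip"))
        else:
            banned[m.group("jail")].add(m.group("ip") or m.group("ip2"))
    return {jail: ips for jail, ips in banned.items() if ips}

def firewall_view(save_lines):
    """IPs per jail that really have a block rule in iptables-save output."""
    rules = defaultdict(set)
    for line in save_lines:
        m = RULE_RE.match(line.strip())
        if m:
            rules[m.group("jail")].add(m.group("ip"))
    return dict(rules)

def missing_from_firewall(log_lines, save_lines):
    """Per jail, the IPs fail2ban believes are banned but iptables has no rule for."""
    fw = firewall_view(save_lines)
    gaps = {jail: ips - fw.get(jail, set()) for jail, ips in fail2ban_view(log_lines).items()}
    return {jail: ips for jail, ips in gaps.items() if ips}

# Constructed sample: two lines copied from the thread plus one made-up Ban line,
# and one made-up iptables-save rule that covers only the made-up IP.
SAMPLE_LOG = """\
2021-05-08 13:18:38,288 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,575 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:20:01,000 fail2ban.actions [30973]: NOTICE [named-refused] Ban 198.51.100.7
""".splitlines()
SAMPLE_SAVE = ["-A f2b-named-refused -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable"]
```

On a live host, feed it the real files: `missing_from_firewall(open('/var/log/fail2ban.log'), subprocess.run(['iptables-save'], capture_output=True, text=True).stdout.splitlines())`; any IP it lists is one fail2ban will keep reporting as "already banned" without ever re-adding the rule.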
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users