It can also happen if you are detecting responses, e.g. with SMTP, if you are detecting messages like "Lost connection from ....". These messages can appear up to about 3 minutes after the initial contact was made, so, for example, if someone makes 10 connection attempts which get lost, your ban may be triggered after the 5th one, but there are still 5 more active connections which will eventually time out and, as the ban is already active at that point, you will get 5 already banned messages as well. These messages will obviously appear soon after the initial ban message. If the separation between the ban and already banned message is longer then you need to examine your jail

On 13/07/2021 08:34, Tom Hendrikx wrote:

Hi,

Apparently the ip-address 'should' be banned according to fail2ban's internal administration, but there is still activity coming in, triggering new bans.

This can happen if your banning technique is broken, the configuration is broken, etc.

F.i. you could configure the apache jail to block all traffic to port 80 using iptables. After some research, you'll notice that you also needed to block access to port 443, but you simply forgot to include it.

Please post full configuration if you're not sure what to look for. I have no idea what 'suricata' is though ;)

Kind regards,
     Tom

On 13-07-2021 01:33, James Moe via Fail2ban-users wrote:
fail2ban v1.0.1.1
opensuse tumbleweed, linux v5.13.0

Messages as shown below occasionally are in the log. It does not make much
sense. If the IP is banned, how can it be detected in the target log?

2021-07-11 16:15:31,136 fail2ban.filter         [10710]: INFO [suricata-1] Found 65.205.231.167 - 2021-07-11 16:15:31

2021-07-11 16:15:31,357 fail2ban.actions        [10710]: WARNING [suricata-1] 65.205.231.167 already banned




_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
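
The triage both replies describe, as an added example that is not part of the original thread: measure how long after the ban each "already banned" warning arrives, and separate late-arriving log messages from a ban action that is not blocking traffic. Assumptions: the `NOTICE ... Ban <ip>` / `Unban <ip>` line layout of `fail2ban.actions`, a 3-minute grace window taken from the first reply, and constructed jail names, IPs and verdict labels.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in fail2ban.log layout; IPs are documentation addresses.
SAMPLE_LOG = """\
2021-07-11 16:15:00,101 fail2ban.actions        [10710]: NOTICE  [postfix] Ban 192.0.2.10
2021-07-11 16:15:40,357 fail2ban.actions        [10710]: WARNING [postfix] 192.0.2.10 already banned
2021-07-11 16:17:55,020 fail2ban.actions        [10710]: WARNING [postfix] 192.0.2.10 already banned
2021-07-11 16:20:00,500 fail2ban.actions        [10710]: NOTICE  [apache] Ban 198.51.100.7
2021-07-11 16:41:12,900 fail2ban.actions        [10710]: WARNING [apache] 198.51.100.7 already banned
2021-07-11 16:50:00,000 fail2ban.actions        [10710]: WARNING [apache] 203.0.113.5 already banned
"""

# Matches only fail2ban.actions lines: Ban / Restore Ban / Unban, or "<ip> already banned".
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] "
    r"(?:(?:Restore )?(?P<op>Ban|Unban) (?P<ip>\S+)|(?P<dup>\S+) already banned)$"
)

def classify(log_text, grace=timedelta(minutes=3)):
    """Return (jail, ip, gap_seconds, verdict) for every 'already banned' line."""
    banned_at = {}  # (jail, ip) -> time of the ban currently in force
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # filter "Found" lines and anything else are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["op"] == "Ban":
            banned_at[(m["jail"], m["ip"])] = ts
        elif m["op"] == "Unban":
            banned_at.pop((m["jail"], m["ip"]), None)
        else:
            key = (m["jail"], m["dup"])
            start = banned_at.get(key)
            if start is None:  # ban happened before this log excerpt begins
                results.append((*key, None, "ban-not-in-log"))
                continue
            gap = (ts - start).total_seconds()
            # Short gap: connections opened before the ban are still logging.
            # Long gap: new traffic is getting through, so review the ban action.
            late = gap > grace.total_seconds()
            results.append((*key, gap, "check-ban-action" if late else "lingering-connection"))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```

A `check-ban-action` verdict points at the case from the second reply, where the jail's action does not cover every port the traffic arrives on.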

