
Comments (32)

yarikoptic commented on July 23, 2024

letscorpvella wrote:

Hi There,

When adding two or more jails with the same filter but different
bantime and findtime, the jails start perfectly and work fine. But
only one of the enabled jails with the same filter blocks the IP
address, and the other jails do not work properly.

When verifying the status of each jail, only one jail has entries in its
"Currently failed" and "Total failed" lists, and all other jails show
zero in "Currently failed" and "Total failed".

My jail.conf configuration is as follows:

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=fail2ban@localhost]
logpath = /var/log/secure
bantime = 600
findtime = 300
maxretry = 3

[ssh-frequent]

enabled = true
filter = sshd
action = iptables-allports[name=SSH-FREQUENT, protocol=all]
sendmail-whois[name=SSH-FREQUENT, dest=root, sender=fail2ban@localhost]
logpath = /var/log/secure
bantime = 86400
findtime = 604800
maxretry = 20

Does the above jail configuration have any problem? If yes, please
suggest a configuration to block the IP with different bantime and
findtime for the same filter and jail.

Regards,
Vella



What is the version?

Sent from a phone which beats iPhone.

from fail2ban.

letscorp commented on July 23, 2024

Fail2ban version: Fail2Ban v0.8.6
Python version: Python 2.6.8

yarikoptic commented on July 23, 2024

ah... I guess I see it now -- so the matching log entry does not get processed by both jails but (randomly) only by one of them, right?

So for such "fortification" setups with extended banning of consistent abusers, there was a suggestion to use the "recidive" jail, which would monitor fail2ban.log itself... see #19 for more details and a warning (it must not be enabled whenever loglevel is DEBUG).

letscorp commented on July 23, 2024

Yes, you are correct. But sometimes both jails work fine without any issues with the above jail configuration.

Anyway, I will try to use fail2ban.log for frequent brute force attacks. Thanks for your kind information.

yetyongjin commented on July 23, 2024

My fail2ban version: 0.8.10
My python version: 2.7
I have the same issue, especially after reboot.

grooverdan commented on July 23, 2024

@yetyongjin please include jail configuration and your fail2ban log illustrating the problem.

yetyongjin commented on July 23, 2024

my jail.conf:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 300
findtime = 300
maxretry = 10
backend = auto
usedns = warn
[asterisk-udp]
enabled = true
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
logpath = /log/syslog
maxretry = 2
[asterisk-tcp]
enabled = true
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
logpath = /log/syslog
maxretry = 2

filter asterisk:

[INCLUDES]
before = common.conf
[Definition]
failregex = UCM.* SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?//.+?".*
            UCM.* SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?//.+?".*
            UCM.* SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?//.+?".*
            UCM.* SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?//.+?".*

grooverdan commented on July 23, 2024

and fail2ban.log?

Also OT - we've improved the asterisk filters a lot: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf

yetyongjin commented on July 23, 2024

This is the log when both jails work fine:
2013-10-30 13:15:34,785 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:15:34,787 fail2ban.filter : DEBUG Log rotation detected for /log/syslog
2013-10-30 13:15:34,789 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:34,791 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:34,794 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:15:34,795 fail2ban.filter : DEBUG Processing line with time:1383110134.0 and ip:192.168.124.18
2013-10-30 13:15:34,797 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:15:34,798 fail2ban.filter : DEBUG Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 192.168.124.18:1
2013-10-30 13:15:34,800 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:15:34,801 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 3 hits
2013-10-30 13:15:34,828 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:15:34,830 fail2ban.filter : DEBUG Log rotation detected for /log/syslog
2013-10-30 13:15:34,832 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:34,833 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:34,836 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:15:34,838 fail2ban.filter : DEBUG Processing line with time:1383110134.0 and ip:192.168.124.18
2013-10-30 13:15:34,839 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:15:34,841 fail2ban.filter : DEBUG Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 192.168.124.18:1
2013-10-30 13:15:34,842 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:15:34,844 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 3 hits
2013-10-30 13:15:36,805 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:15:36,808 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:36,810 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:15:36,811 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 4 hits
2013-10-30 13:15:36,847 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:15:36,850 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:36,852 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:36,854 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:15:36,856 fail2ban.filter : DEBUG Processing line with time:1383110136.0 and ip:192.168.124.18
2013-10-30 13:15:36,857 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:15:36,859 fail2ban.filter : DEBUG Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 192.168.124.18:2
2013-10-30 13:15:36,860 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:15:36,862 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 6 hits
2013-10-30 13:15:36,952 fail2ban.actions: WARNING [asterisk-tcp] Ban 192.168.124.18
2013-10-30 13:15:36,953 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-asterisk-tcp[ \t]'
2013-10-30 13:15:36,985 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-asterisk-tcp[ \t]' returned successfully
2013-10-30 13:15:36,988 fail2ban.actions.action: DEBUG iptables -I fail2ban-asterisk-tcp 1 -s 192.168.124.18 -j REJECT --reject-with icmp-port-unreachable
2013-10-30 13:15:37,006 fail2ban.actions.action: DEBUG iptables -I fail2ban-asterisk-tcp 1 -s 192.168.124.18 -j REJECT --reject-with icmp-port-unreachable returned successfully
2013-10-30 13:15:39,816 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:15:39,819 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,822 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,824 fail2ban.filter : DEBUG Processing line with time:1383110136.0 and ip:192.168.124.18
2013-10-30 13:15:39,825 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:15:39,827 fail2ban.filter : DEBUG Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 192.168.124.18:2
2013-10-30 13:15:39,828 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,830 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,832 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,834 fail2ban.filter : DEBUG Processing line with time:1383110139.0 and ip:192.168.124.18
2013-10-30 13:15:39,835 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:15:39,837 fail2ban.filter : DEBUG Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 192.168.124.18:3
2013-10-30 13:15:39,839 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:15:39,840 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 9 hits
2013-10-30 13:15:39,866 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:15:39,868 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,870 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,873 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:15:39,875 fail2ban.filter : DEBUG Processing line with time:1383110139.0 and ip:192.168.124.18
2013-10-30 13:15:39,876 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:15:39,877 fail2ban.filter : DEBUG Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 192.168.124.18:1
2013-10-30 13:15:39,879 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:15:39,881 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 9 hits
2013-10-30 13:15:39,899 fail2ban.actions: WARNING [asterisk-udp] Ban 192.168.124.18
2013-10-30 13:15:39,900 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-asterisk-udp[ \t]'
2013-10-30 13:15:39,932 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-asterisk-udp[ \t]' returned successfully
2013-10-30 13:15:39,934 fail2ban.actions.action: DEBUG iptables -I fail2ban-asterisk-udp 1 -s 192.168.124.18 -j REJECT --reject-with icmp-port-unreachable
2013-10-30 13:15:39,953 fail2ban.actions.action: DEBUG iptables -I fail2ban-asterisk-udp 1 -s 192.168.124.18 -j REJECT --reject-with icmp-port-unreachable returned successfully

yetyongjin commented on July 23, 2024

This is the log taken after a system reboot; only one jail, named asterisk-udp, was working:

2013-10-30 13:22:29,033 fail2ban.server : INFO Changed logging target to /tmp/fail2ban for Fail2ban v0.8.10
2013-10-30 13:22:29,039 fail2ban.comm : DEBUG Command: ['add', 'asterisk-udp', 'auto']
2013-10-30 13:22:29,042 fail2ban.jail : INFO Creating new jail 'asterisk-udp'
2013-10-30 13:22:29,047 fail2ban.jail : DEBUG Backend 'pyinotify' failed to initialize due to No module named pyinotify
2013-10-30 13:22:29,050 fail2ban.jail : DEBUG Backend 'gamin' failed to initialize due to No module named gamin
2013-10-30 13:22:29,051 fail2ban.jail : INFO Jail 'asterisk-udp' uses poller
2013-10-30 13:22:29,257 fail2ban.filter : DEBUG Setting usedns = warn for FilterPoll(Jail('asterisk-udp'))
2013-10-30 13:22:29,370 fail2ban.filter : DEBUG Created FilterPoll(Jail('asterisk-udp'))
2013-10-30 13:22:29,371 fail2ban.filter : DEBUG Created FilterPoll
2013-10-30 13:22:29,372 fail2ban.jail : INFO Initiated 'polling' backend
2013-10-30 13:22:29,379 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'usedns', 'warn']
2013-10-30 13:22:29,381 fail2ban.filter : DEBUG Setting usedns = warn for FilterPoll(Jail('asterisk-udp'))
2013-10-30 13:22:29,387 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addlogpath', '/log/syslog']
2013-10-30 13:22:29,390 fail2ban.filter : INFO Added logfile = /log/syslog
2013-10-30 13:22:29,398 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'maxretry', '2']
2013-10-30 13:22:29,399 fail2ban.filter : INFO Set maxRetry = 2
2013-10-30 13:22:29,405 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addignoreip', '127.0.0.1/8']
2013-10-30 13:22:29,407 fail2ban.filter : DEBUG Add 127.0.0.1/8 to ignore list
2013-10-30 13:22:29,413 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'findtime', '300']
2013-10-30 13:22:29,415 fail2ban.filter : INFO Set findtime = 300
2013-10-30 13:22:29,421 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'bantime', '300']
2013-10-30 13:22:29,422 fail2ban.actions: INFO Set banTime = 300
2013-10-30 13:22:29,429 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="FailedACL".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,448 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="InvalidAccountID".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,467 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="ChallengeResponseFailed".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,488 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="InvalidPassword".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,509 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'addaction', 'iptables-multiport']
2013-10-30 13:22:29,511 fail2ban.actions.action: DEBUG Created Action
2013-10-30 13:22:29,517 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'actionban', 'iptables-multiport', 'iptables -I fail2ban- 1 -s -j ']
2013-10-30 13:22:29,519 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban- 1 -s -j
2013-10-30 13:22:29,525 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'actionstop', 'iptables-multiport', 'iptables -D -p -m multiport --dports -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
2013-10-30 13:22:29,527 fail2ban.actions.action: DEBUG Set actionStop = iptables -D -p -m multiport --dports -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2013-10-30 13:22:29,534 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I -p -m multiport --dports -j fail2ban-']
2013-10-30 13:22:29,535 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I -p -m multiport --dports -j fail2ban-
2013-10-30 13:22:29,542 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban- -s -j ']
2013-10-30 13:22:29,543 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban- -s -j
2013-10-30 13:22:29,551 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'actioncheck', 'iptables-multiport', "iptables -n -L | grep -q 'fail2ban-[ \t]'"]
2013-10-30 13:22:29,552 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L | grep -q 'fail2ban-[ \t]'
2013-10-30 13:22:29,559 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'setcinfo', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
2013-10-30 13:22:29,565 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'setcinfo', 'iptables-multiport', 'protocol', 'udp']
2013-10-30 13:22:29,572 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'setcinfo', 'iptables-multiport', 'name', 'asterisk-udp']
2013-10-30 13:22:29,579 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'setcinfo', 'iptables-multiport', 'chain', 'INPUT']
2013-10-30 13:22:29,586 fail2ban.comm : DEBUG Command: ['set', 'asterisk-udp', 'setcinfo', 'iptables-multiport', 'port', '5060']
2013-10-30 13:22:29,592 fail2ban.comm : DEBUG Command: ['add', 'asterisk-tcp', 'auto']
2013-10-30 13:22:29,594 fail2ban.jail : INFO Creating new jail 'asterisk-tcp'
2013-10-30 13:22:29,596 fail2ban.jail : DEBUG Backend 'pyinotify' failed to initialize due to No module named pyinotify
2013-10-30 13:22:29,598 fail2ban.jail : DEBUG Backend 'gamin' failed to initialize due to No module named gamin
2013-10-30 13:22:29,599 fail2ban.jail : INFO Jail 'asterisk-tcp' uses poller
2013-10-30 13:22:29,601 fail2ban.filter : DEBUG Setting usedns = warn for FilterPoll(Jail('asterisk-tcp'))
2013-10-30 13:22:29,606 fail2ban.filter : DEBUG Created FilterPoll(Jail('asterisk-tcp'))
2013-10-30 13:22:29,607 fail2ban.filter : DEBUG Created FilterPoll
2013-10-30 13:22:29,608 fail2ban.jail : INFO Initiated 'polling' backend
2013-10-30 13:22:29,614 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'usedns', 'warn']
2013-10-30 13:22:29,616 fail2ban.filter : DEBUG Setting usedns = warn for FilterPoll(Jail('asterisk-tcp'))
2013-10-30 13:22:29,622 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addlogpath', '/log/syslog']
2013-10-30 13:22:29,625 fail2ban.filter : INFO Added logfile = /log/syslog
2013-10-30 13:22:29,631 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'maxretry', '2']
2013-10-30 13:22:29,633 fail2ban.filter : INFO Set maxRetry = 2
2013-10-30 13:22:29,639 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addignoreip', '127.0.0.1/8']
2013-10-30 13:22:29,640 fail2ban.filter : DEBUG Add 127.0.0.1/8 to ignore list
2013-10-30 13:22:29,647 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'findtime', '300']
2013-10-30 13:22:29,649 fail2ban.filter : INFO Set findtime = 300
2013-10-30 13:22:29,654 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'bantime', '300']
2013-10-30 13:22:29,656 fail2ban.actions: INFO Set banTime = 300
2013-10-30 13:22:29,662 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="FailedACL".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,669 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="InvalidAccountID".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,678 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="ChallengeResponseFailed".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,686 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addfailregex', 'UCM.* SECURITY.* SecurityEvent="InvalidPassword".RemoteAddress=".+?/.+?//.+?".']
2013-10-30 13:22:29,695 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'addaction', 'iptables-multiport']
2013-10-30 13:22:29,698 fail2ban.actions.action: DEBUG Created Action
2013-10-30 13:22:29,704 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'actionban', 'iptables-multiport', 'iptables -I fail2ban- 1 -s -j ']
2013-10-30 13:22:29,705 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban- 1 -s -j
2013-10-30 13:22:29,712 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'actionstop', 'iptables-multiport', 'iptables -D -p -m multiport --dports -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
2013-10-30 13:22:29,713 fail2ban.actions.action: DEBUG Set actionStop = iptables -D -p -m multiport --dports -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2013-10-30 13:22:29,720 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I -p -m multiport --dports -j fail2ban-']
2013-10-30 13:22:29,722 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I -p -m multiport --dports -j fail2ban-
2013-10-30 13:22:29,729 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban- -s -j ']
2013-10-30 13:22:29,730 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban- -s -j
2013-10-30 13:22:29,736 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'actioncheck', 'iptables-multiport', "iptables -n -L | grep -q 'fail2ban-[ \t]'"]
2013-10-30 13:22:29,738 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L | grep -q 'fail2ban-[ \t]'
2013-10-30 13:22:29,744 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'setcinfo', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
2013-10-30 13:22:29,751 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
2013-10-30 13:22:29,758 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'setcinfo', 'iptables-multiport', 'name', 'asterisk-tcp']
2013-10-30 13:22:29,765 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'setcinfo', 'iptables-multiport', 'chain', 'INPUT']
2013-10-30 13:22:29,771 fail2ban.comm : DEBUG Command: ['set', 'asterisk-tcp', 'setcinfo', 'iptables-multiport', 'port', '5060,5061']
2013-10-30 13:22:29,778 fail2ban.comm : DEBUG Command: ['start', 'asterisk-udp']
2013-10-30 13:22:29,781 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:22:29,798 fail2ban.jail : INFO Jail 'asterisk-udp' started
2013-10-30 13:22:29,804 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:29,796 fail2ban.actions.action: DEBUG iptables -N fail2ban-asterisk-udp
iptables -A fail2ban-asterisk-udp -j RETURN
iptables -I INPUT -p udp -m multiport --dports 5060 -j fail2ban-asterisk-udp
2013-10-30 13:22:29,814 fail2ban.comm : DEBUG Command: ['start', 'asterisk-tcp']
2013-10-30 13:22:29,806 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,181 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:22:30,183 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,185 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,194 fail2ban.actions.action: DEBUG iptables -N fail2ban-asterisk-tcp
iptables -A fail2ban-asterisk-tcp -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 5060,5061 -j fail2ban-asterisk-tcp
2013-10-30 13:22:30,195 fail2ban.jail : INFO Jail 'asterisk-tcp' started
2013-10-30 13:22:30,420 fail2ban.actions.action: DEBUG iptables -N fail2ban-asterisk-udp
iptables -A fail2ban-asterisk-udp -j RETURN
iptables -I INPUT -p udp -m multiport --dports 5060 -j fail2ban-asterisk-udp returned successfully
2013-10-30 13:22:30,607 fail2ban.actions.action: DEBUG iptables -N fail2ban-asterisk-tcp
iptables -A fail2ban-asterisk-tcp -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 5060,5061 -j fail2ban-asterisk-tcp returned successfully
2013-10-30 13:22:30,623 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,625 fail2ban.filter : DEBUG Processing line with time:1383110134.0 and ip:192.168.124.18
2013-10-30 13:22:30,637 fail2ban.filter : DEBUG Ignore line since time 1383110134.0 < 1383110550.64 - 300
2013-10-30 13:22:30,639 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,641 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,643 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,645 fail2ban.filter : DEBUG Processing line with time:1383110136.0 and ip:192.168.124.18
2013-10-30 13:22:30,646 fail2ban.filter : DEBUG Ignore line since time 1383110136.0 < 1383110550.65 - 300
2013-10-30 13:22:30,655 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,657 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,667 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:22:30,669 fail2ban.filter : DEBUG Processing line with time:1383110139.0 and ip:192.168.124.18
2013-10-30 13:22:30,670 fail2ban.filter : DEBUG Ignore line since time 1383110139.0 < 1383110550.67 - 300

2013-10-30 13:22:33,635 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:33,643 fail2ban.comm : DEBUG Command: ['status']

2013-10-30 13:22:37,041 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:37,042 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:22:37,044 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:22:37,046 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 3002 hits
2013-10-30 13:23:16,092 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:23:16,094 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:23:16,096 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:23:16,099 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:23:16,101 fail2ban.filter : DEBUG Processing line with time:1383110595.0 and ip:192.168.124.18
2013-10-30 13:23:16,102 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:23:16,103 fail2ban.filter : DEBUG Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 192.168.124.18:1
2013-10-30 13:23:16,105 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:23:16,107 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 3005 hits
2013-10-30 13:23:19,112 fail2ban.filter : DEBUG /log/syslog has been modified
2013-10-30 13:23:19,114 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:23:19,116 fail2ban.filter.datedetector: DEBUG Matched time template MONTH Day Hour:Minute:Second
2013-10-30 13:23:19,118 fail2ban.filter.datedetector: DEBUG Got time using template MONTH Day Hour:Minute:Second
2013-10-30 13:23:19,120 fail2ban.filter : DEBUG Processing line with time:1383110598.0 and ip:192.168.124.18
2013-10-30 13:23:19,122 fail2ban.filter : DEBUG Found 192.168.124.18
2013-10-30 13:23:19,123 fail2ban.filter : DEBUG Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 192.168.124.18:2
2013-10-30 13:23:19,125 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-10-30 13:23:19,126 fail2ban.filter.datedetector: DEBUG Winning template: MONTH Day Hour:Minute:Second with 3008 hits
2013-10-30 13:23:19,504 fail2ban.actions: WARNING [asterisk-udp] Ban 192.168.124.18
2013-10-30 13:23:19,506 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-asterisk-udp[ \t]'
2013-10-30 13:23:19,537 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-asterisk-udp[ \t]' returned successfully
2013-10-30 13:23:19,540 fail2ban.actions.action: DEBUG iptables -I fail2ban-asterisk-udp 1 -s 192.168.124.18 -j REJECT --reject-with icmp-port-unreachable
2013-10-30 13:23:19,581 fail2ban.actions.action: DEBUG iptables -I fail2ban-asterisk-udp 1 -s 192.168.124.18 -j REJECT --reject-with icmp-port-unreachable returned successfully

yarikoptic commented on July 23, 2024

uff -- I guess we should try to replicate it with 0.8.10 or before and then see if current master still has it: note that the 'polling' backend was chosen, and we had fixes in the polling backend (use more than just mtime for tracking whether a change occurred), so it might have been addressed already.

grooverdan commented on July 23, 2024

ok. Can I assume you're looking at this?

vnanobashvili commented on July 23, 2024

Investigating a fail2ban.log issue - the file took 100% of the disk space on the host, and the fail2ban service along with other logging (httpd access/errors) has stopped working. The file took almost 18GB out of the 20GB allocated to the VM.
fail2ban.log is showing a lot of log records for the last two days related to fail2ban.datedetector in DEBUG mode. Might be related to a daylight saving issue.

vnanobashvili commented on July 23, 2024

The head of the fail2ban.log file shows that the issue began around the daylight savings time change:

2017-03-12 03:35:01,802 fail2ban.server [4219]: INFO rollover performed on /var/log/fail2ban.log
2017-03-12 03:35:02,147 fail2ban.filterpoll [4219]: DEBUG /var/log/httpd/access_log has been modified
2017-03-12 03:35:02,148 fail2ban.datedetector [4219]: DEBUG Sorting the template list
2017-03-12 03:35:02,148 fail2ban.datedetector [4219]: DEBUG Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 3440 hits
2017-03-12 04:00:12,006 fail2ban.filterpoll [4219]: DEBUG /var/log/httpd/access_log has been modified
2017-03-12 04:00:12,007 fail2ban.filter [4219]: INFO Log rotation detected for /var/log/httpd/access_log
2017-03-12 04:00:12,008 fail2ban.datedetector [4219]: DEBUG Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2017-03-12 04:00:12,009 fail2ban.datedetector [4219]: DEBUG Got time 1489291212.000000 for "u'12/Mar/2017:04:00:12 +0000'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2017-03-12 04:00:12,010 fail2ban.datedetector [4219]: DEBUG Sorting the template list
2017-03-12 04:00:12,010 fail2ban.datedetector [4219]: DEBUG Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 3441 hits

vnanobashvili commented on July 23, 2024

Any ideas what could have caused the issue? I believe it is something related to the time, although the VM is running with its time zone in UTC. Any help will be appreciated. Can I delete the fail2ban.log file, and will it be recreated if I restart the fail2ban service or the VM itself?

sebres commented on July 23, 2024

Head of the fail2ban.log file is showing that the issue began

I don't see any issue here (that is all normal if it is running at debug level).
I hope you don't have the recidive jail on (because it's a very bad idea to do this together with debug level).

Can I delete the fail2ban.log file

yes

And switch the log level to INFO.
DEBUG is a log level that should be used temporarily only.

vnanobashvili commented on July 23, 2024

Cool, thanks. What is a recidive jail?

sebres commented on July 23, 2024

What is a recidive jail?

https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf#L743

vnanobashvili commented on July 23, 2024

Got it. Basically I am using a separate jail for persistent abusers, which btw is using the same action expression, only of course in a different action file. Basically that persistent jail of course scans fail2ban.log for repeated bans. Would this be a problem, or could it have caused the problem?

sebres commented on July 23, 2024

As I already wrote, recidive (so scanning of fail2ban.log) and debug level together is a very bad idea.
No matter which name your recidive filter/jail/action has.
Scanning fail2ban.log + debug is evil.

vnanobashvili commented on July 23, 2024

Excellent! Thanks for your help Sebres, that was really helpful and informative.

vnanobashvili commented on July 23, 2024

Anybody knows how to put multiple IP checks in a filter file?

sebres commented on July 23, 2024

put multiple IP checks in a filter file?

If you meant multiple IPs in a single line of the log-file - it is currently impossible (without hacking).

But if you've there a hostname (dns) that represents multiple IPs, the <HOST> will match it and all its IPs will be blocked out of the box (if usedns = yes or usedns = warn).

This issue is the wrong place to do that.
And please be more concrete next time (so that people also understand what you are asking), e. g. provide some example resp. excerpt of such a log-file.

vnanobashvili commented on July 23, 2024

What I asked is the following:

When there is a proxy or proxy chain and you want to ban the last IP address from the chain:
If you put X-Forwarded-For, the Apache log record would be appended with that header at the end

client IP, proxy1IP, proxy2IP

If I want to ban/unban the last IP address - proxy2IP - any idea how to do that? Do I put multiple expressions in the filter? Any suggestions...

vnanobashvili commented on July 23, 2024

multiple <HOST> expressions I meant

sebres commented on July 23, 2024

If I want to ban/unban the last IP address

I told you - provide an example.
I told you - wrong place here (make a new issue, resp. seek help anyplace else (stackoverflow or similar)).

Nevertheless, fail2ban-regex is your friend when building the filter rules.

fail2ban-regex -v '2017-01-01 10:00:00 log line with 3 IPs: 1.2.3.4, 2.3.4.5, 3.4.5.6' '^\s*log line with 3 IPs: \S+, \S+, <HOST>$'
...
Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*log line with 3 IPs: \S+, \S+, <HOST>$
|      3.4.5.6  Sun Jan 01 10:00:00 2017
`-
...

multiple <HOST> expressions

As already said, it is not possible (<HOST> is a capture, only one capture is allowed, only one successful regex match per line is possible, etc.). But if I understand correctly you need only the last IP. See example above.

m2acgi commented on July 23, 2024

Has this issue been fixed?

vnanobashvili commented on July 23, 2024

sebres commented on July 23, 2024

Has this issue been fixed?

@m2acgi What is your issue exactly? The subject says "Jails are not working properly while adding same filter into two jails".
Fact is you can have a hundred jails with the same filter (the filter only describes the monitoring rules like failregex etc).
I don't know any reason why the filter of one jail would somehow bother another jail (also don't think it was ever true for some older version). So there was simply nothing to fix.

However if it is about such recidive jails (like in the examples above, so jails monitoring the same log or journal) - you don't need second jails like that at all - newer versions (>= 0.11) have a new feature bantime.increment, which can help to eliminate recidive evildoers (ban them for a longer time and faster on repeated attempts).

One possible issue you could have would probably be the large findtime (in the example above findtime = 604800 is 7 days). Namely with memory (and possibly performance) due to the large list of failures - fail2ban could accumulate a lot of failures in 7 days, so the list can be really huge.
For a similar discussion about a large findtime window see #2118 or #2911 (comment)

For other possible reasons why something doesn't work please see the FAQ at https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works

m2acgi commented on July 23, 2024

@sebres Thank you for your reply.

Sorry for my poor English. My jail conf is like this:

[my-app]
enabled  = true
port     = 1234
logpath  = /root/my-app/logs/my-app-out.log

bantime  = 365d
findtime = 5m
maxretry = 3

The hackers try several times with different IPs, then they know the values of findtime and maxretry, then the hackers can use another IP to execute brute-force attacks: Twice every 5 minutes, or 3 times every 6 minutes.

As I've set a very long ban time, bantime.increment is not a good option.

What I want exactly to do is to create multiple jails, monitoring the same one log, like this:

[my-app1]
enabled  = true
port     = 1234
filter   = my-app
logpath  = /root/my-app/logs/my-app-out.log

bantime  = 365d
findtime = 5m
maxretry = 3


[my-app2]
enabled  = true
port     = 1234
filter   = my-app
logpath  = /root/my-app/logs/my-app-out.log

bantime  = 365d
findtime = 24h
maxretry = 10

That is (bantime 365d, findtime 5m, maxretry 3) OR (bantime 365d, findtime 24h, maxretry 10), then ban.

Is this supported by fail2ban?

Thanks.

sebres commented on July 23, 2024

Twice every 5 minutes, or 3 times every 6 minutes.

Well, you could simply increase the findtime and maxretry to get the same burst as the first jail, so you would not need the 2nd jail.

As I've set a very long ban time, bantime.increment is not a good option.

You don't need such long ban times (something like a few weeks or months is fully enough)... But with bantime.increment you can control the distance to further bans with bantime.factor, bantime.formula or bantime.multipliers.
Also setting bantime.rndtime can help to confuse "smart" bots trying to estimate a bantime.
But OK.

Is this supported by fail2ban?

Sure. The jails are totally independent, so there is no reason why the 2nd jail must ignore some of 10 attempts in 24h (also if they are noticed by the 1st jail too).
The only issue I can imagine is if the banning action doesn't distinguish the chains by the rules, so creates the same rule for both jails, and either the net-filter doesn't allow duplicates (you'd see the error in fail2ban.log in that case after the 2nd ban) or removes both rules on unban of the earliest ticket (so the attacker is able to connect during an active long ban). Example of such an action can be shorewall e. g. #2031 or route e. g. #2373.
Another issue with the banning action may be your long bantime, for instance some actions, like iptables-ipset, previously used their own expiration and the value could be too large, e. g. ipset doesn't allow a timeout larger than 2147483 which means 24d (this also would produce an error in fail2ban.log), see #2703 where it was fixed for the iptables-ipset action.

Anyway, until you provide more data (what exactly "doesn't work" means in your case) we'd be unable to help you.
Doesn't the second jail find the attempts from some IP (no [my-app2] Found in fail2ban.log)?
Doesn't the second jail ban the IP after 10 findings in 24h (no [my-app2] Ban in fail2ban.log)?
Ban is there, but the evildoer is still able to connect?
Etc.

I already showed you the link to our FAQ where the reasons for all that are pretty well described - https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works

Please check all that first and if you think you are affected by some other problem, provide an excerpt of my-app-out.log (illustrating the issue for some IP), fail2ban.log (with some errors, or grep by IP/errors) or a dump of fail2ban-client -d that shows the whole configuration for both jails.

And last but not least, a stupid question: is the 2nd jail really active - did you restart/reload fail2ban after you added the 2nd jail to jail.local?

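A worked illustration of the two points sebres makes above (the <HOST> capture picks the last address of a forwarded-for chain, and jails monitoring the same log count failures independently), added here as an example that is not part of the issue thread or of fail2ban's own code. It re-implements only the findtime/maxretry window in plain Python; the IPv4-only host pattern, the `auth failure ips:` log format and every address are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> (assumption: IPv4 only; real <HOST> also takes IPv6/hostnames).
# The two \S+ skip "client, proxy1", so the capture is the last address of the chain.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^(?P<ts>\S+ \S+) auth failure ips: \S+, \S+, " + HOST + r"$")

class Jail:
    """One independent findtime/maxretry window, like [my-app1] or [my-app2]."""
    def __init__(self, name, findtime, maxretry):
        self.name, self.findtime, self.maxretry = name, findtime, maxretry
        self.failures = defaultdict(deque)   # ip -> timestamps still inside findtime
        self.banned = set()

    def observe(self, ts, ip):
        """Record one failure; True when this jail bans ip for the first time."""
        q = self.failures[ip]
        q.append(ts)
        while q[0] <= ts - self.findtime:    # expire entries older than findtime
            q.popleft()
        if len(q) >= self.maxretry and ip not in self.banned:
            self.banned.add(ip)
            return True
        return False

def run_jails(lines, jails):
    """Every matching line goes to every jail; bans are returned as (jail, ip)."""
    bans = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            bans += [(j.name, m["host"]) for j in jails if j.observe(ts, m["host"])]
    return bans

def constructed_log():
    """Constructed input: 3.4.5.6 stays at 2 attempts per 5 min, 5.6.7.8 bursts 3 in 20 s."""
    base, fmt = datetime(2017, 1, 1, 10, 0, 0), "%Y-%m-%d %H:%M:%S"
    slow = [f"{(base + timedelta(minutes=m)).strftime(fmt)} auth failure ips: 1.2.3.4, 2.3.4.5, 3.4.5.6"
            for m in (0, 2, 6, 8, 12, 14, 18, 20, 24, 26)]
    burst = [f"{(base + timedelta(seconds=60 + s)).strftime(fmt)} auth failure ips: 7.7.7.7, 8.8.8.8, 5.6.7.8"
             for s in (0, 10, 20)]
    return slow + burst

def simulate():
    # Thread's setup: (findtime 5m, maxretry 3) OR (findtime 24h, maxretry 10) on one log.
    jails = [Jail("my-app1", timedelta(minutes=5), 3), Jail("my-app2", timedelta(hours=24), 10)]
    return run_jails(constructed_log(), jails)   # [('my-app2', '3.4.5.6'), ('my-app1', '5.6.7.8')]
```

The slow attacker never trips the 5-minute jail but is banned by the 24-hour one after its 10th attempt, while the burst is caught only by the 5-minute jail; neither jail's count is affected by the other.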

m2acgi commented on July 23, 2024

👍 Thank you very much!
