LinuxQuestions.org
Old 02-21-2019, 09:40 AM   #1
switcher1
Member
 
Registered: Jul 2006
Posts: 32

fail2ban bans IP but continues to show new log entries for IP before expire time


I am using fail2ban for the apache log. An IP showed up as banned (fail2ban-client status jailx & ipset list); however, in the fail2ban log I am getting these messages (below) that keep showing the IP with new entries and saying "already banned".

If the IP is banned why is the log still showing new attempts after it is banned? This all happens in about 60 seconds, and the ban timer is set for 1 day.

The ipset list shows the IP with a "timeout" value of 62400.

Also, the /var/log/httpd/access_log shows 103 entries for this IP from 2:51:32am to 2:52:25am. The fail2ban log shows the IP first banned at 2:51:33.

Any ideas will be appreciated.

Log sample below: (some "found" entries deleted to reduce length)

2019-02-21 02:51:33,631 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:33
2019-02-21 02:51:33,865 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:33
2019-02-21 02:51:33,992 fail2ban.actions [16047]: NOTICE [fail2ban-filter] Ban 123.456.789.012
2019-02-21 02:51:34,098 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:34
2019-02-21 02:51:34,443 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:34
2019-02-21 02:51:38,601 fail2ban.actions [16047]: NOTICE [fail2ban-filter] 123.456.789.012 already banned
2019-02-21 02:51:38,850 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:38
2019-02-21 02:51:39,244 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:39
2019-02-21 02:51:40,003 fail2ban.actions [16047]: NOTICE [fail2ban-filter] 123.456.789.012 already banned
2019-02-21 02:51:40,299 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:40
2019-02-21 02:51:40,583 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:40

 
Old 02-21-2019, 03:01 PM   #2
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,267

I'm just guessing, but since all of these connections were in the same 15 seconds, is it possible they were all active at the same time, prior to the ban?
Therefore, there would be Found entries reflecting the multiple connections...

Do the Found entries continue after that 15-60 second time period?
Old 02-21-2019, 05:28 PM   #3
switcher1
Member
 
Registered: Jul 2006
Posts: 32

Original Poster
The last found (and last entry for this IP) is at 2:52:25. In fact the last three entries are "already banned", "found", "found" and then no more entries. Prior to that the "already banned" was always followed by 4 more "found" before "already banned" appeared again.

My maxretry is set to 4.

I think you are probably correct, and it was a timing issue because it all happened so fast. I have tested since I put up this post and discovered that after 4 failed attempts (one at a time and slowly), the IP is banned and the server does not even respond after that.

I had not thought about multiple connections at the same time. I am sure that is what happened. There were multiple hits per second sometimes in the log.

I appreciate your reply. Very helpful to me. I am more comfortable that it is working properly.
 
Old 02-21-2019, 06:45 PM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,267

I'm happy to have been of help. You could check the http log to see if, in fact, there were multiple connections.

You may mark the thread SOLVED using the Thread Tools, if you want.
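The check suggested in the reply above (compare the http access log against the fail2ban log), written out as an added example that is not from the thread or from fail2ban itself: it parses the two log formats shown in the thread, reports how many "Found" hits fail2ban logged after the "Ban" line, and lists any requests the web server logged more than a grace period after the ban fired, which is what would point at a connection outliving the ban action. The sample lines are constructed, the IP is the thread's own placeholder, and the two logs are assumed to share one local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed samples in the thread's formats; the IP is the thread's placeholder.
FAIL2BAN_LOG = """\
2019-02-21 02:51:33,631 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:33
2019-02-21 02:51:33,992 fail2ban.actions [16047]: NOTICE [fail2ban-filter] Ban 123.456.789.012
2019-02-21 02:51:34,098 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:51:34
2019-02-21 02:51:38,601 fail2ban.actions [16047]: NOTICE [fail2ban-filter] 123.456.789.012 already banned
2019-02-21 02:52:25,120 fail2ban.filter [16047]: INFO [fail2ban-filter] Found 123.456.789.012 - 2019-02-21 02:52:25
"""
ACCESS_LOG = """\
123.456.789.012 - - [21/Feb/2019:02:51:32 -0500] "GET / HTTP/1.1" 404 209 "-" "-"
123.456.789.012 - - [21/Feb/2019:02:52:25 -0500] "GET /index.html HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [21/Feb/2019:03:10:00 -0500] "GET / HTTP/1.1" 200 512 "-" "-"
"""
F2B_RE = re.compile(r"^(?P<ts>\S+ \S+),\d+ fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+\[[^\]]+\] (?P<msg>.*)$")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] "')

def f2b_timeline(log, ip):
    """When the ban fired, how many 'Found' hits were logged after it, last hit seen."""
    ban_at, found_after_ban, already_banned, last_found = None, 0, 0, None
    for line in log.splitlines():
        m = F2B_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]
        if msg == f"Ban {ip}":
            ban_at = ts
        elif msg == f"{ip} already banned":
            already_banned += 1
        elif msg.startswith(f"Found {ip} "):
            last_found = ts
            if ban_at is not None:  # a hit the filter matched after the ban action ran
                found_after_ban += 1
    return {"ban_at": ban_at, "found_after_ban": found_after_ban,
            "already_banned": already_banned, "last_found": last_found}

def late_requests(access, ip, ban_at, grace_s=5):
    """Requests from ip logged more than grace_s seconds after the ban fired.
    Assumes both logs share one local clock (the zone offset is dropped)."""
    late = []
    for line in access.splitlines():
        m = APACHE_RE.match(line)
        if m and m["ip"] == ip:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            if ts > ban_at + timedelta(seconds=grace_s):
                late.append(ts.isoformat())
    return late
```

A few hits within the grace window are expected (connections already open when the ban rule was inserted); hits well beyond it are worth checking against the firewall rule the ban action installed.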