On Sun, 28 Jun 2015, William Lewis wrote:

> Hello:
>
> Problem #1:
> I just updated my Fail2Ban to version: 0.8.13.-1-nd12.04+1 from the Neuro
> Debian repository and now I see that when Fail2Ban detects a match to one
> of my Jails, fail2ban erroneously drops the last digit off the offending
> IP address and thus bans the wrong ip address.
> Here is an example: Here is a line from my log file:
> Sun Jun 28 10:53:12 2015 87.221.129.170:56512 - MBOX (root) bad login
> But fail2ban reports banning IP address 87.221.129.17 (Note the missing
> "0") Fail2ban should have banned 87.221.129.170.
> When I look at my firewall (I use SHOREWALL) I see these lines.
> -A dynamic -s 201.52.10.18/32 -j reject
> -A dynamic -s 95.180.179.21/32 -j reject
> -A dynamic -s 87.221.129.17/32 -j reject
> -A dynamic -s 182.209.52.14/32 -j reject
> Every last one is missing the last digit, so the wrong ip is banned. Here
> are the correct ip addresses as seen in my log file.
> Sun Jun 28 10:46:35 2015 201.52.10.189:39679 - MBOX (root) bad login
> Sun Jun 28 10:42:04 2015 95.180.179.218:53539 - MBOX (root) bad login
> Sun Jun 28 10:47:35 2015 87.221.129.170:53538 - MBOX (root) bad login
> Sun Jun 28 10:49:34 2015 182.209.52.142:2935 - MBOX (support) bad login

my wild guess (since you didn't share configs) is that you are using some
custom filter which has wrong regex eating up the last digit

> Problem #2: I have my config in the jail set to email with the WHOIS
> as well as the offending lines in the log file (using: action =
> %(action_mwl)s)
> Yet when I get the email, it gives me the WHOIS, but no log lines are
> included.
> I am thinking it may not contain the actual offending logbook lines
> because problem #1 above is capturing the incorrect IP address, thus there
> is no match to report in the email. Just a guess though. Problem #1 would
> have to be corrected, then see if problem #2 remains or is also fixed.

could be

> Problem #3:
> I also noted that my previous version of fail2ban used "DROP" in
> shorewall, which is what I prefer. The new update now uses "reject"
> instead. Is there a way to change this in a config somewhere back to DROP?

look into config/action.d/iptables-blocktype.conf

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
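The reply's guess is that a custom failregex is eating the last digit of the address. The following is an added example, not from the thread or from fail2ban itself: a small harness that runs a failregex over the four log lines quoted in the report, the way `fail2ban-regex` would, with a hypothetical broken failregex (a stray `\d` after the `<host>` group, a constructed example of the kind of mistake suspected, since the real filter was not shared) beside a corrected one that anchors the host group on the port separator.

```python
import re

# The four log lines quoted in the original report (used here as sample input).
LOG_LINES = [
    "Sun Jun 28 10:46:35 2015 201.52.10.189:39679 - MBOX (root) bad login",
    "Sun Jun 28 10:42:04 2015 95.180.179.218:53539 - MBOX (root) bad login",
    "Sun Jun 28 10:47:35 2015 87.221.129.170:53538 - MBOX (root) bad login",
    "Sun Jun 28 10:49:34 2015 182.209.52.142:2935 - MBOX (support) bad login",
]

# Hypothetical broken failregex (constructed for this example): the greedy host
# group is followed by "\d:", so backtracking hands the address's last digit to
# that "\d" and the <host> capture loses it.
BROKEN_FAILREGEX = (
    r"^\S+ \S+ +\d+ [\d:]+ \d{4} (?P<host>\S+)\d:\d+ - MBOX \(\S+\) bad login$"
)

# Corrected failregex: <host> is a complete dotted quad ending right before
# the ":port" separator, so nothing after the group can steal a digit.
FIXED_FAILREGEX = (
    r"^\S+ \S+ +\d+ [\d:]+ \d{4} (?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+"
    r" - MBOX \(\S+\) bad login$"
)


def extract_hosts(failregex, lines):
    """Return the <host> capture for every line the failregex matches.

    This is the value fail2ban hands to the ban action, so it is what ends
    up in the firewall rule."""
    pattern = re.compile(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


def check_filter(failregex, lines):
    """Compare the <host> captures with the address actually present in each
    line; return the (captured, actual) pairs that disagree."""
    actual = [re.search(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+", l).group(1) for l in lines]
    captured = extract_hosts(failregex, lines)
    return [(c, a) for c, a in zip(captured, actual) if c != a]


if __name__ == "__main__":
    for name, rx in (("broken", BROKEN_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(name, extract_hosts(rx, LOG_LINES), check_filter(rx, LOG_LINES))
```

With the broken pattern every capture is one digit short, matching the truncated addresses in the Shorewall rules above; with the fixed pattern `check_filter` reports no mismatches.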
