Hi James

Here is one possibility:

Sometimes, if fail2ban is very busy it can take a while to actually run the
"ban" command. So even though the program thinks it's banned the IP, it's
still in the queue to do it.

During that time, the IP address isn't banned - so it can still attack you
and fail2ban can then find it again. But fail2ban will say it's been banned.

Once the ban command has been executed, it won't be able to attack you any
more so it won't be "found" again and again.

Am I making sense?

But I've noticed that these IP addresses are still being found several
minutes later. That indicates that it's not what I'm saying. When it's just
"busy" like I said above, you only normally find extra log entries for a
minute or so.

So, what else could it be? It could be that the attacker is using ports
that weren't banned by fail2ban - your rule tells it to block the IP
address from using 3 different ports (think of ports as "access points" to
particular programs). So those IP addresses might be able to use other
methods of attacking you.

Is this happening to every IP address that's banned? Or just a few?

Are you comfortable running commands in a terminal window?

Could you perhaps run this command and paste in the output:

grep 200.29.108.214 /usr/local/bin/assp2/logs/maillog.txt

This will search your mail log just for the entries from that specific IP
address, so we can see what it's doing to you.

There might be lots of entries - if you want, you can just include log
entries from 24 August. Obviously remove any private information.

This will tell us whether there are different ports or types of attack
happening.

Also, could you do a command to search your fail2ban logs so we can see
exactly how many times that IP address has been found?

Here's the command:

grep 200.29.108.214 /var/log/fail2ban.log

(Unless your fail2ban log is in a different place).

It might be easy to find what's happened or it might be difficult:
normally, annoying problems like this are caused by a tiny mistake in a
.conf file that takes ages to find :-)

Tony

On Fri, 24 Aug 2018 at 19:50, James Moe via Fail2ban-users <
[email protected]> wrote:

>
> fail2ban v0.10.3
> linux 4.12.14-lp150.12.7-default x86_64
>
>   I do not understand what the entries below are telling me.
>   If the IP is banned, how is it found in the logs?
>
>
> ----[ log entries ]----
> 2018-08-24 11:08:31,129 fail2ban.filter         [25601]: INFO    [assp]
> Found 200.29.108.214 - 2018-08-24 11:08:30
> 2018-08-24 11:08:31,430 fail2ban.actions        [25601]: WARNING [assp]
> 200.29.108.214 already banned
>
> 2018-08-24 11:09:52,269 fail2ban.filter         [25601]: INFO
> [suricata] Found 180.76.52.236 - 2018-08-24 11:09:52
> 2018-08-24 11:09:52,573 fail2ban.actions        [25601]: WARNING
> [suricata] 180.76.52.236 already banned
>
> 2018-08-24 11:12:44,775 fail2ban.filter         [25601]: INFO    [assp]
> Found 80.82.70.225 - 2018-08-24 11:12:43
> 2018-08-24 11:12:45,299 fail2ban.actions        [25601]: WARNING [assp]
> 80.82.70.225 already banned
> ----[ end ]----
>
> ----[ jail rules ]----
> [assp]
> enabled  = true
> port     = smtp,465,submission
> logpath  = /usr/local/bin/assp2/logs/maillog.txt
> datepattern = %%Y-%%m-%%d_%%H:%%M:%%S
> #
> bantime = 1w
> maxretry = 2
> findtime = 8h
> action = iptables-multiport[name=assp, port="smtp,465,submission",
> protocol=tcp]
> #        sendmail-whois[name=assp, [email protected],
> [email protected]]
>
>
> [suricata]
> enabled  = true
> port     = smtp,465,submission
> logpath  = /data01/var/log/suricata/fast.log
> datepattern = %%m/%%d/%%Y-%%H:%%M:%%S
> #
> bantime = 1w
> maxretry = 2
> findtime = 24h
> action = iptables-multiport[name=suricata, port="smtp,465,submission",
> protocol=tcp]
> ----[ end ]----
>
> ----[ status results ]----
> Status for the jail: assp
> |- Filter
> |  |- Currently failed: 30
> |  |- Total failed:     2726
> |  `- File list:        /usr/local/bin/assp2/logs/maillog.txt
> `- Actions
>    |- Currently banned: 96
>    |- Total banned:     136
> Status for the jail: suricata
> |- Filter
> |  |- Currently failed: 111
> |  |- Total failed:     1883
> |  `- File list:        /data01/var/log/suricata/fast.log
> `- Actions
>    |- Currently banned: 400
>    |- Total banned:     412
> ----[ end ]----
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
-- 
-- Tony Collins
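As an added example (not from this thread or the fail2ban project), a small Python script that applies Tony's two explanations to the log format James quoted: it parses fail2ban's own log, pairs each "already banned" warning with the earlier "Ban" line for that IP in the same jail, and reports whether the repeats fall within the minute or so a busy action queue would explain, or come minutes later. The NOTICE "Ban" line, the 60-second window and the sample lines (with the mailer's line wrapping undone) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in fail2ban 0.10 log format: the Found / "already banned" lines
# mirror those quoted in the thread; the NOTICE "Ban" line is assumed (not in the post).
SAMPLE_LOG = """\
2018-08-24 10:58:11,118 fail2ban.filter         [25601]: INFO    [assp] Found 200.29.108.214 - 2018-08-24 10:58:10
2018-08-24 10:58:11,300 fail2ban.actions        [25601]: NOTICE  [assp] Ban 200.29.108.214
2018-08-24 10:58:40,129 fail2ban.filter         [25601]: INFO    [assp] Found 200.29.108.214 - 2018-08-24 10:58:39
2018-08-24 10:58:40,430 fail2ban.actions        [25601]: WARNING [assp] 200.29.108.214 already banned
2018-08-24 11:08:31,129 fail2ban.filter         [25601]: INFO    [assp] Found 200.29.108.214 - 2018-08-24 11:08:30
2018-08-24 11:08:31,430 fail2ban.actions        [25601]: WARNING [assp] 200.29.108.214 already banned
2018-08-24 11:12:44,775 fail2ban.filter         [25601]: INFO    [assp] Found 80.82.70.225 - 2018-08-24 11:12:43
2018-08-24 11:12:45,299 fail2ban.actions        [25601]: WARNING [assp] 80.82.70.225 already banned
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: "
                     r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<msg>.*)$")
QUEUE_WINDOW_S = 60  # Tony's rule of thumb: queue latency explains repeats for "a minute or so"

def analyse(log_text):
    """Per (jail, ip): Found count, Ban time, and seconds-after-Ban of each
    'already banned' repeat (None when no Ban line was seen for that ip)."""
    stats = defaultdict(lambda: {"found": 0, "ban_at": None, "repeats": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        words = m["msg"].split()
        if words[0] == "Found":
            stats[(m["jail"], words[1])]["found"] += 1
        elif words[0] == "Ban":
            stats[(m["jail"], words[1])]["ban_at"] = ts
        elif words[1:] == ["already", "banned"]:
            e = stats[(m["jail"], words[0])]
            e["repeats"].append(None if e["ban_at"] is None
                                else (ts - e["ban_at"]).total_seconds())
    return stats

def verdict(entry):
    """Map the repeat timings onto the two explanations given in the thread."""
    reps = entry["repeats"]
    if not reps:
        return "no repeats"
    if None in reps:
        return "no Ban line in this log (rotated out? bantime is 1w): rerun over older logs"
    if max(reps) <= QUEUE_WINDOW_S:
        return "repeats within a minute of Ban: consistent with a busy action queue"
    return "repeats minutes after Ban: traffic still arrives on ports the action does not block"
```

Run it over the real /var/log/fail2ban.log (and its rotated copies) with `analyse(open(path).read())` and print `verdict()` per IP to see which case applies.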