I'm using sipvicious to test that. If sipvicious sends a fast flow of SIP requests (dozens per second), fail2ban does not ban the IP address until it has reached the end of the logfile. Because fail2ban parses the logfile slower than the SIP requests are received, fail2ban does not reach the end of the logfile.

If I send SIP requests more slowly, fail2ban works correctly.

On Fri, 28 June 2019 at 14:25, BASSAGET Cédric <[email protected]> wrote:

> Hello
> I'm trying to understand why fail2ban takes too much time (> 1 sec) to
> detect that an IP address has to be banned and ban it
>
> Here's my fail2ban.log (truncated) :
> 2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
> ........ about 3000 same entries .....
> 2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
> 2019-06-28 14:12:12,092 fail2ban.actions [24709]: NOTICE [asterisk] Ban 91.121.2.x
>
> in jail.conf I have findtime=600 and maxretries=3. So ban action should be
> triggered really more quickly.
>
> Lines
>
> Any idea about what can be wrong ?
> I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and
> jail config.
>
> Regards,
> Cédric
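The delay described in this thread can be measured from fail2ban.log itself. The script below is an added example, not part of the original message or of fail2ban: for each Ban it reports how long after the Found line that reached the retry threshold the ban was logged, and how many further Found lines were logged in between. The function name `ban_lag` and the sample lines (documentation IP 192.0.2.10) are constructed for illustration, and timestamps are taken as fail2ban logged them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two fail2ban.log line shapes quoted in the message above.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban) (?P<ip>\S+)"
)

def ban_lag(lines, maxretry=3, findtime=600):
    """One record per Ban: seconds between the Found line that reached
    maxretry within findtime and the Ban, plus Found lines logged in between."""
    recent = defaultdict(deque)  # (jail, ip) -> timestamps of recent Found lines
    due = {}                     # (jail, ip) -> [threshold time, later Found count]
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["event"] == "Found":
            if key in due:       # threshold already reached, ban still pending
                due[key][1] += 1
                continue
            window = recent[key]
            window.append(ts)
            while (ts - window[0]).total_seconds() > findtime:
                window.popleft() # drop failures older than findtime
            if len(window) >= maxretry:
                due[key] = [ts, 0]
        elif key in due:         # Ban for a key whose threshold we observed
            reached, extra = due.pop(key)
            recent.pop(key, None)
            results.append({"jail": key[0], "ip": key[1],
                            "lag_seconds": round((ts - reached).total_seconds(), 3),
                            "found_after_threshold": extra})
    return results

# Constructed sample (documentation IP), same shape as the quoted log.
F = "2019-06-28 {} fail2ban.filter [24709]: INFO [asterisk] Found 192.0.2.10"
SAMPLE = [F.format(t) for t in ("14:10:30,253", "14:10:30,300", "14:10:30,350",
                                "14:11:20,000", "14:12:10,614")]
SAMPLE.append("2019-06-28 14:12:12,092 fail2ban.actions [24709]: NOTICE [asterisk] Ban 192.0.2.10")

if __name__ == "__main__":
    for record in ban_lag(SAMPLE):
        print(record)
```

A large `lag_seconds` together with a large `found_after_threshold` matches the symptom reported here: the filter is still logging Found lines long after the threshold was reached, and the Ban is logged only once it catches up.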
