On Sun, 17 Jan 2021, James Moe via Fail2ban-users wrote:
On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote:
We have a regex that "matches" but I watch fail2ban.log with "tail
-F" and I watch match and match and match
and not ban.
I see a similar pattern here for this reason: When f2b scans a log file it
finds multiple log entries of an attack, and lists them all as an INFO. Then at
the end of the scan, the IP is banned.
Your f2b log shows f2b was restarted before the scan was finished. After the
restart, the scan continued and the IP was ultimately banned.
So, what ends the scan?
From what you're saying it sounds like fail2ban has to hit the EOF marker,
which would imply as long as one could fill the logs faster than fail2ban
can count, you can evade a block.
These are often very fast scans, attempts to push dozens or hundreds of
registrations/calls through our asterisk server all at once. (Yes, it has
to be public for historic reasons -- we have a global userbase).
Note: I watched the logs for at least ten seconds waiting for something to
happen, with screenfuls of the same ip not blocking. I gave it a good
shot to catch itself before restarting.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
