Fail2ban maximum attempts

NethServer release 7.6.1810 (final)
Name : fail2ban
Arch : noarch
Version : 0.9.7
Release : 1.el7

Hi everyone, I don't understand why, having set the maximum number of attempts for the ban to 2 in the GUI, I receive a notification email where the number of attempts is 7.
The 95.x.x.x IP has just been banned from Fail2Ban later
7 attempts against apache-auth.

config getprop fail2ban MaxRetry

Can you check with this command if the attempts are correctly set?

Hi Federico, here’s how:
[root@neth7 ~]# config getprop fail2ban MaxRetry
2

Check in /etc/fail2ban/jail.local what the Max_retry of this apache jail is. You could also set a specific max_retry per jail; check:

config show fail2ban | grep Apache_MaxRetry

Then, as with all software, you could restart fail2ban:

signal-event nethserver-fail2ban-save

We are missing logs to understand if it continues; we need to cross-compare several logs:

messages
apache
fail2ban
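
The per-jail check suggested above, as an added example that is not part of the thread or of NethServer or fail2ban code: it merges jail.conf and jail.local in the order fail2ban reads them and reports where each enabled jail's effective maxretry comes from. The file contents are constructed samples, and treating a jail with no `enabled` line as disabled is an assumption.

```python
import configparser

# Constructed sample files, not the poster's real configuration.
JAIL_CONF = """
[DEFAULT]
enabled = false
maxretry = 5
[apache-auth]
enabled = true
maxretry = 6
[apache-nohome]
enabled = true
[apache-shellshock]
enabled = true
maxretry = 1
[sshd]
"""
JAIL_LOCAL = """
[DEFAULT]
maxretry = 2
"""

def effective_maxretry(sources):
    """Merge (name, text) layers in read order; return {jail: (maxretry, origin)}."""
    merged = {}  # section -> {option: (value, origin)}
    for name, text in sources:
        # [DEFAULT] is parsed as an ordinary section to separate explicit from inherited values.
        layer = configparser.RawConfigParser(default_section="__unused__")
        layer.read_string(text)
        for section in layer.sections():
            for key, value in layer.items(section):
                merged.setdefault(section, {})[key] = (value, f"{name} [{section}]")
    defaults = merged.pop("DEFAULT", {})
    report = {}
    for jail, opts in merged.items():
        enabled = (opts.get("enabled") or defaults.get("enabled") or ("false", ""))[0]
        if enabled.strip().lower() not in ("true", "yes", "1", "on"):
            continue  # assumption: a jail with no "enabled" setting is off
        value, origin = opts.get("maxretry") or defaults.get("maxretry") or (None, "unset")
        report[jail] = (int(value) if value is not None else None, origin)
    return report

def mismatches(report, expected):
    """Jails whose effective maxretry differs from the value set globally."""
    return sorted(j for j, (value, _) in report.items() if value != expected)

if __name__ == "__main__":
    rep = effective_maxretry([("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL)])
    print(rep, mismatches(rep, 2))
```

In the sample, the `[DEFAULT]` value of 2 in jail.local does not reach `apache-auth`, because the explicit per-jail value in jail.conf takes precedence over any inherited default.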

Hi stephdl

My jail.conf:

port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot
[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1

The fail2ban log is empty.

/var/log/messages:
Jun 15 21:55:54 neth7 esmith::event[8649]: [INFO] service fail2ban restart
Jun 15 21:55:54 neth7 systemd: Stopping Fail2Ban Service…
Jun 15 21:56:14 neth7 fail2ban-client: Shutdown successful
Jun 15 21:56:14 neth7 systemd: Stopped Fail2Ban Service.
Jun 15 21:56:14 neth7 systemd: Starting Fail2Ban Service…
Jun 15 21:56:15 neth7 fail2ban-client: 2019-06-15 21:56:15,478 fail2ban.server [8787]: INFO Starting Fail2ban v0.9.7
Jun 15 21:56:15 neth7 fail2ban-client: 2019-06-15 21:56:15,478 fail2ban.server [8787]: INFO Starting in daemon mode
Jun 15 21:56:16 neth7 systemd: Started Fail2Ban Service.
Jun 15 21:56:16 neth7 esmith::event[8649]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [23.370661]
Jun 15 21:56:16 neth7 esmith::event[8649]: Event: nethserver-fail2ban-save


config show fail2ban | grep Apache_MaxRetry
Apache_MaxRetry=


it should not

check /var/log/fail2ban.log

[root@neth7 log]# ls -l fail2ban.log

-rw------- 1 root root 0 Jun 13 06:03 fail2ban.log

Hi, I did further checks, and I noticed that fail2ban today has banned IP addresses that were previously banned. This time I checked ssl_access.log and ssl_error.log, but there is no trace of the attempts. I use WordPress only on the LAN, but by coincidence, a short time after I load the page, the ban emails show up again. I'm not sure, and I don't want to say something stupid, but is it possible that there is a database error or something else? I say this because the addresses are already blocked by the firewall one by one, so I wonder how it can ban an IP that doesn't reach the server. I hope I was clear, but these are my guesses!
I noticed that these emails are being sent because they are found in the ban jail. When disabling and re-enabling fail2ban, notifications are sent immediately.

Thank you