Fail2ban - Recidive filter not banning IPs

fail2ban
v7

(Reggie Ho) #1

NethServer Version: 7.4.1708
Module: fail2ban

Seems like the fail2ban recidive filter is not working, after the recent updates of the fail2ban-module.

Referring to the sample portion of the fail2ban log below:

IPs 181.143.79.106, 123.160.248.133, 192.69.93.24 … were also found by the recidive filter; they were BANNED by the postfix-ddos filter and unbanned in an hour … Seems like the recidive filter did not ban them.
Why isn’t the recidive filter banning these IPs?

The recidive’s bantime was set at 1209600 (see below)

fail2ban-client get recidive bantime
1209600

-*****************************************-

2018-04-25 21:37:15,398 fail2ban.filter [31210]: INFO [postfix-ddos] Found 181.143.79.106
2018-04-25 21:37:15,399 fail2ban.filter [31210]: INFO [postfix-ddos] Found 181.143.79.106
2018-04-25 21:37:16,402 fail2ban.filter [31210]: INFO [postfix-ddos] Found 181.143.79.106
2018-04-25 21:37:17,404 fail2ban.filter [31210]: INFO [postfix-ddos] Found 181.143.79.106
2018-04-25 21:37:17,406 fail2ban.filter [31210]: INFO [postfix-ddos] Found 181.143.79.106
2018-04-25 21:37:17,957 fail2ban.actions [31210]: NOTICE [postfix-ddos] Ban 181.143.79.106
2018-04-25 21:37:18,080 fail2ban.filter [31210]: INFO [recidive] Found 181.143.79.106
2018-04-25 21:47:32,137 fail2ban.filter [31210]: INFO [postfix] Found 154.16.116.241
2018-04-25 22:19:08,825 fail2ban.filter [31210]: INFO [postfix-ddos] Found 123.160.248.133
2018-04-25 22:19:15,835 fail2ban.filter [31210]: INFO [postfix-ddos] Found 123.160.248.133
2018-04-25 22:19:27,846 fail2ban.filter [31210]: INFO [postfix-ddos] Found 123.160.248.133
2018-04-25 22:20:25,908 fail2ban.filter [31210]: INFO [postfix-ddos] Found 123.160.248.133
2018-04-25 22:20:26,642 fail2ban.actions [31210]: NOTICE [postfix-ddos] Ban 123.160.248.133
2018-04-25 22:20:27,528 fail2ban.filter [31210]: INFO [recidive] Found 123.160.248.133
2018-04-25 22:37:18,330 fail2ban.actions [31210]: NOTICE [postfix-ddos] Unban 181.143.79.106
2018-04-25 23:20:27,030 fail2ban.actions [31210]: NOTICE [postfix-ddos] Unban 123.160.248.133
2018-04-26 00:26:53,091 fail2ban.filter [31210]: INFO [postfix-ddos] Found 177.91.117.124
2018-04-26 01:12:01,747 fail2ban.filter [31210]: INFO [postfix] Found 223.73.176.229
2018-04-26 01:12:40,942 fail2ban.filter [31210]: INFO [postfix] Found 223.73.176.229
2018-04-26 02:04:11,670 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:11,670 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:12,673 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:12,674 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:12,674 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:13,537 fail2ban.actions [31210]: NOTICE [postfix-ddos] Ban 192.69.93.24
2018-04-26 02:04:13,689 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:13,690 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:13,691 fail2ban.filter [31210]: INFO [postfix-ddos] Found 192.69.93.24
2018-04-26 02:04:14,088 fail2ban.filter [31210]: INFO [recidive] Found 192.69.93.24
2018-04-26 02:20:53,303 fail2ban.filter [31210]: INFO [dovecot] Found 103.69.23.37
2018-04-26 02:20:53,457 fail2ban.filter [31210]: INFO [pam-generic-nethserver] Found 103.69.23.37
2018-04-26 02:21:00,288 fail2ban.filter [31210]: INFO [dovecot] Found 103.69.23.37
2018-04-26 02:21:00,464 fail2ban.filter [31210]: INFO [pam-generic-nethserver] Found 103.69.23.37
2018-04-26 02:21:02,607 fail2ban.filter [31210]: INFO [postfix-ddos] Found 103.69.23.37
2018-04-26 02:37:46,566 fail2ban.filter [31210]: INFO [dovecot] Found 83.76.64.77
2018-04-26 02:37:47,380 fail2ban.filter [31210]: INFO [pam-generic-nethserver] Found 83.76.64.77
2018-04-26 02:37:52,687 fail2ban.filter [31210]: INFO [dovecot] Found 83.76.64.77
2018-04-26 02:37:53,387 fail2ban.filter [31210]: INFO [pam-generic-nethserver] Found 83.76.64.77
2018-04-26 02:37:54,575 fail2ban.filter [31210]: INFO [postfix-ddos] Found 83.76.64.77
2018-04-26 03:04:13,754 fail2ban.actions [31210]: NOTICE [postfix-ddos] Unban 192.69.93.24


(Stéphane de Labrusse) #2

As you can see, after a jail ban you then match the recidive jail (recidive found); it is not a recidive ban. After several recidive found, the recidive jail then bans.
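
The mechanism described in reply #2, as an added example that is not part of the original thread: it counts `[recidive] Found` lines per IP in a fail2ban log and reports whether the count reaches the recidive jail's maxretry within findtime. The `maxretry=5` and `findtime=86400` defaults are assumptions (read the real values with `fail2ban-client get recidive maxretry` and `fail2ban-client get recidive findtime`), and the 203.0.113.7 lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches fail2ban.log lines such as:
# 2018-04-25 21:37:18,080 fail2ban.filter [31210]: INFO [recidive] Found 181.143.79.106
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.\w+\s+"
    r"\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

def recidive_status(log_text, maxretry=5, findtime=86400):
    """Return {ip: (peak recidive 'Found' count in any findtime window, would_ban)}.

    maxretry and findtime defaults are assumed values, not read from the jail.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)     # highest in-window count seen per IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Only the recidive jail's own "Found" lines count toward a recidive ban;
        # a "Ban" in another jail merely produces one such "Found".
        if not m or m["jail"] != "recidive" or m["event"] != "Found":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = hits[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop hits older than findtime
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: (n, n >= maxretry) for ip, n in peak.items()}

# First three lines are taken from the log in post #1.
SAMPLE = """\
2018-04-25 21:37:17,957 fail2ban.actions [31210]: NOTICE [postfix-ddos] Ban 181.143.79.106
2018-04-25 21:37:18,080 fail2ban.filter [31210]: INFO [recidive] Found 181.143.79.106
2018-04-25 22:37:18,330 fail2ban.actions [31210]: NOTICE [postfix-ddos] Unban 181.143.79.106
"""
# Constructed lines: one IP banned by other jails five times in five hours.
SAMPLE += "".join(
    f"2018-04-26 0{h}:00:00,000 fail2ban.filter [31210]: INFO [recidive] Found 203.0.113.7\n"
    for h in range(1, 6)
)

if __name__ == "__main__":
    for ip, (n, ban) in recidive_status(SAMPLE).items():
        print(f"{ip}: {n} recidive hit(s) in window -> {'ban' if ban else 'no ban yet'}")
```
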


(Reggie Ho) #3

Thanks… oops… I misread the report… you are right…>R


(Stéphane de Labrusse) #4

No problem, please continue to watch logs