Fail2ban - recidive filter not working?

fail2ban

(Reggie Ho) #1

After the recent fail2ban update… I notice that an IP already banned by recidive isn't taking priority to reject the re-occurring IP; it seems the other jail filters, i.e. dovecot, are not recognizing that it is already banned.

Please see the log file below… I thought that when an IP is already banned in recidive, it would reject or drop that IP ahead of the other jail filters…

2017-11-22 00:44:28,409 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 00:44:28,409 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 00:44:29,062 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned
2017-11-22 01:44:28,141 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Unban 5.188.11.11
2017-11-22 01:44:28,436 fail2ban.actions [2194]: NOTICE [dovecot] Unban 5.188.11.11
2017-11-22 01:48:34,820 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 01:48:35,164 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 02:30:45,785 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 02:30:46,702 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 02:51:50,484 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 02:51:50,938 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 03:12:56,791 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 03:12:57,135 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 03:12:57,522 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Ban 5.188.11.11
2017-11-22 03:12:57,634 fail2ban.actions [2194]: NOTICE [dovecot] Ban 5.188.11.11
2017-11-22 03:12:58,023 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 03:12:58,024 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 03:12:58,067 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned


(Stéphane de Labrusse) #2

Please issue

fail2ban-client status recidive

and

shorewall show dynamic


(Reggie Ho) #3

fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed:	7
|  |- Total failed:	41
|  `- File list:	/var/log/fail2ban.log
`- Actions
   |- Currently banned:	32
   |- Total banned:	32
   `- Banned IP list:	125.126.166.178 162.217.133.128 162.217.133.13 162.217.133.131 181.143.94.74 185.165.31.17 187.18.101.127 187.94.111.100 189.1.185.148 209.171.16.89 209.171.16.90 209.171.16.91 209.171.16.93 37.49.227.101 5.188.86.68 69.94.155.104 69.94.155.105 69.94.155.106 69.94.155.107 69.94.155.108 69.94.155.13 69.94.157.175 84.33.9.107 84.33.9.110 84.33.9.210 90.145.157.149 5.188.11.11 216.144.244.235 74.63.222.11 192.163.227.68

Shorewall 5.0.14.1 Chain dynamic at xxx.xxxx.com - Thu Nov 23 07:06:21 PST 2017

Counters reset Tue Nov 21 12:14:25 PST 2017

Chain dynamic (5 references)
pkts bytes target prot opt in out source destination

Thanks again for your prompt response…


(Stéphane de Labrusse) #4

As you can see, the IP 5.188.11.11 is banned in the recidive jail, but I cannot find it in the shorewall list.


(Stéphane de Labrusse) #5

Try to unban this IP:

fail2ban-unban 5.188.11.11

or try to restart fail2ban:

signal-event nethserver-fail2ban-save


(Reggie Ho) #6

Thanks… I'll give that a try…
But I may have to wait until the next IP attack… I'll keep monitoring…
Appreciate your assistance… Cheers


(Dan) #7

I'm having a similar problem: these two IPs were banned by recidive yesterday, but I get emails every 30 minutes (I adjusted that setting from the default) that they're banned by postfix.

[root@neth ~]# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed:	6
|  |- Total failed:	78
|  `- File list:	/var/log/fail2ban.log
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	108.60.195.213 208.53.48.218
[root@neth ~]# shorewall show dynamic
Shorewall 5.1.10.2 Chain dynamic at neth.familybrown.org - Tue Feb 20 19:24:08 EST 2018

Counters reset Mon Feb 19 14:35:38 EST 2018

Chain dynamic (9 references)
 pkts bytes target     prot opt in     out     source               destination         
   50  3000 DROP       all  --  *      *       108.60.195.213       0.0.0.0/0           
   25  1500 DROP       all  --  *      *       208.53.48.218        0.0.0.0/0           

[root@neth ~]# 

I just tried un-banning them; I’ll see what happens and report further.

Edit: Well, that didn't take long: less than two minutes later, the 208. IP is already banned again.

Edit 2: …and three minutes later, the 108. IP is banned. Both by the postfix filter.


(Reggie Ho) #8

Try running

 shorewall show dynamic

and see whether the 2 IPs are also showing in the list…
Otherwise, maybe restart fail2ban using

signal-event nethserver-fail2ban-save

(Stéphane de Labrusse) #9

I just noticed it yesterday. Take a look at the fail2ban log: the IP is unbanned even though the relevant IP is still banned in recidive… I'm watching it.

As a side note, you have a wrapper to check all jails and banned IPs:

fail2ban-listban
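The two checks made by hand in this thread (post #4 comparing the recidive ban list with the shorewall dynamic chain, and post #9 spotting an unban by another jail while recidive still holds the IP) can be scripted over the same outputs. This is an added example, not code from the thread, NethServer or fail2ban; it assumes the log and status formats quoted above, and the sample inputs are constructed from them. The second check matters because jails that share one firewall action (a single shorewall dynamic chain) share one rule per IP, so an unban by dovecot can remove the block that recidive still counts on.

```python
# Added example (not code from the thread, NethServer or fail2ban): cross-check
# the recidive jail against the firewall and against fail2ban's own log.
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# fail2ban.actions NOTICE lines: "[jail] Ban <ip>", "[jail] Unban <ip>", "[jail] <ip> already banned"
ACTION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?:(?P<event>Ban|Unban) (?P<ip>\S+)|(?P<ip2>\S+) already banned)$")

def recidive_not_in_firewall(status_out, shorewall_out):
    """Recidive 'Banned IP list:' entries with no DROP rule in `shorewall show dynamic` (post #4)."""
    banned = set()
    for line in status_out.splitlines():
        if "Banned IP list:" in line:
            banned.update(IP_RE.findall(line.split("Banned IP list:", 1)[1]))
    # In a rule row the first IP is the source column; 0.0.0.0/0 comes later.
    dropped = {IP_RE.findall(line)[0] for line in shorewall_out.splitlines()
               if " DROP " in line and IP_RE.search(line)}
    return banned - dropped

def unban_while_recidive_banned(log_text):
    """(ts, jail, ip) for each Unban by another jail of an IP recidive still holds banned (post #9)."""
    held, findings = set(), []
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue
        jail, ip = m["jail"], m["ip"] or m["ip2"]
        event = m["event"] or "Ban"  # "already banned" confirms recidive still holds it
        if jail == "recidive":
            (held.add if event == "Ban" else held.discard)(ip)
        elif event == "Unban" and ip in held:
            findings.append((m["ts"], jail, ip))
    return findings

# Constructed samples, patterned on the output quoted in the thread.
SAMPLE_STATUS = "Status for the jail: recidive\n`- Actions\n   `- Banned IP list:\t5.188.86.68 5.188.11.11 209.171.16.89\n"
SAMPLE_SHOREWALL = ("Chain dynamic (5 references)\n pkts bytes target prot opt in out source destination\n"
                    "  276 16560 DROP all -- * * 5.188.86.68 0.0.0.0/0\n"
                    "  576 34560 DROP all -- * * 209.171.16.89 0.0.0.0/0\n")
SAMPLE_LOG = "\n".join([
    "2017-11-21 23:50:00,000 fail2ban.actions [2194]: NOTICE [recidive] Ban 5.188.11.11",
    "2017-11-22 00:44:29,062 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned",
    "2017-11-22 01:44:28,141 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Unban 5.188.11.11",
    "2017-11-22 01:44:28,436 fail2ban.actions [2194]: NOTICE [dovecot] Unban 5.188.11.11",
])

if __name__ == "__main__":
    print("banned by recidive, no firewall rule:", recidive_not_in_firewall(SAMPLE_STATUS, SAMPLE_SHOREWALL))
    for ts, jail, ip in unban_while_recidive_banned(SAMPLE_LOG):
        print(f"{ts} [{jail}] unbanned {ip} while recidive still bans it")
```

On a live host, feed the functions the real output of `fail2ban-client status recidive`, `shorewall show dynamic` and the contents of /var/log/fail2ban.log instead of the samples.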


(Dan) #10

Do you need further testing or information?


(Stéphane de Labrusse) #11

Nothing more on ns7 yet, but I would be pleased if the issue is reproducible in ns6.