After the recent fail2ban update, I notice that an IP already banned in recidive isn't taking priority to reject the recurring IP; it seems the other jail filters, i.e. in dovecot, don't recognize that it is already banned.
Please see the log file below. I thought that when an IP is already banned in recidive, it would reject or drop that IP ahead of the other jail filters.
2017-11-22 00:44:28,409 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 00:44:28,409 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 00:44:29,062 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned
2017-11-22 01:44:28,141 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Unban 5.188.11.11
2017-11-22 01:44:28,436 fail2ban.actions [2194]: NOTICE [dovecot] Unban 5.188.11.11
2017-11-22 01:48:34,820 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 01:48:35,164 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 02:30:45,785 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 02:30:46,702 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 02:51:50,484 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 02:51:50,938 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 03:12:56,791 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 03:12:57,135 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 03:12:57,522 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Ban 5.188.11.11
2017-11-22 03:12:57,634 fail2ban.actions [2194]: NOTICE [dovecot] Ban 5.188.11.11
2017-11-22 03:12:58,023 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 03:12:58,024 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 03:12:58,067 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned
fail2ban-client status recidive
Status for the jail: recidive
|- Filter
| |- Currently failed: 7
| |- Total failed: 41
| `- File list: /var/log/fail2ban.log
`- Actions
|- Currently banned: 32
|- Total banned: 32
`- Banned IP list: 125.126.166.178 162.217.133.128 162.217.133.13 162.217.133.131 181.143.94.74 185.165.31.17 187.18.101.127 187.94.111.100 189.1.185.148 209.171.16.89 209.171.16.90 209.171.16.91 209.171.16.93 37.49.227.101 5.188.86.68 69.94.155.104 69.94.155.105 69.94.155.106 69.94.155.107 69.94.155.108 69.94.155.13 69.94.157.175 84.33.9.107 84.33.9.110 84.33.9.210 90.145.157.149 5.188.11.11 216.144.244.235 74.63.222.11 192.163.227.68
Shorewall 5.0.14.1 Chain dynamic at xxx.xxxx.com - Thu Nov 23 07:06:21 PST 2017
Counters reset Tue Nov 21 12:14:25 PST 2017
Chain dynamic (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 103.5.62.123 0.0.0.0/0
0 0 DROP all -- * * 111.181.64.71 0.0.0.0/0
0 0 DROP all -- * * 114.237.12.138 0.0.0.0/0
0 0 DROP all -- * * 154.16.138.25 0.0.0.0/0
0 0 DROP all -- * * 156.67.106.248 0.0.0.0/0
0 0 DROP all -- * * 162.144.206.206 0.0.0.0/0
0 0 DROP all -- * * 162.144.207.6 0.0.0.0/0
0 0 DROP all -- * * 168.235.81.36 0.0.0.0/0
0 0 DROP all -- * * 171.112.167.46 0.0.0.0/0
0 0 DROP all -- * * 171.112.170.220 0.0.0.0/0
0 0 DROP all -- * * 176.215.3.166 0.0.0.0/0
0 0 DROP all -- * * 178.32.68.69 0.0.0.0/0
0 0 DROP all -- * * 180.115.164.134 0.0.0.0/0
0 0 DROP all -- * * 180.141.100.95 0.0.0.0/0
0 0 DROP all -- * * 190.128.186.98 0.0.0.0/0
0 0 DROP all -- * * 193.28.86.47 0.0.0.0/0
0 0 DROP all -- * * 195.5.49.49 0.0.0.0/0
0 0 DROP all -- * * 27.16.114.157 0.0.0.0/0
0 0 DROP all -- * * 27.16.25.142 0.0.0.0/0
0 0 DROP all -- * * 27.16.25.180 0.0.0.0/0
0 0 DROP all -- * * 27.16.25.206 0.0.0.0/0
0 0 DROP all -- * * 27.16.26.165 0.0.0.0/0
0 0 DROP all -- * * 27.16.95.199 0.0.0.0/0
0 0 DROP all -- * * 41.204.40.210 0.0.0.0/0
0 0 DROP all -- * * 46.45.15.160 0.0.0.0/0
0 0 DROP all -- * * 58.50.1.14 0.0.0.0/0
0 0 DROP all -- * * 58.51.132.223 0.0.0.0/0
0 0 DROP all -- * * 58.51.135.124 0.0.0.0/0
0 0 DROP all -- * * 58.55.192.131 0.0.0.0/0
0 0 DROP all -- * * 58.55.206.207 0.0.0.0/0
0 0 DROP all -- * * 58.55.212.175 0.0.0.0/0
0 0 DROP all -- * * 59.63.248.200 0.0.0.0/0
0 0 DROP all -- * * 60.169.114.102 0.0.0.0/0
0 0 DROP all -- * * 62.106.101.103 0.0.0.0/0
0 0 DROP all -- * * 69.164.215.49 0.0.0.0/0
3 120 DROP all -- * * 80.82.77.139 0.0.0.0/0
0 0 DROP all -- * * 81.171.26.140 0.0.0.0/0
0 0 DROP all -- * * 81.171.26.155 0.0.0.0/0
0 0 DROP all -- * * 85.153.100.135 0.0.0.0/0
0 0 DROP all -- * * 85.153.100.144 0.0.0.0/0
0 0 DROP all -- * * 85.153.100.146 0.0.0.0/0
0 0 DROP all -- * * 89.163.243.155 0.0.0.0/0
0 0 DROP all -- * * 89.163.247.47 0.0.0.0/0
0 0 DROP all -- * * 89.163.249.137 0.0.0.0/0
0 0 DROP all -- * * 91.192.173.234 0.0.0.0/0
0 0 DROP all -- * * 111.176.30.232 0.0.0.0/0
0 0 DROP all -- * * 157.0.9.77 0.0.0.0/0
0 0 DROP all -- * * 171.43.13.157 0.0.0.0/0
0 0 DROP all -- * * 27.16.94.238 0.0.0.0/0
0 0 DROP all -- * * 27.218.94.2 0.0.0.0/0
4 160 DROP all -- * * 80.82.77.33 0.0.0.0/0
0 0 DROP all -- * * 114.221.150.189 0.0.0.0/0
0 0 DROP all -- * * 46.8.18.60 0.0.0.0/0
0 0 DROP all -- * * 46.8.18.69 0.0.0.0/0
0 0 DROP all -- * * 125.126.166.178 0.0.0.0/0
0 0 DROP all -- * * 162.217.133.128 0.0.0.0/0
0 0 DROP all -- * * 162.217.133.13 0.0.0.0/0
0 0 DROP all -- * * 162.217.133.131 0.0.0.0/0
0 0 DROP all -- * * 181.143.94.74 0.0.0.0/0
0 0 DROP all -- * * 185.165.31.17 0.0.0.0/0
0 0 DROP all -- * * 187.18.101.127 0.0.0.0/0
0 0 DROP all -- * * 187.94.111.100 0.0.0.0/0
0 0 DROP all -- * * 189.1.185.148 0.0.0.0/0
576 34560 DROP all -- * * 209.171.16.89 0.0.0.0/0
576 34560 DROP all -- * * 209.171.16.90 0.0.0.0/0
192 11520 DROP all -- * * 209.171.16.91 0.0.0.0/0
576 34560 DROP all -- * * 209.171.16.93 0.0.0.0/0
0 0 DROP all -- * * 37.49.227.101 0.0.0.0/0
276 16560 DROP all -- * * 5.188.86.68 0.0.0.0/0
0 0 DROP all -- * * 69.94.155.104 0.0.0.0/0
0 0 DROP all -- * * 69.94.155.105 0.0.0.0/0
0 0 DROP all -- * * 69.94.155.106 0.0.0.0/0
0 0 DROP all -- * * 69.94.155.107 0.0.0.0/0
0 0 DROP all -- * * 69.94.155.108 0.0.0.0/0
0 0 DROP all -- * * 69.94.155.13 0.0.0.0/0
0 0 DROP all -- * * 69.94.157.175 0.0.0.0/0
0 0 DROP all -- * * 84.33.9.107 0.0.0.0/0
0 0 DROP all -- * * 84.33.9.110 0.0.0.0/0
0 0 DROP all -- * * 84.33.9.210 0.0.0.0/0
0 0 DROP all -- * * 90.145.157.149 0.0.0.0/0
0 0 DROP all -- * * 216.144.244.235 0.0.0.0/0
0 0 DROP all -- * * 74.63.222.11 0.0.0.0/0
0 0 DROP all -- * * 192.163.227.68 0.0.0.0/0
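A useful first check for this symptom is to reconcile what fail2ban believes is banned with what the firewall is actually dropping: in the output quoted above, 5.188.11.11 is in recidive's "Banned IP list" but does not appear in the pasted `shorewall show dynamic` chain, and several listed addresses have DROP rules that show 0 packets. The script below is an added example, not code from the post or from fail2ban/Shorewall; it parses the two outputs (constructed samples in the same shape as the quoted ones, with a hypothetical hostname) and splits the ban list into addresses with no rule, addresses whose rule has never matched, and addresses whose rule is dropping traffic.

```python
import re
from typing import Dict, Set

# Constructed sample modelled on the `fail2ban-client status recidive` output
# quoted above (abridged to four addresses).
STATUS_OUTPUT = """\
Status for the jail: recidive
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     41
|  `- File list:        /var/log/fail2ban.log
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   209.171.16.89 37.49.227.101 5.188.86.68 5.188.11.11
"""

# Constructed sample modelled on the `shorewall show dynamic` output quoted
# above (hostname is a placeholder). 5.188.11.11 is left out on purpose,
# as in the quoted chain dump.
SHOREWALL_OUTPUT = """\
Shorewall 5.0.14.1 Chain dynamic at host.example - Thu Nov 23 07:06:21 PST 2017
Counters reset Tue Nov 21 12:14:25 PST 2017
Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source               destination
  576 34560 DROP       all  --  *      *       209.171.16.89        0.0.0.0/0
    0     0 DROP       all  --  *      *       37.49.227.101        0.0.0.0/0
  276 16560 DROP       all  --  *      *       5.188.86.68          0.0.0.0/0
    4   160 DROP       all  --  *      *       80.82.77.33          0.0.0.0/0
"""


def parse_banned_ips(status_text: str) -> Set[str]:
    """Addresses on the 'Banned IP list:' line of fail2ban-client status output."""
    for line in status_text.splitlines():
        if "Banned IP list:" in line:
            return set(line.split("Banned IP list:", 1)[1].split())
    return set()


# Columns of an iptables-style chain dump: pkts bytes target prot opt in out source destination
DROP_RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s+\S+\s*$"
)


def parse_drop_chain(chain_text: str) -> Dict[str, int]:
    """Map source address -> packets dropped for every DROP rule in the chain dump."""
    rules: Dict[str, int] = {}
    for line in chain_text.splitlines():
        m = DROP_RULE.match(line)
        if m:
            rules[m.group("src")] = int(m.group("pkts"))
    return rules


def reconcile(status_text: str, chain_text: str) -> Dict[str, list]:
    """Split recidive's ban list by what the firewall chain actually shows."""
    banned = parse_banned_ips(status_text)
    rules = parse_drop_chain(chain_text)
    return {
        # banned by fail2ban but no DROP rule at all: the ban is not enforced
        "missing_from_firewall": sorted(banned - set(rules)),
        # rule present but never matched since the counters were reset
        "rule_never_hit": sorted(ip for ip in banned if rules.get(ip) == 0),
        # rule present and dropping packets
        "enforced": sorted(ip for ip in banned if rules.get(ip, 0) > 0),
    }


if __name__ == "__main__":
    for key, ips in reconcile(STATUS_OUTPUT, SHOREWALL_OUTPUT).items():
        print(f"{key}: {' '.join(ips) or '-'}")
```

On a live host you would feed it the real outputs (`fail2ban-client status recidive` and `shorewall show dynamic`) instead of the embedded samples. An address in `missing_from_firewall` means the ban action never reached the firewall (or was flushed, e.g. by a firewall restart), which is worth checking before looking at jail interaction; `rule_never_hit` only says no packet has matched since the counters were reset, which is normal for a source that has gone quiet.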
I'm having a similar problem: these two IPs were banned by recidive yesterday, but I get emails every 30 minutes (I adjusted that setting from the default) that they're banned by postfix.
[root@neth ~]# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
| |- Currently failed: 6
| |- Total failed: 78
| `- File list: /var/log/fail2ban.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 108.60.195.213 208.53.48.218
[root@neth ~]# shorewall show dynamic
Shorewall 5.1.10.2 Chain dynamic at neth.familybrown.org - Tue Feb 20 19:24:08 EST 2018
Counters reset Mon Feb 19 14:35:38 EST 2018
Chain dynamic (9 references)
pkts bytes target prot opt in out source destination
50 3000 DROP all -- * * 108.60.195.213 0.0.0.0/0
25 1500 DROP all -- * * 208.53.48.218 0.0.0.0/0
[root@neth ~]#
I just tried un-banning them; I’ll see what happens and report further.
Edit: Well, that didn't take long; less than two minutes later, the 208. IP is already banned again.
Edit 2: ...and three minutes later, the 108. IP is banned. Both by the postfix filter.
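Both posts in this thread show the same pattern in fail2ban.log: recidive has banned an address (its action is a firewall DROP), yet a service jail (dovecot, postfix) keeps logging `Found` and `Ban` for that same address afterwards. Since a `Found` means the jail's filter matched a fresh line in the service log, that is evidence the DROP is not stopping the traffic being logged (or that old log lines are being re-read), and it is worth detecting systematically rather than by reading the log by hand. The script below is an added example, not code from either post or from fail2ban; it replays fail2ban.log lines (a constructed sample in the quoted format, using the second post's addresses with made-up timestamps), tracks which addresses currently hold a recidive ban, and reports every Found/Ban by another jail while that ban is active.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the fail2ban.log format quoted in this thread; the
# addresses are the ones from the second post, the timestamps are made up.
SAMPLE_LOG = """\
2018-02-19 15:00:01,000 fail2ban.actions [2194]: NOTICE [recidive] Ban 208.53.48.218
2018-02-19 15:00:02,000 fail2ban.actions [2194]: NOTICE [recidive] Ban 108.60.195.213
2018-02-19 16:10:05,100 fail2ban.filter [2194]: INFO [postfix] Found 208.53.48.218
2018-02-19 16:10:05,200 fail2ban.filter [2194]: INFO [postfix] Found 208.53.48.218
2018-02-19 16:10:05,300 fail2ban.actions [2194]: NOTICE [postfix] Ban 208.53.48.218
2018-02-19 16:10:06,000 fail2ban.filter [2194]: INFO [recidive] Found 208.53.48.218
2018-02-19 16:10:06,100 fail2ban.actions [2194]: NOTICE [recidive] 208.53.48.218 already banned
2018-02-19 16:40:05,000 fail2ban.actions [2194]: NOTICE [postfix] Unban 208.53.48.218
2018-02-19 17:00:00,000 fail2ban.filter [2194]: INFO [postfix] Found 192.0.2.10
2018-02-19 17:00:01,000 fail2ban.actions [2194]: NOTICE [postfix] Ban 192.0.2.10
"""

# One fail2ban.log line: timestamp, component, pid, level, [jail], then either
# "Found/Ban/Unban <ip>" or "<ip> already banned".
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[\w.-]+)\]\s+"
    r"(?:(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)|(?P<ip2>\S+)\s+already banned)$"
)


def leaks_while_banned(log_text: str, meta_jail: str = "recidive") -> List[Dict]:
    """Replay fail2ban.log and report every Found/Ban by another jail for an
    address whose ban in meta_jail (recidive by default) is active at that moment."""
    active: Dict[str, datetime] = {}   # ip -> time the meta jail banned it
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        jail, event = m.group("jail"), m.group("event")
        ip = m.group("ip") or m.group("ip2")
        if jail == meta_jail:
            if event == "Ban":
                active[ip] = ts
            elif event == "Unban":
                active.pop(ip, None)
            continue   # Found / "already banned" inside the meta jail: no state change
        if ip in active and event in ("Found", "Ban"):
            findings.append({
                "ts": m.group("ts"), "jail": jail, "event": event, "ip": ip,
                "minutes_since_ban": (ts - active[ip]).total_seconds() / 60,
            })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Number of leaked events per address."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in leaks_while_banned(SAMPLE_LOG):
        print(f"{f['ts']} [{f['jail']}] {f['event']} {f['ip']} "
              f"({f['minutes_since_ban']:.0f} min after recidive ban)")
```

Run against the real file (`leaks_while_banned(open("/var/log/fail2ban.log").read())`), the `minutes_since_ban` column is the part to look at: a burst of `Found` lines seconds after the recidive ban usually means the service log is still being scanned for lines written just before the rule landed, whereas hits hours later, as in both posts here, mean new connections are still being logged and the firewall rule for that address should be inspected (the previous example's reconciliation is the natural next step). The script only trusts `Ban`/`Unban` lines from the meta jail for state, so a jail's `already banned` notices do not skew the result.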