Fail2ban - recidive filter not working?

rmk (Reggie Ho) 2017-11-23 14:08:36 UTC #1

After the recent fail2ban update… I notice the IP is already in recidive ban isn’t taking priority to reject re-occuring IP, it seems the other jail filters ie in dovecot not recognizing that it already banned.

Pls see the log file below… I thought when an IP already banned in recidive, it would reject or drop that IP over other Jail filters…

2017-11-22 00:44:28,409 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 00:44:28,409 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 00:44:29,062 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned
2017-11-22 01:44:28,141 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Unban 5.188.11.11
2017-11-22 01:44:28,436 fail2ban.actions [2194]: NOTICE [dovecot] Unban 5.188.11.11
2017-11-22 01:48:34,820 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 01:48:35,164 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 02:30:45,785 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 02:30:46,702 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11 2017-11-22 02:51:50,484 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11
2017-11-22 02:51:50,938 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 03:12:56,791 fail2ban.filter [2194]: INFO [dovecot] Found 5.188.11.11 2017-11-22 03:12:57,135 fail2ban.filter [2194]: INFO [dovecot-nethserver] Found 5.188.11.11
2017-11-22 03:12:57,522 fail2ban.actions [2194]: NOTICE [dovecot-nethserver] Ban 5.188.11.11 2017-11-22 03:12:57,634 fail2ban.actions [2194]: NOTICE [dovecot] Ban 5.188.11.11
2017-11-22 03:12:58,023 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 03:12:58,024 fail2ban.filter [2194]: INFO [recidive] Found 5.188.11.11
2017-11-22 03:12:58,067 fail2ban.actions [2194]: NOTICE [recidive] 5.188.11.11 already banned

stephdl (Stéphane de Labrusse) 2017-11-23 14:49:50 UTC #2

please issue

fail2ban-client status recidive

and

shorewall show dynamic

rmk (Reggie Ho) 2017-11-23 15:09:32 UTC #3

fail2ban-client status recidive
Status for the jail: recidive
|- Filter
| |- Currently failed: 7
| |- Total failed: 41
| - File list: /var/log/fail2ban.log- Actions
|- Currently banned: 32
|- Total banned: 32
`- Banned IP list: 125.126.166.178 162.217.133.128 162.217.133.13 162.217.133.131 181.143.94.74 185.165.31.17 187.18.101.127 187.94.111.100 189.1.185.148 209.171.16.89 209.171.16.90 209.171.16.91 209.171.16.93 37.49.227.101 5.188.86.68 69.94.155.104 69.94.155.105 69.94.155.106 69.94.155.107 69.94.155.108 69.94.155.13 69.94.157.175 84.33.9.107 84.33.9.110 84.33.9.210 90.145.157.149 5.188.11.11 216.144.244.235 74.63.222.11 192.163.227.68

Shorewall 5.0.14.1 Chain dynamic at xxx.xxxx.com - Thu Nov 23 07:06:21 PST 2017

Counters reset Tue Nov 21 12:14:25 PST 2017

Chain dynamic (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * * 103.5.62.123 0.0.0.0/0
0 0 DROP all – * * 111.181.64.71 0.0.0.0/0
0 0 DROP all – * * 114.237.12.138 0.0.0.0/0
0 0 DROP all – * * 154.16.138.25 0.0.0.0/0
0 0 DROP all – * * 156.67.106.248 0.0.0.0/0
0 0 DROP all – * * 162.144.206.206 0.0.0.0/0
0 0 DROP all – * * 162.144.207.6 0.0.0.0/0
0 0 DROP all – * * 168.235.81.36 0.0.0.0/0
0 0 DROP all – * * 171.112.167.46 0.0.0.0/0
0 0 DROP all – * * 171.112.170.220 0.0.0.0/0
0 0 DROP all – * * 176.215.3.166 0.0.0.0/0
0 0 DROP all – * * 178.32.68.69 0.0.0.0/0
0 0 DROP all – * * 180.115.164.134 0.0.0.0/0
0 0 DROP all – * * 180.141.100.95 0.0.0.0/0
0 0 DROP all – * * 190.128.186.98 0.0.0.0/0
0 0 DROP all – * * 193.28.86.47 0.0.0.0/0
0 0 DROP all – * * 195.5.49.49 0.0.0.0/0
0 0 DROP all – * * 27.16.114.157 0.0.0.0/0
0 0 DROP all – * * 27.16.25.142 0.0.0.0/0
0 0 DROP all – * * 27.16.25.180 0.0.0.0/0
0 0 DROP all – * * 27.16.25.206 0.0.0.0/0
0 0 DROP all – * * 27.16.26.165 0.0.0.0/0
0 0 DROP all – * * 27.16.95.199 0.0.0.0/0
0 0 DROP all – * * 41.204.40.210 0.0.0.0/0
0 0 DROP all – * * 46.45.15.160 0.0.0.0/0
0 0 DROP all – * * 58.50.1.14 0.0.0.0/0
0 0 DROP all – * * 58.51.132.223 0.0.0.0/0
0 0 DROP all – * * 58.51.135.124 0.0.0.0/0
0 0 DROP all – * * 58.55.192.131 0.0.0.0/0
0 0 DROP all – * * 58.55.206.207 0.0.0.0/0
0 0 DROP all – * * 58.55.212.175 0.0.0.0/0
0 0 DROP all – * * 59.63.248.200 0.0.0.0/0
0 0 DROP all – * * 60.169.114.102 0.0.0.0/0
0 0 DROP all – * * 62.106.101.103 0.0.0.0/0
0 0 DROP all – * * 69.164.215.49 0.0.0.0/0
3 120 DROP all – * * 80.82.77.139 0.0.0.0/0
0 0 DROP all – * * 81.171.26.140 0.0.0.0/0
0 0 DROP all – * * 81.171.26.155 0.0.0.0/0
0 0 DROP all – * * 85.153.100.135 0.0.0.0/0
0 0 DROP all – * * 85.153.100.144 0.0.0.0/0
0 0 DROP all – * * 85.153.100.146 0.0.0.0/0
0 0 DROP all – * * 89.163.243.155 0.0.0.0/0
0 0 DROP all – * * 89.163.247.47 0.0.0.0/0
0 0 DROP all – * * 89.163.249.137 0.0.0.0/0
0 0 DROP all – * * 91.192.173.234 0.0.0.0/0
0 0 DROP all – * * 111.176.30.232 0.0.0.0/0
0 0 DROP all – * * 157.0.9.77 0.0.0.0/0
0 0 DROP all – * * 171.43.13.157 0.0.0.0/0
0 0 DROP all – * * 27.16.94.238 0.0.0.0/0
0 0 DROP all – * * 27.218.94.2 0.0.0.0/0
4 160 DROP all – * * 80.82.77.33 0.0.0.0/0
0 0 DROP all – * * 114.221.150.189 0.0.0.0/0
0 0 DROP all – * * 46.8.18.60 0.0.0.0/0
0 0 DROP all – * * 46.8.18.69 0.0.0.0/0
0 0 DROP all – * * 125.126.166.178 0.0.0.0/0
0 0 DROP all – * * 162.217.133.128 0.0.0.0/0
0 0 DROP all – * * 162.217.133.13 0.0.0.0/0
0 0 DROP all – * * 162.217.133.131 0.0.0.0/0
0 0 DROP all – * * 181.143.94.74 0.0.0.0/0
0 0 DROP all – * * 185.165.31.17 0.0.0.0/0
0 0 DROP all – * * 187.18.101.127 0.0.0.0/0
0 0 DROP all – * * 187.94.111.100 0.0.0.0/0
0 0 DROP all – * * 189.1.185.148 0.0.0.0/0
576 34560 DROP all – * * 209.171.16.89 0.0.0.0/0
576 34560 DROP all – * * 209.171.16.90 0.0.0.0/0
192 11520 DROP all – * * 209.171.16.91 0.0.0.0/0
576 34560 DROP all – * * 209.171.16.93 0.0.0.0/0
0 0 DROP all – * * 37.49.227.101 0.0.0.0/0
276 16560 DROP all – * * 5.188.86.68 0.0.0.0/0
0 0 DROP all – * * 69.94.155.104 0.0.0.0/0
0 0 DROP all – * * 69.94.155.105 0.0.0.0/0
0 0 DROP all – * * 69.94.155.106 0.0.0.0/0
0 0 DROP all – * * 69.94.155.107 0.0.0.0/0
0 0 DROP all – * * 69.94.155.108 0.0.0.0/0
0 0 DROP all – * * 69.94.155.13 0.0.0.0/0
0 0 DROP all – * * 69.94.157.175 0.0.0.0/0
0 0 DROP all – * * 84.33.9.107 0.0.0.0/0
0 0 DROP all – * * 84.33.9.110 0.0.0.0/0
0 0 DROP all – * * 84.33.9.210 0.0.0.0/0
0 0 DROP all – * * 90.145.157.149 0.0.0.0/0
0 0 DROP all – * * 216.144.244.235 0.0.0.0/0
0 0 DROP all – * * 74.63.222.11 0.0.0.0/0
0 0 DROP all – * * 192.163.227.68 0.0.0.0/0

Thanks again for your prompt response…

stephdl (Stéphane de Labrusse) 2017-11-23 15:18:30 UTC #4

like you can see the ip 5.188.11.11 is banned in the recidive jail, but i cannot find it in the shorewall list

stephdl (Stéphane de Labrusse) 2017-11-23 15:33:36 UTC #5

try to unban this IP

fail2ban-unban 5.188.11.11

or try to restart fail2ban

signal-event nethserver-fail2ban-save

rmk (Reggie Ho) 2017-11-23 15:36:13 UTC #6

Thanks… I’d give that a try…
But may have to wait until the next IP attack… I’d keep monitoring…
Appreciate your assistance… Cheers

danb35 (Dan) 2018-02-21 00:27:22 UTC #7

I’m having a similar problem–these two IPs were banned by recidive yesterday, but I get emails every 30 minutes (I adjusted that setting from default) that they’re banned by postfix.

[root@neth ~]# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed:	6
|  |- Total failed:	78
|  `- File list:	/var/log/fail2ban.log
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	108.60.195.213 208.53.48.218
[root@neth ~]# shorewall show dynamic
Shorewall 5.1.10.2 Chain dynamic at neth.familybrown.org - Tue Feb 20 19:24:08 EST 2018

Counters reset Mon Feb 19 14:35:38 EST 2018

Chain dynamic (9 references)
 pkts bytes target     prot opt in     out     source               destination         
   50  3000 DROP       all  --  *      *       108.60.195.213       0.0.0.0/0           
   25  1500 DROP       all  --  *      *       208.53.48.218        0.0.0.0/0           

[root@neth ~]#

I just tried un-banning them; I’ll see what happens and report further.

Edit: Well, that didn’t take long–less than two minutes later, and the 208. IP is already banned again.

Edit 2: …and three minutes later, the 108. IP is banned. Both by the postfix filter.

rmk (Reggie Ho) 2018-02-21 02:49:12 UTC #8

Try running

 shorewall show dynamic

and see whether that the 2 IPs are also showing in the list…
otherwise maybe restart fail2ban … using

signal-event nethserver-fail2ban-save

stephdl (Stéphane de Labrusse) 2018-02-21 08:45:39 UTC #9

I just noticed it yesterday, take a look to the fail2ban log, the Ip is unbanned even if the relevant IP is still banned in recidive…I’m watching it

as a side note you have a wrapper to check all jails and banned IP

fail2ban-listban

danb35 (Dan) 2018-02-21 13:18:00 UTC #10

Do you need further testing or information?

stephdl (Stéphane de Labrusse) 2018-02-21 16:32:17 UTC #11

Nothing more on ns7 yet but I would be pleased if the issue is reproducible in ns6.