I've been doing a little experimentation with the support for successively increasing ban times in the current 0.11 codebase and had a few observations and a question.
In an actionban, <bantime> seems to always expand to the base bantime setting. But if I expand <raw-ticket>, I see something like: BanTicket: ip=36.67.106.106 time=1553724387.566927 bantime=3000 bancount=3 #attempts=4 matches=[... Interestingly, if bancount is 1, <raw-ticket> will show bantime=None. Is there any way to just get <bantime> to show the actual time of the ban? I keep getting this error in the logs: 2019-03-27 17:16:43,472 fail2ban.observer [26876]: INFO [sshd] Found 190.248.138.82, bad - 2019-03-27 17:16:43, 1 # -> 2.0 2019-03-27 17:16:43,472 fail2ban.observer [26876]: ERROR '>=' not supported between instances of 'NoneType' and 'int' Not sure where it's coming from, though. I don't think I've ever seen an address banned for the minimum time; the observer seems to immediately bump the ban time up to the next increment. But that might be because by now this machine has already seen most addresses which are going to probe it. When I set bantime.rndtime, it appears that non-integer values get passed on to ipset which causes failures: exec: ipset add f2b-sshd 138.97.64.22 timeout 1874.0727681174424 -exist stderr: "ipset v6.38: Syntax error: '1874.0727681174424' is invalid as number" - J< _______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
