It is all to do with the sequence of events on your box and which
element f2b is trying to detect. As an example I've just had a
similar message with the postfix-sasl jail. An IP made a connection
at 13:43:38 and failed authentication in /var/log/secure at 13:43:38
and 13:43:41. These failures hit the maillog at 13:43:41 and
13:43:43. F2b is detecting based on maillog messages (there is no IP
information in the secure log). F2b found the first failure in the
maillog at 13:43:41,003 and immediately banned at 13:43:41,117. It
then found the second failure at 13:43:43,298 but as the IP was
already banned at that point, at 13:43:44,223 I received the
"already banned" message.

It can happen more on disconnect type of events as well, as you may
already have existing open connections when f2b kicks in, and all the
open connections will disconnect after f2b has made the block.

Nick

On 01/10/2018 01:06, James Moe via Fail2ban-users wrote:
> On 9/30/18 4:35 PM, James Moe via Fail2ban-users wrote:
>> How do I ask iptables what is banned by fail2ban?
>
> Found it:
>   $ iptables --list-rules f2b-assp
>
> And here is the entry for the example IP:
>   -A f2b-assp -s 185.36.81.145/32 -j REJECT --reject-with icmp-port-unreachable
>
> I have further noticed that the other jail, suricata, does not have this
> issue even though the configuration is almost identical.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
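
Added example, not part of the original thread: a small Python check that separates "already banned" notices caused by the timing described above (a failure logged shortly after the ban) from ones that arrive long after the ban, which would point at a rule that is not blocking. The log lines are constructed in the usual fail2ban.log layout, the IP is a documentation address, and the 30-second grace window and the verdict names are assumptions.

```python
import re
from datetime import datetime

# Constructed fail2ban.log lines mirroring the timeline in the message
# (documentation-range IP, made-up PID; the 14:10 entries are an added contrast case).
SAMPLE_LOG = """\
2018-10-01 13:43:41,003 fail2ban.filter  [1201]: INFO    [postfix-sasl] Found 203.0.113.7
2018-10-01 13:43:41,117 fail2ban.actions [1201]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2018-10-01 13:43:43,298 fail2ban.filter  [1201]: INFO    [postfix-sasl] Found 203.0.113.7
2018-10-01 13:43:44,223 fail2ban.actions [1201]: NOTICE  [postfix-sasl] 203.0.113.7 already banned
2018-10-01 14:10:02,500 fail2ban.filter  [1201]: INFO    [postfix-sasl] Found 203.0.113.7
2018-10-01 14:10:03,100 fail2ban.actions [1201]: NOTICE  [postfix-sasl] 203.0.113.7 already banned
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \S+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?:(?P<ev>Found|Ban|Unban) (?P<ip>\S+)"
    r"|(?P<ip2>\S+) (?P<ab>already banned))"
)

GRACE_SECONDS = 30  # assumption: how long in-flight connections may keep logging


def classify_already_banned(log_text, grace=GRACE_SECONDS):
    """Return [(timestamp, jail, ip, verdict)] for each 'already banned' notice."""
    banned_at, results = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"] or m["ip2"])
        if m["ev"] == "Ban":
            banned_at[key] = ts
        elif m["ev"] == "Unban":
            banned_at.pop(key, None)
        elif m["ab"]:
            ban = banned_at.get(key)
            if ban is None:
                verdict = "no-ban-seen"   # ban predates this log excerpt
            elif (ts - ban).total_seconds() <= grace:
                verdict = "race"          # failure was in flight when the ban landed
            else:
                verdict = "check-rule"    # still being logged long after the ban
            results.append((m["ts"], *key, verdict))
    return results
```

A "check-rule" verdict is a prompt to compare the jail's chain (for example with the `iptables --list-rules` command quoted above) against the port and protocol the service actually listens on.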