Sounds like we're trying to help someone fix a spamming sip server. Should we be doing this? Forgive me if I'm wrong.

Ron

From: Dan Mahoney (Gushi)

On Sun, 17 Jan 2021, James Moe via Fail2ban-users wrote:

> On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote:
>
>> We have a regex that "matches" but I watch fail2ban.log with "tail -F" and I watch match and match and match and not ban.
>
> I see a similar pattern here for this reason: When f2b scans a log file it finds multiple log entries of an attack, and lists them all as an INFO. Then at the end of the scan, the IP is banned.
> Your f2b log shows f2b was restarted before the scan was finished. After the restart, the scan continued and the IP was ultimately banned.

So, what ends the scan? From what you're saying it sounds like fail2ban has to hit the EOF marker, which would imply as long as one could fill the logs faster than fail2ban can count, you can evade a block. These are often very fast scans, attempts to push dozens or hundreds of registrations/calls through our asterisk server all at once. (Yes, it has to be public for historic reasons -- we have a global userbase.)

Note: I watched the logs for at least ten seconds waiting for something to happen, with screenfuls of the same ip not blocking. I gave it a good shot to catch itself before restarting.

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
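The counting question Dan raises above, as an added example that is not from the thread and not fail2ban's own code: a small Python model of a jail's documented maxretry/findtime semantics (an address is banned on the line that gives it maxretry regex matches inside findtime seconds, while every match is still reported as a "Found"), run over constructed, simplified Asterisk-style security-log lines. The failregex, the sample lines and the addresses are assumptions for illustration, useful mainly for checking what a given regex and maxretry/findtime pair would do against a captured burst.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed, simplified Asterisk-style security log, not taken from the thread:
# 203.0.113.5 bursts failures within two seconds, 198.51.100.7 mistypes a password twice.
SAMPLE_LOG = """\
[2021-01-14 08:12:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2021-01-14 08:12:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2021-01-14 08:12:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2021-01-14 08:12:00] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2021-01-14 08:12:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2021-01-14 08:12:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2021-01-14 08:12:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2021-01-14 08:12:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2021-01-14 08:12:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
"""

# Hypothetical failregex (not fail2ban's): only SECURITY auth-failure events match; the NOTICE line must not.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] .*SecurityEvent="(?:InvalidPassword'
    r'|InvalidAccountID|ChallengeResponseFailed)".*'
    r'RemoteAddress="IPV4/(?:UDP|TCP)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"')

def scan(lines, maxretry=5, findtime=600):
    """Every match is one 'Found' for its ip; the ip is banned on the line that gives it
    maxretry matches inside findtime seconds. Returns (found per ip, {ip: banning line index})."""
    recent = defaultdict(deque)      # per-ip match timestamps still inside findtime
    found, banned = Counter(), {}
    for idx, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").timestamp()
        found[ip] += 1
        if ip in banned:             # later lines are still 'Found', but not re-banned
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = idx
    return found, banned

if __name__ == "__main__":
    found, banned = scan(SAMPLE_LOG.splitlines())
    for ip, n in found.items():
        print(f"{ip}: {n} found, banned at line {banned.get(ip, 'never')}")
```

With the defaults the burst address is banned on its fifth matching line (index 6) even though three more "Found" lines follow; the two-failure user is never banned.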
