On Sun, 17 Jan 2021, James Moe via Fail2ban-users wrote:

On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote:

We have a regex that "matches" but I watch fail2ban.log with "tail
-F" and I watch match and match and match
and not ban.

 I see a similar pattern here for this reason: When f2b scans a log file it
finds multiple log entries of an attack, and lists them all as an INFO. Then at
the end of the scan, the IP is banned.
 Your f2b log shows f2b was restarted before the scan was finished. After the
restart, the scan continued and the IP was ultimately banned.

I snipped my fail2ban log output in the interest of brevity, but those log entries went back at least 10 seconds.

The snippet I showed included two or three seconds, which should have been enough to make a decision. It was more than the threshold of N hits in N seconds, certainly.

If you'd like more log samples, I can get you them.

For example, a recent grepout of my logs for a single ip where this happened gives me a 1.4G log file. Uncompressed -- this is just the fail2ban log lines for a single IP.

It reveals that the offending ip *is* ultimately being banned but not nearly as quickly as it could be. (Taking hours to do so in some cases).

It seems like some of this was related to the size of Fail2Ban's sqlite database -- clearing that and starting anew solved this somewhat, but not completely.

-Dan


--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
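A way to quantify the delay Dan describes (matches logged, ban arriving hours later) is to replay fail2ban.log and measure, per jail and IP, how long passed between the moment the jail's maxretry-within-findtime threshold was crossed and the Ban line. The script below is an added example, not code from this thread or from the fail2ban project; it assumes the 0.10-style log format ("Found <ip> - <ts>" and "Ban <ip>"), uses fail2ban's own log timestamps (when fail2ban noticed the hit, which is what you want for reaction time), and the sample log lines are constructed for illustration.

```python
"""Measure fail2ban reaction time: seconds between a (jail, ip) crossing
maxretry hits within findtime and the corresponding Ban line."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches fail2ban 0.10+ log lines such as (assumed format):
#   2021-01-14 08:12:01,123 fail2ban.filter  [4242]: INFO    [sshd] Found 203.0.113.5 - 2021-01-14 08:12:00
#   2021-01-14 08:12:05,001 fail2ban.actions [4242]: NOTICE  [sshd] Ban 203.0.113.5
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+fail2ban\.\S+\s+\[\d+\]:\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, jail, event, ip) or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["jail"], m["event"], m["ip"]


def ban_latencies(lines, maxretry, findtime):
    """Return {(jail, ip): [seconds, ...]}, one entry per Ban line.

    The latency is measured from the Found line that made the ban due (the
    maxretry-th hit inside a sliding findtime window). A Ban seen before the
    replayed lines reached the threshold (e.g. truncated log) records None.
    """
    window = timedelta(seconds=findtime)
    found = defaultdict(deque)   # (jail, ip) -> recent Found timestamps
    due = {}                     # (jail, ip) -> when the ban became due
    result = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, jail, event, ip = rec
        key = (jail, ip)
        if event == "Found":
            q = found[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop hits outside findtime
                q.popleft()
            if len(q) >= maxretry and key not in due:
                due[key] = ts
        elif event == "Ban":
            result[key].append((ts - due[key]).total_seconds() if key in due else None)
            found[key].clear()   # start fresh for a possible later re-ban
            due.pop(key, None)
    return dict(result)


def slowest_bans(latencies, min_seconds):
    """List (jail, ip, seconds) for bans slower than min_seconds, slowest first."""
    rows = [(jail, ip, s) for (jail, ip), secs in latencies.items()
            for s in secs if s is not None and s > min_seconds]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: three IPs in the sshd jail, maxretry=3, findtime=600.
# 203.0.113.5 crosses the threshold at 08:12:02 but is banned at 09:40:02;
# 198.51.100.7 is banned one second after crossing it;
# 192.0.2.9 never has 3 hits inside 600 s and is never banned.
SAMPLE_LOG = """\
2021-01-14 08:12:00,100 fail2ban.filter         [4242]: INFO    [sshd] Found 203.0.113.5 - 2021-01-14 08:12:00
2021-01-14 08:12:00,200 fail2ban.filter         [4242]: INFO    [sshd] Found 198.51.100.7 - 2021-01-14 08:12:00
2021-01-14 08:12:01,100 fail2ban.filter         [4242]: INFO    [sshd] Found 203.0.113.5 - 2021-01-14 08:12:01
2021-01-14 08:12:01,200 fail2ban.filter         [4242]: INFO    [sshd] Found 198.51.100.7 - 2021-01-14 08:12:01
2021-01-14 08:12:02,100 fail2ban.filter         [4242]: INFO    [sshd] Found 203.0.113.5 - 2021-01-14 08:12:02
2021-01-14 08:12:02,200 fail2ban.filter         [4242]: INFO    [sshd] Found 198.51.100.7 - 2021-01-14 08:12:02
2021-01-14 08:12:03,000 fail2ban.actions        [4242]: NOTICE  [sshd] Ban 198.51.100.7
2021-01-14 08:12:03,100 fail2ban.filter         [4242]: INFO    [sshd] Found 203.0.113.5 - 2021-01-14 08:12:03
2021-01-14 08:30:00,000 fail2ban.filter         [4242]: INFO    [sshd] Found 192.0.2.9 - 2021-01-14 08:30:00
2021-01-14 08:45:00,000 fail2ban.filter         [4242]: INFO    [sshd] Found 192.0.2.9 - 2021-01-14 08:45:00
2021-01-14 09:00:00,000 fail2ban.filter         [4242]: INFO    [sshd] Found 192.0.2.9 - 2021-01-14 09:00:00
2021-01-14 09:40:02,000 fail2ban.actions        [4242]: NOTICE  [sshd] Ban 203.0.113.5
"""

if __name__ == "__main__":
    lat = ban_latencies(SAMPLE_LOG.splitlines(), maxretry=3, findtime=600)
    for jail, ip, secs in slowest_bans(lat, min_seconds=60):
        print(f"{jail} {ip}: banned {secs / 60:.1f} min after threshold was crossed")
```

Run it against a real log with `ban_latencies(open("/var/log/fail2ban.log"), maxretry, findtime)` using the jail's actual settings; any row returned by slowest_bans with a large value is a case where matches were logged well before the ban, which is the symptom being discussed.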



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users