On Tue, 19 Jan 2021, James Moe via Fail2ban-users wrote:
On 1/19/21 2:33 AM, Dan Mahoney (Gushi) wrote:
The snippet I showed included two or three seconds, which should have been
enough to make a decision. It was more than the threshold of N hits in N
seconds, certainly.
I did not realize the size of the problem. Your conjecture that f2b is too
busy listing matched entries and never getting to banning may be valid.
You mention that just a single IP produced a 1.4G output. Perhaps f2b has a 2G
file size issue?
We are currently using version 0.10.4; I believe the current stable version is
0.11.x. (There is even a 1.0 in the works.) Have you tried using a later version
of f2b?
If you'd like more log samples, I can get you them.
I was interested in the time between scans. Does f2b really just stop,
ignoring the evidence? Or does it continually list discoveries without stopping?
In one case I've got here I see:
2021-01-03 06:49:10,131 fail2ban.jail [2315]: INFO Jail 'asterisk' started
2021-01-03 06:49:27,171 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
And then many, many entries like that until a ban at timestamp:
2021-01-03 06:49:39,850 fail2ban.actions [2315]: NOTICE [asterisk] Ban 167.99.151.220
2021-01-03 06:49:39,855 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
2021-01-03 06:49:39,931 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
2021-01-03 06:49:39,936 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
Ten seconds doesn't seem like a lot, but it's a huge number of entries.
In total, this file has 6 *million* attempts. For one IP.
To wit:
/var/log# grep 'Found 167.99.151.220' fail2ban.log.10 | wc -l
6373481
Note that when a ban like this hits, it's not uncommon when the requests
are coming in so quickly to continue seeing "Found" before you ultimately
see "Already Blocked" entries.
Even paging through it to see what happened is complicated. (I've bumped
my logs down to "hourly").
===
As to your question about a newer version. I'm using what was built in to
this version of Debian's packages. I could certainly try a newer version,
but most of my searches of the bug tracker didn't reveal a smoking gun
here of a specific issue fixed between then and now (just general "better
bits" stuff), so going outside of the usual packages involves some risk on
a company's production phone server.
It's certainly worth a try but I was asking here first.
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
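The question in the message above (how long fail2ban sat on enough evidence before it banned, and how many "Found" lines kept arriving after the ban) can be answered from the fail2ban log itself rather than by paging through millions of lines. The script below is an added example written for this page; it is not code from the thread or from the fail2ban project. It assumes the 0.10-style line layout visible in the quoted excerpt ("fail2ban.filter [pid]: INFO [jail] Found ip" and "fail2ban.actions [pid]: NOTICE [jail] Ban ip"); the sample log, the second address 198.51.100.7 and the maxretry value of 3 are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, patterned on the excerpt quoted in the thread.
# Timestamps and the 198.51.100.7 address are invented for this example.
SAMPLE_LOG = """\
2021-01-03 06:49:10,131 fail2ban.jail    [2315]: INFO    Jail 'asterisk' started
2021-01-03 06:49:27,171 fail2ban.filter  [2315]: INFO    [asterisk] Found 167.99.151.220
2021-01-03 06:49:27,305 fail2ban.filter  [2315]: INFO    [asterisk] Found 167.99.151.220
2021-01-03 06:49:28,010 fail2ban.filter  [2315]: INFO    [asterisk] Found 167.99.151.220
2021-01-03 06:49:30,000 fail2ban.filter  [2315]: INFO    [asterisk] Found 198.51.100.7
2021-01-03 06:49:31,500 fail2ban.filter  [2315]: INFO    [asterisk] Found 198.51.100.7
2021-01-03 06:49:39,850 fail2ban.actions [2315]: NOTICE  [asterisk] Ban 167.99.151.220
2021-01-03 06:49:39,855 fail2ban.filter  [2315]: INFO    [asterisk] Found 167.99.151.220
2021-01-03 06:49:39,931 fail2ban.filter  [2315]: INFO    [asterisk] Found 167.99.151.220
"""

# Matches only "Found <ip>" and "Ban <ip>" lines; jail start-up and any
# post-ban chatter in other formats are deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"fail2ban\.\w+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban) (?P<ip>\S+)\s*$"
)


@dataclass
class IpStats:
    found_times: List[datetime] = field(default_factory=list)  # Founds before the Ban
    ban_time: Optional[datetime] = None
    found_after_ban: int = 0  # Founds logged once the Ban had already been issued

    @property
    def found_total(self) -> int:
        # Same number "grep 'Found <ip>' | wc -l" would give for this jail/ip.
        return len(self.found_times) + self.found_after_ban

    @property
    def seconds_to_ban(self) -> Optional[float]:
        if not self.found_times or self.ban_time is None:
            return None
        return (self.ban_time - self.found_times[0]).total_seconds()

    def ban_lag(self, maxretry: int) -> Optional[float]:
        """Seconds between the maxretry-th Found and the Ban, i.e. how long
        fail2ban had enough evidence in hand before it acted."""
        if self.ban_time is None or len(self.found_times) < maxretry:
            return None
        return (self.ban_time - self.found_times[maxretry - 1]).total_seconds()


def analyze(log_text: str) -> Dict[Tuple[str, str], IpStats]:
    stats: Dict[Tuple[str, str], IpStats] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        s = stats.setdefault((m["jail"], m["ip"]), IpStats())
        if m["event"] == "Ban":
            if s.ban_time is None:  # time the first decision; later re-bans are not it
                s.ban_time = ts
        elif s.ban_time is None:
            s.found_times.append(ts)
        else:
            s.found_after_ban += 1  # lines still being matched after the ban fired
    return stats


def top_offenders(stats: Dict[Tuple[str, str], IpStats], n: int = 10):
    rows = [(jail, ip, s.found_total) for (jail, ip), s in stats.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:n]


if __name__ == "__main__":
    MAXRETRY = 3  # assumed jail setting for this demonstration
    report = analyze(SAMPLE_LOG)
    for jail, ip, total in top_offenders(report):
        s = report[(jail, ip)]
        print(f"{jail} {ip}: found={total} after_ban={s.found_after_ban} "
              f"to_ban={s.seconds_to_ban}s lag_after_maxretry={s.ban_lag(MAXRETRY)}s")
```

To run it against a real file, replace SAMPLE_LOG with the contents of fail2ban.log; the ban_lag figure is the one to compare with the jail's findtime and maxretry, and found_after_ban shows how many matches were still queued when the ban landed.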