On 5/8/2021 12:36 PM, Nick Howitt wrote:
> On 08/05/2021 19:03, Dan Egli wrote:
>> Okay, something is up here. I'm still getting hammered by these idiots who are querying pizzaseo.com from my name server. So I looked at the list of banned IPs using iptables-save. Not that many. But when I was working on this I had a kludge script that would be run every 10 minutes, grep the logs, and insert an IPTables rule against anyone who was querying that domain. It also kept a list. That list is nearly 400 IPs long! So I was curious. I look at fail2ban.log. It's noticing everything okay, but it keeps saying the hosts are already banned. They are not. So how do I fix this? Here's an example of what I mean:
>>
>> # grep -c 2.169.102.71 /var/log/named/named.log
>> 6029
>> # iptables-save | grep 2.169.102.71
>> <nothing>
>> # grep 2.169.102.71 /var/log/fail2ban.log | grep -c already
>> 1454
>>
>> I don't know if f2b's database is screwed up or what. I tried using fail2ban-client unban 2.169.102.71 to see if by unbanning it f2b would re-add it to the database. But it doesn't happen. I've never tried an unban before, so I don't know what the normal output is, but all I see is a 1 by itself, with a return code of 0.
>>
>> I can go back to my kludge script for now, but I'd really like to get f2b working!
>
> So what does the f2b log show? Perhaps try restarting it and watch for errors. If the IP is showing banned in the logs, what does the firewall show?

Exactly as I showed above. iptables-save does not show a single entry for that IP. The named log shows over 6000 entries for that IP. Fail2ban shows it getting detected repeatedly, and then saying it is already banned. Let me give an example:

tail -f /var/log/fail2ban.log
2021-05-08 13:18:38,288 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,290 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,575 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:40,505 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40
2021-05-08 13:18:40,506 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40

jupiter ~ # iptables-save | grep 3.204.48.235
jupiter ~ #

Okay, if it's already banned, why isn't it showing in iptables-save?

--
Dan Egli
From my Test Server

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
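
The comparison made by hand in the message above can be run across the whole log rather than one address at a time. The following is an added example, not part of the original post or of fail2ban: it collects every address fail2ban reports as "already banned" and lists those that no DROP/REJECT rule in an iptables-save dump covers, including rules written as CIDR ranges that a plain grep for the address would miss. The sample log, the sample rules and the `f2b-named-refused` chain name are constructed, and it assumes the jail's action adds one iptables rule per ban.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# "already banned" warning, in the shape of the fail2ban.log lines quoted above.
ALREADY = re.compile(
    r"fail2ban\.actions\s+\[\d+\]:\s+WARNING\s+\[([^\]]+)\]\s+(\S+) already banned")
# Non-negated source of a DROP/REJECT rule in iptables-save output.
RULE_SRC = re.compile(r"^-A \S+ (?:.* )?(?<!! )-s (\S+) .*-j (?:DROP|REJECT)\b")

def believed_banned(f2b_log):
    """Count 'already banned' warnings per (jail, address)."""
    hits = Counter()
    for line in f2b_log.splitlines():
        m = ALREADY.search(line)
        if m:
            hits[(m.group(1), m.group(2))] += 1
    return hits

def blocked_networks(ruleset):
    """Source networks of every blocking rule in an iptables-save dump."""
    return [ip_network(m.group(1), strict=False)
            for m in map(RULE_SRC.match, ruleset.splitlines()) if m]

def missing_bans(f2b_log, ruleset):
    """(jail, ip, warnings) for addresses fail2ban calls banned but no rule covers."""
    nets = blocked_networks(ruleset)
    return [(jail, ip, n) for (jail, ip), n in believed_banned(f2b_log).most_common()
            if not any(ip_address(ip) in net for net in nets)]

# Constructed sample input: 3.204.48.235 is the address from the thread; the
# other addresses (documentation ranges) and all rules are made up.
SAMPLE_LOG = """\
2021-05-08 13:18:38,575 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:39,100 fail2ban.actions [30973]: WARNING [named-refused] 198.51.100.7 already banned
2021-05-08 13:18:39,200 fail2ban.actions [30973]: WARNING [named-refused] 203.0.113.9 already banned
2021-05-08 13:18:40,505 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40
"""
SAMPLE_RULES = """\
-A INPUT -p udp -m multiport --dports 53 -j f2b-named-refused
-A f2b-named-refused -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-named-refused -s 198.51.100.0/24 -j DROP
-A f2b-named-refused -j RETURN
"""

if __name__ == "__main__":
    for jail, ip, n in missing_bans(SAMPLE_LOG, SAMPLE_RULES):
        print(f"[{jail}] {ip}: {n} 'already banned' warnings, no matching rule")
```

On a live host the two arguments would be the contents of /var/log/fail2ban.log and the output of iptables-save.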
