On 08/05/2021 20:22, Dan Egli wrote:
On 5/8/2021 12:36 PM, Nick Howitt wrote:
On 08/05/2021 19:03, Dan Egli wrote:
Okay, something is up here. I'm still getting hammered by these
idiots who are querying pizzaseo.com from my name server. So I looked
at the list of banned IPs using iptables-save. Not that many. But
when I was working on this I had a kludge script that would be run
every 10 minutes, grep the logs, and insert an IPTables rule against
anyone who was querying that domain. It also kept a list. That list
is nearly 400 IPs long! So I was curious. I look at fail2ban.log.
It's noticing everything okay, but it keeps saying the hosts are
already banned. They are not. So how do I fix this? Here's an example
of what I mean:
# grep -c 2.169.102.71 /var/log/named/named.log
6029
# iptables-save | grep 2.169.102.71
<nothing>
# grep 2.169.102.71 /var/log/fail2ban.log | grep -c already
1454
I don't know if f2b's database is screwed up or what. I tried
using fail2ban-client unban 2.169.102.71 to see if by unbanning it
f2b would re-add it to the database. But it doesn't happen. I've
never tried an unban before, so I don't know what the normal output
is, but all I see is a 1 by itself, with a return code of 0.
I can go back to my kludge script for now, but I'd really like to get
f2b working!
So what does the f2b log show? perhaps try restarting it and watch for
errors. If the IP is showing banned in the logs, what does the
firewall show?
Exactly as I showed above. iptables-save does not show a single entry
for that IP. The named log shows over 6000 entries for that IP. Fail2ban
shows it getting detected repeatedly, and then saying it is already
banned. Let me give an example:
tail -f /var/log/fail2ban.log
2021-05-08 13:18:38,288 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,289 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,290 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,575 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:40,505 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40
2021-05-08 13:18:40,506 fail2ban.filter [30973]: INFO [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:40
jupiter ~ # iptables-save | grep 3.204.48.235
jupiter ~ #
Okay, if it's already banned, why isn't it showing in iptables-save?
That is why I said to restart f2b. You should then see in the logs what
it is trying to re-ban.
I don't use iptables-save and prefer "iptables -nvL"
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
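The mismatch Dan describes, fail2ban's actions logging "already banned" for an IP that iptables-save no longer lists, is easy to check for across a whole log rather than one IP at a time. The script below is an added example written for this thread; it is not code from the thread's participants or from the fail2ban project. It parses fail2ban.log for "already banned" warnings, parses iptables-save output for the source IPs blocked in fail2ban's chains, and reports every IP that fail2ban believes is banned but the firewall does not block. The sample log lines and iptables-save output are constructed, and the chain naming (f2b-<jail>, or fail2ban-<jail> on older releases) is an assumption about the default iptables actions; adjust the regex if your jail uses a custom chain name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of fail2ban.log lines, modelled on the format quoted in the thread
# (one entry per line; real files pad the component name with spaces, which the regex tolerates).
FAIL2BAN_LOG = """\
2021-05-08 13:18:38,288 fail2ban.filter         [30973]: INFO    [named-refused] Found 3.204.48.235 - 2021-05-08 13:18:38
2021-05-08 13:18:38,575 fail2ban.actions        [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:18:38,576 fail2ban.actions        [30973]: WARNING [named-refused] 3.204.48.235 already banned
2021-05-08 13:19:01,100 fail2ban.actions        [30973]: NOTICE  [named-refused] Ban 198.51.100.7
2021-05-08 13:19:02,100 fail2ban.actions        [30973]: WARNING [named-refused] 198.51.100.7 already banned
"""

# Constructed iptables-save output: the jail chain holds a rule for 198.51.100.7 only.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:f2b-named-refused - [0:0]
-A INPUT -p udp -m multiport --dports 53 -j f2b-named-refused
-A f2b-named-refused -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-named-refused -j RETURN
COMMIT
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(
    r"^\S+ \S+ fail2ban\.(?P<component>\w+)\s+\[\d+\]:\s+(?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
ALREADY_RE = re.compile(rf"^(?P<ip>{IPV4}) already banned$")
# Assumption: fail2ban names its chains f2b-<jail> (0.10+) or fail2ban-<jail> (older releases).
RULE_RE = re.compile(rf"^-A (?P<chain>(?:f2b|fail2ban)-\S+) -s (?P<ip>{IPV4})(?:/32)? ")


def already_banned_counts(log_text):
    """Count 'already banned' warnings per (jail, ip) in fail2ban.log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["component"] != "actions":
            continue
        a = ALREADY_RE.match(m["msg"])
        if a:
            counts[(m["jail"], a["ip"])] += 1
    return counts


def banned_ips_in_firewall(save_text):
    """Map each fail2ban chain in iptables-save output to the set of source IPs it blocks."""
    chains = defaultdict(set)
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            chains[m["chain"]].add(m["ip"])
    return dict(chains)


def find_phantom_bans(log_text, save_text):
    """Return [(jail, ip, warnings)] for IPs that fail2ban reports as already banned
    but that no fail2ban chain actually blocks: the state fail2ban holds in memory
    has drifted from the live firewall rules."""
    in_firewall = set()
    for ips in banned_ips_in_firewall(save_text).values():
        in_firewall |= ips
    phantoms = []
    for (jail, ip), n in sorted(already_banned_counts(log_text).items()):
        if ip not in in_firewall:
            phantoms.append((jail, ip, n))
    return phantoms


if __name__ == "__main__":
    # Real usage would read /var/log/fail2ban.log and the output of `iptables-save`
    # instead of the constructed samples above.
    for jail, ip, n in find_phantom_bans(FAIL2BAN_LOG, IPTABLES_SAVE):
        print(f"{jail}: {ip} reported 'already banned' {n}x but has no firewall rule")
```

On the constructed input the script reports 3.204.48.235 (two warnings, no rule) and stays silent about 198.51.100.7, which has both the warning and a matching rule. A non-empty report is the cue Nick's reply points at: restart fail2ban so the jail re-applies its bans, and watch the log for the re-ban lines or any action errors that explain why the rules went missing.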