I have looked through the open and closed issues along with several searches 
and haven’t found this mentioned so I’m thinking I may have found a bug but 
wanted to ask here before opening an issue on GitHub.

I have been attempting to send an email when banning actions occur that notify 
us what was banned and for how long.  I noticed during my testing that the ban 
times reported to my script don’t seem to change unless I restart the daemon.  
Luckily this is easy to replicate by adding in a custom action.

[Definition]
actionban = printf %%b "ip: <ip>\nfailures: <failures>\nbantime: <bantime>\nF-USER: <F-USER>\n\n" <to_target>

[Init]
init = 123
target = /tmp/variable_test.log
to_target = >> <target>

Using this action I am able to see the values of the various variables that are 
getting passed to scripts.  <bantime> does not increment as bans increase.  I 
had read that the bantime could be off by one iteration based on when the 
actionban increments the counter after it does the action.  Ideally I would get 
the correct time here, but that could be accounted for with my script.

==> /var/log/fail2ban.log <==
2025-03-10 13:07:32,635 fail2ban.observer       [3795941]: INFO    [slapd] IP 10.0.0.13 is bad: 1 # last 2025-03-10 13:05:14 - incr 1m to 5m

==> /tmp/variable_test.log <==
ip: 10.0.0.13
failures: 5
bantime: 60
F-USER: wilbur

==> /var/log/fail2ban.log <==
2025-03-10 13:12:50,817 fail2ban.observer       [3795941]: INFO    [slapd] IP 10.0.0.13 is bad: 2 # last 2025-03-10 13:07:32 - incr 1m to 30m

==> /tmp/variable_test.log <==
ip: 10.0.0.13
failures: 4
bantime: 60
F-USER: wilbur

==> /var/log/fail2ban.log <==
2025-03-10 14:02:30,709 fail2ban.observer       [3795941]: INFO    [slapd] IP 10.0.0.13 is bad: 3 # last 2025-03-10 13:12:51 - incr 1m to 1h

==> /tmp/variable_test.log <==
ip: 10.0.0.13
failures: 5
bantime: 60
F-USER: wilbur


From these logs you can see that the bantime is increasing correctly but the 
increment value isn’t reporting accurately.  1m -> 5m was correct, then it 
should have been 5m -> 30m but it reported 1m again, and then the last 
instance there when it should have been 30m -> 1hr it again reported 1m and 
also passed in the 1m to the script via the <bantime> variable.  I have been 
able to get bantime to report a different value by restarting the fail2ban 
daemon but it again just repeats that bantime value until it is restarted 
again later.

Is there another variable I should be using other than bantime? Or did I 
stumble onto a bug that is calculating that variable?  If this is a bug I am 
more than happy to open an issue and head down that path.

This is fail2ban 1.0.2 just the packaged version that came from epel.  I have 
not tried to build the latest version from source yet.

--wilbur


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
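
An added example, not part of the original post or of fail2ban's own code: this Python script parses the observer lines and the custom action's output shown in the post, converts the durations to seconds, and pairs them per IP so the mismatch can be checked mechanically. The regular expression, the s/m/h/d unit table and the pairing-by-order rule are assumptions based only on the log lines shown here.

```python
import re

# Constructed sample input: the observer lines and action records from the post
# (wrapped log lines rejoined, timestamps and PID prefix kept as shown).
FAIL2BAN_LOG = """\
2025-03-10 13:07:32,635 fail2ban.observer       [3795941]: INFO    [slapd] IP 10.0.0.13 is bad: 1 # last 2025-03-10 13:05:14 - incr 1m to 5m
2025-03-10 13:12:50,817 fail2ban.observer       [3795941]: INFO    [slapd] IP 10.0.0.13 is bad: 2 # last 2025-03-10 13:07:32 - incr 1m to 30m
2025-03-10 14:02:30,709 fail2ban.observer       [3795941]: INFO    [slapd] IP 10.0.0.13 is bad: 3 # last 2025-03-10 13:12:51 - incr 1m to 1h
"""
ACTION_LOG = "".join(
    "ip: 10.0.0.13\nfailures: %d\nbantime: 60\nF-USER: wilbur\n\n" % n for n in (5, 4, 5))

# Assumption: durations use only the s/m/h/d suffixes; the post shows just m and h.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
INCR = re.compile(r"\[(?P<jail>[^\]]+)\] IP (?P<ip>\S+) is bad: (?P<count>\d+) "
                  r".*? incr (?P<old>.+?) to (?P<new>.+)$", re.M)

def to_seconds(text):
    """Convert an abbreviated duration such as '30m' or '1h 30m' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))

def parse_action_records(text):
    """One dict per ban; the action ends each record with a blank line."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def compare(fail2ban_log, action_log):
    """Pair the n-th observer line for an IP with the n-th action record for it."""
    passed = {}
    for rec in parse_action_records(action_log):
        passed.setdefault(rec["ip"], []).append(int(rec["bantime"]))
    rows, last_new = [], {}
    for m in INCR.finditer(fail2ban_log):
        ip, old, new = m["ip"], to_seconds(m["old"]), to_seconds(m["new"])
        queue = passed.get(ip, [])
        rows.append({
            "ip": ip, "count": int(m["count"]), "old": old, "new": new,
            "action_bantime": queue.pop(0) if queue else None,
            # True when this line's starting value is the previous line's result.
            "chained": ip not in last_new or last_new[ip] == old,
        })
        last_new[ip] = new
    return rows

if __name__ == "__main__":
    for row in compare(FAIL2BAN_LOG, ACTION_LOG):
        print(row)
```

On the sample data every row has `action_bantime` equal to `old` rather than `new`, and `chained` is false for the second and third bans, which is the pattern the post describes.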
