fail2ban-block-ip-range
fail2ban old versions can't get ban status by IP
Some early versions of fail2ban cannot get the ban status directly from querying the IP. Example using fail2ban 0.11.1:
# fail2ban-client get sasl 194.169.175.0
2024-06-26 11:49:56,525 fail2ban [2066492]: ERROR NOK: ('Invalid command (no get action or not yet implemented)',)
Invalid command (no get action or not yet implemented)
But it is possible to get a list of all banned IP addresses in the jail using a different command; the last comma (,) is the separator character:
# fail2ban-client get sasl banip ,
194.169.175.0,194.169.176.10
FIX: It is not ideal to change the current implementation to always request the list instead of querying a single IP, since it does not seem efficient. But maybe instead create a constant for old behavior/compatibility with older fail2ban versions. Of course, upgrading to a new version of fail2ban will be better.
- The IP addresses are obfuscated.
It was implemented in fail2ban in this commit here:
https://github.com/fail2ban/fail2ban/commit/54b2208690e3c2fff00fbd9b197984d880e29a02?diff=unified&w=0#diff-b4fbc111cce5736af3c42e545e0db9dcff9606c1b72dbbc50fe7bb7ff620fd92
@WKnak : can it be that you missed banned in your test between jail and IP?
Can you confirm that 0.11.1 behaves differently from 0.11.2 (which is the version of EPEL7)?
fail2ban-client --version
Fail2Ban v0.11.2
fail2ban-client set example-jail banip 1.2.3.5
1
fail2ban-client get example-jail banned 1.2.3.5
1
# test for a not banned IP:
fail2ban-client get example-jail banned 1.2.3.6
0
fail2ban-client -V
0.11.1
fail2ban-client set sasl banip 1.2.3.5
1
fail2ban-client get sasl banned 1.2.3.5
2024-06-27 15:39:33,774 fail2ban [2503816]: ERROR NOK: ('Invalid command (no get action or not yet implemented)',)
test for a not banned IP:
fail2ban-client get sasl banned 1.2.3.6
2024-06-27 15:39:38,417 fail2ban [2503823]: ERROR NOK: ('Invalid command (no get action or not yet implemented)',
So it behaves differently from 0.11.1 to 0.11.2 ... well, it is already implemented, though, so in theory it is also compatible with older Fail2Ban versions now. I don't have a good environment to test, or to develop. The most important question in this implementation is that it is now raising an exception. If you think there are better ways to refactor, please let me know or send your commits too! Thanks in advance!
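The compatibility approach discussed in this thread, as an added example that is not the project's own code or any participant's: try `get <jail> banned <ip>` first and fall back to parsing the `get <jail> banip ,` list when the client answers "Invalid command". The names `is_banned` and `run_client` are hypothetical, and matching CIDR entries in the list is an assumption.

```python
import ipaddress
import subprocess

# Error text fail2ban-client 0.11.1 prints in the thread for "get <jail> banned <ip>".
UNSUPPORTED = "Invalid command"


def run_client(args):
    """Run fail2ban-client and return stdout and stderr as one string."""
    proc = subprocess.run(["fail2ban-client", *args],
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def is_banned(jail, ip, run=run_client):
    """True if ip is banned in jail; works with and without 'get ... banned'."""
    addr = ipaddress.ip_address(ip)  # rejects anything that is not an IP address
    out = run(["get", jail, "banned", str(addr)]).strip()
    if out in ("0", "1"):
        return out == "1"
    if UNSUPPORTED not in out:
        raise RuntimeError(f"unexpected fail2ban-client output: {out!r}")

    # Older client: fetch the whole ban list, using "," as the separator.
    out = run(["get", jail, "banip", ","]).strip()
    if UNSUPPORTED in out:
        raise RuntimeError("neither 'banned' nor 'banip' is supported")
    parsed = 0
    for token in out.split(","):
        try:
            # A plain address parses as a single-host network; CIDR entries
            # (an assumption, none appear in the thread) are matched too.
            net = ipaddress.ip_network(token.strip(), strict=False)
        except ValueError:
            continue  # skip empty or non-address tokens
        parsed += 1
        if addr in net:
            return True
    if out and parsed == 0:
        # Output was not a ban list (e.g. an error); do not report "not banned".
        raise RuntimeError(f"could not parse ban list: {out!r}")
    return False
```

Raising on unparseable output keeps a client error from being read as "not banned".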