Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning

IPs on ip.blacklist not getting banned

Open lou-diamonds opened this issue 6 years ago • 9 comments

I'm running Fail2Ban v0.9.3

I've followed the script as described in the instructions & for some reason, the IPs on /etc/fail2ban/ip.blacklist are not getting banned.

After reviewing the fail2ban.log, it looks like asterisk is unbanning IPs that are on the ip.blacklist. The asterisk ban time works perfectly, but after their ban time expires, they unban the IP on the ip.blacklist.

Can you tell me how to troubleshoot, why they are not getting unbanned or how to keep them permanently banned?

lou-diamonds avatar Feb 23 '19 16:02 lou-diamonds

@lou-diamonds having the same issue, I have manually added approx. 600 IPs to the ip.blacklist but they are not banned. The actionstart inside blacklist.conf seems not to be executed - if we look at the declaration it should do a sort of the IPs and then ban them, which it does not (as I have intentionally added a duplicated IP at the top of the list). If I find the problem I will let you know.

juniorionut avatar Feb 24 '19 09:02 juniorionut

Forgot to mention that the jail seems to be working, but it ignores the ip.blacklist:

2019-02-24 11:02:12,188 fail2ban.actions [27157]: NOTICE [blacklist] Flush ticket(s) with iptables-multiport
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 179.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 179.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 185.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 193.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 193.x.x.x
2019-02-24 11:02:12,199 fail2ban.actions [27157]: NOTICE [blacklist] Unban 5.x.x.x
2019-02-24 11:02:12,442 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 179.x.x.x
2019-02-24 11:02:12,480 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 179.x.x.x
2019-02-24 11:02:12,504 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 185.x.x.x
2019-02-24 11:02:12,527 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 193.x.x.x
2019-02-24 11:02:12,550 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 193.x.x.x
2019-02-24 11:02:12,571 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 5.x.x.x

juniorionut avatar Feb 24 '19 09:02 juniorionut

@lou-diamonds for the problem that I have described above it is entirely my fault - inside my jail.local I had commented out banaction = blacklist; check if it's the same for you, as after I enabled this the ip.blacklist is taken into account.

juniorionut avatar Feb 24 '19 09:02 juniorionut

Hi @lou-diamonds unfortunately this has never been tested in conjunction with the asterisk filter so I guess they could very well conflict with each other.

@juniorionut are you using this in conjunction with asterisk?

mitchellkrogza avatar Feb 24 '19 11:02 mitchellkrogza

@juniorionut Unfortunately I don't have banaction = blacklist commented out. So, that's not the issue.

@mitchellkrogza Maybe we can see what the issue is. My jail.local is:

[DEFAULT]
bantime = 60
findtime = 600
maxretry = 3
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
filter = %(name)s
port = 0:65535

# Asterisk
[asterisk]
enabled = true
port = 5060,5061
filter = asterisk
action = %(banaction)s[name=%(name)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(name)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(name)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3

[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
filter = blacklist
banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 2

Then here is my /var/log/fail2ban.log:

2019-02-24 07:06:31,761 fail2ban.actions [1665]: NOTICE [asterisk] Unban 37...*
2019-02-24 07:06:33,190 fail2ban.actions [1665]: NOTICE [asterisk] Unban 5...*
2019-02-24 07:06:34,614 fail2ban.actions [1665]: NOTICE [asterisk] Unban 104...*
2019-02-24 07:06:34,716 fail2ban.actions [1665]: NOTICE [blacklist] 0...* already banned
2019-02-24 07:06:35,718 fail2ban.actions [1665]: NOTICE [blacklist] 185...* already banned
2019-02-24 07:06:36,720 fail2ban.actions [1665]: NOTICE [blacklist] 0...* already banned

There are plenty of IPs that remain banned but some asterisk will unban them from the blacklist ban & from the asterisk ban. However, if I change the default bantime to 10 days, asterisk will have this behavior every 10 days, instead of every 60 seconds like the example.

Any ideas?

lou-diamonds avatar Feb 24 '19 12:02 lou-diamonds

When asterisk unbans them, are they removed from ip.blacklist?

Maybe the default findtime + asterisk is conflicting with the findtime specified in [blacklist] ? :thinking:

Another question, are the IP's being banned onto blacklist originating from asterisk bans ?

mitchellkrogza avatar Feb 24 '19 12:02 mitchellkrogza

@mitchellkrogza, no, just blacklist, but I have fixed my problem.

juniorionut avatar Feb 24 '19 18:02 juniorionut

Oh great @juniorionut please post your solution in case any others run into it.

mitchellkrogza avatar Feb 25 '19 07:02 mitchellkrogza

@mitchellkrogza I wrote it above, but will write it again:

Inside my jail.local i had commented out banaction = blacklist which caused fail2ban to ignore the declarations inside action.d/blacklist.conf

juniorionut avatar Feb 25 '19 07:02 juniorionut
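The two pitfalls this thread turns on are both visible in jail.local before fail2ban ever starts: a banaction line that is present but commented out (so the jail silently falls back to the stock banaction and action.d/blacklist.conf is never used), and a short bantime inherited from [DEFAULT] by a jail that does not set its own (the 60-second unbans in the log above). The checker below is an added example written for this page, not code from fail2ban or from the blacklist project; it parses a constructed jail.local modelled on the configuration posted above, reports those two conditions, and also does the sort-and-dedupe of an ip.blacklist that juniorionut expected actionstart to perform. The sample config, the sample ip.blacklist, the function names and the IP addresses (TEST-NET ranges) are all assumptions made for the example.

```python
"""Audit a fail2ban jail.local for the two problems discussed in the thread.

Hypothetical helper written for this page; not part of fail2ban or the
blacklist project. Only the standard library is used.
"""
import configparser
import ipaddress
import re

# Constructed sample jail.local: the same [DEFAULT]/[asterisk]/[blacklist]
# layout as the thread, but with banaction commented out in [blacklist].
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 60
findtime = 600
maxretry = 3
filter = %(name)s
port = 0:65535

[asterisk]
enabled = true
port = 5060,5061
filter = asterisk
logpath = /var/log/asterisk/messages
maxretry = 3

[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
filter = blacklist
# banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 2
"""

# Constructed sample ip.blacklist with a duplicate entry and a junk line.
SAMPLE_IP_BLACKLIST = """\
# offenders
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.1
not-an-ip
"""

# A line such as "# banaction = blacklist" or "; bantime = 60".
_COMMENTED_ASSIGN = re.compile(r"^\s*[#;]\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$")


def parse_jail_config(text):
    """Parse jail.local; returns (parser, commented_out).

    Interpolation is disabled so %(name)s-style values pass through untouched,
    and [DEFAULT] is read as an ordinary section so that per-jail settings can
    be told apart from inherited ones. commented_out maps
    section -> {key: value} for assignments that exist only behind '#' or ';'.
    """
    cp = configparser.ConfigParser(
        interpolation=None,
        default_section="__none__",
        inline_comment_prefixes=(";", "#"),  # handles "31536000 ; 1 year"
    )
    cp.read_string(text)
    commented, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        match = _COMMENTED_ASSIGN.match(line)
        if section and match:
            commented.setdefault(section, {})[match.group("key")] = match.group("val")
    return cp, commented


def effective(cp, jail):
    """Jail settings after [DEFAULT] inheritance, as fail2ban resolves them."""
    merged = dict(cp.items("DEFAULT")) if cp.has_section("DEFAULT") else {}
    merged.update(cp.items(jail))
    return merged


def audit_jails(text):
    """Return (jail, finding) pairs for every enabled jail with a problem."""
    cp, commented = parse_jail_config(text)
    findings = []
    for jail in cp.sections():
        if jail == "DEFAULT":
            continue
        eff = effective(cp, jail)
        if eff.get("enabled", "false").lower() != "true":
            continue
        local = dict(cp.items(jail))
        if "banaction" in commented.get(jail, {}) and "banaction" not in eff:
            findings.append((jail, "banaction is commented out; falls back to the "
                                   "stock banaction, so action.d/%s.conf is ignored"
                                   % commented[jail]["banaction"]))
        if "bantime" not in local and "bantime" in eff:
            findings.append((jail, "bantime inherited from [DEFAULT] = %s s"
                                   % eff["bantime"]))
    return findings


def load_blacklist(text):
    """Sort and de-duplicate an ip.blacklist; returns (ips, duplicates, invalid)."""
    seen, dupes, invalid = set(), [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            invalid.append(entry)
            continue
        if ip in seen:
            dupes.append(str(ip))
        else:
            seen.add(ip)
    ordered = sorted(seen, key=lambda a: (a.version, a))  # numeric, v4 before v6
    return [str(ip) for ip in ordered], dupes, invalid


if __name__ == "__main__":
    for jail, finding in audit_jails(SAMPLE_JAIL_LOCAL):
        print("[%s] %s" % (jail, finding))
    ips, dupes, invalid = load_blacklist(SAMPLE_IP_BLACKLIST)
    print("unique:", ips, "duplicates:", dupes, "invalid:", invalid)
```

Run it against the real files with `audit_jails(open("/etc/fail2ban/jail.local").read())` and `load_blacklist(open("/etc/fail2ban/ip.blacklist").read())`; an empty findings list means banaction is active in every enabled jail and no jail is silently running on the [DEFAULT] bantime. Note that fail2ban layers jail.conf under jail.local, so a banaction set in jail.conf's [DEFAULT] would not be seen by this single-file check; it reports only what jail.local itself says.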