mitchellkrogza / Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning

A customised jail with action and filter file for Fail2Ban. This jail is based on the recidive jail but makes use of a simple text file to enable extended and permanent bans.

IPs on ip.blacklist not getting banned #13

Open lou-diamonds opened 5 years ago

lou-diamonds commented 5 years ago

I'm running Fail2Ban v0.9.3

I've followed the script as described in the instructions & for some reason, the IPs on /etc/fail2ban/ip.blacklist are not getting banned.

After reviewing the fail2ban.log, it looks like asterisk is unbanning IPs that are on the ip.blacklist. The asterisk ban time works perfectly, but after their ban time expires, they unban the IP on the ip.blacklist.

Can you tell me how to troubleshoot, why they are not getting unbanned or how to keep them permanently banned?

juniorionut commented 5 years ago

@lou-diamonds having the same issue. I have manually added approx. 600 IPs to the ip.blacklist but they are not banned. The actionstart inside blacklist.conf seems not to be executed: if we look at the declaration it should do a sort of the IPs and then ban them, which it does not (as I have intentionally added a duplicated IP on top of the list). If I find the problem I will let you know.

juniorionut commented 5 years ago

Forgot to mention that the jail seems to be working, but it ignores the ip.blacklist

2019-02-24 11:02:12,188 fail2ban.actions [27157]: NOTICE [blacklist] Flush ticket(s) with iptables-multiport
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 179.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 179.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 185.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 193.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 193.x.x.x
2019-02-24 11:02:12,199 fail2ban.actions [27157]: NOTICE [blacklist] Unban 5.x.x.x
2019-02-24 11:02:12,442 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 179.x.x.x
2019-02-24 11:02:12,480 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 179.x.x.x
2019-02-24 11:02:12,504 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 185.x.x.x
2019-02-24 11:02:12,527 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 193.x.x.x
2019-02-24 11:02:12,550 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 193.x.x.x
2019-02-24 11:02:12,571 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 5.x.x.x

juniorionut commented 5 years ago

@lou-diamonds for the problem that I have described above it is entirely my fault: inside my jail.local I had commented out banaction = blacklist. Check if it's the same for you, as after I enabled this the ip.blacklist is taken into account.

mitchellkrogza commented 5 years ago

Hi @lou-diamonds unfortunately this has never been tested in conjunction with the asterisk filter so I guess they could very well conflict with each other.

@juniorionut are you using this in conjunction with asterisk?

lou-diamonds commented 5 years ago

@juniorionut Unfortunately I don't have banaction = blacklist commented out. So, that's not the issue.

@mitchellkrogza Maybe we can see what the issue is. My jail.local is:

[DEFAULT]
bantime = 60
findtime = 600
maxretry = 3
destemail = email@domain.com
sendername = Fail2Ban
mta = sendmail
filter = %(name)s
port = 0:65535

Asterisk
[asterisk]
enabled = true
port = 5060,5061
filter = asterisk
action = %(banaction)s[name=%(name)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(name)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(name)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3

[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
filter = blacklist
banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 2

Then here is my /var/log/fail2ban.log:

2019-02-24 07:06:31,761 fail2ban.actions [1665]: NOTICE [asterisk] Unban 37...
2019-02-24 07:06:33,190 fail2ban.actions [1665]: NOTICE [asterisk] Unban 5...
2019-02-24 07:06:34,614 fail2ban.actions [1665]: NOTICE [asterisk] Unban 104...
2019-02-24 07:06:34,716 fail2ban.actions [1665]: NOTICE [blacklist] 0... already banned
2019-02-24 07:06:35,718 fail2ban.actions [1665]: NOTICE [blacklist] 185... already banned
2019-02-24 07:06:36,720 fail2ban.actions [1665]: NOTICE [blacklist] 0... already banned

There are plenty of IPs that remain banned, but sometimes asterisk will unban them from the blacklist ban and from the asterisk ban. However, if I change the default bantime to 10 days, asterisk will have this behavior every 10 days, instead of every 60 seconds like the example.

Any ideas?

mitchellkrogza commented 5 years ago

When asterisk unbans them, are they removed from ip.blacklist?

Maybe the default findtime + asterisk is conflicting with the findtime specified in [blacklist] ? :thinking:

Another question: are the IPs being banned onto blacklist originating from asterisk bans?

juniorionut commented 5 years ago

@mitchellkrogza, no, just blacklist, but I have fixed my problem.

mitchellkrogza commented 5 years ago

Oh great @juniorionut please post your solution in case any others run into it.

juniorionut commented 5 years ago

@mitchellkrogza I wrote it above but will write it again:

Inside my jail.local I had commented out banaction = blacklist, which caused fail2ban to ignore the declarations inside action.d/blacklist.conf.
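A small diagnostic for the two things this thread turned on, added here as an example and not part of the repository or of any comment above: whether the [blacklist] jail has an uncommented banaction line, and whether ip.blacklist contains duplicates or comment lines that the actionstart sort is supposed to absorb. The sample jail.local and ip.blacklist contents are constructed, and the helper names are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of the project. Paths and sample data are constructed.

# Print the effective (uncommented) banaction of one jail section in a
# jail.local-style file; prints nothing if the jail has no active banaction.
# Usage: jail_banaction FILE SECTION
jail_banaction() {
    awk -v sec="[$2]" '
        /^[[:space:]]*\[/ { insec = ($0 == sec); next }
        insec && /^[[:space:]]*banaction[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")        # drop "banaction ="
            sub(/[[:space:]]*(;.*)?$/, "")        # drop trailing "; comment"
            print; exit
        }' "$1"
}

# Normalise an ip.blacklist the way the actionstart is expected to consume it:
# strip comments and whitespace, drop blank lines, sort and remove duplicates.
dedupe_blacklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | sort -u
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed jail.local reproducing the failing setup from the thread:
# the banaction line is commented out, so action.d/blacklist.conf is ignored.
cat > "$TMP/jail.local" <<'EOF'
[DEFAULT]
bantime = 60
[blacklist]
enabled = true
filter = blacklist
#banaction = blacklist
bantime = 31536000 ; 1 year
EOF
# The same jail with the line enabled (the fix juniorionut applied).
sed 's/^#banaction/banaction/' "$TMP/jail.local" > "$TMP/jail.fixed.local"

# Constructed ip.blacklist with a comment line and a duplicated address.
printf '203.0.113.7\n# note\n203.0.113.7\n198.51.100.9\n' > "$TMP/ip.blacklist"

echo "broken jail banaction: '$(jail_banaction "$TMP/jail.local" blacklist)'"
echo "fixed  jail banaction: '$(jail_banaction "$TMP/jail.fixed.local" blacklist)'"
echo "unique blacklist entries:"
dedupe_blacklist "$TMP/ip.blacklist"
```

Run it against the real /etc/fail2ban/jail.local and /etc/fail2ban/ip.blacklist by changing the two paths; an empty banaction result is the symptom described in this thread.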