mitchellkrogza / Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning

A customised jail with action and filter file for Fail2Ban. This jail is based on the recidive jail but makes use of a simple text file to enable extended and permanent bans.

Blacklist JAIL for Repeat Offenders #2

Closed mahan77 closed 7 years ago

mahan77 commented 7 years ago

Hello,

I’m having a problem with repeat offenders. I’m using fail2ban 0.9.6 on Debian 8. I followed this link https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning but iptables is still allowing the IP after it has been blacklisted. I don’t know how to diagnose this problem; any advice will be appreciated.

This is just one IP from fail2ban.log:

2017-05-10 20:41:56,473 fail2ban.filter [660]: INFO [asterisk] Found 95.141.35.200
2017-05-10 20:46:39,665 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 20:51:26,037 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 20:56:06,140 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 20:56:06,797 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 20:56:06,802 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 21:06:07,047 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 21:10:26,835 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:15:08,719 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:19:53,933 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:19:54,535 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 21:19:54,539 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 21:29:54,584 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 21:34:01,234 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:38:45,376 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:43:26,882 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:43:27,051 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 21:43:27,055 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 21:43:27,425 fail2ban.actions [1590]: NOTICE [blacklist] Ban 95.141.35.200
2017-05-10 21:53:27,099 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 21:57:39,762 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:02:26,486 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:07:09,948 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:07:10,584 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 22:07:10,587 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 22:17:10,619 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 22:21:32,252 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:26:16,130 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:31:06,550 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:31:07,117 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 22:31:07,121 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 22:41:07,157 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 22:45:16,255 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:49:59,264 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:54:39,769 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:54:40,588 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 22:54:40,593 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 22:54:41,086 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-10 23:04:40,834 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 23:08:56,267 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 23:13:38,831 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 23:18:20,771 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 23:18:21,305 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 23:18:21,308 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 23:28:21,355 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 23:32:30,408 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 23:37:18,397 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 23:42:02,893 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 23:42:03,626 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 23:42:03,630 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 23:52:03,862 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 23:56:23,004 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:02:22,012 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:10:17,283 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:15:16,818 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:20:07,366 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:20:07,610 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 00:20:07,614 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 00:20:08,278 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 00:30:07,638 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 00:34:16,129 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:39:06,425 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:43:46,923 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 00:43:47,076 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 00:43:47,079 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 00:53:47,101 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 00:59:01,587 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:04:06,496 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:09:06,732 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:13:58,104 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:19:04,142 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:19:04,709 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 01:19:04,712 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 01:29:04,735 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 01:33:45,960 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:38:30,066 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:43:09,534 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 01:43:10,022 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 01:43:10,026 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 01:43:10,380 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 01:53:10,290 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 01:57:32,331 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:02:17,842 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:06:59,171 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:06:59,770 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 02:06:59,774 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 02:16:59,820 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 02:21:05,402 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:25:45,477 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:30:27,965 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:30:28,251 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 02:30:28,255 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 02:40:28,290 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 02:44:35,868 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:49:35,626 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:54:20,159 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 02:54:20,766 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 02:54:20,769 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 02:54:21,740 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 03:04:20,790 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 03:08:28,679 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 03:13:10,301 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 03:17:55,999 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 03:17:56,229 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 03:17:56,232 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 03:27:56,244 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 03:32:11,619 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 03:37:00,855 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 03:41:42,698 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 03:41:42,718 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 03:41:42,721 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 03:51:42,983 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 03:56:07,988 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:00:49,297 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:05:33,522 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:05:34,453 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 04:05:34,457 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 04:05:35,043 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 04:15:34,501 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 04:19:39,824 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:24:22,187 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:29:05,431 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:29:05,961 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 04:29:05,965 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 04:39:06,605 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 04:43:13,709 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:47:57,274 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:52:42,933 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 04:52:43,293 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 04:52:43,296 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 05:02:43,337 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 05:06:55,354 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:11:39,330 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:16:24,645 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:16:24,812 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 05:16:24,816 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 05:16:25,361 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 05:26:24,844 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 05:30:35,724 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:35:27,067 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:40:14,507 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:40:15,307 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 05:40:15,311 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 05:50:15,341 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 05:54:37,603 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 05:59:22,218 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:04:04,460 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:04:04,819 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 06:04:04,823 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 06:14:04,839 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 06:18:20,420 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:23:05,279 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:27:49,850 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:27:50,313 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 06:27:50,317 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 06:27:50,713 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 06:37:50,568 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 06:42:08,040 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:46:49,694 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:51:32,175 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 06:51:32,809 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 06:51:32,813 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 07:01:32,838 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 07:05:40,292 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:10:21,348 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:15:10,147 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:15:10,276 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 07:15:10,279 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 07:25:10,524 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 07:29:19,711 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:34:12,721 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:38:55,952 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:38:55,996 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 07:38:55,999 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 07:38:56,579 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 07:48:56,033 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 07:53:06,829 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 07:57:47,579 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:02:28,374 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:02:29,278 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 08:02:29,282 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 08:12:29,532 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 08:16:36,899 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:21:24,903 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:26:10,291 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:26:11,007 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 08:26:11,011 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 08:36:11,055 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 08:40:21,920 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:45:09,530 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:49:53,938 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 08:49:54,539 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 08:49:54,542 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 08:49:54,937 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
2017-05-11 08:59:54,576 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 09:04:10,387 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 09:08:53,483 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 09:13:37,176 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 09:13:38,056 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-11 09:13:38,060 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-11 09:23:38,096 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-11 09:27:45,638 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-11 09:32:28,673 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200

Regards Sathees
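The fail2ban.log excerpt above has a pattern worth checking mechanically: the asterisk jail bans and unbans the same address over and over, the blacklist jail records its own Ban and then "already banned" notices, and the asterisk filter keeps reporting the address as Found after the blacklist ban. The following script is an added example (not part of the issue thread or the repository) that parses fail2ban.log lines in this format, counts bans per jail for each IP, measures the interval between successive bans, and flags any IP that is still being found by a service jail after the permanent jail banned it, which is what a working permanent ban should make impossible. The log sample is a constructed subset of the lines posted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed subset of the fail2ban.log lines posted in this issue (same format).
SAMPLE_LOG = """\
2017-05-10 20:56:06,140 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 20:56:06,797 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 20:56:06,802 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 21:06:07,047 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 21:43:26,882 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 21:43:27,051 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 21:43:27,055 fail2ban.filter [1590]: INFO [blacklist] Found 95.141.35.200
2017-05-10 21:43:27,425 fail2ban.actions [1590]: NOTICE [blacklist] Ban 95.141.35.200
2017-05-10 21:53:27,099 fail2ban.actions [1590]: NOTICE [asterisk] Unban 95.141.35.200
2017-05-10 22:07:09,948 fail2ban.filter [1590]: INFO [asterisk] Found 95.141.35.200
2017-05-10 22:07:10,584 fail2ban.actions [1590]: NOTICE [asterisk] Ban 95.141.35.200
2017-05-10 22:54:41,086 fail2ban.actions [1590]: NOTICE [blacklist] 95.141.35.200 already banned
"""

# "<date> <time>,<ms> fail2ban.<module> [<pid>]: <LEVEL> [<jail>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\w+\s*\[\d+\]:\s+"
    r"(?P<level>\w+)\s+\[(?P<jail>[\w-]+)\]\s+(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_event(line):
    """One log line -> dict(ts, jail, kind, ip), or None if it is not an IP event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    ip = IP_RE.search(msg)
    if not ip:
        return None
    if msg.startswith("Found "):
        kind = "found"
    elif msg.startswith("Ban "):
        kind = "ban"
    elif msg.startswith("Unban "):
        kind = "unban"
    elif msg.endswith("already banned"):
        kind = "already_banned"
    else:
        kind = "other"
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "jail": m.group("jail"), "kind": kind, "ip": ip.group(0)}


def audit(lines, perma_jail="blacklist"):
    """Per IP: ban count per jail, time of the first permanent ban, and how many
    times a service jail still found the IP after that permanent ban."""
    events = [e for e in map(parse_event, lines) if e]
    report = {}
    for ip in sorted({e["ip"] for e in events}):
        mine = [e for e in events if e["ip"] == ip]
        bans = defaultdict(int)
        for e in mine:
            if e["kind"] == "ban":
                bans[e["jail"]] += 1
        first_perma = next((e["ts"] for e in mine
                            if e["jail"] == perma_jail and e["kind"] == "ban"), None)
        # "Found" lines of the permanent jail are triggered by other jails' Ban lines,
        # not by traffic, so only service-jail hits count as evidence of a leak.
        seen_after = 0
        if first_perma:
            seen_after = sum(1 for e in mine if e["kind"] == "found"
                             and e["jail"] != perma_jail and e["ts"] > first_perma)
        report[ip] = {"bans": dict(bans), "perma_banned_at": first_perma,
                      "found_after_perma_ban": seen_after,
                      "leak_suspected": seen_after > 0}
    return report


def ban_gaps_minutes(lines, ip, jail):
    """Minutes between successive Ban events of one IP in one jail."""
    ts = [e["ts"] for e in map(parse_event, lines)
          if e and e["ip"] == ip and e["jail"] == jail and e["kind"] == "ban"]
    return [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    for ip, r in audit(SAMPLE_LOG.splitlines()).items():
        print(ip, r)
    print(ban_gaps_minutes(SAMPLE_LOG.splitlines(), "95.141.35.200", "asterisk"))
```

Run against the real file with `audit(open("/var/log/fail2ban.log").read().splitlines())`; any entry with `leak_suspected` set means the permanent ban is not keeping that address away from the service, and the ban gaps show how often the short-lived service ban is being re-applied instead.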

mitchellkrogza commented 7 years ago

Please export your iptables rules and post them here for me.

sudo iptables-save > /home/yourusername/myiptables.txt

then post the output of myiptables.txt here for me (replace "yourusername" in the above with your real username).

mahan77 commented 7 years ago

Hi, thanks for the reply.

# Generated by iptables-save v1.4.21 on Thu May 11 11:02:48 2017
*filter
:INPUT ACCEPT [94:6808]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:5324]
:f2b-ASTERISK - [0:0]
:f2b-blacklist - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -j f2b-blacklist
-A INPUT -j f2b-ASTERISK
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 15 --hitcount 2 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name PJSIP --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 --rttl --name PJSIP --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 15 --hitcount 2 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name PJSIP --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 --rttl --name PJSIP --mask 255.255.255.255 --rsource -j DROP
-A f2b-ASTERISK -s 89.163.144.226/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ASTERISK -s 95.141.35.200/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ASTERISK -j RETURN
-A f2b-blacklist -s 116.31.116.44/32 -j DROP
-A f2b-blacklist -s 218.65.30.251/32 -j DROP
-A f2b-blacklist -s 95.141.35.200/32 -j DROP
-A f2b-blacklist -s 89.163.144.226/32 -j DROP
-A f2b-blacklist -s 201.249.185.141/32 -j DROP
-A f2b-blacklist -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Thu May 11 11:02:48 2017
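A DROP rule inside a fail2ban chain only takes effect for packets that the INPUT chain actually hands to that chain, so a useful check on a dump like the one above is to pair every `f2b-*` chain with the protocol and ports of its INPUT jump rule. In this dump the jump to `f2b-blacklist` is `-p tcp`, so the chain is consulted for TCP only, while the jump to `f2b-ASTERISK` carries no protocol (the jail's `protocol=all`) and is consulted for everything, but its entries are removed when the 600-second ban expires. The script below is an added example (not part of the thread or the repository) that parses iptables-save output, reports what each fail2ban chain covers, and lists, for every banned address, the protocols for which no rule is reachable. The dump embedded in it is the one posted above trimmed to the relevant rules.

```python
import shlex

# The iptables-save dump posted above, trimmed to the rules that matter here
# (the duplicated "recent" rules and most counters are left out).
DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:f2b-ASTERISK - [0:0]
:f2b-blacklist - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -j f2b-blacklist
-A INPUT -j f2b-ASTERISK
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name PJSIP --mask 255.255.255.255 --rsource
-A f2b-ASTERISK -s 95.141.35.200/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ASTERISK -j RETURN
-A f2b-blacklist -s 116.31.116.44/32 -j DROP
-A f2b-blacklist -s 95.141.35.200/32 -j DROP
-A f2b-blacklist -j RETURN
-A f2b-sshd -j RETURN
COMMIT
"""

F2B_PREFIX = "f2b-"


def parse_dump(text):
    """Rule lines of an iptables-save dump as token lists (table/chain/COMMIT lines skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", ":", "COMMIT")):
            continue
        rules.append(shlex.split(line))   # shlex keeps quoted --log-prefix values intact
    return rules


def _opt(tokens, flag):
    """Value following a flag such as -p, -s, -j, --dport; None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def jump_coverage(text):
    """For each fail2ban chain, the protocol/ports of every INPUT rule jumping to it."""
    cov = {}
    for tok in parse_dump(text):
        if tok[:2] != ["-A", "INPUT"]:
            continue
        target = _opt(tok, "-j")
        if not target or not target.startswith(F2B_PREFIX):
            continue
        proto = _opt(tok, "-p") or "all"
        dports = _opt(tok, "--dports") or _opt(tok, "--dport") or "any"
        cov.setdefault(target, []).append({"proto": proto, "dports": dports})
    return cov


def chains_matching(text, ip):
    """fail2ban chains that hold a rule for this source IP, with the rule's target."""
    hits = {}
    for tok in parse_dump(text):
        if tok[0] != "-A" or not tok[1].startswith(F2B_PREFIX):
            continue
        src = _opt(tok, "-s")
        if src and src.split("/")[0] == ip:
            hits[tok[1]] = _opt(tok, "-j")
    return hits


def is_blocked(text, ip, proto):
    """True if a reachable fail2ban chain drops or rejects the IP for this protocol."""
    cov = jump_coverage(text)
    for chain, action in chains_matching(text, ip).items():
        if action not in ("DROP", "REJECT"):
            continue
        if any(j["proto"] in ("all", proto) for j in cov.get(chain, [])):
            return True
    return False


def report_gaps(text, protos=("tcp", "udp")):
    """Per banned IP, the protocols for which no fail2ban rule is reachable."""
    ips = set()
    for tok in parse_dump(text):
        src = _opt(tok, "-s")
        if tok[0] == "-A" and tok[1].startswith(F2B_PREFIX) and src:
            ips.add(src.split("/")[0])
    return {ip: [p for p in protos if not is_blocked(text, ip, p)] for ip in sorted(ips)}


if __name__ == "__main__":
    print(jump_coverage(DUMP))
    print(report_gaps(DUMP))
```

Feed it the real dump with `report_gaps(open("myiptables.txt").read())`. In the trimmed dump, 95.141.35.200 shows no gap only because the temporary `f2b-ASTERISK` entry happens to be present at the moment of the snapshot; 116.31.116.44, which is only in `f2b-blacklist`, shows the UDP gap that the TCP-only jump leaves open.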

mitchellkrogza commented 7 years ago

That is strange, because it's banning them: -A f2b-blacklist -s 95.141.35.200/32 -j DROP ..... so the IP 95.141.35.200 is blacklisted. Can you show me a log where they are still being allowed through???

mahan77 commented 7 years ago

Sorry, which log?

mitchellkrogza commented 7 years ago

Any log which can show that they are still getting through ... try tail -f /var/log/kern.log; it will show what iptables is doing, whether it's dropping them or still letting them through.

mitchellkrogza commented 7 years ago

@mahan77 I've updated the action.d script. Pull the latest version which adds logging to the ban action. Then you can monitor your kern.log using tail -f /var/log/kern.log

To get the latest version:

sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/action.d/blacklist.conf -O /etc/fail2ban/action.d/blacklist.conf

and then:

sudo service fail2ban restart

Then monitor your kernel log with tail -f /var/log/kern.log and you will see messages being logged with "iptables[F2B-blacklist]:".

mitchellkrogza commented 7 years ago

If you don't want to sit and watch the live logs with tail, let it run overnight and then in the morning simply run

grep 'blacklist' /var/log/kern.log

and it will show you any output from kern.log containing the blacklist ban.

mahan77 commented 7 years ago

Thank you very much. I will get back to you tomorrow with the log file. I really appreciate your time.

Regards Sathees

mahan77 commented 7 years ago

Hi, just managed to get the log:

May 11 14:09:57 sip kernel: [ 399.200669] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.IP.IP.IP LEN=779 TOS=0x00 PREC=0x00 TTL=115 ID=17968 PROTO=UDP SPT=5070 DPT=5060 LEN=759

May 11 14:09:57 sip kernel: [ 399.201974] IN= OUT=eth0 SRC=77.IP.IP.IP DST=95.141.35.200 LEN=590 TOS=0x00 PREC=0x00 TTL=64 ID=35976 DF PROTO=UDP SPT=5060 DPT=5070 LEN=570

mahan77 commented 7 years ago

Hi

I think the only problem is with chain f2b-ASTERISK. It looks like chain f2b-sshd is OK.

I’m posting all the conf files.

================== /etc/fail2ban/jail.conf

[asterisk]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/asterisk/messages
maxretry = 3
bantime = 600

========================= /etc/fail2ban/filter.d/asterisk.conf

[INCLUDES]

[Definition]
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found

ignoreregex =

===================== And asterisk Security Log

[2017-05-11 14:05:14] SECURITY[1479] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-05-11T14:05:14.923+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="b3feca05b56e3572f246c48285af96b1",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070"
[2017-05-11 14:05:14] SECURITY[1479] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-05-11T14:05:14.923+0100",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="",SessionID="b3feca05b56e3572f246c48285af96b1",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070",Challenge=""
[2017-05-11 14:09:57] SECURITY[1479] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-05-11T14:09:57.700+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="f1294d4e56702f5228e8ac5b1d959305",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070"
[2017-05-11 14:09:57] SECURITY[1479] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-05-11T14:09:57.700+0100",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="",SessionID="f1294d4e56702f5228e8ac5b1d959305",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070",Challenge=""
[2017-05-11 14:14:37] SECURITY[1479] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-05-11T14:14:37.844+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="8d7789299301eb9eb9c90d616e800710",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5074"
[2017-05-11 14:14:37] SECURITY[1479] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-05-11T14:14:37.845+0100",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="",SessionID="8d7789299301eb9eb9c90d616e800710",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5074",Challenge=""
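Whether the asterisk jail fires at all is decided by the failregex lines of the filter above run against the security-log lines, with `<HOST>` expanded to fail2ban's host-capturing group and `maxretry = 3` from the jail applied to the matches. The script below is an added example (not from the thread or the repository) that reproduces that matching offline: it substitutes the 0.9.x `<HOST>` group into the posted failregex entries, runs each pattern with `re.search` the way fail2ban does, and counts hits per host. The log sample is a constructed subset of the security-log lines posted above; it shows that the three InvalidAccountID events match and reach maxretry while the ChallengeSent events are correctly ignored.

```python
import re

# The group fail2ban 0.9.x substitutes for <HOST> before compiling a failregex.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex entries from the filter.d/asterisk.conf posted in this issue.
FAILREGEX = [
    r'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r"NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found",
]

# Constructed subset of the Asterisk security-log lines posted above.
SECURITY_LOG = """\
[2017-05-11 14:05:14] SECURITY[1479] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-05-11T14:05:14.923+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="b3feca05b56e3572f246c48285af96b1",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070"
[2017-05-11 14:05:14] SECURITY[1479] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-05-11T14:05:14.923+0100",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="",SessionID="b3feca05b56e3572f246c48285af96b1",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070",Challenge=""
[2017-05-11 14:09:57] SECURITY[1479] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-05-11T14:09:57.700+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="f1294d4e56702f5228e8ac5b1d959305",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5070"
[2017-05-11 14:14:37] SECURITY[1479] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-05-11T14:14:37.844+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="8d7789299301eb9eb9c90d616e800710",LocalAddress="IPV4/UDP/77.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/95.141.35.200/5074"
"""


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


COMPILED = [compile_failregex(p) for p in FAILREGEX]


def match_host(line, compiled=COMPILED):
    """Host captured by the first failregex that matches, or None (fail2ban uses search)."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def failure_counts(lines, compiled=COMPILED):
    """Number of matching failure lines per host."""
    counts = {}
    for line in lines:
        host = match_host(line, compiled)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def offenders(lines, compiled=COMPILED, maxretry=3):
    """Hosts whose failure count reaches the jail's maxretry (ignoring findtime here)."""
    return {h: n for h, n in failure_counts(lines, compiled).items() if n >= maxretry}


if __name__ == "__main__":
    for line in SECURITY_LOG.splitlines():
        print(match_host(line), line[:60])
    print(offenders(SECURITY_LOG.splitlines()))
```

This is the same question `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` answers on the server; the offline version is handy when you want to test a filter change against a saved log without touching the running jail. The counts here ignore `findtime`, which the real jail also applies.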

mitchellkrogza commented 7 years ago

Seems to me your iptables and fail2ban are working just fine. You are seeing the messages in kern.log, which means iptables is blocking them; look at the section of the message IN=eth0 OUT= ... the IP tries to connect but is dropped because it is blocked in iptables.

May 11 14:09:57 sip kernel: [ 399.200669] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.IP.IP.IP LEN=779 TOS=0x00 PREC=0x00 TTL=115 ID=17968 PROTO=UDP SPT=5070 DPT=5060 LEN=759

mitchellkrogza commented 7 years ago

Also, now that it has been running for a few hours, try this today: grep 'blacklist' /var/log/kern.log

mahan77 commented 7 years ago

Hi, there is no log for “grep 'blacklist' /var/log/kern.log”, so I did “grep '95.141.35.200' /var/log/kern.log”:

May 11 19:41:32 sip kernel: [20309.739274] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=774 TOS=0x00 PREC=0x00 TTL=115 ID=12606 PROTO=UDP SPT=5070 DPT=5060 LEN=754

May 11 19:41:32 sip kernel: [20309.741158] IN= OUT=eth0 SRC=77.XX.XX.XX DST=95.141.35.200 LEN=586 TOS=0x00 PREC=0x00 TTL=64 ID=24198 DF PROTO=UDP SPT=5060 DPT=5070 LEN=566

May 11 19:46:12 sip kernel: [20589.739755] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=773 TOS=0x00 PREC=0x00 TTL=115 ID=21633 PROTO=UDP SPT=5070 DPT=5060 LEN=753

May 11 19:46:12 sip kernel: [20589.746041] IN= OUT=eth0 SRC=77.XX.XX.XX DST=95.141.35.200 LEN=586 TOS=0x00 PREC=0x00 TTL=64 ID=11773 DF PROTO=UDP SPT=5060 DPT=5070 LEN=566

May 11 19:51:02 sip kernel: [20880.566276] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=768 TOS=0x00 PREC=0x00 TTL=115 ID=30674 PROTO=UDP SPT=5070 DPT=5060 LEN=748

May 11 19:51:02 sip kernel: [20880.567773] IN= OUT=eth0 SRC=77.XX.XX.XX DST=95.141.35.200 LEN=582 TOS=0x00 PREC=0x00 TTL=64 ID=5106 DF PROTO=UDP SPT=5060 DPT=5070 LEN=562
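The kern.log entries above come in pairs: an inbound record (IN=eth0, OUT=) from 95.141.35.200 to UDP 5060, followed within a few milliseconds by an outbound record (IN=, OUT=eth0) back to the same address with the ports swapped. That pairing can be checked mechanically, and it is the test that separates the two cases the thread is discussing: a packet discarded by a DROP rule never reaches the listening service, so it can have no reply, whereas a reply within the same second means the service received the packet and answered it (the Asterisk security log above shows a ChallengeSent event at exactly 14:09:57 for the pair posted earlier). Note also that a LOG target does not stop a packet; only the DROP or REJECT rule after it does, and the lines here carry no log prefix, so they did not come from the `iptables[F2B-blacklist]:` LOG rule mentioned above. The script below is an added example, not from the thread or the repository; the first six log lines are the ones posted above, and the last line is constructed (with that prefix) to show what an unanswered, prefixed entry looks like.

```python
import re

# Six kern.log lines posted in this issue plus one constructed, unanswered line
# carrying the "iptables[F2B-blacklist]:" prefix the blacklist action logs with.
KERN_LOG = """\
May 11 19:41:32 sip kernel: [20309.739274] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=774 TOS=0x00 PREC=0x00 TTL=115 ID=12606 PROTO=UDP SPT=5070 DPT=5060 LEN=754
May 11 19:41:32 sip kernel: [20309.741158] IN= OUT=eth0 SRC=77.XX.XX.XX DST=95.141.35.200 LEN=586 TOS=0x00 PREC=0x00 TTL=64 ID=24198 DF PROTO=UDP SPT=5060 DPT=5070 LEN=566
May 11 19:46:12 sip kernel: [20589.739755] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=773 TOS=0x00 PREC=0x00 TTL=115 ID=21633 PROTO=UDP SPT=5070 DPT=5060 LEN=753
May 11 19:46:12 sip kernel: [20589.746041] IN= OUT=eth0 SRC=77.XX.XX.XX DST=95.141.35.200 LEN=586 TOS=0x00 PREC=0x00 TTL=64 ID=11773 DF PROTO=UDP SPT=5060 DPT=5070 LEN=566
May 11 19:51:02 sip kernel: [20880.566276] IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=768 TOS=0x00 PREC=0x00 TTL=115 ID=30674 PROTO=UDP SPT=5070 DPT=5060 LEN=748
May 11 19:51:02 sip kernel: [20880.567773] IN= OUT=eth0 SRC=77.XX.XX.XX DST=95.141.35.200 LEN=582 TOS=0x00 PREC=0x00 TTL=64 ID=5106 DF PROTO=UDP SPT=5060 DPT=5070 LEN=562
May 11 19:55:00 sip kernel: [21118.000000] iptables[F2B-blacklist]: IN=eth0 OUT= MAC=00:50:56:2d:fc:db:00:50:56:8e:0c:fc:08:00 SRC=95.141.35.200 DST=77.XX.XX.XX LEN=774 TOS=0x00 PREC=0x00 TTL=115 ID=30001 PROTO=UDP SPT=5070 DPT=5060 LEN=754
"""

# "kernel: [<uptime>] <optional prefix> KEY=VALUE KEY=VALUE ..."
KMSG_RE = re.compile(r"kernel: \[\s*(?P<up>\d+\.\d+)\] (?P<fields>.*)$")


def parse_kern(line):
    """One netfilter LOG line -> dict of its KEY=VALUE fields plus the uptime stamp."""
    m = KMSG_RE.search(line)
    if not m:
        return None
    fields = {"uptime": float(m.group("up")), "prefix": ""}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val          # a second LEN= (UDP length) simply overwrites the first
        elif not fields["prefix"] and "IN" not in fields:
            fields["prefix"] = tok     # text before the first KEY=VALUE is the --log-prefix
    return fields


def answered_inbound(lines, window=1.0):
    """For each inbound packet, whether an outbound packet to the same peer with the
    ports swapped was logged within `window` seconds of it."""
    pkts = [p for p in map(parse_kern, lines) if p]
    result = []
    for p in pkts:
        if not p.get("IN"):                 # inbound records have IN=<iface> and OUT=
            continue
        reply = any(
            q.get("OUT") and not q.get("IN")
            and q.get("SRC") == p.get("DST") and q.get("DST") == p.get("SRC")
            and q.get("SPT") == p.get("DPT") and q.get("DPT") == p.get("SPT")
            and 0 <= q["uptime"] - p["uptime"] <= window
            for q in pkts
        )
        result.append({"uptime": p["uptime"], "src": p["SRC"], "proto": p.get("PROTO"),
                       "dpt": p.get("DPT"), "prefix": p["prefix"], "answered": reply})
    return result


if __name__ == "__main__":
    for r in answered_inbound(KERN_LOG.splitlines()):
        print(r)
```

Run it on `grep '95.141.35.200' /var/log/kern.log`: entries reported as `answered` reached the service, and entries with the blacklist prefix and no answer are the ones the DROP rule actually discarded.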

mitchellkrogza commented 7 years ago

That shows your iptables is working and blocking 95.141.35.200.

Remember, just because it is set to DROP in iptables does not mean the IP address will stop trying to connect; it just means iptables drops and ignores the IP. This is correct and expected behaviour.

mitchellkrogza commented 7 years ago

The only way you can stop seeing that IP trying to connect to your server is to have another physical firewall sitting a level above your server.

mahan77 commented 7 years ago

Hi, I am already running fail2ban on a different system and it is working as normal. The reason I want to try your scripts is so I can block repeat offenders forever. Normally if fail2ban blocks an IP you can’t access anything at all; that’s my experience on the other system.

I did some tests last night: I blacklisted my IP, then I tried to connect over SSH and it wouldn’t connect, but if I try Asterisk it will connect. The behaviour is very strange.

Regards Sathees

mitchellkrogza commented 7 years ago

Then why use Asterisk at all?? I don't and never have.

Use only the jails ssh, ssh-ddos and my blacklist (and any others like nginx and apache) and you will have a system like mine that does permanent blacklisting.

Have you checked the contents of the ip.blacklist file to see that it is blacklisting them???

cat /etc/fail2ban/ip.blacklist

mahan77 commented 7 years ago

When it comes to SSH I am able to control it via known IPs. The problem I have is that the Asterisk PBX is running on a cloud server (public IP). Some of my clients don’t have a static IP, so I have to find a way to control brute-force attacks; that’s why I’m looking into this. I have managed to slow down brute-force attacks to 2 attempts every 10 seconds.
I really appreciate your time. I will do some research. Thank you.

mitchellkrogza commented 7 years ago

You need a better iptables structure to deal with brute force; your iptables rules are quite basic. I will post an example of my iptables for you.

mitchellkrogza commented 7 years ago

Here's an iptables ruleset I use for a webserver; it deals very well with brute-force attacks and ICMP flooding. These are the rules that iptables must load after reboot; fail2ban then adds its filters after this loads.

This is just an example

# Generated by iptables-save v1.6.0 on Fri Apr 14 13:51:00 2017
*filter
# Default policies: anything inbound or forwarded that no rule below accepts is dropped
:INPUT DROP [2:472]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1747:1663928]
# Custom chains that rate-limit ICMP echo requests and new SSH connections per source address
:ICMPFLOOD - [0:0]
:SSHBRUTE - [0:0]
# Loopback and already-tracked flows in; invalid conntrack state, spoofed loopback sources and broadcast/multicast/anycast out
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
# MySQL (3306): log the source, record it in the "portscan" recent list, then accept
-A INPUT -p tcp -m tcp --dport 3306 -j LOG --log-prefix "[ FW - PORTSCAN - SQL: ]"
-A INPUT -p tcp -m tcp --dport 3306 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j ACCEPT
# New TCP connections (SYN only) to the served ports; SSH goes through the SSHBRUTE rate limiter instead
-A INPUT -p tcp -m multiport --dports 25,53,80,443,7890,10000 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j SSHBRUTE
# ICMP: allow echo reply (0), destination unreachable (3) and time exceeded (11); rate-limit echo request (8)
-A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
# Silently drop Windows networking (RPC/NetBIOS/SMB), SSDP and stray UDP from source port 53
# (legitimate DNS replies were already accepted above as ESTABLISHED)
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
-A INPUT -p udp -m udp --dport 1900 -j DROP
-A INPUT -p udp -m udp --sport 53 -j DROP
# Reject ident (113) with a TCP reset instead of dropping, so remote mail servers do not hang waiting on it
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Log whatever falls through to the INPUT DROP policy, rate-limited so an attacker cannot flood the log
-A INPUT -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
# ICMPFLOOD: record the source; once it has sent 6 echo requests within 1 second, log (rate-limited) and drop
-A ICMPFLOOD -m recent --set --name ICMP --mask 255.255.255.255 --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --rttl --name ICMP --mask 255.255.255.255 --rsource -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --rttl --name ICMP --mask 255.255.255.255 --rsource -j DROP
-A ICMPFLOOD -j ACCEPT
# SSHBRUTE: record the source; once it has opened 10 new SSH connections within 300 seconds, log and drop
-A SSHBRUTE -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A SSHBRUTE -m recent --update --seconds 300 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-A SSHBRUTE -m recent --update --seconds 300 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A SSHBRUTE -j ACCEPT
COMMIT
# Completed on Fri Apr 14 13:51:00 2017

mahan77 commented 7 years ago

thank you

mahan77 commented 7 years ago

Hello again. I managed to sort the problem out. All it was, was changing “protocol = tcp” to “protocol = all” in jail.conf, because the Asterisk PBX uses UDP. Now everything is working fine. Thanks for your time and effort.
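The fix above comes down to which traffic the kernel hands to the f2b-blacklist chain. The blacklist action inserts the chain into INPUT with `iptables -w -I INPUT -p <protocol> -j f2b-blacklist` (the `-p all` form of it appears in the actionstart output further down this thread), and fail2ban fills `<protocol>` from the jail's `protocol` option, whose default in jail.conf is `tcp`. SIP to Asterisk is UDP, so a tcp-only jump lets a blacklisted scanner straight past the chain even though the jail reports the ban. The script below is an added example for diagnosing this, not code from the thread or from the repository: it reads iptables-save output (two constructed excerpts here; on a live box feed it `"$(iptables-save)"`), finds the INPUT rule that jumps to the chain and reports whether a given protocol is covered. Note that iptables-save prints a `-p all` jump with no `-p` at all, which the check treats as `all`.

```shell
#!/bin/sh
# Added example (not part of the thread or the repository): does the INPUT -> CHAIN
# jump that fail2ban's blacklist action inserts cover a given protocol?

# Constructed iptables-save excerpts, not captured from a real host.
# WEAK_RULES: jail left at the default "protocol = tcp"; UDP never reaches the chain.
WEAK_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j f2b-blacklist
-A f2b-blacklist -s 95.141.35.200/32 -j DROP
-A f2b-blacklist -j RETURN'

# FIXED_RULES: jail set to "protocol = all"; iptables-save prints the jump without -p.
FIXED_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -j f2b-blacklist
-A f2b-blacklist -s 95.141.35.200/32 -j DROP
-A f2b-blacklist -j RETURN'

# jump_proto RULES CHAIN: print the -p value of the first INPUT rule jumping to CHAIN
# ("all" when the rule carries no -p); print nothing if there is no such jump.
jump_proto() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == "INPUT" && $(NF-1) == "-j" && $NF == chain {
            p = "all"
            for (i = 3; i < NF; i++) if ($i == "-p") p = $(i+1)
            print p
            exit
        }'
}

# covers RULES CHAIN PROTO: succeed when PROTO traffic is sent to CHAIN.
covers() {
    p=$(jump_proto "$1" "$2")
    [ -n "$p" ] && { [ "$p" = all ] || [ "$p" = "$3" ]; }
}

# report NAME RULES: one-line verdict for UDP (SIP) against the f2b-blacklist chain.
report() {
    if covers "$2" f2b-blacklist udp; then
        echo "$1: UDP reaches f2b-blacklist"
    else
        echo "$1: UDP bypasses f2b-blacklist (set protocol = all in the jail)"
    fi
}

report WEAK_RULES "$WEAK_RULES"
report FIXED_RULES "$FIXED_RULES"
```

On the affected host the same check is `covers "$(iptables-save)" f2b-blacklist udp`; if it fails while `fail2ban-client status blacklist` lists the address as banned, the jail is working and the chain jump is what needs fixing.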

mitchellkrogza commented 7 years ago

Great @mahan77, glad you got it sorted. It's always the smallest setting we miss 😄

mahan77 commented 7 years ago

Hello again, sorry to trouble you. I’m getting an error when I restart fail2ban. I can see this error only in blacklist; can you help me please? I’m using fail2ban 0.9.7.

iptables -w -A f2b-blacklist -j RETURN
iptables -w -I INPUT -p all -j f2b-blacklist
sort -u /etc/fail2ban/ip.blacklist -o /etc/fail2ban/ip.blacklist
cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I f2b-blacklist 1 -s $IP -j DROP LOG --log-prefix "iptables[F2B-blacklist]: "; done -- stdout: b''
2017-05-21 16:07:39,902 fail2ban.action [2740]: ERROR iptables -w -N f2b-blacklist
iptables -w -A f2b-blacklist -j RETURN
iptables -w -I INPUT -p all -j f2b-blacklist
sort -u /etc/fail2ban/ip.blacklist -o /etc/fail2ban/ip.blacklist
cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I f2b-blacklist 1 -s $IP -j DROP LOG --log-prefix "iptables[F2B-blacklist]: "; done -- stderr: b"Bad argument `LOG'\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-05-21 16:07:39,902 fail2ban.action [2740]: ERROR iptables -w -N f2b-blacklist
iptables -w -A f2b-blacklist -j RETURN
iptables -w -I INPUT -p all -j f2b-blacklist
sort -u /etc/fail2ban/ip.blacklist -o /etc/fail2ban/ip.blacklist
cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I f2b-blacklist 1 -s $IP -j DROP LOG --log-prefix "iptables[F2B-blacklist]: "; done -- returned 2
2017-05-21 16:07:39,902 fail2ban.actions [2740]: ERROR Failed to start jail 'blacklist' action 'blacklist': Error starting action

mitchellkrogza commented 7 years ago

@mahan77 it does not like the log message part I added. I removed that, so get the latest version:

sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/action.d/blacklist.conf -O /etc/fail2ban/action.d/blacklist.conf

and then

sudo service fail2ban restart
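The command iptables rejected in the error above is the one-liner that rebuilds the chain from /etc/fail2ban/ip.blacklist. A rule takes exactly one `-j` target, so `-j DROP LOG ...` fails with `Bad argument 'LOG'`, and because actionstart is one script the whole jail refuses to start. Logging and dropping an address therefore needs two rules. The script below is an added example, not the repository's action.d/blacklist.conf: it prints the rule pair for every unique address in a constructed blacklist file (LOG above DROP; both are inserted at position 1, which keeps the chain's trailing RETURN last), and skips blank lines, comments and malformed entries, which a plain `while read IP` loop would otherwise hand to iptables and break the start in the same way. The commands are printed rather than executed; pipe the output to sh to apply them.

```shell
#!/bin/sh
# Added example (not the repository's blacklist action): emit one LOG rule and one
# DROP rule per valid, unique address in a blacklist file. Dry run: commands are
# printed, not executed.

# Constructed blacklist file, not a real one. It contains a blank line, a comment,
# a duplicate and a malformed entry to show what the generator has to tolerate.
BLACKLIST=$(mktemp)
cat > "$BLACKLIST" <<'EOF'
95.141.35.200
# added by hand
203.0.113.7

not-an-ip
203.0.113.7
EOF

# valid_ipv4 ADDR: succeed only for four dotted decimal octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# blacklist_rules FILE CHAIN: print the iptables commands for FILE.
# DROP is inserted at position 1 first and LOG at position 1 second, so in the
# finished chain LOG sits above DROP and the original RETURN stays at the bottom.
# Malformed entries are reported on stderr and skipped instead of aborting.
blacklist_rules() {
    sort -u "$1" | while read -r ip; do
        case $ip in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skipping malformed entry: $ip" >&2
            continue
        fi
        echo "iptables -w -I $2 1 -s $ip -j DROP"
        echo "iptables -w -I $2 1 -s $ip -j LOG --log-prefix \"iptables[F2B-blacklist]: \""
    done
}

# rule_count FILE CHAIN: how many rules would be added (two per accepted address).
rule_count() {
    blacklist_rules "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

blacklist_rules "$BLACKLIST" f2b-blacklist
```

The `--log-prefix` string stays under the 29-character limit iptables enforces on it; a longer prefix is another way an actionstart can fail on one rule and take the jail down with it.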

mahan77 commented 7 years ago

Thank you. Looks like everything is OK.