One week ago, I installed Fail2ban 0.8.4-SVN on Debian squeeze.
On my server I’ve seen many requests like this in kern.log:
"kernel : [4800038.244020] TCP: Peer 184.108.40.206:51454/8000 unexpectedly
shrunk window 2440475269:2440476909 (repaired)"
I created a jail at the end of jail.local like this:
Enabled = true
Filter = shrunk-window
logpath = /var/log/kern.log
port = all
maxretry = 1
Next I created the filter shrunk-window.conf:
failregex = TCP\: Peer <HOST>\:.*unexpectedly shrunk window.*repaired+
Fail2ban detects the IP address but doesn’t ban it.
I’ve changed the /usr/bin/fail2ban-client file and added a time.sleep(0.1) or
def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
As in the fail2ban-client file, I added time.sleep(1) in the action.py file:
import time, logging, os
Then add time.sleep(1) to execActionStart:
startCmd = Action.replaceTag(self.__actionStart, self.__cInfo)
I’ve tried with the SSH jail and it’s the same problem.
I have tested the filter with:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
The filter works (it detects failed auth) but doesn’t ban with iptables.
Do you have any solutions? Is that my jail.local and my shrunk-window.conf
I am sending a fail2ban log file.
Thank you in advance.
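
An added example, not part of the original post: a Python check that the filter's failregex, written with `.*`, matches the kernel message quoted above, captures the peer address, and reaches the jail's maxretry of 1. The `<HOST>` expansion is an assumption approximating what fail2ban 0.8.x substitutes, date detection and findtime are left out, and the second log line is constructed.

```python
import re
from collections import Counter

# Assumption: fail2ban 0.8.x expands <HOST> to roughly this group before compiling.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Filter regex from the post, written with ".*" (no space inside).
FAILREGEX = r"TCP\: Peer <HOST>\:.*unexpectedly shrunk window.*repaired+"
# Same regex with a space inside each ".*", shown for contrast.
SPACED_REGEX = r"TCP\: Peer <HOST>\:. *unexpectedly shrunk window. *repaired+"

MAXRETRY = 1  # value from the jail in the post

# Constructed sample: the kernel message quoted in the post plus one unrelated line.
SAMPLE_LOG = [
    "kernel : [4800038.244020] TCP: Peer 184.108.40.206:51454/8000 "
    "unexpectedly shrunk window 2440475269:2440476909 (repaired)",
    "kernel : [4800040.000000] eth0: link up",
]


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile, as a filter would."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def find_hosts(failregex, lines):
    """Return the host captured from every line the regex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(failregex, lines, maxretry=MAXRETRY):
    """Hosts whose match count reaches maxretry (findtime is ignored here)."""
    counts = Counter(find_hosts(failregex, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matches:", find_hosts(FAILREGEX, SAMPLE_LOG))
    print("would ban:", hosts_to_ban(FAILREGEX, SAMPLE_LOG))
    print("spaced variant matches:", find_hosts(SPACED_REGEX, SAMPLE_LOG))
```

A match here only confirms the detection side of the jail; the ban itself is carried out by the jail's action.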