Just had another attempt today which fail2ban did not block. I think now I can trace it to log rotation.
After a log rotation, fail2ban is still active but it seems to stop noticing log entries in the new logs.
I am running CentOS 6.4 and fail2ban 0.8.8.

I just now updated to 0.8.10. Also I have changed backend from auto to gamin because from searching about this problem I see there could be issues with python-inotify.

John

On 30/06/13 16:11, Arturo 'Buanzo' Busleiman wrote:

I would write a script that runs fail2ban-client ping and run it from nagios, cron, etc.

Of course, without knowing what went wrong in the first place then the ping command might not suffice.
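
Added example (not part of the thread and not fail2ban's own code): a cron/Nagios-style check that goes beyond `fail2ban-client ping` by comparing the jail's "Total failed" counter with new failure lines in the log, so a fail2ban that is running but no longer reading a rotated log is flagged. The jail name, log path, grep pattern and state file are assumptions, and the pattern only approximates the jail's failregex.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that fail2ban is still *counting*
# failures, not merely answering ping. JAIL, LOG, PATTERN and STATE are
# assumptions; PATTERN only approximates the jail's failregex.
JAIL="${JAIL:-ssh-iptables}"; LOG="${LOG:-/var/log/secure}"
PATTERN="${PATTERN:-Failed password}"; STATE="${STATE:-/var/tmp/f2b_check.state}"

# Read `fail2ban-client status <jail>` output on stdin, print "Total failed".
total_failed() {
    sed -n 's/.*Total failed:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# verdict PREV CUR NEW_HITS: Nagios-style message and exit code.
verdict() {
    if [ "$2" -lt "$1" ]; then
        echo "WARNING: counter dropped $1 -> $2 (fail2ban restarted?)"; return 1
    fi
    if [ "$3" -gt 0 ] && [ "$2" -eq "$1" ]; then
        echo "CRITICAL: $3 new failure lines in log, counter stuck at $2"; return 2
    fi
    echo "OK: counter $1 -> $2, $3 new failure lines"; return 0
}

live_check() {
    fail2ban-client ping >/dev/null 2>&1 ||
        { echo "CRITICAL: fail2ban-client ping failed"; return 2; }
    cur=$(fail2ban-client status "$JAIL" 2>/dev/null | total_failed)
    [ -n "$cur" ] || { echo "UNKNOWN: no counter for jail $JAIL"; return 3; }
    hits=$(grep -c -- "$PATTERN" "$LOG"); inode=$(stat -c %i "$LOG")
    if [ ! -r "$STATE" ]; then
        echo "$cur $hits $inode" > "$STATE"; echo "OK: baseline recorded"; return 0
    fi
    read -r prev prev_hits prev_inode < "$STATE"
    echo "$cur $hits $inode" > "$STATE"
    # Same inode: only lines added since the last run are new. A changed inode
    # means the log was rotated, so every hit in the new file is new.
    [ "$inode" = "$prev_inode" ] && hits=$((hits - prev_hits))
    verdict "$prev" "$cur" "$hits"
}

if [ "${1:-}" = "--live" ]; then
    live_check; exit $?
fi
# No argument: demo on constructed status output (tab-separated fields).
demo=$(printf '|  |- Currently failed:\t0\n|  `- Total failed:\t5\n' | total_failed)
verdict 5 "$demo" 3 || true   # counter unchanged despite 3 new log hits
```

Run it with `--live` from cron or as a Nagios plugin; a quiet period with no new failure lines reports OK, so it only alarms when the log shows activity that fail2ban has not counted.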

On Jun 30, 2013 8:43 AM, "John Fawcett" <john.ml@erba.tv> wrote:
Patrick,
thanks for your reply. Would that only check that the fail2ban process is running, or would it check that fail2ban was still processing the logs?

In the case I saw, the fail2ban process had not died but on the other hand it was no longer picking up the log lines and blocking. I suspect the reason for this is external to fail2ban (i.e. a DOS attack on named) but still I did not notice that fail2ban had stopped working.

If monit just checks for the process being active, maybe also it would not have picked up this case.

I am particularly concerned that people may be using a DOS to immobilize fail2ban so they then can have free rein on connection attempts.

John

On 29/06/13 02:04, openroot webservices | Patrick Geschke wrote:
> Hey John,
>
> I use monit for that purpose.
>
> Greetings,
> Patrick
>
> On 29.06.13 01:45, John Fawcett wrote:
>> I noticed that I wasn't getting any more email from fail2ban, so either
>> there were no attacks or something was wrong. Looking through the logs I
>> guess it was the second of these, because there were still attacks.
>>
>> Fail2ban may have stopped work around the time I got a DOS on named
>> (which I was not blocking previously) so I wonder if the server got
>> overloaded and fail2ban stopped for this reason.
>>
>> I am now blocking also with the named jail.
>>
>> However I wondered if it might not be possible to get some kind of
>> signal that fail2ban is not working. One way of doing this might be to
>> have fail2ban periodically confirm via email which jails it is still
>> monitoring. That way if I stop getting the periodic mails I can start to
>> look into it.
>>
>> John
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>