Hi List!

I found fail2ban in a non-working state when checking my logs.

I put together some log lines:

First this happened:
2008-12-29 08:16:59,197 fail2ban.actions: WARNING [ssh-iptables] 220.194.201.208 already banned
2008-12-29 08:23:47,623 fail2ban.actions: WARNING [ssh-iptables] Ban 201.234.204.98
2008-12-29 09:00:34,737 fail2ban.actions: WARNING [ssh-iptables] 202.71.106.120 already banned
2008-12-29 09:14:18,622 fail2ban.actions: WARNING [ssh-iptables] 200.254.105.2 already banned
2008-12-29 10:14:00,870 fail2ban.actions: WARNING [ssh-iptables] Unban 61.140.128.198
2008-12-29 10:14:00,904 fail2ban.actions.action: ERROR iptables -D fail2ban-SSH -s 61.140.128.198 -j DROP returned 100
2008-12-29 10:22:21,871 fail2ban.actions: WARNING [ssh-iptables] 81.208.92.170 already banned
2008-12-29 10:25:35,016 fail2ban.actions: WARNING [ssh-iptables] 83.16.46.66 already banned
2008-12-29 11:13:46,151 fail2ban.actions: WARNING [ssh-iptables] 81.208.92.170 already banned

Then, later in time:

2008-12-30 15:56:31,786 fail2ban.actions: WARNING [ssh-iptables] Unban 58.26.137.80
2008-12-30 15:56:31,819 fail2ban.actions.action: ERROR iptables -D fail2ban-SSH -s 58.26.137.80 -j DROP returned 100
2008-12-31 01:20:23,300 fail2ban.actions: WARNING [ssh-iptables] Unban 220.118.229.164
2008-12-31 01:20:23,332 fail2ban.actions.action: ERROR iptables -D fail2ban-SSH -s 220.118.229.164 -j DROP returned 100
2008-12-31 01:36:02,938 fail2ban.actions: WARNING [ssh-iptables] Unban 70.91.249.154
2008-12-31 01:36:02,971 fail2ban.actions.action: ERROR iptables -D fail2ban-SSH -s 70.91.249.154 -j DROP returned 100

And then:

2009-01-15 00:11:32,623 fail2ban.actions: WARNING [ssh-iptables] Unban 217.219.193.74
2009-01-15 00:11:32,671 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2009-01-15 00:11:32,673 fail2ban.server : ERROR Unexpected communication error
2009-01-15 00:11:32,675 fail2ban.server : ERROR Unexpected communication error

After restarting fail2ban, everything seems to work normally...

What does "returned 100" mean? It seems that when this is happening, fail2ban is not blocking new IPs.

I guess "already banned" messages happen if someone "bursts" too fast... is this correct?

And also with this communication error... I don't know how to track this...

My idea was to play around with Nagios to have it report when "returned 100" happens... but I guess some of you might have a better solution...

Thank you very much!

chris
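
A Nagios-style check for the "returned 100" condition described in the post above, as an added example that is not part of the original message and not fail2ban's own code. The function names are assumptions of this example, the sample lines are copied from the log excerpt in the post, and the exit codes follow the usual Nagios plugin convention (0 = OK, 2 = CRITICAL).

```python
import re
import sys

# Nagios plugin exit codes
OK, CRITICAL = 0, 2

# A fail2ban action command that failed, e.g.
# "... fail2ban.actions.action: ERROR iptables -D ... returned 100"
FAILED_ACTION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions\.action\s*: ERROR (?P<cmd>.+) returned (?P<rc>\w+)\s*$"
)

# Sample input: lines copied from the log excerpt in the post
SAMPLE_LOG = """\
2008-12-29 10:14:00,870 fail2ban.actions: WARNING [ssh-iptables] Unban 61.140.128.198
2008-12-29 10:14:00,904 fail2ban.actions.action: ERROR iptables -D fail2ban-SSH -s 61.140.128.198 -j DROP returned 100
2008-12-29 10:22:21,871 fail2ban.actions: WARNING [ssh-iptables] 81.208.92.170 already banned
2008-12-30 15:56:31,819 fail2ban.actions.action: ERROR iptables -D fail2ban-SSH -s 58.26.137.80 -j DROP returned 100
"""

def find_failed_actions(lines):
    """Return (timestamp, command, logged code) for every failed action."""
    hits = []
    for line in lines:
        m = FAILED_ACTION.match(line.rstrip("\n"))
        if m:
            hits.append((m.group("ts"), m.group("cmd"), m.group("rc")))
    return hits

def check(lines):
    """Return (exit_code, status_line) in Nagios plugin style."""
    hits = find_failed_actions(lines)
    if not hits:
        return OK, "OK - no failed fail2ban actions in log"
    ts, cmd, rc = hits[-1]
    return CRITICAL, (f"CRITICAL - {len(hits)} failed fail2ban action(s); "
                      f"last at {ts}: '{cmd}' returned {rc}")

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample lines.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            code, message = check(fh)
    else:
        code, message = check(SAMPLE_LOG.splitlines())
    print(message)
    sys.exit(code)
```

The logged code is reported as the string fail2ban wrote and is not interpreted. Because the check reads the whole file, it stays CRITICAL until the log is rotated.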