
#95 not showing fail2ban restore

v7.5.5
closed
nobody
None
5
2022-01-01
2021-05-21
No

Hi,

I don't know if it is a bug or a feature, but I'm not certain it is normal.
When I restart my fail2ban service, of course a lot of IPs are unbanned, then restored.
But it seems that logwatch only sees (or only shows) the unbans and not the restores.

~~~
 Banned services with Fail2Ban:                             Bans:Unbans
    multirecidive:                                          [  0:1306]
    postfix:                                                [  6:1779]
    recidive:                                               [  2:1866]
    sshd:                                                   [  0:607]
~~~

(I restarted twice here)
However, IPs are correctly banned again:

~~~
Status for the jail: multirecidive
   |- Currently banned: 653
Status for the jail: postfix
   |- Currently banned: 249
Status for the jail: recidive
   |- Currently banned: 931
Status for the jail: sshd
   |- Currently banned: 303
~~~

So logwatch's banned IPs count is wrong.

Discussion

  • Bjorn

    Bjorn - 2021-06-06

    New patch in repository: fe60fe. Let me know if it works.

     
    • Christophe PEREZ

      Sorry. I never received notification about your answer. Just when bug was closed.
      I applied your patch and will see tomorrow.

       
      • Christophe PEREZ

        Seems to not be ok:
        ~~~
        Banned services with Fail2Ban: Bans+ReBans:Unbans
        apache-denied: [ 2:3 ]
        multirecidive: [ 3:2266]
        postfix: [ 90:308]
        postfix] Increase: [ 9:0 ]
        recidive: [ 10:728]
        recidive] Increase: [ 1:0 ]
        sshd: [ 0:114]
        ~~~

         
        • Bjorn

          Bjorn - 2021-08-18

          Bug reopened.
          Not clear how it is not ok. Was the above a copy/paste of logwatch output? What numbers were you expecting? Are the "postfix] Increase" and "recidive] Increase" your own notations as to what it should have been?

           
          • Christophe PEREZ

            Yes, it's a logwatch daily output, after restarting fail2ban.
            The problem is not about the Bans or Rebans, but Unbans.
            Bans/Rebans excludes restored Ban, and it's ok, but not Unbans because of fail2ban restart.
            Also the unbans count the IPs unbanned then restored, so the number is abnormally high, like 2266 here for multirecidive.
            My English is not good enough to explain better, sorry.

             
  • Bjorn

    Bjorn - 2021-08-14
    • status: open --> closed
     
  • Bjorn

    Bjorn - 2021-08-18
    • status: closed --> open
     
  • Bjorn

    Bjorn - 2021-08-19

    OK; I think you are asking to distinguish between bans/unbans due to fail2ban services (jails) stopped and started. Try the attached services script. For the headers, ReBans means Restored Bans (formerly called ReBans in fail2ban, I believe). Flush means unbans due to flushing the jail service due to stopping the jail. Most people will want a low detail setting. The number of lines produced is the same as before, but with the additional "ReBans:Flush" column. Still, it can be a lot of output lines when detail is greater than '0' to '4'.

     
  • Bjorn

    Bjorn - 2021-10-13

    I've added the previously posted fail2ban file (above) to the repository.

     
  • Bjorn

    Bjorn - 2022-01-01
    • status: open --> closed
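
Added example, not part of the ticket thread and not logwatch's own script: a per-jail counter that keeps restored bans and restart-time unbans in separate columns, so the figures can be reconciled with "Currently banned". The log message formats, the shutdown-window heuristic, and the names `count_events` and `net_banned` are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed fail2ban.log layout (not taken from the ticket).
SAMPLE_LOG = """\
2021-08-18 03:00:01,100 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2021-08-18 04:00:01,100 fail2ban.actions [812]: NOTICE [sshd] Unban 192.0.2.10
2021-08-18 05:10:00,000 fail2ban.actions [812]: NOTICE [postfix] Ban 198.51.100.7
2021-08-18 05:20:00,000 fail2ban.actions [812]: NOTICE [postfix] Increase Ban 198.51.100.7 (2 # 0:20:00 -> 2021-08-18 05:40:00)
2021-08-18 06:00:00,000 fail2ban.server [812]: INFO Shutdown in progress...
2021-08-18 06:00:00,010 fail2ban.server [812]: INFO Stopping all jails
2021-08-18 06:00:00,200 fail2ban.actions [812]: NOTICE [postfix] Unban 198.51.100.7
2021-08-18 06:00:00,300 fail2ban.jail [812]: INFO Jail 'postfix' stopped
2021-08-18 06:00:00,400 fail2ban.jail [812]: INFO Jail 'sshd' stopped
2021-08-18 06:00:05,000 fail2ban.jail [977]: INFO Jail 'postfix' started
2021-08-18 06:00:05,100 fail2ban.actions [977]: NOTICE [postfix] Restore Ban 198.51.100.7
"""

# Multi-word verbs come first so "Restore Ban" is never read as a plain "Ban".
ACTION = re.compile(
    r"\[(?P<jail>[^\]]+)\]\s+(?P<verb>Restore Ban|Increase Ban|Ban|Unban)\s+(?P<ip>\S+)")
STOPPING = re.compile(r"Shutdown in progress|Stopping all jails")
STARTED = re.compile(r"Jail '[^']+' started")
COLUMN = {"Ban": "ban", "Restore Ban": "restore", "Increase Ban": "increase"}

def count_events(log_text):
    """Return {jail: {ban, restore, increase, unban, flush}} for one log."""
    counts = defaultdict(lambda: dict(ban=0, restore=0, increase=0, unban=0, flush=0))
    shutting_down = False  # assumption: Unbans seen during shutdown are flushes
    for line in log_text.splitlines():
        if STOPPING.search(line):
            shutting_down = True
        elif STARTED.search(line):
            shutting_down = False
        elif (m := ACTION.search(line)):
            row = counts[m["jail"]]
            if m["verb"] == "Unban":
                row["flush" if shutting_down else "unban"] += 1
            else:
                row[COLUMN[m["verb"]]] += 1
    return dict(counts)

def net_banned(row):
    """Net change in banned addresses over the log window for one jail."""
    return row["ban"] + row["restore"] - row["unban"] - row["flush"]
```

Only a whole-service restart is recognised as a flush window here; a single jail stopped on its own would need its own marker line.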
     
