Fail2Ban problem

Discussion in 'Installation/Configuration' started by marcfest, Jul 10, 2014.

  1. marcfest

    marcfest New Member

    Hi there,

    I'm having a weird problem with Fail2Ban on Ubunutu. I'm using the configurations shown below to catch Wordpress post flood attacks.

    Now, the strange thing is, when it catches an attacker, rather than banning the attacker's IP, the Fail2Ban log shows the warning message below. But the IP in that warning message is not the current attacker's IP, but an IP that is already listed as banned in IPTables under a different, ssh-related configuration rule (see output below).

    So it seems that for some reason a new IP that should be banned is not being banned because it triggers an "already banned" warning, but that warning does not quote the new IP, but a different one already previously banned.

    Any idea what might be going on?

    Thank you.

    Marc.

    Warning message:

    2014-07-10 07:42:45,789 fail2ban.actions: WARNING [apache-postflood] 192.155.92.228 already banned

    jail.local:

    [apache-postflood]

    enabled = true
    findtime = 10
    port = http,https
    filter = apache-postflood
    logpath = /var/log/apache2/other_vhosts_access.log
    maxretry = 3

    apache-postflood.conf:

    cat apache-postflood.conf
    # Fail2Ban configuration file
    #
    # Author: Yaroslav O. Halchenko <[email protected]>
    #
    # $Revision: 716 $
    #

    [Definition]

    # Option: failregex
    # Notes.: regex to match failures to find a home directory on a server, which
    # became popular last days. Most often attacker just uses IP instead of
    # domain name -- so expect to see them in generic error.log if you have
    # per-domain log files.
    # Values: TEXT
    #
    failregex = <HOST>.*] "POST /wp-login.php.*
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    # ignoreregex =

    # iptables -L INPUT -v -n
    Chain INPUT (policy ACCEPT 19M packets, 3842M bytes)
    pkts bytes target prot opt in out source destination
    248K 21M fail2ban-apache-postflood tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
    1821 143K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
    317 18964 DROP all -- * * 192.232.205.200 0.0.0.0/0
    221 13188 DROP all -- * * 209.235.124.0 0.0.0.0/0
    318 19024 DROP all -- * * 37.187.140.59 0.0.0.0/0
     
    marcfest, Jul 10, 2014
    #1
  2. srijan

    srijan New Member HowtoForge Supporter

    Hi

    Please see the solution in the link
     
    srijan, Jul 11, 2014
    #2

Share This Page