fail2ban: long recidive bantime ending prematurely

0 votes
0 answers
49 views
I noticed a problem with my fail2ban installation. All my jails have a short bantime, just the "recidive" has a much longer bantime. I'm using nftables. The banned IP addresses are stored in sets. (Originally I thought there was only one set, but this assumption was wrong). This is what I see in the log for a given single IP:
1. portscan BAN1 for short time
2. portscan UNBAN1 after a while

3. portscan BAN2 for short time
4. portscan UNBAN2 after a while

5. portscan BAN3 for short time
6. recidive BAN for LONG time, because the portscan was activated 3 times
7. portscan UNBAN3 after a while (the IP is no longer banned!!)

8. recidive UNBAN (error logged, IP not found in the set)
- In line 5 the IP is banned in jail "portscan"
- In line 6 the IP is banned in jail "recidive"
- In line 7 the IP is unbanned in "portscan", but it looks like it is unbanned globally!

Real log:
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [recidive] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [recidive] Unban 78.IP.XX.YY
ERROR   7fe663585fb0 -- exec: nft delete element inet f2b-table addr-set-recidive \{ 78.IP.XX.YY \}
ERROR   7fe663585fb0 -- stderr: 'delete element inet f2b-table addr-set-recidive { 78.IP.XX.YY }'
ERROR   7fe663585fb0 -- exec: nft delete element inet f2b-table addr-set-recidive \{ 78.IP.XX.YY \}
ERROR   7fe663585fb0 -- stderr: 'delete element inet f2b-table addr-set-recidive { 78.IP.XX.YY }'
ERROR   Failed to execute unban jail 'recidive' action 'nftables-allports' info 'ActionInfo({'ip': '78.IP.XX.YY', 'family': 'inet4', 'fid':  at 0x7fe671bb98a0>, 'raw-ticket':  at 0x7fe671bba020>})': Error unbanning 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
Ignoring changes not related to this issue, my configuration is basically just:
banaction = nftables-multiport
banaction_allports = nftables-allports
I did not modify any nftables-xxx actions, i.e. I'm using the standard action definitions. The mentioned jails are defined as follows:
[portscan]
enabled = true
filter = portscan
backend = systemd
journalmatch = _TRANSPORT=kernel
logpath = %(syslog_daemon)s

[recidive]
enabled = true
bantime = 18h
Where did I make an error and how do I fix it?
Asked by VPfB (809 rep)
Jan 14, 2025, 08:53 PM
Last activity: Jan 15, 2025, 11:44 AM
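A small diagnostic that replays the ban/unban sequence from the question, as an added example (not code from the question or from the fail2ban project). It assumes only the log line shapes visible above (`NOTICE  [jail] Ban <ip>`, `NOTICE  [jail] Unban <ip>`, and the `ERROR ... Failed to execute unban jail '<jail>' ... Error unbanning <ip>` line). It tracks which jails currently hold a ban on each IP and flags two conditions: an unban in one jail while another jail still bans the same IP (the window the question describes, where a shared firewall object would release the IP early), and an explicit unban failure reported by fail2ban. The sample log is a constructed excerpt mirroring the one in the question, with the question's own placeholder address.

```python
import re
from collections import defaultdict

# Log line shapes assumed from the question; the hex action id and stderr lines are skipped.
EVENT_RE = re.compile(
    r"^(?P<level>NOTICE|ERROR)\s+(?:\[(?P<jail>[^\]]+)\]\s+(?P<event>Ban|Unban)\s+(?P<ip>\S+))?"
)
UNBAN_ERR_RE = re.compile(
    r"Failed to execute unban jail '(?P<jail>[^']+)'.*?Error unbanning (?P<ip>\S+)"
)

# Constructed excerpt mirroring the question's log (line numbers below count from 1).
SAMPLE_LOG = [
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [recidive] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [recidive] Unban 78.IP.XX.YY",
    "ERROR   7fe663585fb0 -- exec: nft delete element inet f2b-table addr-set-recidive \\{ 78.IP.XX.YY \\}",
    "ERROR   7fe663585fb0 -- stderr: 'delete element inet f2b-table addr-set-recidive { 78.IP.XX.YY }'",
    "ERROR   7fe663585fb0 -- exec: nft delete element inet f2b-table addr-set-recidive \\{ 78.IP.XX.YY \\}",
    "ERROR   7fe663585fb0 -- stderr: 'delete element inet f2b-table addr-set-recidive { 78.IP.XX.YY }'",
    "ERROR   Failed to execute unban jail 'recidive' action 'nftables-allports' info 'ActionInfo(...)': Error unbanning 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
    "NOTICE  [portscan] Unban 78.IP.XX.YY",
    "NOTICE  [portscan] Ban 78.IP.XX.YY",
]


def analyze(lines):
    """Replay ban/unban events and return a list of findings (dicts).

    kind == "overlap":     an Unban in one jail while the same IP is still banned
                           in at least one other jail (still_banned_in lists them).
    kind == "unban_error": fail2ban reported that the unban command itself failed.
    """
    active = defaultdict(set)  # ip -> jails currently banning that ip
    findings = []
    for n, line in enumerate(lines, 1):
        m = EVENT_RE.match(line)
        if not m:
            continue
        if m.group("level") == "ERROR":
            e = UNBAN_ERR_RE.search(line)
            if e:
                findings.append({"line": n, "kind": "unban_error",
                                 "jail": e.group("jail"), "ip": e.group("ip")})
            continue
        if m.group("jail") is None:
            continue  # a NOTICE line that is not a Ban/Unban event
        jail, event, ip = m.group("jail"), m.group("event"), m.group("ip")
        if event == "Ban":
            active[ip].add(jail)
        else:
            active[ip].discard(jail)
            others = active[ip] - {jail}
            if others:
                findings.append({"line": n, "kind": "overlap", "jail": jail, "ip": ip,
                                 "still_banned_in": sorted(others)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the question's sequence this reports three overlaps (the portscan unbans at lines 9, 11 and 13, each while recidive still holds the ban) followed by the unban error at line 19. Each overlap line is a good moment to confirm the firewall state directly, e.g. `nft list set inet f2b-table addr-set-recidive` and `fail2ban-client status recidive`, and compare whether the address is still present in the recidive set after the portscan unban; the failing `nft delete element` in the log shows that by the time recidive's bantime expired, it no longer was.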