Replies: 3 comments 1 reply
-
See #2909. Just why would one need that?
-
The rescan script from the suggested post just exits silently when run with args. As for why you'd need this: trying to see why the regex tester says it will/does match various offending entries but then fail2ban never bans them in the logs. It would be much nicer if, say, the regex was missing (just for example) and you tweaked it so it would catch the line being missed, to then have f2b rescan and clean up any prior offenders rather than manually going through and banning them by hand, rather than waiting for another flood of bogus requests from the offenders.
-
Slapdash isn't the point, just saying I tried it. Why, as I said, is to stop the next flood or, more importantly, to debug why when I run fail2ban-regex against my rule it matches but then fail2ban never actually acts on it or acts sporadically. It would be nice to be able to make it rescan the logs to see if a rule tweak fixed things, or just to hunt down why it's no longer working, without having to wait for another bogus request and hope I notice to recheck if it is or isn't catching it. I've seen several posts about this "it worked yesterday, now it won't ban" with various differences presented. I've tried to rule out regex issues, log path issues, etc. One bit of progress is that despite the logs being set correctly in paths-common.conf and paths-debian.conf, my mail rules never work unless I pass the absolute log path in jail.local. With debug logging on all I get is a lot of this in my log

When a hit that matches when I run the rule with the regex tester is logged...I still just get the above. Not going to let out a sigh yet, but removing the log wildcards in paths-common.conf seems to have things behaving...for now.
-
This might be silly but I've got a few rules that seem to work intermittently. If I test them with fail2ban-regex the matches match, but fail2ban seems to ignore said matches some if not most of the time. Given the regex says it's catching them, is there a way to make f2b double check logs and see if it will catch it a second time through, for debugging or when altering a rule to better match?
Possibly unrelated, but I also notice banned IPs hitting the logs for other rules. Previously I never saw that, as the packets should be dropped / ignored, but showing up in the logs makes it seem like f2b says it's banning but isn't. If I check my iptables it does seem like the bans are there, but things seem a tad off with Fail2Ban v1.0.1.dev1.