Blocking a strange address and how to find all addresses were banned with this error #3257

JcVai · 2022-04-15T16:32:34Z

JcVai
Apr 15, 2022

Hello.
I used f2b 10.6 at OpenBSD 7.0 with pf firewall logs looks like

Apr 14 00:00:39.134245 189.180.57.236.24898 > serverip.445: tcp 0 (DF)
Apr 14 00:00:42.150170 189.180.57.236.24898 > serverip.445: tcp 0 (DF)
Apr 14 00:01:11.569839 192.241.222.114.38137 > serverip.3351: tcp 0
Apr 14 00:02:45.816925 80.87.76.38.55060 > serverip.445: tcp 0
etc

f2b used regex filter <HOST>* and all was fine until some strange addresses started appearing.
for log record

Apr 15 01:50:47.249031 198.235.24.17.59165 > serverip.3389: tcp 0

fail2ban bans host "235.24.17.591" instead "198.235.24.17"!!!

Atm I change regex to <HOST>\..* to avoid such bugs in future but think that there is some problem in f2b code.

Is there a way to identify all problematic addresses to clear them from the lists or is the only solution to completely reset the lists completely?

WBR

Answered by sebres

Apr 16, 2022

fail2ban bans host "235.24.17.591" instead "198.235.24.17"!!!

Your regex was and still is a bit "vulnerable" (because unanchored), so <HOST> found something other as expected (and/or think it is a hostname and can resolve them). Better is to use <ADDR> instead of <HOST> (if it must find IP only) and anchor them.
So you can rewrite it to something like ^\s*<ADDR>.
PoC:

$ fail2ban-regex -v 'Apr 15 01:50:47.249031 192.0.2.123.59165 > 192.0.2.1.3389: tcp 0' '^\s*<ADDR>'

Running tests
=============

Use   failregex line : ^\s*<ADDR>
Use      single line : Apr 15 01:50:47.249031 192.0.2.123.59165 > 192.0.2...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) …

View full answer

sebres · 2022-04-16T11:04:45Z

sebres
Apr 16, 2022
Maintainer

fail2ban bans host "235.24.17.591" instead "198.235.24.17"!!!

Your regex was and still is a bit "vulnerable" (because unanchored), so <HOST> found something other as expected (and/or think it is a hostname and can resolve them). Better is to use <ADDR> instead of <HOST> (if it must find IP only) and anchor them.
So you can rewrite it to something like ^\s*<ADDR>.
PoC:

$ fail2ban-regex -v 'Apr 15 01:50:47.249031 192.0.2.123.59165 > 192.0.2.1.3389: tcp 0' '^\s*<ADDR>'

Running tests
=============

Use   failregex line : ^\s*<ADDR>
Use      single line : Apr 15 01:50:47.249031 192.0.2.123.59165 > 192.0.2...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*<ADDR>
|      192.0.2.123  Fri Apr 15 01:50:47 2022
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  ...
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]

Is there a way to identify all problematic addresses to clear them from the list

No, you need to unban all of them, e. g. using ?sudo? fail2ban-client restart --unban "$JAIL" (or if the bantime is not so long simply wait unless they get unbanned).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Blocking a strange address and how to find all addresses were banned with this error #3257

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Blocking a strange address and how to find all addresses were banned with this error #3257

JcVai Apr 15, 2022

Replies: 1 comment

sebres Apr 16, 2022 Maintainer

JcVai
Apr 15, 2022

sebres
Apr 16, 2022
Maintainer