
New jail matches but doesn't ban nginx-limit-req.conf #3733

Closed
exxosuk opened this issue Apr 29, 2024 · 3 comments

Comments


exxosuk commented Apr 29, 2024

Hope someone can help as this has been driving me nuts for the past few days..

I have some filters like dovecot which works and bans the IP address fine, but I'm trying to set up a ban on limiting requests.

I'm using the default jail nginx-limit-req.conf I have tried various ways of changing that file but to no avail.

In jail.local (only) I have

```ini
[nginx-limit-req]
port = http,https
logpath = /var/log/nginx/*error.log
enabled = true
filter = nginx-limit-req
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
findtime = 2d
bantime = 2d
maxretry = 10
```

The IP addresses appear in the error log 100s of times and the findtime is fine.
As for the action, I do have a global action for things like dovecot, but whether I manually used the action or the global one makes no difference.

If I do this:

```
sudo fail2ban-client set nginx-limit-req banip 123.123.123.123
```

The IP address appears in the fail2ban log and IPTABLES.

If I do a manual jail run..

```
fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-limit-req.conf

Running tests

Use failregex filter file : nginx-limit-req, basedir: /etc/fail2ban
Use log file : /var/log/nginx/error.log
Use encoding : UTF-8

Results

Failregex: 1428 total
|- #) [# of hits] regular expression
| 1) [1428] ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d.]+ by zone "(?:[^"]+)", client: <HOST>,
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [1465] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 1465 lines, 0 ignored, 1428 matched, 37 missed
[processed in 0.17 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 37 lines
```
It seems to match 1428 lines, which seems about right.

However they never appear in the fail2ban.log as found.

I am restarting fail2ban after each config change.

I seem to recall having some odd issues like this before, and restarting the server seemed to fix it, but it was a few years ago now and I cannot remember.

Anyone have any ideas what is going wrong as I am at a loss :(
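Added example, not from the issue or from fail2ban itself: it replays the failregex of fail2ban's `nginx-limit-req` filter and the jail's `findtime`/`maxretry`/`ignoreip` logic from the `jail.local` above over constructed nginx error-log lines, so a filter can be checked end to end (match, window, threshold) without depending on whether the running daemon re-reads old log content. Assumptions: an IPv4-only host pattern stands in for fail2ban's `<HOST>`, the sample lines are constructed, and `findtime` is given in seconds as in `jail.conf`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Failregex from filter.d/nginx-limit-req.conf with <HOST> replaced by a named IPv4 group.
FAILREGEX = re.compile(
    r'^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d.]+ by zone '
    r'"(?:[^"]+)", client: (?P<host>\d{1,3}(?:\.\d{1,3}){3}),'
)
# fail2ban matches and strips the date template first, so failregex starts at "[error]".
TIMESTAMP = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ')

def parse_line(line):
    """Return (timestamp, client IP) for a limit_req hit, or None for any other line."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    hit = FAILREGEX.match(line[m.end():])
    if not hit:
        return None
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), hit.group("host")

def would_ban(lines, maxretry=10, findtime=2 * 86400, ignoreip=("127.0.0.1",)):
    """Replay lines with the jail's findtime (seconds) and maxretry; return hosts in ban order."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in ignoreip or host in banned:
            continue
        # Keep only hits inside the findtime window, then add this one.
        hits[host] = recent = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(recent) >= maxretry:
            banned.append(host)
    return banned

def sample_log():
    """Constructed nginx error-log lines (not from the issue) exercising the logic."""
    def hit(ts, n, ip):
        return (f"{ts} [error] 22369#22369: *{n} limiting requests, excess: 10.{n} "
                f'by zone "one", client: {ip}, server: example.test, request: "GET / HTTP/1.1"')
    lines = [hit("2024/04/27 10:00:00", 1, "203.0.113.9")]  # older than findtime: must not count
    lines += [hit(f"2024/04/29 23:36:{s:02d}", s + 2, "203.0.113.9") for s in range(9)]
    lines += [hit(f"2024/04/29 23:37:{s:02d}", s + 20, "127.0.0.1") for s in range(12)]
    lines += [hit(f"2024/04/29 23:38:{s:02d}", s + 40, "198.51.100.23") for s in range(10)]
    lines.append("2024/04/29 23:39:00 [notice] 22369#22369: signal process started")
    return lines
```

With the jail's defaults only `198.51.100.23` reaches 10 hits inside 2 days; `203.0.113.9` stays one short because its first hit falls outside the window, and `127.0.0.1` is skipped the way `ignoreself` does in the daemon log.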


exxosuk commented Apr 30, 2024

The next day, after giving up, it's magically started working?!

```
2024-04-29 23:36:12,507 fail2ban.filter [22369]: INFO [nginx-limit-req] Found 88.14.110.17 - 2024-04-29 23:36:12
2024-04-29 23:36:12,507 fail2ban.filter [22369]: INFO [nginx-limit-req] Found 88.14.110.17 - 2024-04-29 23:36:12
2024-04-29 23:36:12,507 fail2ban.filter [22369]: INFO [nginx-limit-req] Found 88.14.110.17 - 2024-04-29 23:36:12
2024-04-29 23:36:12,508 fail2ban.filter [22369]: INFO [nginx-limit-req] Found 88.14.110.17 - 2024-04-29 23:36:12
2024-04-29 23:36:12,508 fail2ban.filter [22369]: INFO [nginx-limit-req] Found 88.14.110.17 - 2024-04-29 23:36:12
2024-04-29 23:36:12,710 fail2ban.actions [22369]: NOTICE [nginx-limit-req] Ban 88.14.110.17
```

My own IP was listed in the fail2ban log as ignored (which is correct). I restarted fail2ban and it's not finding anything again, I don't get it?

Do new jails only work on new IP addresses appearing in the log, not ones which are already in there, or something?


exxosuk commented Apr 30, 2024

I just ran a test and that seems to be the case. It completely ignores my IP address from yesterday even though the "findtime" is now set to 5 days and bantime 10 days.
I ran a benchmark test from my server opening 400 connections and now that is listed in the fail2ban log.

```
2024-04-30 15:26:37,164 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,164 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,164 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,165 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,165 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,165 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,166 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,166 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,166 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
2024-04-30 15:26:37,166 fail2ban.filter [67508]: INFO [nginx-limit-req] Ignore 127.0.0.1 by ignoreself rule
```

I don't know if I am misunderstanding something or this is actually a bug in fail2ban? I would have expected it would still have read the past error log contents, not just new contents after restarting fail2ban?


exxosuk commented May 2, 2024

I have been throwing many hours at this. It is pretty much conclusive that even if you ban and remove IP addresses and restart fail2ban, it completely ignores all contents in the log files.

From what I can tell it must store where it got up to in the log file in timestamp format somewhere. But restarting does not reset where it got up to in the log file.

So basically what this means is, if you had a lot of IPs in your log, and your filter wasn't set up correctly and missed a lot of them, you would ordinarily think that when you update your filter and restart fail2ban, it would reread the log file from the start. But this does not seem to be the case. It completely ignores everything which it has processed previously, making it very difficult to see whether the filters work on past attacks :(

Looking back on the Internet, people from over 10 years ago also seem to have run into this problem, making it very difficult and confusing to set things up and test. There is a lot of "matches found but doesn't ban IP". While some of them can indeed be config problems, I suspect others have run into the same problem of not reading old log file contents.

So I think there really needs to be some way to counteract that "feature" and legitimately force fail2ban to re-read the entire log files on demand.

Looks like such things were already being talked about previously in #1682

exxosuk closed this as completed May 2, 2024