Koozali.org: home of the SME Server

Fail2ban dying

Offline jibe

Re: Fail2ban dying
« Reply #15 on: June 18, 2015, 06:12:55 PM »
Mmm... I'm afraid that I have another problem on this server.... I'll investigate more on this one, and see on another if fail2ban is working well...

Sorry, I could have posted too early. I'll come back later if necessary.

Offline jibe

Re: Fail2ban dying
« Reply #16 on: June 18, 2015, 07:49:17 PM »
I can reproduce the problem on another server when I reboot it (sorry that I did not try signal-event logrotate... I don't want to renew all my logs on this server):
Code:
~/# ./checklist_ban
http-overflows 0
http-noscript 0
http-auth 0
pam-generic 0
ssh-ddos 0
http-scan 1
ssh 0
qpsmtpd 0
recidive 0
~/# reboot

And after the reboot:
Code:
~/# ./checklist_ban
http-overflows 0
http-noscript 0
http-auth 0
pam-generic 0
ssh-ddos 0
http-scan 0
ssh 0
qpsmtpd 0
recidive 0
~/# config show fail2ban
fail2ban=service
    BanTime=260000
    FindTime=10800
    Mail=enabled
    status=enabled
~/# rpm -qa fail2ban smeserver-fail2ban
fail2ban-0.8.14-1.el5
smeserver-fail2ban-0.1.10-1.el5.fws

The banned IP is lost... This explains why I noticed that the same IP is sometimes banned 2 times when the BanTime is not expired...

The log shows that the IP is unbanned during the reboot:
Code:
2015-06-18 12:04:05,645 fail2ban.actions[5606]: WARNING [http-scan] Ban 103.39.77.8
2015-06-18 18:57:48,752 fail2ban.server [5606]: INFO    Stopping all jails
2015-06-18 18:57:49,678 fail2ban.jail   [5606]: INFO    Jail 'http-overflows' stopped
2015-06-18 18:57:50,677 fail2ban.jail   [5606]: INFO    Jail 'http-noscript' stopped
2015-06-18 18:57:50,679 fail2ban.jail   [5606]: INFO    Jail 'http-auth' stopped
2015-06-18 18:57:51,676 fail2ban.jail   [5606]: INFO    Jail 'pam-generic' stopped
2015-06-18 18:57:52,674 fail2ban.jail   [5606]: INFO    Jail 'ssh-ddos' stopped
2015-06-18 18:57:53,080 fail2ban.actions[5606]: WARNING [http-scan] Unban 103.39.77.8
2015-06-18 18:57:56,295 fail2ban.jail   [5606]: INFO    Jail 'http-scan' stopped
2015-06-18 18:57:56,675 fail2ban.jail   [5606]: INFO    Jail 'ssh' stopped
2015-06-18 18:57:56,679 fail2ban.jail   [5606]: INFO    Jail 'qpsmtpd' stopped
2015-06-18 18:57:57,082 fail2ban.jail   [5606]: INFO    Jail 'recidive' stopped
2015-06-18 19:00:44,741 fail2ban.server [3655]: INFO    Changed logging target to /var/log/fail2ban/daemon.log for Fail2ban v0.8.14
2015-06-18 19:00:44,802 fail2ban.jail   [3655]: INFO    Creating new jail 'http-overflows'
2015-06-18 19:00:47,149 fail2ban.jail   [3655]: INFO    Jail 'http-overflows' uses pyinotify
2015-06-18 19:00:47,776 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:47,845 fail2ban.filter [3655]: INFO    Added logfile = /var/log/httpd/error_log
2015-06-18 19:00:47,850 fail2ban.filter [3655]: INFO    Set maxRetry = 3
2015-06-18 19:00:47,859 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:47,861 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:47,926 fail2ban.jail   [3655]: INFO    Creating new jail 'http-noscript'
2015-06-18 19:00:47,927 fail2ban.jail   [3655]: INFO    Jail 'http-noscript' uses pyinotify
2015-06-18 19:00:47,929 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:47,934 fail2ban.filter [3655]: INFO    Added logfile = /var/log/httpd/error_log
2015-06-18 19:00:47,938 fail2ban.filter [3655]: INFO    Set maxRetry = 3
2015-06-18 19:00:47,945 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:47,948 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:48,012 fail2ban.jail   [3655]: INFO    Creating new jail 'http-auth'
2015-06-18 19:00:48,013 fail2ban.jail   [3655]: INFO    Jail 'http-auth' uses pyinotify
2015-06-18 19:00:48,016 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:48,020 fail2ban.filter [3655]: INFO    Added logfile = /var/log/httpd/error_log
2015-06-18 19:00:48,024 fail2ban.filter [3655]: INFO    Set maxRetry = 3
2015-06-18 19:00:48,031 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:48,033 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:48,278 fail2ban.jail   [3655]: INFO    Creating new jail 'pam-generic'
2015-06-18 19:00:48,279 fail2ban.jail   [3655]: INFO    Jail 'pam-generic' uses pyinotify
2015-06-18 19:00:48,282 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:48,334 fail2ban.filter [3655]: INFO    Added logfile = /var/log/secure
2015-06-18 19:00:48,338 fail2ban.filter [3655]: INFO    Set maxRetry = 6
2015-06-18 19:00:48,347 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:48,350 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:48,414 fail2ban.jail   [3655]: INFO    Creating new jail 'ssh-ddos'
2015-06-18 19:00:48,415 fail2ban.jail   [3655]: INFO    Jail 'ssh-ddos' uses pyinotify
2015-06-18 19:00:48,417 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:48,422 fail2ban.filter [3655]: INFO    Added logfile = /var/log/sshd/current
2015-06-18 19:00:48,427 fail2ban.filter [3655]: INFO    Set maxRetry = 3
2015-06-18 19:00:48,437 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:48,439 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:48,498 fail2ban.jail   [3655]: INFO    Creating new jail 'http-scan'
2015-06-18 19:00:48,499 fail2ban.jail   [3655]: INFO    Jail 'http-scan' uses pyinotify
2015-06-18 19:00:48,501 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:48,506 fail2ban.filter [3655]: INFO    Added logfile = /var/log/httpd/error_log
2015-06-18 19:00:48,510 fail2ban.filter [3655]: INFO    Set maxRetry = 3
2015-06-18 19:00:48,519 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:48,522 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:48,629 fail2ban.jail   [3655]: INFO    Creating new jail 'ssh'
2015-06-18 19:00:48,629 fail2ban.jail   [3655]: INFO    Jail 'ssh' uses pyinotify
2015-06-18 19:00:48,632 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:48,637 fail2ban.filter [3655]: INFO    Added logfile = /var/log/sshd/current
2015-06-18 19:00:48,641 fail2ban.filter [3655]: INFO    Set maxRetry = 3
2015-06-18 19:00:48,650 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:48,653 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:49,025 fail2ban.jail   [3655]: INFO    Creating new jail 'qpsmtpd'
2015-06-18 19:00:49,026 fail2ban.jail   [3655]: INFO    Jail 'qpsmtpd' uses pyinotify
2015-06-18 19:00:49,029 fail2ban.jail   [3655]: INFO    Initiated 'pyinotify' backend
2015-06-18 19:00:49,072 fail2ban.filter [3655]: INFO    Added logfile = /var/log/qpsmtpd/current
2015-06-18 19:00:49,278 fail2ban.filter [3655]: INFO    Added logfile = /var/log/sqpsmtpd/current
2015-06-18 19:00:49,282 fail2ban.filter [3655]: INFO    Set maxRetry = 9
2015-06-18 19:00:49,291 fail2ban.filter [3655]: INFO    Set findtime = 10800
2015-06-18 19:00:49,294 fail2ban.actions[3655]: INFO    Set banTime = 260000
2015-06-18 19:00:49,338 fail2ban.jail   [3655]: INFO    Creating new jail 'recidive'
2015-06-18 19:00:49,339 fail2ban.jail   [3655]: INFO    Jail 'recidive' uses poller
2015-06-18 19:00:49,476 fail2ban.jail   [3655]: INFO    Initiated 'polling' backend
2015-06-18 19:00:49,581 fail2ban.filter [3655]: INFO    Added logfile = /var/log/fail2ban/daemon.log
2015-06-18 19:00:49,584 fail2ban.filter [3655]: INFO    Set maxRetry = 5
2015-06-18 19:00:49,593 fail2ban.filter [3655]: INFO    Set findtime = 86400
2015-06-18 19:00:49,595 fail2ban.actions[3655]: INFO    Set banTime = 604800
2015-06-18 19:00:49,657 fail2ban.jail   [3655]: INFO    Jail 'http-overflows' started
2015-06-18 19:00:49,663 fail2ban.jail   [3655]: INFO    Jail 'http-noscript' started
2015-06-18 19:00:49,668 fail2ban.jail   [3655]: INFO    Jail 'http-auth' started
2015-06-18 19:00:49,672 fail2ban.jail   [3655]: INFO    Jail 'pam-generic' started
2015-06-18 19:00:49,677 fail2ban.jail   [3655]: INFO    Jail 'ssh-ddos' started
2015-06-18 19:00:49,681 fail2ban.jail   [3655]: INFO    Jail 'http-scan' started
2015-06-18 19:00:49,687 fail2ban.jail   [3655]: INFO    Jail 'ssh' started
2015-06-18 19:00:49,692 fail2ban.jail   [3655]: INFO    Jail 'qpsmtpd' started
2015-06-18 19:00:49,697 fail2ban.jail   [3655]: INFO    Jail 'recidive' started

Offline Daniel B.

Re: Fail2ban dying
« Reply #17 on: June 18, 2015, 07:53:03 PM »
Yes, the bans are lost when you reboot your server (or when you restart fail2ban), that's expected. But as fail2ban isn't restarted anymore during a logrotate event, you do not lose your bans automatically, only after a manual server reboot (which shouldn't be that often) or a service restart.
It's the end of the world!!! :lol:
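Added example (not part of the original posts, and not code from fail2ban or smeserver-fail2ban): a small parser for the daemon.log format quoted above that lists bans lifted before their ban time ran out, which is what a stop or restart does. The function name and the two `192.0.2.10` sample lines are constructed for illustration; the other sample lines are taken from the log in reply #16.

```python
import re
from datetime import datetime, timedelta

# Sample input: the http-scan lines come from the log quoted in the thread;
# the two 192.0.2.10 lines are constructed to show a ban that expired normally.
SAMPLE_LOG = """\
2015-06-15 10:00:00,100 fail2ban.actions[5606]: WARNING [ssh] Ban 192.0.2.10
2015-06-18 10:13:21,100 fail2ban.actions[5606]: WARNING [ssh] Unban 192.0.2.10
2015-06-18 12:04:05,645 fail2ban.actions[5606]: WARNING [http-scan] Ban 103.39.77.8
2015-06-18 18:57:48,752 fail2ban.server [5606]: INFO    Stopping all jails
2015-06-18 18:57:53,080 fail2ban.actions[5606]: WARNING [http-scan] Unban 103.39.77.8
2015-06-18 18:57:56,295 fail2ban.jail   [5606]: INFO    Jail 'http-scan' stopped
2015-06-18 19:00:49,681 fail2ban.jail   [3655]: INFO    Jail 'http-scan' started
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*\[\d+\]: "
    r"WARNING \[([^\]]+)\] (Ban|Unban) (\S+)$"
)

def bans_cut_short(log_text, ban_time, jail_ban_time=None):
    """Return bans that were lifted before their ban time ran out.

    ban_time is the default in seconds; jail_ban_time optionally overrides
    it per jail. Each result is (jail, ip, seconds_remaining, unban_time).
    """
    jail_ban_time = jail_ban_time or {}
    active = {}  # (jail, ip) -> time the ban was applied
    lost = []
    for line in log_text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # not a Ban/Unban action line
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key = (m.group(2), m.group(4))
        if m.group(3) == "Ban":
            active.setdefault(key, when)  # keep the first ban if it is repeated
        elif key in active:
            limit = timedelta(seconds=jail_ban_time.get(key[0], ban_time))
            remaining = int((active.pop(key) + limit - when).total_seconds())
            if remaining > 0:  # unbanned early, so not a normal expiry
                lost.append((key[0], key[1], remaining, when))
    return lost

if __name__ == "__main__":
    for jail, ip, left, when in bans_cut_short(SAMPLE_LOG, 260000, {"recidive": 604800}):
        print(f"{when} [{jail}] {ip} unbanned with {left}s of ban time left")
```

With BanTime=260000 as in the configuration shown above, the http-scan ban is reported with 235172 seconds still to run, while the constructed ssh ban that expired on schedule is not.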

Offline jibe

Re: Fail2ban dying
« Reply #18 on: June 18, 2015, 09:45:21 PM »
Ok, thank you for this explanation.

So, it's not the end of the world! :wink: