Replies: 2 comments 6 replies
-
As for unban by stop - no, there is no such possibility (excepting the command Anyway the functionality for reban of active tickets by restart is intended and cannot be avoided at the moment.
Well, fail2ban has every ban under its own control and there is no direct back relation between actions and banned tickets, so if it gets stopped it must unban every ticket, to be able to ban it hereafter properly (without possible conflicts in some chains of action) as well as to leave safe state (everything made from fail2ban is reversed after stop). Also note that fail2ban cannot predict the reason of the stop:
Theoretically we can provide some option for stop signaling an intention to leave the bans by stop, but to make a proper (re)start hereafter fail2ban need some feedback functionality from banning action (e. g. list of currently banned tokens) or a silent ignore for restore tickets, so the banning action can be reimplemented properly to consider such a restart. But I would prefer to fulfill the bulk ban solution instead. |
Beta Was this translation helpful? Give feedback.
-
@Foxite What is your specific use-case? I have a use-case that seems to have similar, if not identical requirements as you describe. Specifically my use-case is restarting fail2ban after upgrading it. This is such a case where the state after a start should be the same as it was before the stop. I wonder if this is a use-case that fail2ban ought to handle specifically by, perhaps re-execing itself so that it's running the new code, without unbanning and rebanning. This re-execing, I think can even preserve file-descriptors and such so that re-scanning of sources isn't necessary either. Maybe preserving FDs is not something that can be done in Python. I don't know. Why do I care if an upgrade/restart unbans and then re-bans? Because my unban/ban process is much more expensive than a local ipset/ipchains transaction. It involves a remote procedure execution that has high overhead. Ultimately running all of these RPCs to unban and then ban just to recreate the existing state is unnecessary and silly as the state through the restart should be the same. |
Beta Was this translation helpful? Give feedback.
-
Currently, when I stop fail2ban, it removes all bans from the firewall, and reinstates them when the service is started again.
Given the amount of bans I have on my server (as all IPs are permanently banned after a single failure, because I'm the only user and I have no chill), it takes about a minute to restart the service. Additionally, I'm concerned that the speed at which it sends notifications for every reinstated ban (which is done via Discord) might get me in trouble for violating the rate limit.
Is there any way to avoid this behaviour? And what is the reason for it?
Beta Was this translation helpful? Give feedback.
All reactions