Question | Unban after restart

[Keller18306]

Why is the list of bans cleared when restarting and reloading in fail2ban-client? How can I disable this?

[sebres]

Why is the list of bans cleared when restarting and reloading in fail2ban-client?

A restart is like a stop + start, when fail2ban stops it resets everything to leave behind a clean and tidy state (as would be that fail2ban has been not started).
Especially it is important If during restart something action-related is changed (like ports, protocols, or even whole action), so fail2ban will flush (unban) old state and reban with new state (e. g. using other banning actions/parameters).
Also there can be some time between stop and restart, so some banned tickets may be outdated (and will not be banned).

For other needs there is ?sudo? fail2ban-client reload one can use instead of restart - reload does not restart fail2ban process so doesn't unban active tickets, just updates current configuration (e. g. failregex etc).

How can I disable this?

One cannot disable this.
There are several possibilities to workaround this, e. g. one could either write custom action or supply actionflush and norestored to the action, where actionflush does nothing and due to norestored=1, actionban would ignore restored tickets by start, see #3038 for example, so something like this:

banaction = %(known/banaction)s[norestored=1, actionflush=true]

Just note that the banned entries in chains would be no more under control of fail2ban after restart, so they will never be unbanned anymore (so one would need to unban them manually using iptables, ipset, nft whatever.
Although one could write complex actions ignoring duplicates (for IPs left behind by previous fail2ban process), so without norestored and with some extra check, ignoring IPs already available in chains by reban, but...

But I don't understand why it is necessary at all or else by which scenarios it is expected?

[Keller18306]

Yes, most likely I have the same case as that person.

My version is old

How can I upgrade? It's just that I have everything updated in the debian packages.

[sebres]

https://github.com/fail2ban/fail2ban/wiki/How-to-install-or-upgrade-fail2ban-manually

To be sure upgrade to new version don't introduce compat issues (like different paths prefixes or python-versions), ensure to stop and uninstall original version firstly (after you make backup of your custom configs and changes in /etc/fail2ban).

[Keller18306]

[Keller18306]

fail2ban stopped reading error.log

[sebres]

Fail2ban can stop to process jail for 3 reasons:

• there is an unexpected error occurred (basically should be in fail2ban.log)
• unhandled exception in filter thread (normally also logged)
• the jail was set in idle mode (for example from client)

A freeze can be caused in 0.10 by block in sqlite-database (0.11 doing it asynchronously), and it is most of the bottlenecks before 0.11.
Which version do you use now? How large is your database?
You can try the steps described in #2918 (comment) and below.

I don't really have the necessary info to say what is happening there or what may be wrong...

• there are 3 jails, which exactly do you mean?
• are you really sure there are still new messages in log (nginx still logging in the same location)?
  some log-excerpt of both logs would be nice (e. g. tail -f /var/log/fail2ban.log /path/to/nginx/error.log) so one could see few of both messages together;
• was the log-file rotated? (so fail2ban doesn't recognize the rotation)
• which backend has this jail? (pyinotify or polling, I hope it was not changed to systemd, because it's for journal only)

If it's really a freeze, set DEBUG or HEAVYDEBUG levels to jail may help, but it is totally unpractical for huge log-files (because will produce to large log-output).

And last but not least, please stop to post images here (it's inconvenient to track the info and is almost marginal to disrespect)...
Cannot you do simplest copy and paste it in comment using markdown block-format, like this (between ``` and ``` after new-lines)?
```
...
```