abuseipdb: fail2ban error banning ip #2468
Your log excerpt is incomplete - it is cut off at the beginning, where the reason (the error explaining why it failed) is hopefully logged too. Please provide the line(s) before. |
The system is MacOS Mojave.
<--/ end 2019-07-09 -->
Obs: I also do not understand why this log is popping out. The server has a proper reverse DNS of localhost. |
So your action is No idea why exactly it is not accepted by abuseipdb, but the request returns 422. The shorter log-excerpt:
So fail2ban is trying to execute this (you can check it in the shell):
f2bV_matches=...
lgm=$(printf '%s\n...' "$f2bV_matches"); curl --fail --tlsv1.1 --data "key=" --data-urlencode "comment=$lgm" --data "ip=111.56.186.2" --data "category=<abuseipdb_category>" "https://www.abuseipdb.com/report/json"
I assume:
|
Hmm... is it by start only? I guess you have What do you get here as result?
fail2ban-python -c 'import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.DEBUG); from fail2ban.server.ipdns import DNSUtils as du; print(du.getSelfIPs()); print(du.getSelfNames())'
|
Maybe I should specify another action than abuseip. There are many others to choose! I am wondering which one will be most effective. ***By the way there was no error coming out of the system.log in regards to fail2ban or abuseip. The only mention was on mac-analytics in relation to fail2ban-python but it is not an error but just an activity connection. Here is the configuration of the non-script jail,
[apache-noscript]
port = http,https
logpath = /var/log/apache2/error_log
enabled = true
action = pf[name=apache-noscript, port=80, protocol=tcp]
         abuseipdb[name=apache-noscript, port=80, protocol=tcp]
maxretry = 5
bantime = 31536000
filter = apache-noscript
|
It looks like no hostname (fqdn) is set for this host, so for some reason it gets Either you should fix that, or you ignore this warning (if you see all your IPs/hostnames), or simply switch to old
ignoreself = false
ignoreip = 127.0.0.1/8 ::1
Well your ban-action is pf, but for some reason it does not work (or has a large latency)...
I cannot help you here, because I am neither familiar with MacOS, nor do I have basically any interest in products of Apple. |
Thanks for answering my questions! I will just ignore the fqdn. My domain name is a fqdn. However the server is run on a private home ATT connection on a static ip address. As I personally configured the network, I do understand the limitations from doing it. ATT will only reverse your fqdn to an ip if you pay more ... too much that I was not willing to expend just to prove myself I can build a server on my own knowledge and serve some of my domains. Therefore, the limitations do not come from my configuration but from their policies. Saying that, I am willing to accept the limitations. |
...and thanks, I will configure the jail to block the 443/https port. I just have to repeat the same config procedure and include the new port. |
Hmm... don't think so. Our pf is a multiport action, so just try:
action = pf[port="80 443", ...]
# or (if you have some older pf-action):
action = pf[port="{80 443}", ...]
Note the But normally it would be enough to specify something like this instead of overwrite default
[apache-noscript]
port = 80 443
banaction = pf[actiontype=<multiport>]
|
I tried to mimic the instructions above on the action to insert both ports but it did not accept the syntax. However it accepted on port= 80 443.
[apache-noscript]
port = 80 443
logpath = /var/log/apache2/error_log
logpath = /var/log/apache2/access_log
enabled = true
action = pf[name=apache-noscript, protocol=tcp]
         abuseipdb[name=apache-noscript, protocol=tcp]
         hostsdeny[name=apache-noscript, protocol=tcp]
         badips[name=apache-noscript, protocol=tcp]
bantime = 31536000
filter = apache-noscript
findtime = 18144000
|
What do you mean exactly?
Variable Line 174 in b288ccd
Note the _ in action_ ... this option is then used as default interpolations in config and indirectly affects action. But you overwrite the action completely in your config, so it would not work for you.
As already said above, either you should specify ports in So either:
action = pf[port="80 443", name=apache-noscript, protocol=tcp]
or:
port = 80 443
banaction = pf
Still again, if you overwrite Another variant is to use all-ports operational mode of pf-action, if you'd accept the banned IP cannot reach ALL services (so if your remote IP would be mistakenly banned, you cannot unban yourself from this IP, because sshd-port is not available too).
banaction = pf[actiontype="<allports>"]
|
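The interpolation behaviour discussed in the comment above, as an added example that is not part of the original thread or of fail2ban's own code. Python's standard configparser stands in for fail2ban's config reader, the [DEFAULT] block is a constructed and simplified version of the jail.conf defaults, and the jail names and helper functions are hypothetical.

```python
import configparser

# Constructed, simplified stand-in for the jail.conf defaults (assumption:
# the real file defines more options and a longer action_ template).
DEFAULTS = """
[DEFAULT]
port = 0:65535
protocol = tcp
banaction = iptables-multiport
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s"]
action = %(action_)s
"""

# jail-a overrides only port and banaction, so the default action_ template
# picks both up. jail-b overwrites action completely, so its port setting is
# never interpolated into any of the actions it lists.
JAILS = """
[jail-a]
port = 80 443
banaction = pf

[jail-b]
port = 80 443
banaction = pf
action = pf[name=apache-noscript, protocol=tcp]
         abuseipdb[name=apache-noscript, protocol=tcp]
"""


def effective_actions(jail):
    """Return the fully interpolated action lines for one jail."""
    cp = configparser.ConfigParser()  # basic %(name)s interpolation
    cp.read_string(DEFAULTS)
    cp.read_string(JAILS)
    value = cp.get(jail, "action")
    return [line.strip() for line in value.splitlines() if line.strip()]


def actions_missing_port(jail):
    """List actions that never received a port parameter."""
    return [a for a in effective_actions(jail) if "port=" not in a]


if __name__ == "__main__":
    for name in ("jail-a", "jail-b"):
        print(name, effective_actions(name), actions_missing_port(name))
```
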
BTW. did you follow the instructions from pf-config? fail2ban/config/action.d/pf.conf Lines 16 to 27 in d01fe9d
Additionally note that you can see all the values interpolated by start using:
fail2ban-client -d
# or
fail2ban-client -d | grep pfctl
So you'd be able to control your config values are correct. And try to google whether pf is really correct banaction on your system (may be some other firewalls or packet filter systems which already have fail2ban actions are available on your system). |
fail2ban error banning ip...
Logs:
fail2ban logs: