Fail2ban not ban a ip, but send out notification #2539

Closed
2 of 3 tasks
Offerel opened this issue Oct 10, 2019 · 2 comments

Offerel commented Oct 10, 2019

Environment:

Fill out and check ([x]) the boxes which apply. If your Fail2Ban version is outdated,
and you can't verify that the issue persists in the recent release, better seek support
from the distribution you obtained Fail2Ban from

  • Fail2Ban version (including any possible distribution suffixes): 0.10.2-2.1
  • OS, including release name/version: Debian 10 Buster
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

I use fail2ban, for example with nginx-http-auth.conf to protect Nginx. Sometimes I get a notification via email that host xy was banned successfully because it violates the regex. So far so good. The finding is OK and that host is OK to ban. But when I make a test, the host isn't banned in reality.

Steps to reproduce

  • start fail2ban with nginx-http-auth jail
  • use some browser and access a protected site on the nginx server
  • enter wrong credentials several times
  • mail notification is sent to the admin about successfully banning the client IP
  • access the nginx site again
  • client isn't banned

Expected behavior

  • client is banned at least for the time configured

Any additional information

If I restart fail2ban with systemctl restart fail2ban, the client is banned, so the test is completed successfully and the client can't connect. The above issue seems to be there only sporadically and not all the time. I assume that something breaks after several days of running the service.

These are my first steps with fail2ban, so please forgive me that I didn't know which logs you want. If you need something, please give me detailed steps, how I can find the right logfiles. Maybe it's not the fault of fail2ban itself, but I really don't have an idea what's going on.

sebres (Contributor) commented Oct 10, 2019

Which banaction (firewall subsystem) do you use?

If you use firewalld, maybe this is a duplicate of #1609 (see also #2503 (comment))?

Note that web clients as well as nginx use keep-alive connections, so be sure your banning action is able to reject already established connections (for example, there are no allowing/white-listing rules set in your net-filter for that).

sebres (Contributor) commented Oct 10, 2019

> If you need something, please give me detailed steps, how I can find the right logfiles

  1. provide your banaction (e.g. dump excerpt fail2ban-client -d | grep 'nginx.*action') and how your net-filter/firewall subsystem is configured (what do you use exactly, which firewalls are running).
  2. see the FAQ in our wiki
  3. repeat your authentication failures (login attempts) and look in fail2ban.log for any errors. If you have any, try to google for them, try the commands in your shell, or provide them here.
  4. check that your banaction has created the rules in your firewall subsystem (list of the chains, rules in INPUT and fail2ban chains, etc).
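
Added example, not part of the original thread and not fail2ban's own code: a shell check for step 4 and the keep-alive note above, reading `iptables -S` output and reporting whether the ban rule exists and whether an ESTABLISHED accept rule sits ahead of the jump to the jail chain. It assumes an iptables-based banaction with chains named `f2b-<jail>`; the function names, rulesets and the address 203.0.113.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes an iptables banaction with chains named f2b-<jail>.
# Live use: iptables -S | check_ban nginx-http-auth <banned-ip>   (IPv4 only)
# Prints one of: ok | no-chain-jump | no-ip-rule | accept-before-jump
check_ban() {
    awk -v chain="f2b-$1" -v ip="$2" '
        $1 == "-A" && $2 == "INPUT" {
            n++                                   # rule position within INPUT
            if (!jump && $(NF-1) == "-j" && $NF == chain) jump = n
            if (!est && /ESTABLISHED/ && /-j ACCEPT/) est = n
        }
        # Ban rule for this address inside the jail chain
        $1 == "-A" && $2 == chain && $3 == "-s" && $4 == (ip "/32") && /-j (REJECT|DROP)/ { found = 1 }
        END {
            if (!jump)                  print "no-chain-jump"
            else if (!found)            print "no-ip-rule"
            else if (est && est < jump) print "accept-before-jump"
            else                        print "ok"
        }'
}

# Constructed ruleset: ban rule exists, but established (keep-alive)
# connections are accepted before the jail chain is ever consulted.
sample_shadowed() {
cat <<'EOF'
-P INPUT ACCEPT
-N f2b-nginx-http-auth
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A f2b-nginx-http-auth -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nginx-http-auth -j RETURN
EOF
}

# Constructed ruleset: the jail chain is evaluated first.
sample_ok() {
cat <<'EOF'
-P INPUT ACCEPT
-N f2b-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A f2b-nginx-http-auth -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nginx-http-auth -j RETURN
EOF
}
```

A result of `no-ip-rule` or `no-chain-jump` right after a ban notification points back to step 3: the action command failed and fail2ban.log should show the error.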
