Why does fail2ban not respond immediately to the need for a ban? #3021
Comments
Yes, it is indeed a timing issue, but not directly related to the speed of reading logs.
Or it is simply all of that summed together, and the fewer problems you have at the end, the faster it will become; and it would not change linearly, so after each solved issue it would be significantly faster than after the previous one (it is like a snowball, because every small latency lets the intruder make more attempts, which would cause more latencies, etc.).
Well, ufw is a wrapper over native net-filters (via its backend modules), so indirectly using it for banning is exactly the reverse of what one would do (I don't know any pros of using ufw actions, but know many cons).
Try to resolve as many as possible of the 4 points mentioned above and probably switch to another banning action using the native net-filter, i.e. iptables-ipset or nftables depending on your system and kernel.
No, it is definitely not normal. Even on the busiest systems I never saw more than 3 - 5 attempts after a ban, and even that was rather an exception (mostly it is either nothing or a rare one or two fails), such as some very "clever" evildoers trying many attempts over multiple connections at once.
Ok, thank you for the explanation, I'll try your options.
Hi, I have the same issue on my server.
A year later, I don't remember what I did exactly. I did every step that sebres listed + a separate file for the errors which the filter is waiting for. It didn't fix the problem completely and I just stopped worrying about it 🙃
I noticed that fail2ban does not immediately respond to the ban, and after the ban, the IP still makes requests. Is this a problem with the speed of reading logs or what?
Here is example log:
within 2 seconds, 20x found, ban, 20x found ...
My filter works here, and it should work after 5 attempts. When the requests come in less quickly, everything works more or less normally.
I even edited the ufw action because of this problem, so that when this IP is blocked, it kills all connections to it. But somehow it doesn't really work, so the only assumption is that either fail2ban is slow to respond to logs, or the logs themselves are added instantly.
Do you have any recommendations about this, or is this a normal situation?
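To put numbers on the symptom described above (how long the ban takes after the maxretry-th hit, and how many hits the filter still reports after the ban fired), here is an added measurement script for fail2ban's own log. It is not part of the original thread or of fail2ban; the log lines are constructed samples in fail2ban's default log format, and the jail name, IP and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two fail2ban.log line kinds used here: "Found" (filter) and
# "Ban" (actions); anything else, e.g. server start-up lines, is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban) (?P<ip>\S+)"
)

def ban_latency(lines, maxretry=5):
    """Per (jail, ip): Found lines before the Ban, seconds from the maxretry-th
    Found (which should trigger it) to the Ban, and Found lines after the Ban."""
    found, banned_at, after = defaultdict(list), {}, defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a Found/Ban line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], m["ip"])
        if m["event"] == "Ban":
            banned_at[key] = ts
        elif key in banned_at:
            after[key] += 1               # attempt got through despite the ban
        else:
            found[key].append(ts)
    report = {}
    for key, t_ban in banned_at.items():
        hits = found[key]
        trigger = hits[min(maxretry, len(hits)) - 1] if hits else None
        report[key] = {
            "found_before_ban": len(hits),
            "latency_s": (t_ban - trigger).total_seconds() if trigger else None,
            "found_after_ban": after[key],
        }
    return report

# Constructed sample (not a real capture): 5 hits in ~1 s, ban 2 s later, 2 hits after it.
SAMPLE_LOG = """\
2021-05-10 12:00:00,101 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:00
2021-05-10 12:00:00,402 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:00
2021-05-10 12:00:00,730 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:00
2021-05-10 12:00:01,055 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:01
2021-05-10 12:00:01,388 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:01
2021-05-10 12:00:03,210 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-05-10 12:00:03,500 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:03
2021-05-10 12:00:04,012 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7 - 2021-05-10 12:00:04
"""
```

Run it over a real /var/log/fail2ban.log (`ban_latency(open(path))`) before and after switching the ban action; a large `latency_s` or `found_after_ban` well above the "3 - 5 attempts" mentioned in the thread points at the latency problem rather than the filter.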