Fail2Ban -- Something is off

I received the following email from fail2ban

Hi,
The IP 45.143.220.131 has just been banned by Fail2Ban after
46 attempts against SIP on ast.
Regards,
Fail2Ban

My Fail2Ban settings are as follows:

After 2 failed attempts, I want to ban the IP for a month (this logic works for my setup). But this does not match up with the above email.

Why was the rogue IP not blocked after 2 attempts? How did it get to make 46 attempts??
Also, my "IP’s that are currently banned." list is not growing.

I think I’m missing something here.
Please help.

Thanks

I assume that by the time fail2ban counted 2 and blocked, that attacker already did 46 attempts.

That could be a possibility.

No Fail2Ban emails for 8 hours. Either hackers are enjoying their Sunday or Fail2Ban is doing its job well :wink:

It depends on the 'backend's available to fail2ban and the rate that the attempts are made at; you will get significant response improvement if you make pyinotify available on your system.
Also, f2b versions >= .9 are significantly more efficient.
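An added illustration, not part of the original thread and not fail2ban's own code: a simplified model of why the attempt count in the ban email can far exceed the threshold when the log is polled, and why an event-driven backend keeps it near the threshold. The traffic rate, wake-up intervals and latency are constructed values, the function names are hypothetical, and findtime is ignored.

```python
# Simplified model (an assumption, not fail2ban source code): the backend wakes
# up, reads every log line written since its last wake-up, adds each failure to
# the counter, and only then compares the counter with maxretry.

def counted_at_ban(attempts_ms, wakeups_ms, maxretry):
    """Return (ban_time_ms, failures_counted), or None if no ban is issued."""
    pending = sorted(attempts_ms)
    counted = 0
    i = 0
    for wake in sorted(wakeups_ms):
        # Consume the whole batch of lines that reached the log before this wake-up.
        while i < len(pending) and pending[i] <= wake:
            counted += 1
            i += 1
        if counted >= maxretry:
            return wake, counted
    return None


def polling_wakeups(interval_ms, horizon_ms):
    """Fixed-interval polling: look at the log every interval_ms."""
    return list(range(interval_ms, horizon_ms + 1, interval_ms))


def event_wakeups(attempts_ms, latency_ms):
    """Event-driven (inotify-style): wake shortly after each write to the log."""
    return [t + latency_ms for t in attempts_ms]


# Constructed traffic: 50 failed SIP attempts per second, starting at t = 100 ms.
ATTEMPTS = list(range(100, 10_000, 20))
MAXRETRY = 2  # the setting described in the thread: ban after 2 failures

if __name__ == "__main__":
    scenarios = [
        ("polling, 1 s interval", polling_wakeups(1000, 10_000)),
        ("polling, 6 s effective interval", polling_wakeups(6000, 12_000)),
        ("event-driven, 5 ms latency", event_wakeups(ATTEMPTS, 5)),
    ]
    for label, wakeups in scenarios:
        ban_ms, counted = counted_at_ban(ATTEMPTS, wakeups, MAXRETRY)
        print(f"{label}: banned at {ban_ms} ms after {counted} attempts")
```
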

@dicko My current FreePBX distro has fail2ban 0.8.14-76
Since I have a distro install, I will wait for the system to automatically upgrade fail2ban.

On another note, since yesterday, when I last made the config changes, I’m seeing fewer emails from fail2ban & I’m seeing a healthy growth in banned IPs listed on the Intrusion detection page.

I will continue to monitor and update this thread as I discover something new.

Thanks again & stay safe!!

Well, the currently packaged version dates to Aug 19, 2014, 11 is the currently being developed version, but even so pyinotify will still help, if it is in the repos then

yum install python-pyinotify

would likely speed your detection rate without upsetting ‘the distro’.

The fail2ban logs will show what backend is used on startup.

@dicko Thanks for sharing the link to DO.

My repo does not have pyinotify :frowning:

[root@ast ~]# yum install python-pyinotify
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
No package python-pyinotify available.
Error: Nothing to do
[root@ast ~]#

[root@ast ~]# rpm -qa | grep notify
[root@ast ~]#

I did the following today on my FreePBX distro.

  1. yum install python-pip
  2. pip install --upgrade pip
  3. pip install pyinotify
  4. modify jail.conf & jail.local – changed backend = pyinotify
  5. service fail2ban restart

I’m hoping this will stop events like this: 46 attempts against SIP on ast

I will share my feedback in a few hours/days.

Thanks @dicko


Hello everyone,

I’m happy to report that I am finally seeing a reduced number of fail2ban emails & most importantly max failed attempts has not crossed “2”. Previously it was common for me to get 5-300 failed attempts in the notification email.

Super excited!!

Thanks!!
