Gentoo Forums
SOLVED - fail2ban not respecting bantime
Crymson
Apprentice


Joined: 21 Mar 2004
Posts: 205
Location: New England

Posted: Tue Mar 25, 2025 7:34 pm    Post subject: SOLVED - fail2ban not respecting bantime

I set up fail2ban to keep my system safer and block bad actors. I have multiple jails defined in /etc/fail2ban/jail.local and they're working, as I can see the effects in /var/log/messages, but it seems to be ignoring the bantime directive. I have bans ranging from 1w to 30d (not in seconds, those terms) which I understand are valid, but every time I see a ban take place in my log, it says "Banning for 86400 seconds" which is 1 day.

I'm not seeing anywhere in the configs that define a general bantime of 1d, and when I run
Code:
fail2ban-client --dp | grep bantime
['set', 'sshd', 'bantime', '30d']
['set', 'apache-auth', 'bantime', '30d']
['set', 'apache-noscript', 'bantime', '30d']
['set', 'apache-overflows', 'bantime', '30d']
['set', 'postfix', 'bantime', '30d']
['set', 'courier-auth', 'bantime', '30d']
['set', 'postfix-sasl', 'bantime', '1w']
['set', 'named-refused', 'bantime', '30d']
['set', 'postfix-flood-attack', 'bantime', '30d']
I see the bantimes that I have specified in jail.local as shown in the block above.

But here's an example from my log file:
Code:
Mar 25 12:34:56 <hostname> sshguard[5430]: Blocking "209.38.233.74/27" for 86400 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)


Does anyone know why this is? I'm trying to prevent a lot of attacks, and would like the bans to be longer than 1d.
_________________
Knowledge is Power // Power Corrupts // Study Hard // Be Evil


Last edited by Crymson on Thu Mar 27, 2025 12:52 am; edited 1 time in total
freke
Veteran


Joined: 23 Jan 2003
Posts: 1090
Location: Somewhere in Denmark

Posted: Wed Mar 26, 2025 2:23 pm

sshguard != fail2ban

It seems like it's sshguard doing the banning there - not fail2ban.
Crymson
Apprentice


Joined: 21 Mar 2004
Posts: 205
Location: New England

Posted: Thu Mar 27, 2025 12:51 am

Yeah, you're right. I checked the sshguard conf file and it was indeed set to 86400. I bumped that up too, which will help.

I'll keep an eye on the logs, and see if there are any other abuses that may not be respecting bantime.

Thanks for pointing out my stupidity!
_________________
Knowledge is Power // Power Corrupts // Study Hard // Be Evil
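
Added example, not part of the thread: a small Python check that reads the syslog program tag on a block line and compares the logged duration with the bantimes reported by `fail2ban-client --dp`, which is the distinction the answer above points out. The sample input is constructed from lines quoted in the first post; the function names and the set of duration suffixes handled are assumptions of this example.

```python
import re

# Duration suffixes used on this page plus s/m/h (assumed subset of fail2ban's syntax).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample input, taken from the lines quoted in the first post.
DP_OUTPUT = """\
['set', 'sshd', 'bantime', '30d']
['set', 'postfix-sasl', 'bantime', '1w']
"""
SYSLOG = [
    'Mar 25 12:34:56 <hostname> sshguard[5430]: Blocking "209.38.233.74/27" '
    'for 86400 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)',
]

DP_RE = re.compile(r"\['set', '([^']+)', 'bantime', '([^']+)'\]")
# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s([^\[:\s]+)(?:\[\d+\])?:\s(.*)$")
BLOCK_RE = re.compile(r'Blocking "([^"]+)" for (\d+) secs')


def to_seconds(value):
    """Convert '30d', '1w' or a bare number of seconds to an int."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def jail_bantimes(dp_text):
    """Map jail name -> bantime in seconds from `fail2ban-client --dp` lines."""
    return {m.group(1): to_seconds(m.group(2)) for m in DP_RE.finditer(dp_text)}


def attribute_blocks(lines, bantimes):
    """Report which daemon logged each block and whether its duration
    equals any configured fail2ban bantime."""
    results = []
    for line in lines:
        sm = SYSLOG_RE.match(line)
        bm = BLOCK_RE.search(sm.group(2)) if sm else None
        if bm:
            results.append({"daemon": sm.group(1), "target": bm.group(1),
                            "seconds": int(bm.group(2)),
                            "matches_fail2ban": int(bm.group(2)) in bantimes.values()})
    return results


if __name__ == "__main__":
    for r in attribute_blocks(SYSLOG, jail_bantimes(DP_OUTPUT)):
        print(r)
```

A block whose `daemon` is not fail2ban and whose duration matches none of the configured jail bantimes points at a second blocking tool with its own configuration.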