fail2ban + iptables "already banned"

Message

Philippe23 · Post by **Philippe23** » Sat Mar 01, 2014 6:32 pm

Hey, I'm looking for suggestions of what I might have misconfigured. I get a fair amount of these from fail2ban:

Feb 28 12:15:01 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 49.48.2.132 already banned
Feb 28 12:50:50 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 113.193.130.89 already banned
Feb 28 18:46:56 localhost fail2ban.actions[4327]: INFO [courier-iptables] 95.163.107.210 already banned

I get them for pretty much all of my jail rules. Here's my jail.local, minus the comments:

[DEFAULT]
ignoreip = 127.0.0.1
bantime = 28800
findtime = 600
maxretry = 10
backend = auto

[postfix-iptables]
enabled = true
filter = postfix
action = iptables[name=POSTFIX,port=smtp]
iptables[name=POSTFIX,port=submission]
iptables[name=POSTFIX,port=smtps]
sendmail-geoip[name=POSTFIX,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

[sasl-iptables]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL,port=smtp]
iptables[name=POSTFIX-SASL,port=submission]
iptables[name=POSTFIX-SASL,port=smtps]
sendmail-geoip[name=POSTFIX-SASL,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

[courier-iptables]
enabled = true
filter = courierlogin
action = iptables[name=COURIER,port=imap]
iptables[name=COURIER,port=imaps]
iptables[name=COURIER,port=pop3]
iptables[name=COURIER,port=pop3s]
sendmail-geoip[name=COURIER,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

And my iptables INPUT chain:

Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-COURIER tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
fail2ban-POSTFIX tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
fail2ban-POSTFIX-SASL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
fail2ban-COURIER tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
fail2ban-POSTFIX tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
fail2ban-POSTFIX-SASL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
dolts all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 169.254.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.16.0.0/12 0.0.0.0/0 reject-with icmp-port-unreachable
...

Anybody see what I'm missing?

666threesixes666 · Post by **666threesixes666** » Sat Mar 01, 2014 6:55 pm

your perception is what is off..... the ip is already banned, and they are attacking more, and fail2ban is trying to ban them again but they are already banned.

Philippe23 · Post by **Philippe23** » Sat Mar 01, 2014 7:19 pm

That sure makes it sound like something is wrong, since they shouldn't be able to try again ... they're banned. It appears the ban is not being very effective for some reason in my setup.

666threesixes666 · Post by **666threesixes666** » Sat Mar 01, 2014 7:45 pm

mmmm this brings up the point that our fail2ban wiki article need sites to provide test attacks..... you fix it, im sick of fixing that thing...

Post by Hu » Sat Mar 01, 2014 8:40 pm

If you suspect something is wrong with your filter rules, then please show them. Use iptables-save -c.

Philippe23 · Post by **Philippe23** » Sun Mar 02, 2014 12:46 am

I think I figured it out. Since I had multiple iptables actions for each rule, but they all had the same name, but different ports. I think that was causing only the first (or last) being created. I switched to iptables-multiport instead. I'm going to see how that goes.

Philippe23 · Post by **Philippe23** » Fri Mar 21, 2014 12:14 pm

Yeah, that seemed to have fixed it. I haven't had an already banned message since I made the change 20+ days ago.

666threesixes666 · Post by **666threesixes666** » Fri Mar 21, 2014 5:56 pm

migrate to sshguard, fail2ban is producing false negatives..... i made a wiki of sshguard

https://wiki.gentoo.org/wiki/Sshguard