
[FR]: Fail2Ban stops functioning periodically without any evident reason #3716

Open · Apashh opened this issue Apr 9, 2024 · 1 comment

Apashh commented Apr 9, 2024

Environment:

  • Fail2Ban version: 1.0.2-2
  • OS, including release name/version: Debian 12

The issue:

Fail2Ban stops functioning periodically without any evident reason. Graylog alerts us when there are more than 500 error requests, and we've noticed that Fail2Ban doesn't seem to work during these periods. When we access the machine, Fail2Ban appears to be up and running without any errors. However, simply restarting it resolves the issue temporarily.

Steps to reproduce

No ideas

Expected behavior

We expect Fail2Ban to continue functioning without interruption, effectively banning IP addresses that trigger the defined rules.

Observed behavior

Fail2Ban stops banning IP addresses periodically when Graylog alerts us about more than 500 error requests.

Any additional information

This issue occurs periodically and seems to coincide with spikes in error requests. Fail2Ban appears to be running without errors when accessed directly on the machine. However, it stops banning IP addresses during these periods of high error requests. Restarting Fail2Ban resolves the issue temporarily.

Configuration, dump and another helpful excerpts

jail.conf:

[DEFAULT]
sendername = Fail2ban
chain = DOCKER-USER
banaction = docker-all
action = %(action_mw)s[from=**emailaddress@domain.com**, password=**pass**,destination=**dest_address@domain.com**, sendername=Fail2Ban]
mta = mail

[sshd]
enabled = true
chain = INPUT
port = ssh,22
bantime = -1
maxretry = 3

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/container-npm/proxy-host-*_error.log
bantime = 86400
maxretry = 3

[nginx-http-auth-redirect]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/container-npm/redirection-host*_error.log
bantime = 86400
maxretry = 3

[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/container-npm/proxy-host-*_access.log
bantime = 86400
maxretry = 2

[nginx-badbots-redirect]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/container-npm/redirection-host*_access.log
bantime = 86400
maxretry = 2

[asm-custom-docker]
enabled = true
port = http,https
filter = asm-custom-docker
logpath = /var/log/container-npm/proxy-host-*_access.log
bantime = 86400
maxretry = 6

[asm-custom-docker-redirect]
enabled = true
port = http,https
filter = asm-custom-docker
logpath = /var/log/container-npm/redirection-host*_access.log
bantime = 86400
maxretry = 6

[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/container-npm/proxy-host-*_access.log
bantime = 86400
maxretry = 2

[nginx-nohome-redirect]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/container-npm/redirection-host*_access.log
bantime = 86400
maxretry = 2

[httpd-forbidden]
enabled = true
port = http,https
filter = httpd-forbidden
logpath = /var/log/container-npm/proxy-host-*_error.log
bantime = 86400
maxretry = 6

[httpd-forbidden-redirect]
enabled = true
port = http,https
filter = httpd-forbidden
logpath = /var/log/container-npm/redirection-host*_error.log
bantime = 86400
maxretry = 6

Any customizations done to /etc/fail2ban/ configuration

No customizations, just sending the log to SYSLOG (graylog).
Last log: (attached as an image)

Thanks for help !

@Apashh Apashh added the bug label Apr 9, 2024
@Apashh Apashh changed the title [BR]: [BR]: Fail2Ban stops functioning periodically without any evident reason Apr 9, 2024
@Apashh Apashh changed the title [BR]: Fail2Ban stops functioning periodically without any evident reason [FR]: Fail2Ban stops functioning periodically without any evident reason Apr 9, 2024
@sebres sebres removed the bug label Apr 9, 2024
sebres (Contributor) commented Apr 9, 2024

  1. how many jails are affected by the issue (at the time-point where "fail2ban stops to work")?
  2. what does happen in fail2ban.log? does it contain some errors, especially something like Too many errors at once ..., going idle?
  3. don't you also see [some-jail-name] Found ... anymore for affected jails? or is it only bans that stop working?
  4. if so, can you still ban something manually, for instance:
     fail2ban-client set asm-custom-docker banip 192.0.2.111
     fail2ban-client unbanip 192.0.2.111
  5. is it always the same time when it stops working? if yes, can it be the time of log-rotation?
  6. how is the log-rotation done? do the monitored logs still exist after log-rotation (recreated as empty logs)? what do you see in the monitored logs after log-rotation (the first few log-lines)? do the affected services recognize the rotation, or do they still continue to write to the old (rotated) logs?
  7. what is the banning action docker-all (there is no such stock action)?
  8. how many bans are there? how much memory is fail2ban consuming?
  9. can you try it without action = %(action_mw)s... (just comment it out and restart)?

And please don't provide log-excerpts as pictures.
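The checks sebres asks for in questions 2, 3 and 6 can be scripted so they run offline against a saved fail2ban.log and jail config. The script below is an added example, not code from fail2ban or from either participant in this issue; the log excerpt and the jail config it scans are constructed samples (the "Found", "Ban" and "Too many errors at once ..., going idle" wording follows the messages quoted above, but the timestamps, IPs and file paths are made up). It also assumes a POSIX sh with grep, sed, sort and mktemp, and only calls fail2ban-client when that binary is present.

```shell
#!/bin/sh
# Offline health check for the symptoms discussed in this issue. Added example,
# not code from fail2ban or from the issue's participants. The log excerpt and
# jail config below are constructed samples; the message wording mirrors the
# fail2ban 1.0.x lines quoted in the comment above.
set -u

TMPD="$(mktemp -d)"

# Constructed sample of fail2ban.log (the real file is /var/log/fail2ban.log).
SAMPLE_LOG="$TMPD/fail2ban.log"
cat > "$SAMPLE_LOG" <<'EOF'
2024-04-09 10:15:01,123 fail2ban.filter         [1234]: INFO    [asm-custom-docker] Found 192.0.2.10 - 2024-04-09 10:15:01
2024-04-09 10:15:02,200 fail2ban.filter         [1234]: INFO    [asm-custom-docker] Found 192.0.2.10 - 2024-04-09 10:15:02
2024-04-09 10:15:03,300 fail2ban.actions        [1234]: NOTICE  [asm-custom-docker] Ban 192.0.2.10
2024-04-09 10:16:00,001 fail2ban.filter         [1234]: ERROR   Too many errors at once (3), going idle
2024-04-09 10:16:00,002 fail2ban.filter         [1234]: INFO    [nginx-badbots] Found 198.51.100.7 - 2024-04-09 10:16:00
EOF

# Constructed jail config: one logpath glob that matches a file, one that
# matches nothing (what a jail sees when rotation removed its log).
SAMPLE_CFG="$TMPD/jail.local"
: > "$TMPD/proxy-host-1_access.log"
cat > "$SAMPLE_CFG" <<EOF
[asm-custom-docker]
logpath = $TMPD/proxy-host-*_access.log
[asm-custom-docker-redirect]
logpath = $TMPD/redirection-host*_access.log
EOF

# "Found" lines for a jail (question 3). Zero while the upstream service keeps
# logging errors means the filter is no longer reading its log.
count_found() {   # $1 = log file, $2 = jail name
    grep -c "\[$2\] Found " "$1" || true   # grep -c exits 1 on a zero count
}

# "Ban" lines for a jail.
count_bans() {   # $1 = log file, $2 = jail name
    grep -c "\[$2\] Ban " "$1" || true
}

# Exit 0 if fail2ban logged the error storm from question 2 and went idle:
# the process is still running, which is why it "appears up", but it no
# longer processes the jail.
went_idle() {   # $1 = log file
    grep -q "Too many errors at once.*going idle" "$1"
}

# Print every logpath glob from a jail config that matches no file
# (question 6: did the monitored logs survive rotation?). Empty output
# means every glob matches at least one file.
missing_logpaths() {   # $1 = jail config file
    cfg=$1
    sed -n 's/^logpath *= *//p' "$cfg" | sort -u | while read -r pat; do
        set -- $pat                 # unquoted on purpose: expand the glob
        [ -e "$1" ] || echo "$pat"  # no match leaves the literal pattern
    done
}

# Live check for question 4; only meaningful on the affected host.
jail_status() {   # $1 = jail name
    command -v fail2ban-client >/dev/null 2>&1 || { echo "fail2ban-client not installed here"; return 0; }
    fail2ban-client status "$1"
}

# Summary for the constructed sample.
for jail in asm-custom-docker nginx-badbots; do
    echo "$jail: found=$(count_found "$SAMPLE_LOG" "$jail") bans=$(count_bans "$SAMPLE_LOG" "$jail")"
done
if went_idle "$SAMPLE_LOG"; then
    echo "fail2ban went idle after an error storm; a restart clears it, the cause (rotation, unreadable log, failing action) does not go away"
fi
missing="$(missing_logpaths "$SAMPLE_CFG")"
[ -z "$missing" ] || printf 'logpath globs matching no file:\n%s\n' "$missing"
jail_status asm-custom-docker
```

On the real host, point SAMPLE_LOG at /var/log/fail2ban.log and SAMPLE_CFG at the jail file from this issue; a jail whose "Found" count stays flat while Graylog reports an error spike, or a logpath glob that matches nothing right after logrotate runs, pins the failure to the filter side rather than to the banning action.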
