Fail2Ban stops functioning periodically without any evident reason. Graylog alerts us when there are more than 500 error requests, and we've noticed that Fail2Ban doesn't seem to work during these periods. When we access the machine, Fail2Ban appears to be up and running without any errors. However, simply restarting it resolves the issue temporarily.
Steps to reproduce
No ideas
Expected behavior
We expect Fail2Ban to continue functioning without interruption, effectively banning IP addresses that trigger the defined rules.
Observed behavior
Fail2Ban stops banning IP addresses periodically when Graylog alerts us about more than 500 error requests.
Any additional information
This issue occurs periodically and seems to coincide with spikes in error requests. Fail2Ban appears to be running without errors when accessed directly on the machine. However, it stops banning IP addresses during these periods of high error requests. Restarting Fail2Ban resolves the issue temporarily.
Apashh changed the title from "[BR]:" to "[BR]: Fail2Ban stops functioning periodically without any evident reason" on Apr 9, 2024
Apashh changed the title from "[BR]: Fail2Ban stops functioning periodically without any evident reason" to "[FR]: Fail2Ban stops functioning periodically without any evident reason" on Apr 9, 2024
How many jails are affected by the issue (at the point in time where "fail2ban stops working")?
What happens in fail2ban.log? Does it contain any errors, especially something like Too many errors at once ..., going idle?
Do you also no longer see [some-jail-name] Found ... for the affected jails? Or is it only the bans that stop working?
If so, can you still ban something manually, for instance:
fail2ban-client set asm-custom-docker banip 192.0.2.111
fail2ban-client unbanip 192.0.2.111
Is it always the same time when it stops working? If yes, can it be the time of log rotation?
How is the log rotation done? Do the monitored logs exist after log rotation (recreated empty logs)? What do you see in the monitored logs after log rotation (first few log lines)? Do the affected services recognize the rotation and not continue to write to the old (rotated) logs?
What is the banning action docker-all (there is no such stock action)?
How many bans are there? How much memory is fail2ban consuming?
Can you try it without action = %(action_mw)s... (just comment it out and restart)?
And please don't provide log-excerpts as pictures.
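The questions above about whether `Found` lines stop too, or only the bans, and whether fail2ban.log shows errors, can be answered by summarising the log per jail. The following is an added example, not part of the thread and not fail2ban's own code; the sample log lines are constructed, and the names `summarize` and `state` are hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines in the usual fail2ban.log layout (not from the issue).
SAMPLE_LOG = """\
2024-04-09 10:00:01,100 fail2ban.filter  [811]: INFO    [asm-custom-docker] Found 192.0.2.10 - 2024-04-09 10:00:01
2024-04-09 10:00:03,220 fail2ban.actions [811]: NOTICE  [asm-custom-docker] Ban 192.0.2.10
2024-04-09 10:05:00,010 fail2ban.filter  [811]: INFO    [sshd] Found 198.51.100.7 - 2024-04-09 10:04:59
2024-04-09 10:05:02,500 fail2ban.actions [811]: NOTICE  [sshd] Ban 198.51.100.7
2024-04-09 11:30:00,000 fail2ban.actions [811]: ERROR   constructed error message for the example
2024-04-09 11:31:10,900 fail2ban.filter  [811]: INFO    [asm-custom-docker] Found 192.0.2.44 - 2024-04-09 11:31:10
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.\S+\s+"
                  r"\[\d+\]:\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
EVENT = re.compile(r"^\[(?P<jail>[^\]]+)\]\s+(?P<kind>Found|Ban)\s")

def summarize(text):
    """Return ({jail: {"Found": ts, "Ban": ts}}, [(ts, level, msg), ...])."""
    last, problems = defaultdict(dict), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation lines, tracebacks, other layouts
        ev = EVENT.match(m["msg"])
        if ev:
            last[ev["jail"]][ev["kind"]] = m["ts"]  # later lines overwrite earlier
        elif m["level"] in ("WARNING", "ERROR", "CRITICAL"):
            problems.append((m["ts"], m["level"], m["msg"]))
    return dict(last), problems

def state(seen):
    """Classify one jail; ISO timestamps compare correctly as strings."""
    found, ban = seen.get("Found"), seen.get("Ban")
    if found is None:
        return "no-found"  # bans but no filter matches in this log (e.g. manual banip)
    if ban is None or found > ban:
        # Normal below maxretry; suspicious if it persists through a spike.
        return "found-without-newer-ban"
    return "ban-current"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    jails, problems = summarize(text)
    for jail, seen in sorted(jails.items()):
        print(jail, state(seen), seen)
    for ts, level, msg in problems:
        print(ts, level, msg)
```

Run it with the path to fail2ban.log as the only argument; a jail missing from the output entirely has neither `Found` nor `Ban` lines, which points at the monitored log rather than the action.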
Environment:
Configuration, dump and another helpful excerpts
Jail.conf :
Any customizations done to /etc/fail2ban/ configuration
No customizations, just sending logs to SYSLOG (Graylog)
Last LOG :
Thanks for help!