Score:0

fail2ban log activity even if IP has been banned anyway

cz flag

I would like to know if there is a way to know if a banned IP is still trying to contact my server and what is he trying to do?

The fail2ban.log seems to show who has been banned, but not if a banned IP is still trying to reach me, am I wrong?

Thanks in advance for any clue to find those details if possible :)

Kindly, Krys

user9517 avatar
cn flag
Doesn't fail2ban update the firewall on the system and that then stops access? As such, the system no longer gets activity from the banned IP, so there is no activity to look at beyond the firewall. You could look at the firewall and see if there are any counters related to the banned IP which may tell you that it is still active, but not what it is trying to do.
dkdlv avatar
cz flag
It seems it is the best way to go, but at the moment, I don't find what I need and/or how to do it... –
Score:1
la flag

Typically Fail2ban bans specific IP-addresses based on malicious patterns in your application log files. Usually fail2ban blocks the offending IP-address by generating a (temporary) firewall rule and logs only that.

When the offending IP-address has been banned those IP-addresses can't reach your application any more and no more events from those IP-addresses will be found in the application log files. So from those log files you can't learn whether the offending IP-address has backed off, or is still banging against the firewall.

You can try to look at the current firewall statistics to see if the latter is happening. Your mileage there may vary:

On a host with banaction = firewallcmd-ipset there is only a rule and single counter for all blocked IPs:

```
iptables -L -n -v
...
 pkts bytes target     prot opt in     out     source               destination
 6578  392K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
```

That makes it impossible to attribute which blocked IP-address(es) in the f2b-sshd ipset are the repeat offenders.

On a host where each blocked IP gets affected by its own rule I see for example:

```
Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       117.239.37.150       0.0.0.0/0           reject-with icmp-port-unreachable
2        4   412 REJECT     all  --  *      *       117.253.208.237      0.0.0.0/0           reject-with icmp-port-unreachable
```

There, for example, the IP-address 117.253.208.237 sent 4 packets that got counted by the firewall after having been blocked, and 117.239.37.150 completely backed off.


As the other answer mentioned, you can instruct fail2ban to create a firewall rule that generates log events, which you can then post-process to get similar insights, but that isn't something fail2ban will natively process and report on.

dkdlv avatar
cz flag
You are 100% right... I may be able to measure the determination of an intruder, but not what he is trying to do... So not really useful. Thanks for that!
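The per-rule counters shown in the answer above are the only per-IP signal the firewall gives without extra logging. The following script is an added example for this thread (not code from the thread or from the fail2ban project): it parses `iptables -L -n -v` output, keeps only REJECT/DROP rules inside fail2ban chains (it assumes the chain is named `fail2ban-<jail>` or `f2b-<jail>`, the two naming schemes fail2ban's iptables actions use), and lists banned addresses whose packet counter is still climbing. It also shows, with a constructed ipset-style sample, why nothing per-IP can be recovered on a host that uses `firewallcmd-ipset`.

```python
"""Report which banned IPs are still hitting a per-rule fail2ban chain.

Added example for this thread; not fail2ban's own code.  Assumes the
per-rule chain layout shown in the answer (one REJECT rule per banned
address in a chain named fail2ban-<jail> or f2b-<jail>).
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: the chain from the answer plus a trailing RETURN rule.
SAMPLE = """\
Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       117.239.37.150       0.0.0.0/0           reject-with icmp-port-unreachable
2        4   412 REJECT     all  --  *      *       117.253.208.237      0.0.0.0/0           reject-with icmp-port-unreachable
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample of the ipset style: one counter for every banned host,
# sitting in a non-fail2ban chain, so no per-IP attribution is possible.
SAMPLE_IPSET = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6578  392K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
"""

# One rule line of `iptables -L -n -v [--line-numbers]`.  The optional
# leading number is the rule index; counters may carry K/M/G suffixes.
RULE_RE = re.compile(
    r"^\s*(?:\d+\s+)?"
    r"(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+"
    r"(?P<target>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"      # prot opt in out
    r"(?P<src>[0-9a-fA-F.:]+(?:/\d+)?)\s+"
)
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}   # iptables -v abbreviates in 1000s
CATCH_ALL = {"0.0.0.0/0", "::/0"}
F2B_PREFIXES = ("fail2ban-", "f2b-")


def parse_count(token: str) -> int:
    """'392K' -> 392000, '4' -> 4."""
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


def parse_chains(text: str) -> Dict[str, Dict[str, int]]:
    """Map each fail2ban chain to {banned_ip: packets rejected since the ban}."""
    counts: Dict[str, Dict[str, int]] = {}
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            name = line.split()[1]
            chain = name if name.startswith(F2B_PREFIXES) else None
            continue
        if chain is None:
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") not in ("REJECT", "DROP"):
            continue
        src = m.group("src")
        if src in CATCH_ALL:          # jail-wide rule, not a banned host
            continue
        counts.setdefault(chain, {})[src] = parse_count(m.group("pkts"))
    return counts


def repeat_offenders(counts: Dict[str, Dict[str, int]],
                     min_pkts: int = 1) -> List[Tuple[str, str, int]]:
    """(chain, ip, pkts) for hosts still hitting the firewall after the ban."""
    hits = [(chain, ip, n) for chain, per_ip in counts.items()
            for ip, n in per_ip.items() if n >= min_pkts]
    return sorted(hits, key=lambda t: -t[2])


def live_counts() -> Dict[str, Dict[str, int]]:
    """Read the real tables (needs root); not used by the sample run below."""
    out = subprocess.run(["iptables", "-L", "-n", "-v"], check=True,
                         capture_output=True, text=True).stdout
    return parse_chains(out)


if __name__ == "__main__":
    for chain, ip, n in repeat_offenders(parse_chains(SAMPLE)):
        print(f"{chain}: {ip} sent {n} packet(s) after being banned")
    print("ipset-style host:", parse_chains(SAMPLE_IPSET) or "no per-IP data")
```

Running it as root with `live_counts()` instead of the sample gives the same "determination" measure the commenter describes: a counter that keeps rising means the host is still knocking, but the firewall rejects the packets before any application sees them, so what the host is trying to do is not recoverable from this output.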
Score:0
rw flag

I think what you are looking for is actions. Fail2ban is able to execute a specific command when banning/unbanning, and it looks like this is what you are looking for. As mentioned in the default config, you should create a file in jail.d to customize the behavior for the service(s) you want to keep logging, i.e. jail.d/customisation.local

dkdlv avatar
cz flag
Thanks for the answer, but not precisely. The documentation you sent me tells me that: The directory action.d contains different scripts defining actions. The actions are executed at well-defined moments during the execution of Fail2ban: when starting/stopping a jail, banning/unbanning a host, etc. From what I understand, it logs the change of a state. What I would like to have is the activity of a banned IP. Maybe I should look at what iptables can tell me.
Nicola avatar
rw flag
That's why I specifically linked the [rich log](https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-rich-logging.conf) action: if you configure it, according to the docs it should also keep logging the offending IPs: did you try it?
Nicola avatar
rw flag
On line 9 I read: "# Also this action logs banned access attempts so you can filter that and increase ban time for offenders."