
The IP 218.92.1.158 is currently attacking my Raspberry.

Until this morning, fail2ban was blocking it correctly. /etc/fail2ban/jail.local :

[DEFAULT]
bantime = 3600
findtime = 3600
maxretry = 5

The only thing I did since then is add a cron job that copies the /var/log/auth.log file and empties it:

0   0  *   *   *     bash -c "cp /var/log/auth.log ~/auths/auth$((`ls ~/auths/auth* | sed -n 's/\/root\/auths\/auth\([0-9]*\)/\1/p' | sort -rh | head -n 1`+1))" && echo "" > /var/log/auth.log

This works. Just in case it could have changed the permissions, here they are currently:

-rw-r----- 1 root adm 52569 Dec 22 15:20 /var/log/auth.log

Since then, the attacker doesn't get banned anymore. Here is an extract of /var/log/auth.log:

# cat /var/log/auth.log | grep "Failed" | grep 218.92.1.158
Dec 22 15:22:55 JMPi sshd[29568]: Failed password for root from 218.92.1.158 port 18727 ssh2
Dec 22 15:23:54 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:23:57 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:23:59 JMPi sshd[29577]: Failed password for root from 218.92.1.158 port 18945 ssh2
Dec 22 15:24:58 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
Dec 22 15:25:01 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2
Dec 22 15:25:04 JMPi sshd[29588]: Failed password for root from 218.92.1.158 port 13087 ssh2

This makes 6 tries in the 1-hour time frame.

Looking at /var/log/fail2ban.log:

# cat /var/log/fail2ban.log | grep "218.92.1.158"
2018-12-22 13:38:09,068 fail2ban.filter         [29522]: INFO    [sshd] Found 218.92.1.158
2018-12-22 13:38:09,726 fail2ban.actions        [29522]: NOTICE  [sshd] Ban 218.92.1.158
2018-12-22 13:38:10,730 fail2ban.filter         [29522]: INFO    [sshd] Found 218.92.1.158
2018-12-22 14:38:09,853 fail2ban.actions        [29522]: NOTICE  [sshd] Unban 218.92.1.158

For an hour now, fail2ban hasn't found the attacker anymore, despite him continuously trying.

I've restarted fail2ban multiple times:

# service fail2ban status
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-12-22 15:32:07 CET; 4s ago
     Docs: man:fail2ban(1)
  Process: 30011 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 30094 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 30098 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─30098 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Dec 22 15:32:03 JMPi systemd[1]: Starting Fail2Ban Service...
Dec 22 15:32:04 JMPi fail2ban-client[30094]: ERROR  No file(s) found for glob /var/log/nginx/*access.log
Dec 22 15:32:04 JMPi fail2ban-client[30094]: ERROR  No file(s) found for glob /var/log/lighttpd/error.log
Dec 22 15:32:04 JMPi fail2ban-client[30094]: 2018-12-22 15:32:04,610 fail2ban.server         [30096]: INFO    Starting Fail2ban v0.9.6
Dec 22 15:32:04 JMPi fail2ban-client[30094]: 2018-12-22 15:32:04,611 fail2ban.server         [30096]: INFO    Starting in daemon mode
Dec 22 15:32:07 JMPi systemd[1]: Started Fail2Ban Service.

Despite the two file errors (which are not used by my installation anyway), fail2ban does seem to be running.

Unlike in "Why is fail2ban finding but not banning", the tries definitely are in the time window.

Do you have any idea what could cause that?

CLOVIS
