I'm facing a confusing issue with Fail2Ban.
I run an older version which, upon restart of the Fail2Ban daemon, unbans all IP addresses.
I now have Fail2Ban version 0.9.3 installed on CentOS 7. When I restart Fail2Ban, it re-bans the previously banned IP addresses. I do not want this to happen, and instead want all bans cleared on restart, which is the way it used to work.
I've set dbfile = None to prevent persistent banning and also set dbpurgeage = 0 just to be safe.
But on restart any banned IPs get banned again.
Here's an excerpt from /var/log/fail2ban.log when a user gets banned via vsftpd:
2016-09-19 20:45:58,671 fail2ban.filter [23752]: INFO [vsftpd] Found xx.xx.xx.xx
2016-09-19 21:01:55,665 fail2ban.filter [23752]: INFO [vsftpd] Found xx.xx.xx.xx
2016-09-19 21:02:06,679 fail2ban.filter [23752]: INFO [vsftpd] Found xx.xx.xx.xx
2016-09-19 21:02:06,936 fail2ban.actions [23752]: NOTICE [vsftpd] Ban xx.xx.xx.xx
Then upon restarting Fail2Ban here's the last few lines of the log file:
2016-09-19 21:02:42,719 fail2ban.jail [24213]: INFO Jail 'vsftpd' started
2016-09-19 21:02:42,761 fail2ban.filter [24213]: INFO [vsftpd] Found xx.xx.xx.xx
2016-09-19 21:02:42,761 fail2ban.filter [24213]: INFO [vsftpd] Found xx.xx.xx.xx
2016-09-19 21:02:42,921 fail2ban.actions [24213]: NOTICE [vsftpd] Ban xx.xx.xx.xx
It seems to be re-scanning the log files and re-banning a previously banned user.
As I mention, this is not how it used to work in older versions of Fail2Ban - how can I revert to the previous functionality?
Disabling the use of dbfile means that fail2ban loses track of its read position in each file on restart and so reads the whole file, leading to the behaviour you've observed.
Adding tail after the filenames in the logpath statements will tell fail2ban to start reading from end of file rather than starting at beginning. That should (I think) give the behaviour you want (or near enough). See docs for more detail. Relevant section is ...
However, I'd agree with the implication of Michael Hampton's comment - the right way to deal with this is to reinstate the use of dbfile and use the unban functionality.
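The tail option from the answer above, written out as configuration. This is an added example, not part of the original question or answer; the override file names and the /var/log/vsftpd.log path are assumptions, so substitute the log path your vsftpd jail actually uses.

```ini
# /etc/fail2ban/fail2ban.local  (assumed override file; setting taken from the question)
[Definition]
# No persistent database, so fail2ban keeps no record of where it stopped
# reading each log file
dbfile = None

# /etc/fail2ban/jail.local  (assumed override file)
[vsftpd]
enabled = true
# Before: no option after the path, so the default "head" applies and the
# whole file is re-read on every start, re-banning addresses found in it
# logpath = /var/log/vsftpd.log
# After: "tail" is a space-separated option placed after the path, so reading
# starts at the end of the file and only new entries are counted
logpath = /var/log/vsftpd.log tail
```

With several log files in one logpath (one per line), the option is added after each path it should apply to.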