IPs on ip.blacklist not getting banned #13

Open
lou-diamonds opened this issue Feb 23, 2019 · 9 comments

@lou-diamonds

lou-diamonds commented Feb 23, 2019

I'm running Fail2Ban v0.9.3

I've followed the script as described in the instructions & for some reason, the IPs on /etc/fail2ban/ip.blacklist are not getting banned.

After reviewing the fail2ban.log, it looks like asterisk is unbanning IPs that are on the ip.blacklist. The asterisk ban time works perfectly, but after their ban time expires, they unban the IP on the ip.blacklist.

Can you tell me how to troubleshoot, why they are not getting unbanned or how to keep them permanently banned?

@juniorionut

@lou-diamonds having the same issue, I have manually added approx. 600 IPs to the ip.blacklist but they are not banned.
The actionstart inside blacklist.conf seems not to be executed - if we look at the declaration it should do a sort of the IPs then ban them, which it does not (as I have intentionally added a duplicated IP on top of the list).
If I find the problem I will let you know.

@juniorionut

Forgot to mention that the jail seems to be working, but it ignores the ip.blacklist

2019-02-24 11:02:12,188 fail2ban.actions [27157]: NOTICE [blacklist] Flush ticket(s) with iptables-multiport
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 179.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 179.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 185.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 193.x.x.x
2019-02-24 11:02:12,198 fail2ban.actions [27157]: NOTICE [blacklist] Unban 193.x.x.x
2019-02-24 11:02:12,199 fail2ban.actions [27157]: NOTICE [blacklist] Unban 5.x.x.x
2019-02-24 11:02:12,442 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 179.x.x.x
2019-02-24 11:02:12,480 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 179.x.x.x
2019-02-24 11:02:12,504 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 185.x.x.x
2019-02-24 11:02:12,527 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 193.x.x.x
2019-02-24 11:02:12,550 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 193.x.x.x
2019-02-24 11:02:12,571 fail2ban.actions [27157]: NOTICE [blacklist] Restore Ban 5.x.x.x

@juniorionut

@lou-diamonds the problem that I described above is entirely my fault - inside my jail.local I had commented out banaction = blacklist. Check if it's the same for you, as after I enabled this the ip.blacklist is taken into account.

@mitchellkrogza
Owner

Hi @lou-diamonds unfortunately this has never been tested in conjunction with the asterisk filter so I guess they could very well conflict with each other.

@juniorionut are you using this in conjunction with asterisk?

@lou-diamonds
Author

@juniorionut Unfortunately I don't have banaction = blacklist commented out. So, that's not the issue.

@mitchellkrogza Maybe we can see what the issue is. My jail.local is:

[DEFAULT]
bantime = 60
findtime = 600
maxretry = 3
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
filter = %(name)s
port = 0:65535

# Asterisk
[asterisk]
enabled = true
port = 5060,5061
filter = asterisk
action = %(banaction)s[name=%(name)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(name)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(name)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3

[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
filter = blacklist
banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 2

Then here is my /var/log/fail2ban.log:

2019-02-24 07:06:31,761 fail2ban.actions [1665]: NOTICE [asterisk] Unban 37...*
2019-02-24 07:06:33,190 fail2ban.actions [1665]: NOTICE [asterisk] Unban 5...*
2019-02-24 07:06:34,614 fail2ban.actions [1665]: NOTICE [asterisk] Unban 104...*
2019-02-24 07:06:34,716 fail2ban.actions [1665]: NOTICE [blacklist] 0...* already banned
2019-02-24 07:06:35,718 fail2ban.actions [1665]: NOTICE [blacklist] 185...* already banned
2019-02-24 07:06:36,720 fail2ban.actions [1665]: NOTICE [blacklist] 0...* already banned

There are plenty of IPs that remain banned but some asterisk will unban them from the blacklist ban & from the asterisk ban. However, if I change the default bantime to 10 days, asterisk will have this behavior every 10 days, instead of every 60 seconds like the example.

Any ideas?

@mitchellkrogza
Owner

mitchellkrogza commented Feb 24, 2019

When asterisk unbans them, are they removed from ip.blacklist?

Maybe the default findtime + asterisk is conflicting with the findtime specified in [blacklist]? 🤔

Another question: are the IPs being banned onto the blacklist originating from asterisk bans?

@juniorionut

@mitchellkrogza, no, just blacklist, but I have fixed my problem.

@mitchellkrogza
Owner

Oh great @juniorionut please post your solution in case any others run into it.

@juniorionut

@mitchellkrogza I wrote it above but will write it again:

Inside my jail.local I had commented out banaction = blacklist, which caused fail2ban to ignore the declarations inside action.d/blacklist.conf
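
An offline check for the cause reported in the comment above (a commented-out banaction in jail.local), added here as an example and not code from this project or from fail2ban. The function name audit_banaction and the sample jail.local text are constructed for illustration.

```python
import configparser
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")
COMMENTED_RE = re.compile(r"^\s*[#;]+\s*banaction\s*=\s*(\S+)")

# Constructed sample (not the posters' files): banaction is commented out.
BROKEN = """\
[DEFAULT]
bantime = 60

[blacklist]
enabled = true
filter = blacklist
#banaction = blacklist
bantime = 31536000 ; 1 year
"""
FIXED = BROKEN.replace("#banaction", "banaction")


def audit_banaction(text, jail="blacklist", expected="blacklist"):
    """Report which banaction `jail` gets from this jail.local text."""
    # interpolation=None keeps fail2ban's %(name)s tags as raw text.
    parser = configparser.ConfigParser(interpolation=None, strict=False, inline_comment_prefixes=(";",))
    parser.read_string(text)

    # Collect commented-out banaction lines in the jail or in [DEFAULT].
    commented, section = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        hit = COMMENTED_RE.match(line)
        if hit and section in (jail, "DEFAULT"):
            commented.append((lineno, section, hit.group(1)))

    if not parser.has_section(jail):
        return {"status": "missing-jail", "effective": None, "commented": commented}
    # None means jail.local sets nothing, so the default from jail.conf applies.
    effective = parser.get(jail, "banaction", fallback=None)
    if effective == expected:
        status = "ok"
    else:
        status = "commented-out" if commented else "not-expected"
    return {"status": status, "effective": effective, "commented": commented}


if __name__ == "__main__":
    print(audit_banaction(BROKEN), audit_banaction(FIXED), sep="\n")
```

A "commented-out" result matches the symptom in the log earlier in the thread, where the [blacklist] jail flushes tickets with iptables-multiport instead of the blacklist action.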
