Hello,
On a Debian 9 server, Fail2ban has banned a number of IPs under the recidive rule:
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
| |- Currently failed: 129
| |- Total failed: 537
| `- File list: /var/log/fail2ban.log
`- Actions
|- Currently banned: 51
|- Total banned: 51
`- Banned IP list: 92.63.194.121 129.28.191.55 103.233.153.146 106.13.200.7 222.242.223.75 197.248.16.118 62.48.150.175 168.243.91.19 130.61.28.159 187.122.102.4 157.230.91.45 81.74.229.246 175.124.43.123 206.189.162.87 129.211.27.10 106.12.94.65 139.217.103.62 13.94.57.155 188.254.0.197 52.172.138.31 222.186.175.161 110.80.17.26 222.186.180.9 185.17.41.198 170.150.155.102 194.84.17.5 123.207.86.68 139.99.219.208 144.217.15.161 89.248.168.221 171.244.51.114 118.24.135.240 123.206.74.50 222.186.42.4 92.222.216.81 121.162.131.223 222.186.173.142 45.82.153.37 222.186.180.223 222.186.173.183 139.59.94.192 129.213.18.41 159.224.66.240 222.186.180.6 222.186.175.220 141.98.80.81 103.36.84.100 112.85.42.185 106.13.81.18 41.207.182.133 92.222.77.175
But I keep seeing messages about these banned IPs every minute:
...
2019-10-07 08:41:21,847 fail2ban.actions [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 08:43:36,280 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:43:36
2019-10-07 08:46:43,739 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:46:43
2019-10-07 08:47:37,812 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:47:37
2019-10-07 08:50:01,014 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:50:00
2019-10-07 08:50:53,687 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:50:53
2019-10-07 08:50:54,393 fail2ban.actions [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 08:53:04,466 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:53:04
2019-10-07 08:54:01,145 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:54:01
2019-10-07 08:56:17,328 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:56:17
2019-10-07 08:57:02,586 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:57:02
2019-10-07 08:59:23,577 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:59:23
2019-10-07 08:59:23,652 fail2ban.actions [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 09:00:21,653 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:00:21
2019-10-07 09:02:34,621 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:02:34
2019-10-07 09:03:28,491 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:03:28
2019-10-07 09:05:44,476 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:05:44
2019-10-07 09:06:32,543 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:06:32
2019-10-07 09:06:32,804 fail2ban.actions [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 09:09:01,149 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:09:01
Why do these messages appear every 2 minutes if this IP has been banned by an iptables rule for a week?
iptables -L -v
...
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any 139.59.4.224 anywhere reject-with icmp-port-unreachable
22 1720 REJECT all -- any any ns3118043.ip-51-38-57.eu anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 103.76.21.181 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 27.50.162.82 anywhere reject-with icmp-port-unreachable
17 1348 REJECT all -- any any 76.121.175.61.dial.hu.zj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
19 1516 REJECT all -- any any 222.186.175.169 anywhere reject-with icmp-port-unreachable
12 896 REJECT all -- any any selvamotor.emcali.net.co anywhere reject-with icmp-port-unreachable
24 1840 REJECT all -- any any 140.143.98.35 anywhere reject-with icmp-port-unreachable
39 2700 REJECT all -- any any 139.217.102.155 anywhere reject-with icmp-port-unreachable
25 1916 REJECT all -- any any 89.216.47.154 anywhere reject-with icmp-port-unreachable
28 2088 REJECT all -- any any 125.ip-217-182-74.eu anywhere reject-with icmp-port-unreachable
23 1596 REJECT all -- any any 139.155.44.100 anywhere reject-with icmp-port-unreachable
31 1672 REJECT all -- any any 221.150.15.200 anywhere reject-with icmp-port-unreachable
30 2208 REJECT all -- any any 167.71.91.228 anywhere reject-with icmp-port-unreachable
34 2440 REJECT all -- any any 160.ip-213-32-67.eu anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 175.ip-92-222-77.eu anywhere reject-with icmp-port-unreachable
19 1612 REJECT all -- any any 222.186.175.217 anywhere reject-with icmp-port-unreachable
34 2448 REJECT all -- any any 215.39.73.34.bc.googleusercontent.com anywhere reject-with icmp-port-unreachable
35 2508 REJECT all -- any any 162.243.10.64 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 41.207.182.133 anywhere reject-with icmp-port-unreachable
18 1368 REJECT all -- any any 222.186.190.92 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 106.13.81.18 anywhere reject-with icmp-port-unreachable
200K 447M RETURN all -- any any anywhere anywhere
Chain f2b-postfix (1 references)
pkts bytes target prot opt in out source destination
48087 9218K RETURN all -- any any anywhere anywhere
Chain f2b-pureftpd (1 references)
pkts bytes target prot opt in out source destination
485 29639 RETURN all -- any any anywhere anywhere
Chain f2b-recidive (1 references)
pkts bytes target prot opt in out source destination
18 1448 REJECT all -- any any 139.59.4.224 anywhere reject-with icmp-port-unreachable
17 1304 REJECT all -- any any 103.76.21.181 anywhere reject-with icmp-port-unreachable
20 1560 REJECT all -- any any 27.50.162.82 anywhere reject-with icmp-port-unreachable
31 2272 REJECT all -- any any 175.ip-92-222-77.eu anywhere reject-with icmp-port-unreachable
33 2388 REJECT all -- any any 41.207.182.133 anywhere reject-with icmp-port-unreachable
30 2120 REJECT all -- any any 106.13.81.18 anywhere reject-with icmp-port-unreachable
390 23728 REJECT all -- any any 112.85.42.185 anywhere reject-with icmp-port-unreachable
44 2968 REJECT all -- any any 103.36.84.100 anywhere reject-with icmp-port-unreachable
49 3123 REJECT all -- any any 141.98.80.81 anywhere reject-with icmp-port-unreachable
16 1360 REJECT all -- any any 222.186.175.220 anywhere reject-with icmp-port-unreachable
28 2064 REJECT all -- any any 222.186.180.6 anywhere reject-with icmp-port-unreachable
53 3596 REJECT all -- any any 240.66.224.159.triolan.net anywhere reject-with icmp-port-unreachable
47 3228 REJECT all -- any any 129.213.18.41 anywhere reject-with icmp-port-unreachable
56 3768 REJECT all -- any any 129360.cloudwaysapps.com anywhere reject-with icmp-port-unreachable
19 1636 REJECT all -- any any 222.186.173.183 anywhere reject-with icmp-port-unreachable
20 1580 REJECT all -- any any 222.186.180.223 anywhere reject-with icmp-port-unreachable
50 2931 REJECT all -- any any 45.82.153.37 anywhere reject-with icmp-port-unreachable
29 2120 REJECT all -- any any 222.186.173.142 anywhere reject-with icmp-port-unreachable
46 3084 REJECT all -- any any 121.162.131.223 anywhere reject-with icmp-port-unreachable
45 3100 REJECT all -- any any 81.ip-92-222-216.eu anywhere reject-with icmp-port-unreachable
19 1612 REJECT all -- any any 222.186.42.4 anywhere reject-with icmp-port-unreachable
62 4116 REJECT all -- any any 123.206.74.50 anywhere reject-with icmp-port-unreachable
46 3164 REJECT all -- any any 118.24.135.240 anywhere reject-with icmp-port-unreachable
32 2224 REJECT all -- any any 171.244.51.114 anywhere reject-with icmp-port-unreachable
23 1380 REJECT all -- any any 89.248.168.221 anywhere reject-with icmp-port-unreachable
43 2988 REJECT all -- any any 161.ip-144-217-15.net anywhere reject-with icmp-port-unreachable
42 2880 REJECT all -- any any 139.99.219.208 anywhere reject-with icmp-port-unreachable
37 2588 REJECT all -- any any 123.207.86.68 anywhere reject-with icmp-port-unreachable
49 3308 REJECT all -- any any mail.severstalauto.com anywhere reject-with icmp-port-unreachable
50 3360 REJECT all -- any any static.102.155.150.170.cps.com.ar anywhere reject-with icmp-port-unreachable
41 2876 REJECT all -- any any vi185-17-41-198.vibiznes.pl anywhere reject-with icmp-port-unreachable
44 3044 REJECT all -- any any 222.186.180.9 anywhere reject-with icmp-port-unreachable
48 3248 REJECT all -- any any 110.80.17.26 anywhere reject-with icmp-port-unreachable
19 1528 REJECT all -- any any 222.186.175.161 anywhere reject-with icmp-port-unreachable
85 5508 REJECT all -- any any 52.172.138.31 anywhere reject-with icmp-port-unreachable
45 3076 REJECT all -- any any 188.254.0.197 anywhere reject-with icmp-port-unreachable
151 9420 REJECT all -- any any 13.94.57.155 anywhere reject-with icmp-port-unreachable
142 8888 REJECT all -- any any 139.217.103.62 anywhere reject-with icmp-port-unreachable
56 3728 REJECT all -- any any 106.12.94.65 anywhere reject-with icmp-port-unreachable
34 2388 REJECT all -- any any 129.211.27.10 anywhere reject-with icmp-port-unreachable
52 3528 REJECT all -- any any 206.189.162.87 anywhere reject-with icmp-port-unreachable
44 2952 REJECT all -- any any 175.124.43.123 anywhere reject-with icmp-port-unreachable
49 3356 REJECT all -- any any ahc-rm3-10.rminv.alcdn.interbusiness.it anywhere reject-with icmp-port-unreachable
46 3168 REJECT all -- any any 252407.cloudwaysapps.com anywhere reject-with icmp-port-unreachable
42 2984 REJECT all -- any any bb7a6604.virtua.com.br anywhere reject-with icmp-port-unreachable
24 1844 REJECT all -- any any 130.61.28.159 anywhere reject-with icmp-port-unreachable
50 2924 REJECT all -- any any static-243.90.19.pddh.gob.sv anywhere reject-with icmp-port-unreachable
56 3768 REJECT all -- any any adsl-62-48-150-175.ptprime.net anywhere reject-with icmp-port-unreachable
52 3572 REJECT all -- any any 197-248-16-118.safaricombusiness.co.ke anywhere reject-with icmp-port-unreachable
39 2476 REJECT all -- any any 222.242.223.75 anywhere reject-with icmp-port-unreachable
59 3936 REJECT all -- any any 106.13.200.7 anywhere reject-with icmp-port-unreachable
32 2132 REJECT all -- any any 103.233.153.146 anywhere reject-with icmp-port-unreachable
22 1672 REJECT all -- any any 129.28.191.55 anywhere reject-with icmp-port-unreachable
114 6776 REJECT all -- any any 92.63.194.121 anywhere reject-with icmp-port-unreachable
591K 537M RETURN all -- any any anywhere anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
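A check for the symptom described in the post, added here as an example and not part of the original post: it parses fail2ban.log lines of the shape quoted above and counts, per jail and IP, the "Found" hits that keep arriving after that IP was banned. Hits after a ban mean the client is still reaching the service, which points at the firewall rule (which chain it is in, and which iptables backend it lives in) rather than at fail2ban's bookkeeping. The sshd lines and the address 203.0.113.9 in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Shape of a /var/log/fail2ban.log line, as quoted in the post above:
#   2019-10-07 08:41:21,847 fail2ban.actions [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} fail2ban\.\w+\s+\[\d+\]:\s+"
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
# "Ban <ip>" (NOTICE) is what stock fail2ban's recidive filter matches on; the
# "<ip> already banned" WARNING is not, it only says the jail re-tried an active ban.
BAN_RE = re.compile(r"^(?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) already banned)$")
FOUND_RE = re.compile(r"^Found (?P<ip>\S+)")

def parse(lines):
    """Yield (timestamp, jail, message) for each well-formed fail2ban log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["msg"]

def leaky_bans(lines, grace_seconds=60):
    """Count 'Found' hits logged more than grace_seconds after the same jail banned the IP."""
    # A hit after the ban means the client still reached the service, so the REJECT
    # rule is not in the packet path (wrong chain, wrong iptables backend, ...).
    banned_at = {}              # (jail, ip) -> time of first "Ban" / "already banned"
    leaks = defaultdict(int)    # (jail, ip) -> hits seen after that time
    for ts, jail, msg in parse(lines):
        ban = BAN_RE.match(msg)
        if ban:
            banned_at.setdefault((jail, ban["ip1"] or ban["ip2"]), ts)
            continue
        found = FOUND_RE.match(msg)
        if found:
            key = (jail, found["ip"])
            if key in banned_at and (ts - banned_at[key]).total_seconds() > grace_seconds:
                leaks[key] += 1
    return dict(leaks)

# Constructed sample: postfix-sasl lines are copied from the post; the sshd lines with
# 203.0.113.9 (a documentation-range address) are made up and show a ban that holds.
SAMPLE_LOG = """\
2019-10-07 08:41:21,847 fail2ban.actions [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 08:43:36,280 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:43:36
2019-10-07 08:46:43,739 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:46:43
2019-10-07 08:53:04,466 fail2ban.filter [15857]: INFO [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:53:04
2019-10-07 08:55:00,000 fail2ban.filter [15857]: INFO [sshd] Found 203.0.113.9 - 2019-10-07 08:55:00
2019-10-07 08:55:00,100 fail2ban.actions [15857]: NOTICE [sshd] Ban 203.0.113.9
"""
```

Run it against the live file with `leaky_bans(open("/var/log/fail2ban.log"))`; on the twenty log lines quoted in the post it reports 16 hits for 92.118.38.53 in postfix-sasl after the first "already banned" entry.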