"Already banned" in fail2ban.log

More than 3 years ago I installed a new Webmin/Virtualmin server. After few days I found some “already banned” ips in fail2ban.log. I had a very long thread about that issue with the app developer. I couldn’t solve the problem via iptables. I wrote a couple of scripts to block those ips via firewallD.

2 days ago I developed a new virtual host with Alma Linux 9 and a fresh install of Webmin Virtualmin.
Then I installed some software but I never change anything related to firewall and fail2ban setting by myself.

I got freezed when looking at fail2ban.log and found again some “Already banned”. If the ip has been banned it has access only when it is “unban”.

My knowledge on this matter is very poor so I don’t want to try anything.
Here are stuff I’ve done after Virtualmin install:
Changed hostname, ssh port, php conf
Install nano, mlocate, imagemagick, ksh, postfix-perl-scripts, exiftool, php-extensions, sphinx, phpMyadmin, trying to install Horde (pearl), Roundcube, phpMailer.
Blocked some domains in named.conf
Thanks for help

Unless this feeds to a firewall before your box, then yes, they will keep banging on the front door. The door is locked though. You still have to process the IP to see if it is allowed or denied.

Okay, sorry, I was confused. Anyway, why if a IP is banned maillog displays several connection attempts from that IP?

Its always best practise to reduce the attack surface as much as possible, and this is done by limiting the exposure. If you have a proper firewall between you are the dirty side of the internet, limit access by country to just those of your customers. Most people want a fairly wide spread for http/https, but their mail customers are local(ish). For example, our mail is locked down to UK/Ireland and parts of the EU which knocks out all the crap coming from the east.

Second, analyse fail2ban logs and pic out the IP’s who just bang on week after week, get banned, unbanned and carry on. just block those permanently. You can do this automatically or manually, you’re choice here.

Finally, make sure you’ve got something watching the system like lynis + snort (as an example), then pay attention to any suspect activity. fail2ban is really just a script kiddy mitigation device, really doesn’t work great against proper bad actors. (imo).

1 Like

Thanks for your tips.
I have a very long list of IPs I’ve already blocked in firewallD, that script I mentioned.
Many times it is not useful because of dynamic IP.
How do you limit access by country?
I have an old database, IP to country codes, I use in some php scripts

After a little reading it appears that fail2ban can increase the ban time for repeat offenders. The code is already in the config file but probably needs to go into the the local config.

Yes, they have to be set at jail.local, bantime, max-retry and others. You also can set which services will be viewed

You can do the country ban with ConfigServer Security and Firewall (csf) – ConfigServer Services
I does disable fail2ban and use iptables, seems to do a good job, lot more involved though.

1 Like

Hi Steve,
Can you please explain a bit more “I disabled fail2ban and use iptables”?
I installed csf and tests were 42/42.
I also have read this thread.
Thank you

OK. Thinking about it, fail2ban has to read the auth attempt. I don’t know if it returns any information on fail. That would be bad. But port knocking is what you might be looking for. I found this. There are others.

1 Like

I should of posted “It disables fail2ban and use iptables”
Strange I’m sure fail2ban was off last time i look but most of the banning is with IPTABLES.
I noticed the “start at boot” is enabled maybe it started after a reboot. I will investigate.

P.S. ok i remember now I looked at FirewallD not fail2ban, that was disabled.

I changed ssh port long time ago so I avoid ssh login attempts in port 22

I hope you have certificate key login only and password not allowed. This stop any login by guessing a password.

Actually, you can set both, certificate AND password which is what we do.

yes but password alows hacking attempts (thats the point), no cert then connection is dropped.

Just because the packet is logged, it doesn’t mean it isn’t silently dropped. PCAP is your friend here.

I’m not sure what you mean.

PCAP is packet capture. Think wire shark. It will show if the packet even gets an acknowledgment or if it is silently dropped. Given how old this technique is I’d be surprised if fail2ban isn’t just logging the attempts but doesn’t answer. But, that’s just a guess/assumption on my part.

The only way to avoid the knock is to have a firewall ahead of the machine. No way around that one.

If you have a public access points there no getting around that, I’m now use CSF for the security.

I’ve toyed with the idea of setting up a vm for a firewall and then sharing the ban list from the hosting machine. That would stop the door knocks. The problem is that there is so much noise from the (fill_in_the_blank) that it makes finding stuff in the logs harder sometimes. Just no time right now.