Resolved Fail2Ban is ignoring maxretry/ ip found after ban

[KarleyLo]

We are Blocking a Bruteforce with Fail2Ban and i discovered that sometimes the IPs are not blocked after the maxretry or the IP is found after ban.

We have set the maxretry to 3 :

[ssh]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
iptables-allports[chain="INPUT", name="default", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
logpath = /var/log/secure
maxretry = 3

but when i check the logs i can see that sometime, the same ip is found more than 3 times :

/var/log/fail2ban.log:


grep "Failed pass" /var/log/secure:


Can someone help us with this?

 

[Bitpalast]

What is the "WARNING Unable to find a corrspond" message showing in full length?

 

[Brujo]

please show us also the timestamps of the entrys, sometimes the entries are as often as the fail2ban / system is not fast enough

 

[KarleyLo]

What is the "WARNING Unable to find a corrspond" message showing in full length?

please show us also the timestamps of the entrys, sometimes the entries are as often as the fail2ban / system is not fast enough

As you can see, there a a couple of seconds between each login :

 

[Bitpalast]

Regarding @Brujo 's comment: It is correct that in this case Fail2Ban simply isn't fast enough to block the IP before it exceeds the set limit. No worries about that. Simply leave your configuraton as it is.

Regarding the "WARNING" message: If your system is not using Fail2Ban version 0.10 or new that can utilize ip6tables to block IPv6 attacks, it is strongly recommended to disable IPv6 altogether on the system, because else attacks can be launched successfully using an IPv6 route. These will never be blocked by the normal Fail2Ban and iptables.