Resolved Find reason why User get's banned via Fail2ban

[daanse]

Hi, i know, probably a stupid Question.
But if i have the IP from User.
How can i find out, why he was blocked?
Its always because some Homepage things, false Email Settings, FTP....

Does this require to set some debug Level?
Is there something which is practicable and not harm Performance with a bigger Server?

Thank you in Advance

 

[UFHH01]

Hi daanse,

pls. consider to have a look at the HOME - site of your Plesk Control Panel => "See Banned IP Addresses" links directly to the current banned IP addresses, where you will find as well the corresponding jail at the right side, for each banned IP address. If you now click on the corresponding jail, you will find the corresponding "filter" and as well the defined log - settings, which has to be monitored by Fail2Ban. Pls. investigate the used regex in use for the filter at for example: "HOME > Tools & Settings > IP Address Banning > (tab) jails > (button) Manage Filters", or got to "/etc/fail2ban/filter.d" on your server. Last, pls. open the corresponding ( defined ) log and compair it with the filter - definitions and entries in the log. Voilá !


Edit:
Actually, the above suggestion could have been more elegant, with a suggestion to use a "find" - command as for example:

find /var/log -type f -name "*log" -exec grep --color -Hni "XXX.XXX.XXX.XXX" {} \;

This will point out all current logged entries in the folder "/var/log" and you are now able to compair it with your jail - depending filter regex - expressions. ( The very same process is certainly possible with all domain - specific log - files, located at "/var/www/vhosts/system/*/logs" ).

 

[daanse]

Hi @UFHH01 ,

thank you for your explanations - my Problem is i never see exactly WHY someone gots banned. I know Jails and Filters and regex and sometimes i understand it but in this Case i don't find the Source.
The Command which you mentioned shows as followed:

/var/log/fail2ban.log:4726:2017-04-11 04:51:01,668 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:4727:2017-04-11 04:51:04,964 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:5338:2017-04-11 06:51:58,977 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:5339:2017-04-11 06:52:01,130 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:6111:2017-04-11 08:52:52,037 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:6112:2017-04-11 08:52:53,715 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:6721:2017-04-11 10:53:47,017 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:6722:2017-04-11 10:53:49,048 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:7297:2017-04-11 12:54:43,626 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:7879:2017-04-11 14:55:34,538 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:7881:2017-04-11 14:55:38,233 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8089:2017-04-11 15:59:36,938 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8090:2017-04-11 15:59:39,047 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8336:2017-04-11 17:44:22,927 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8337:2017-04-11 17:44:28,893 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8339:2017-04-11 17:44:42,049 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8341:2017-04-11 17:45:57,461 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8354:2017-04-11 17:50:56,861 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8355:2017-04-11 17:50:57,124 fail2ban.actions        [3898]: NOTICE  [plesk-dovecot] Ban xx.xx.xxx.xxx
/var/log/fail2ban.log:8356:2017-04-11 17:50:57,140 fail2ban.filter         [3898]: INFO    [recidive] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8381:2017-04-11 18:00:58,076 fail2ban.actions        [3898]: NOTICE  [plesk-dovecot] Unban xx.xx.xxx.xxx
/var/log/fail2ban.log:8390:2017-04-11 18:04:15,653 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8393:2017-04-11 18:05:57,998 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8394:2017-04-11 18:06:08,379 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8395:2017-04-11 18:06:08,519 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8396:2017-04-11 18:06:08,652 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8397:2017-04-11 18:06:08,783 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8398:2017-04-11 18:06:08,852 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8399:2017-04-11 18:06:08,922 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8400:2017-04-11 18:06:09,101 fail2ban.actions        [3898]: NOTICE  [plesk-postfix] Ban xx.xx.xxx.xxx
/var/log/fail2ban.log:8401:2017-04-11 18:06:09,116 fail2ban.filter         [3898]: INFO    [recidive] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8402:2017-04-11 18:06:09,122 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8403:2017-04-11 18:06:32,741 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8413:2017-04-11 18:08:19,486 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8414:2017-04-11 18:08:21,613 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8415:2017-04-11 18:08:21,801 fail2ban.actions        [3898]: NOTICE  [plesk-dovecot] Ban xx.xx.xxx.xxx
/var/log/fail2ban.log:8416:2017-04-11 18:08:21,814 fail2ban.filter         [3898]: INFO    [recidive] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8430:2017-04-11 18:16:10,023 fail2ban.actions        [3898]: NOTICE  [plesk-postfix] Unban xx.xx.xxx.xxx
/var/log/fail2ban.log:8433:2017-04-11 18:18:01,520 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8434:2017-04-11 18:18:01,727 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8435:2017-04-11 18:18:01,927 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8436:2017-04-11 18:18:02,071 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8437:2017-04-11 18:18:02,143 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8438:2017-04-11 18:18:02,286 fail2ban.filter         [3898]: INFO    [plesk-postfix] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8439:2017-04-11 18:18:02,375 fail2ban.actions        [3898]: NOTICE  [plesk-postfix] Ban xx.xx.xxx.xxx
/var/log/fail2ban.log:8440:2017-04-11 18:18:02,390 fail2ban.filter         [3898]: INFO    [recidive] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8441:2017-04-11 18:18:22,737 fail2ban.actions        [3898]: NOTICE  [plesk-dovecot] Unban xx.xx.xxx.xxx
/var/log/fail2ban.log:8442:2017-04-11 18:19:00,273 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8445:2017-04-11 18:20:25,031 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8446:2017-04-11 18:20:26,384 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8447:2017-04-11 18:20:28,349 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8449:2017-04-11 18:21:30,027 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8450:2017-04-11 18:21:30,176 fail2ban.actions        [3898]: NOTICE  [plesk-dovecot] Ban xx.xx.xxx.xxx
/var/log/fail2ban.log:8451:2017-04-11 18:21:30,191 fail2ban.filter         [3898]: INFO    [recidive] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8452:2017-04-11 18:21:30,697 fail2ban.actions        [3898]: NOTICE  [recidive] Ban xx.xx.xxx.xxx
/var/log/fail2ban.log:8459:2017-04-11 18:23:56,786 fail2ban.filter         [3898]: INFO    [plesk-dovecot] Found xx.xx.xxx.xxx
/var/log/fail2ban.log:8464:2017-04-11 18:28:03,318 fail2ban.actions        [3898]: NOTICE  [plesk-postfix] Unban xx.xx.xxx.xxx
/var/log/fail2ban.log:8470:2017-04-11 18:31:31,114 fail2ban.actions        [3898]: NOTICE  [plesk-dovecot] Unban xx.xx.xxx.xxx
/var/log/fail2ban.log:12778:2017-04-12 15:01:49,918 fail2ban.actions        [3898]: NOTICE  [recidive] Unban xx.xx.xxx.xxx

But this isnt really helpful. Maybe it depents on Debug from fail2ban? Do i have to turn something on? Would this harm Performance?

 

[UFHH01]

Hi daanse,

the recidive jail bans returning spammers, you have to dig further in your ( maybe ) compressed ( because "log - rotate" took part ) log - files then.