Fail2ban – Unban Behavior When Two Jails Ban the Same IP

fail2ban

I have two fail2ban jails that deal with postfix: one called postfixsasl and one called postfixauth. They each are looking for different regex matches for triggering bans. It is possible that both of them might be triggered by activity from the same IP address, and that occurs sometimes.

If one of the bans expires before the other one, it seems like the IP address is getting unbanned, even though the second ban is still active.

For example, suppose I run fail2ban-client get postfixauth banip --with-time and I get the following line within its output (actual IP address dummied out):

aaa.bbb.ccc.ddd     2020-09-28 10:58:24 + 86400 = 2020-09-29 10:58:24

… and suppose I run fail2ban-client get postfixsasl banip --with-time and I get the following output. The same IP address is dummied out in the same way:

aaa.bbb.ccc.ddd     2020-09-28 20:00:37 + 3600 = 2020-09-28 21:00:37

Obviously, the second ban will expire before the first one will. However, it seems like once the second item gets unbanned, the aaa.bbb.ccc.ddd IP address seems to be unbanned, even before the first item's expiration time.

I want the aaa.bbb.ccc.ddd IP address to remain blocked until the latest ban expires, but this is not occurring for me.

Before 21:00:37 on 2020-09-29, the following line appears in the f2b-postfixauth section of iptables -L output:

REJECT     all  --  aaa.bbb.ccc.ddd         anywhere             reject-with icmp-port-unreachable

… and the following line appears in the f2b-postfixsasl section of the iptables -L output:

REJECT     all  --  aaa.bbb.ccc.ddd         anywhere             reject-with icmp-port-unreachable

After 21:00:37 on 2020-09-29, both lines are gone from the iptables -L output.

Is this expected behavior? Or could it be that there might be something totally unrelated that's wrong with my fail2ban configuration which causes this to occur? If this is not the expected behavior, then I will investigate my fail2ban configuration further.

Thank you very much.
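The check the question describes by hand (compare each jail's banip --with-time expiry against what is actually present in the f2b-* chains of iptables -L) can be scripted so the state can be re-verified after every unban event. The following is an added example, not code from the question or from the fail2ban project; the function names, the use of 192.0.2.10 as the banned address and the embedded sample outputs are all constructed for illustration, modelled on the lines quoted above.

```python
import re
from datetime import datetime, timedelta

# One line of `fail2ban-client get <jail> banip --with-time` output looks like:
#   192.0.2.10     2020-09-28 10:58:24 + 86400 = 2020-09-29 10:58:24
BANIP_LINE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"\s*\+\s*(?P<bantime>\d+)\s*=\s*(?P<end>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)
TS = "%Y-%m-%d %H:%M:%S"


def parse_banip_output(text):
    """Return {ip: expiry datetime} for one jail's `banip --with-time` output."""
    result = {}
    for line in text.splitlines():
        m = BANIP_LINE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, anything not a ban entry
        start = datetime.strptime(m["start"], TS)
        end = datetime.strptime(m["end"], TS)
        # Sanity check: the printed expiry must equal start + bantime.
        if start + timedelta(seconds=int(m["bantime"])) != end:
            raise ValueError(f"inconsistent ban line: {line!r}")
        result[m["ip"]] = end
    return result


def latest_expiry(jails):
    """jails: {jail_name: banip output}. Return {ip: (latest expiry, jail that set it)}."""
    latest = {}
    for jail, text in jails.items():
        for ip, end in parse_banip_output(text).items():
            if ip not in latest or end > latest[ip][0]:
                latest[ip] = (end, jail)
    return latest


def blocked_in_chains(iptables_text, ip):
    """Return the f2b-* chains in `iptables -L -n` output that still REJECT/DROP ip."""
    chains, current = [], None
    for line in iptables_text.splitlines():
        header = re.match(r"^Chain (\S+)", line)
        if header:
            current = header.group(1)
            continue
        if (current and current.startswith("f2b-")
                and re.match(r"^(REJECT|DROP)\s", line)
                and re.search(rf"\s{re.escape(ip)}\s", line)):
            chains.append(current)
    return chains


def check_ip(jails, iptables_text, ip, now):
    """Compare what the jails say about ip with what the firewall actually does at `now`."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS)
    latest = latest_expiry(jails)
    should_be_blocked = ip in latest and now < latest[ip][0]
    chains = blocked_in_chains(iptables_text, ip)
    return {
        "should_be_blocked": should_be_blocked,
        "is_blocked": bool(chains),
        "chains": chains,
        "consistent": should_be_blocked == bool(chains),
    }


# Constructed sample data mirroring the question: two jails, one IP, different bantimes.
SAMPLE_JAILS = {
    "postfixauth": "192.0.2.10     2020-09-28 10:58:24 + 86400 = 2020-09-29 10:58:24\n",
    "postfixsasl": "192.0.2.10     2020-09-28 20:00:37 + 3600 = 2020-09-28 21:00:37\n",
}
SAMPLE_IPTABLES_BEFORE = """Chain f2b-postfixauth (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-postfixsasl (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_IPTABLES_AFTER = """Chain f2b-postfixauth (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-postfixsasl (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    # After the short postfixsasl ban expired but before the postfixauth one did:
    print(check_ip(SAMPLE_JAILS, SAMPLE_IPTABLES_AFTER, "192.0.2.10", "2020-09-28 21:30:00"))
```

To run it against a live host, feed each jail's real `fail2ban-client get <jail> banip --with-time` output into `SAMPLE_JAILS` and the output of `iptables -L -n` into the iptables argument; `-n` keeps the source column as a numeric address so the regex matches rather than a reverse-resolved hostname. A result with `should_be_blocked` true and `is_blocked` false is exactly the symptom in the question and points at something outside the jails themselves removing the rules.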

Best Answer

I am using csf for "normal", non-fail2ban firewall processing, and I figured out that csf and fail2ban interact with iptables in incompatible ways, and this is the cause of my problem.

I was using iptables-multiport within fail2ban in order to do the banning, and the simultaneous presence of csf as my firewall service caused previously banned (via fail2ban) IP addresses to still get through the firewall.

Instead of using iptables-multiport, I changed my fail2ban jail configuration to do its banning and unbanning solely via csf, as described here: https://github.com/fail2ban/fail2ban/issues/2340

With iptables-multiport actions no longer being executed within my csf-enabled fail2ban setup, all banning and unbanning attempts are now working as expected.