On Wed, May 27, 2015 at 12:47 AM, Johannes Weberhofer
Dear Greg,
sorry for the late response, I didn't see you post earlier.
Regarding your issue, I'm seeing the same problem with the 0.8 and 0.9 version, too: https://github.com/fail2ban/fail2ban/issues/1020 .
Can you check if fail2ban bans the IP-addresses when you open vi and write the file? I think, there is something wrong with fail2ban.
Johannes When a ban triggers it is updating my iptables: Chain f2b-ssh-repeater (1 references) target prot opt source destination REJECT all -- 58.218.205.83 anywhere reject-with icmp-port-unreachable REJECT all -- 60.8.151.51 anywhere reject-with icmp-port-unreachable REJECT all -- 58.218.211.155 anywhere reject-with icmp-port-unreachable etc. It is also updating my permanent block file: # cat ip.blocklist.ssh 58.218.204.239 # fail2ban/2015-05-20 14:17:51: auto-add for repeat offender 58.218.199.49 # fail2ban/2015-05-20 17:27:17: auto-add for repeat offender 222.186.21.136 # fail2ban/2015-05-21 04:51:17: auto-add for repeat offender etc. My issue is that on fail2ban startup parsing the ip.blocklist.ssh file seems to fail. Then fail2ban runs through all my logs and re-bans the bothersome IPs based on the historical logs. I then get an email about each one. I have about 30 IPs in the blocklist so I get 30 emails generated via "systemctl restart fail2ban.service" The workaround for the emails is to turn off email notification for repeat ssh attack detection. But that just ignores the real bug. Greg -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org