fail2ban not banning "matched" IPs from vsftp log

Question

Using fail2ban to secure the vsftp login:

jail.local

[vsftpd]
enabled = true
bantime  = 600
findtime  = 5000
maxretry = 1
port = ftp,ftp-data
action = iptables-multiport
logpath = /var/log/vsftpd/vsftpd.log

Regex is matching, as you can see here:

fail2ban-regex /var/log/vsftpd/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf --print-all-matched

Running tests
=============

Use   failregex filter file : vsftpd, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/vsftpd/vsftpd.log
Use         encoding : UTF-8


Results
=======

Failregex: 23 total
|-  #) [# of hits] regular expression
|   2) [23] ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [385] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 385 lines, 0 ignored, 23 matched, 362 missed
[processed in 0.03 sec]

|- Matched line(s):
|  Wed Mar  9 08:36:06 2022 [pid 2619415] [bla] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:13 2022 [pid 2619420] [bla] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:18 2022 [pid 2619422] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:30 2022 [pid 2619425] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:37 2022 [pid 2619508] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:45 2022 [pid 2619511] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:53 2022 [pid 2619514] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:47:39 2022 [pid 2620744] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:47:47 2022 [pid 2620746] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:47:55 2022 [pid 2620748] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:48:03 2022 [pid 2620763] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:48:12 2022 [pid 2620767] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:48:12 2022 [pid 2620766] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:07 2022 [pid 2621558] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:15 2022 [pid 2621560] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:23 2022 [pid 2621562] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:23 2022 [pid 2621564] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:26 2022 [pid 2621566] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:36:56 2022 [pid 2627379] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:48 2022 [pid 2627498] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:57 2022 [pid 2627500] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:57 2022 [pid 2627501] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:58 2022 [pid 2627504] [blaas] FAIL LOGIN: Client "some_IP"
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 362 lines

Checking with fail2ban cli / fail2ban-client status vsftpd

Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Any idea what may cause this not banning the "matched" IPs / how to debug further?

Answer 1

Any idea what may cause this not banning the "matched" IPs / how to debug further?

Wrong backend (if it is systemd by default on your system)? Try to specify backend = auto for this jail (it would automatically select file-related monitoring backend).

For other possible reasons see https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works

Answer 2

Why did you think it is not banning? The fact it is not banned now doesn't mean a jail doesn't work.

I see a specific pattern in your log for the jail blaas: six consecutive attempts, then some delay (of around 10 minutes), then exactly six attempts again, then some delay, then six attempts again...

This could be interpreted in two ways:

1. It bans for 10 minutes after 6 attempts. Then removes the ban.

2. You faced with a smart bot, which knows about fail2ban typical behaviour and is able to determine jail settings (how much attempts in which time period fires a ban). Such bots exist for a quite long time. So, it probably just tuned itself to not to trip the ban action.

To remedy those cases, you need to enable the recidive jail, which scans fail2ban's own log file, looks for addresses that were banned and unbanned too many times (for instance, five per day) and bans them for a long, like a whole month. In the second case, you also have to tighten up jail limits considerably, to be able to catch the bot with recidive before it has a chance to determine your jail setup.

Always read log file (perhaps /var/log/fail2ban.log), not a regex matching helper. That helper is designed precisely to debug matches, which cause a hit. It won't help to debug the banning behaviour when regex matchers are already debugged and work properly.

---

I re-read your question and noticed the jail definition: ban time is really set to 10 minutes. If I was able to determine it without looking at the settings, why bots can't?