
I have a very simple filter that does the following:

[nginx-node]

failregex = ^<HOST> -.*(socket.io).*

I can see that there are clear matches:

grep 'socket.io' /var/log/nginx/example.com.access.log

121.172.15.179 1.866 - [19/Mar/2019:07:28:24 +0000] example.com "GET /play HTTP/1.1" 200 6139 "http://example.com/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=l0uDuR-obQ-x88VTXy64" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 OPR/56.0.3051.43"
109.248.15.151 2.097 - [19/Mar/2019:07:28:24 +0000] example.com "GET /withdraw HTTP/1.1" 200 5909 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=YhxObxy-NI9nGSMYXy-i" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
185.129.196.137 1.983 - [19/Mar/2019:07:28:24 +0000] example.com "GET /play HTTP/1.1" 200 6140 "http://example.com/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=T6NdG0RxDqJrrZoBXy66" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 OPR/56.0.3051.43"
5.188.214.175 2.001 - [19/Mar/2019:07:28:25 +0000] example.com "GET /withdraw HTTP/1.1" 200 5909 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=HDuKa8O9rB_DQ4SbXy-j" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
5.8.54.93 1.357 - [19/Mar/2019:07:28:26 +0000] example.com "GET /withdraw HTTP/1.1" 200 5906 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=5SwXG179RJFvBDJ_Xy-k" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
45.4.197.31 1.533 - [19/Mar/2019:07:28:27 +0000] example.com "GET /withdraw HTTP/1.1" 200 5903 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=L1AFBAvELUyb9x1sXy-l" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/5^C

And yet the bans are as follows:

2019-03-19 23:01:20,927 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.139
2019-03-19 23:01:21,346 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.140
2019-03-19 23:01:21,568 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.141
2019-03-19 23:01:21,790 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.142

The relevant section of my jail.local:

[nginx-node]
enabled = true
filter = nginx-node
port = http,https
action = iptables-multiport[name=Name, port="http,https", protocol=tcp]
logpath = /var/www/example.com/logs/access.log tail
maxretry = 0

I am running nginx behind Cloudflare. I have already adjusted nginx to show real IPs and I know that is working because other filters work perfectly. It seems that this one user is spoofing his IP address. I just can't figure out why I am seeing a real IP in the logs and a fake one being banned.

Any ideas?

xtremetom
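As an added example (not part of the question above), the harness below does offline what fail2ban's own `fail2ban-regex <logfile> <filter>` tool does: it expands the `<HOST>` tag and reports which address each sample line would be banned as, for the posted failregex and for an adjusted one that allows for the timing field sitting between the client address and the `-` in these log lines. The `HOST` expansion is fail2ban's classic 0.9 pattern (newer releases use a more elaborate one that likewise cannot match a space), the sample lines are constructed from the grep output in the question with the URLs and user agents shortened, and `ADJUSTED` is an assumption based only on those sample lines.

```python
import re

# Classic expansion fail2ban substitutes for the <HOST> tag (fail2ban 0.9; newer
# releases use a richer pattern, but none of its alternatives can contain a space).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines, shortened from the question's grep output; the last
# line is a constructed non-socket.io request that must never match.
LOG_LINES = [
    '121.172.15.179 1.866 - [19/Mar/2019:07:28:24 +0000] example.com "GET /play HTTP/1.1" 200 6139 "http://example.com/socket.io/?EIO=3&transport=polling" "Mozilla/5.0"',
    '109.248.15.151 2.097 - [19/Mar/2019:07:28:24 +0000] example.com "GET /withdraw HTTP/1.1" 200 5909 "https://example.com:2096/socket.io/?EIO=3&transport=polling" "Mozilla/5.0"',
    '5.8.54.93 1.357 - [19/Mar/2019:07:28:26 +0000] example.com "GET /withdraw HTTP/1.1" 200 5906 "https://example.com:2096/socket.io/?EIO=3" "Mozilla/5.0"',
    '10.0.0.7 0.412 - [19/Mar/2019:07:28:30 +0000] example.com "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def check_failregex(failregex: str, lines) -> list:
    """For each line, return the host fail2ban would ban, or None if the line does not match."""
    rx = compile_failregex(failregex)
    results = []
    for line in lines:
        m = rx.search(line)
        results.append(m.group("host") if m else None)
    return results


# The failregex exactly as posted in the question.
POSTED = r"^<HOST> -.*(socket.io).*"

# Assumed correction: the sample lines carry a timing field (e.g. "1.866") between
# the client address and the "-", so require one non-space token there and anchor
# the literal "socket.io" with an escaped dot.
ADJUSTED = r"^<HOST> \S+ -.*socket\.io"

if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("adjusted", ADJUSTED)):
        print(name, check_failregex(rx, LOG_LINES))
```

The posted pattern matches none of the sample lines, because `<HOST>` cannot swallow the space before the timing field; the adjusted pattern captures the client address from each socket.io line and ignores the plain request.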

0 Answers