Duplicate reports when restarting fail2ban

When I restart fail2ban (which I can do quite a few times when testing new configurations), it will ban again the IPs that are still within the search window. When configured to report bans to blocklist.de, I notice that duplicate reports are being made, which do not come from new activity, but from fail2ban re-reading the same log entries from before. The time of the reports is the current time but the log lines are the same as before.

I believe that the re-reading of the logs at startup is the correct behaviour of fail2ban, since it is needed to put the local bans back in place. However, I imagine it's not so desirable from the reporting point of view, though I don't see how that can be easily avoided.

I noticed that if you get duplicate reports, blocklist.de does not send out duplicate abuse reports, so I think that there is no damage done. The only, probably minor, problem is that the statistics of reports per server become artificially inflated by fail2ban stop/start activity. Is that OK, or do you have a suggestion to avoid this problem?


Re: Duplicate reports when restarting fail2ban

Hi John,

Yes, we only send out a new report 24 hours after the last report, when we get a new attack mail.

Can you tell me your "findtime" from your config?
When the findtime is very high and the IP addresses from the logs were within the findtime, fail2ban blocks them again, but only on a restart.
You can use reload on the current version; the IPs are not unblocked.
Or you can change the settings in /etc/fail2ban/action.d/iptablesxxxxx.conf and edit the "stop" and "start" action-lines.
Best regards,
Martin
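
One way to keep restart re-bans from being reported twice on the sending side, as an added example that is not part of either post and is not fail2ban or blocklist.de code: a guard that a reporting action could call before sending, which lets an IP through only if it has not been reported within a window. The function name `should_report`, the state-file format, and the 86400-second window (chosen to mirror the 24 hours mentioned above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: suppress repeat reports for an IP that was already reported
# within a time window, so bans re-applied after a restart are not re-sent.
# State file format (constructed for this example): "<ip> <epoch-seconds>".

# should_report IP NOW STATE_FILE WINDOW_SECONDS
#   returns 0 and records the report if IP has no entry newer than WINDOW
#   returns 1 if IP was already reported inside the window (skip the report)
should_report() {
    ip=$1 now=$2 state=$3 window=$4
    [ -f "$state" ] || : > "$state"
    tmp="$state.tmp.$$"
    rc=0
    # Copy only unexpired entries; exit 1 if this IP is among them.
    awk -v ip="$ip" -v now="$now" -v win="$window" '
        (now - $2) < win { print; if ($1 == ip) seen = 1 }
        END { exit (seen ? 1 : 0) }
    ' "$state" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Not seen recently: remember when this report went out.
        printf '%s %s\n' "$ip" "$now" >> "$tmp"
    fi
    mv "$tmp" "$state"
    return "$rc"
}

# Hypothetical use inside a wrapper script run by the reporting action:
#   if should_report "$1" "$(date +%s)" /var/tmp/reported-ips.state 86400; then
#       ...send the report for "$1"...
#   fi
```

A suppressed call does not refresh the stored timestamp, so the window is measured from the last report that was actually sent. The function does no locking, so a wrapper that may run concurrently needs to serialize calls itself.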
