Hi Dirk, hi List,

On 10.08.2017 21:34, Dirk wrote:
> As far as I know the functionality of Fail2Ban is old. If there were a Linux distribution which enables this, I would like to talk to the maintainer and let him know that he should at least try to read the correct abuse entry from RIPE instead of bothering our provider as well.
I took a look into the Fail2ban source code [0] today. Although I now have a better understanding of how Fail2ban works, I cannot really pin down the source of the problem.
* The feature that causes abuse mails is called 'complain' [1].
* Since Feb 2014 Fail2ban has been using a web service called abusix.com [2] to get abuse contacts. They run a DNS-based abuse contact info service, e.g. the abuse contact for example.com / 93.184.216.34 looks like this:

    $ dig +short TXT 34.216.184.93.abuse-contacts.abusix.org

* As a response they provide one abuse mail contact, which in our case is always our ISP's abuse address. abusix.com in turn gets its information from the RIPE API [3], e.g.:

    curl https://stat.ripe.net/data/abuse-contact-finder/data.json?resource=93.184.21...
This answers the question of why Fail2ban is using our ISP's abuse contact instead of only ours. It also answers the question of how they get this abuse contact. But in all those samples the abuse notice was sent to our ISP's abuse contact and to ours. So far I cannot say why they use both contacts.
From checking the source I cannot find the whois lookup that would parse our abuse contact out of our RIPE object record.

I also checked the commit history for the following keywords:

    abuse: last occurrence 19. Feb 2014
    whois: last occurrence 27. Mar 2015
    mail : nothing related in the last two years
My findings let me assume that Fail2ban itself is not necessarily the source of our problem (increasing 22/ssh abuse mails).

Other possible causes of the problem could be:
* Fail2ban OS-specific configuration files
* a (new?) popular Fail2ban how-to guide which promotes the 'complain' configuration
* Maybe neither of them changed anything and we just had bad luck in the past weeks?
Maybe someone else has real-world experience with Fail2ban and can help us out here?

I posted all this to the list in the hope that it will help someone else in the future.

Regards,
Pascal

[0] https://github.com/fail2ban/fail2ban
[1] https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/complain.conf
[2] https://github.com/fail2ban/fail2ban/commit/31f4ea59cb86fb91221778902b7e6776...
[3] https://github.com/fail2ban/fail2ban/issues/612
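The lookup Pascal describes (reversed IP octets under abuse-contacts.abusix.org, one TXT answer carrying the abuse mailbox) is easy to reproduce from the defender's side, which is the quickest way for an operator to see which contact a 'complain'-enabled Fail2ban installation will actually mail for a given address. The script below is an added example written for this thread; it is not Fail2ban's own code, not abusix's, and it reproduces only the IPv4 query format shown in the post. The IPv6 branch (reversed nibbles, ip6.arpa style) and the comma-separated multi-contact TXT format are assumptions, and the sample answer in the `__main__` block is constructed, not a real abusix response. The default resolver shells out to `dig +short TXT` exactly as in the post; a resolver callable can be injected so the parsing logic can be exercised offline.

```python
import ipaddress
import subprocess
from typing import Callable, List

# Zone shown in the original post (dig +short TXT 34.216.184.93.abuse-contacts.abusix.org)
ABUSIX_ZONE = "abuse-contacts.abusix.org"


def abusix_query_name(ip: str) -> str:
    """Build the DNS name the 'complain' action looks up for a reported address.

    IPv4: octets reversed, exactly as in the post (93.184.216.34 -> 34.216.184.93.<zone>).
    IPv6: reversed nibbles as in ip6.arpa (assumption: abusix follows the PTR convention).
    Raises ValueError for anything that is not an IP address, so a hostname or a
    log fragment never turns into a bogus DNS query.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # .exploded gives eight zero-padded groups; drop the colons and reverse every nibble
        labels = list(addr.exploded.replace(":", "")[::-1])
    return ".".join(labels) + "." + ABUSIX_ZONE


def parse_txt_contacts(txt_records: List[str]) -> List[str]:
    """Turn raw TXT strings into an ordered, de-duplicated list of abuse mailboxes.

    `dig +short` prints each TXT record wrapped in double quotes. Several
    mailboxes in one record are assumed to be comma-separated.
    """
    contacts: List[str] = []
    for record in txt_records:
        record = record.strip().strip('"')
        for item in record.split(","):
            item = item.strip().lower()
            if item and "@" in item and item not in contacts:
                contacts.append(item)
    return contacts


def dig_txt(name: str) -> List[str]:
    """Default resolver: run the same dig command as in the post (needs network)."""
    result = subprocess.run(
        ["dig", "+short", "TXT", name], capture_output=True, text=True, check=False
    )
    return [line for line in result.stdout.splitlines() if line.strip()]


def lookup_abuse_contacts(
    ip: str, resolver: Callable[[str], List[str]] = dig_txt
) -> List[str]:
    """Which mailbox(es) would a 'complain' notice for this address be sent to?"""
    return parse_txt_contacts(resolver(abusix_query_name(ip)))


def contact_is_published(
    ip: str, expected: str, resolver: Callable[[str], List[str]] = dig_txt
) -> bool:
    """Defender's check: is our own abuse mailbox among the published contacts
    for one of our addresses, or only the upstream ISP's (the thread's symptom)?"""
    return expected.strip().lower() in lookup_abuse_contacts(ip, resolver)


if __name__ == "__main__":
    # Constructed sample answer for offline use; not a real abusix response.
    def fake_resolver(name: str) -> List[str]:
        return ['"abuse@example-isp.invalid,abuse@example.com"']

    print(abusix_query_name("93.184.216.34"))
    print(lookup_abuse_contacts("93.184.216.34", fake_resolver))
    print(contact_is_published("93.184.216.34", "abuse@example.com", fake_resolver))
```

Run it without arguments to see the constructed case; call `lookup_abuse_contacts("<your address>")` on a host with `dig` installed to see the live answer for your own prefix. If only the ISP's mailbox comes back, the fix lies in the RIPE object's abuse-c data that abusix mirrors, not in Fail2ban's configuration.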