Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fail2ban old versions can't get ban status by IP #22

Open
WKnak opened this issue Jun 26, 2024 · 4 comments
Open

fail2ban old versions can't get ban status by IP #22

WKnak opened this issue Jun 26, 2024 · 4 comments

Comments

@WKnak
Copy link
Owner

WKnak commented Jun 26, 2024

Some early versions of fail2ban cannot get the ban status directly from querying the IP. Example using fail2ban 0.11.1:

# fail2ban-client get sasl 194.169.175.0
2024-06-26 11:49:56,525 fail2ban                [2066492]: ERROR   NOK: ('Invalid command (no get action or not yet implemented)',)
Invalid command (no get action or not yet implemented)

But it is possible to get a list of all banned IP addresses in the jail using a different command, the last comma (,) is the separator character:

# fail2ban-client get sasl banip ,
194.169.175.0,194.169.176.10

FIX: It is not ideal to change the current implementation to always request the list instead of querying single IP, since it seems not efficient. But maybe instead create a constant for old behavior/compatibility with older fail2ban versions. Of course, upgrading to a new version of fail2ban will be better.

  • The IP addresses are obfuscated.
@WKnak
Copy link
Owner Author

WKnak commented Jun 26, 2024

It was implemented in fail2ban in this commit here:

fail2ban/fail2ban@54b2208?diff=unified&w=0#diff-b4fbc111cce5736af3c42e545e0db9dcff9606c1b72dbbc50fe7bb7ff620fd92

WKnak added a commit that referenced this issue Jun 26, 2024
@WKnak
add compatibility to older versions of fail2ban #22
a01f103
@WKnak WKnak mentioned this issue Jun 26, 2024
Closed
@pbiering
Copy link
Collaborator

@WKnak : can it be that you missed banned in your test between jail and IP?

Can you confirm that 0.11.1 behaves different to 0.11.2 (which is the version of EPEL7)

fail2ban-client --version
Fail2Ban v0.11.2

fail2ban-client set example-jail banip 1.2.3.5
1

fail2ban-client get example-jail banned 1.2.3.5
1

# test for a not banned IP:
fail2ban-client get example-jail banned 1.2.3.6
0

@WKnak
Copy link
Owner Author

WKnak commented Jun 27, 2024
edited
Loading

fail2ban-client -V
0.11.1

fail2ban-client set sasl banip 1.2.3.5
1

fail2ban-client get sasl banned 1.2.3.5
2024-06-27 15:39:33,774 fail2ban [2503816]: ERROR NOK: ('Invalid command (no get action or not yet implemented)',)

test for a not banned IP:
fail2ban-client get sasl banned 1.2.3.6
2024-06-27 15:39:38,417 fail2ban [2503823]: ERROR NOK: ('Invalid command (no get action or not yet implemented)',

@WKnak
Copy link
Owner Author

WKnak commented Jun 27, 2024

So it behaves different from 0.11.1 to 0.11.2 ... well it is already implemented, though, so in theory it is also compatible with older Fail2Ban versions now. I don't have a good environment to test, or to develop. The most important question in this implementatino is that it is now raising an exception. If you think there are better ways to refactor, please let me know or send your commits too! Thanks in advance!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@WKnak @pbiering