fail2ban rule not working

Server: Ubuntu 16.04
Hosting Company: Strato
Virtualization: Virtuozzo
Fail2Ban v0.9.3

Fail2ban, the log-file scanner for Linux servers, has the advantage of being simple to configure and effective in operation. Running it on a VPS (Virtual Private Server), one can come across the problem that a firewall rule is not working because of limitations imposed by the host of the server.

Fail2ban itself does not block anything. It reads the log files specified in the jail files, compares them to stored patterns and writes rules to the iptables firewall. The number of rules that can be written to iptables can be limited by the host. If this is the case, it can happen that even though the fail2ban rule is working, the ban is not applied (written to iptables) because the limit has been reached.

This can happen (own experience) if the jail has a very long bantime.

Example:

[postfix-auth]
enabled  = true
port     = smtp,ssmtp
filter   = postfix-auth
# action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 2
bantime = 31536000
findtime = 3600

Note the bantime = 31536000. That means the offending IP is banned for a complete year (31536000 is one year in seconds). As said before, the banning is not done by fail2ban but in the iptables firewall. If there is a limit on the number of IPs that can be stored, sooner or later the table is “full” and will not accept any more bans that fail2ban comes up with.

How to find out:

egrep "numiptent|failcnt" /proc/user_beancounters

The results:

uid  resource   held    maxheld  barrier    limit    failcnt
numiptent       157     157      2000       2000        0

Interpretation: The maximum number of iptables entries that can be stored is 2000 (the barrier and limit columns). The current count (held) is 157. If the limit is maxed out, every rejected entry is counted in the failcnt column.
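As an added example (not from the original post), a small POSIX shell check that parses the numiptent line the egrep above prints and reports whether the container's iptables-entry limit is near or exhausted. It assumes the Virtuozzo/OpenVZ column order resource, held, maxheld, barrier, limit, failcnt; the sample lines are constructed, the first one matching the numbers in the post.

```shell
#!/bin/sh
# Added example: report how close a Virtuozzo/OpenVZ container is to its
# numiptent barrier, the limit that silently drops fail2ban's iptables bans.
# Assumed column layout of /proc/user_beancounters resource lines:
#   resource held maxheld barrier limit failcnt

# Constructed sample lines (the first reproduces the post's output).
SAMPLE_OK='numiptent       157     157      2000       2000        0'
SAMPLE_FULL='numiptent      2000    2000      2000       2000       42'

# check_numiptent INPUT [WARN_PERCENT]
# Prints "STATE held/barrier failcnt=N"; returns 0 (OK), 1 (WARN), 2 (FULL), 3 (UNKNOWN).
check_numiptent() {
    input=$1
    warn_pct=${2:-80}
    # Extract held, barrier and failcnt from the numiptent line (word splitting intended).
    set -- $(printf '%s\n' "$input" | awk '$1 == "numiptent" { print $2, $4, $6 }')
    [ $# -eq 3 ] || { echo "UNKNOWN numiptent line not found"; return 3; }
    held=$1 barrier=$2 failcnt=$3
    if [ "$failcnt" -gt 0 ]; then
        # The kernel has already refused at least one entry: bans fail2ban
        # issued after that point never reached iptables.
        echo "FULL $held/$barrier failcnt=$failcnt"
        return 2
    fi
    if [ $((held * 100)) -ge $((barrier * warn_pct)) ]; then
        # Above the warning threshold: long bantimes will fill the rest.
        echo "WARN $held/$barrier failcnt=$failcnt"
        return 1
    fi
    echo "OK $held/$barrier failcnt=$failcnt"
    return 0
}

# Stand-alone use: read the live counters on a container, else the samples.
if [ -r /proc/user_beancounters ]; then
    check_numiptent "$(cat /proc/user_beancounters)" || true
else
    check_numiptent "$SAMPLE_OK" || true
    check_numiptent "$SAMPLE_FULL" || true
fi
```

The non-zero exit status of the WARN and FULL states makes the function usable from cron or a monitoring check, so a filling table is noticed before bans start to be dropped.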