This repository has been archived by the owner on Nov 23, 2021. It is now read-only.

Site can't be reached #116

Closed
zedrickvillas opened this issue Nov 20, 2016 · 21 comments

Comments

@zedrickvillas

It seems that something is blocking if an IP is visiting the site too much but not spamming.
Is it because of fail2ban?

@carlalexander
Owner

How often? It's possible that it's fail2ban. I configured fail2ban with some crude ddos protection.

@zedrickvillas
Author

Yes, I've tried to stop fail2ban via SSH, and was now able to access the site.
Why do you think I was locked by fail2ban?
I was just configuring some settings at that time.

@cezarneaga

@zedrickvillas check this here: #81 (comment)

It helped me.

@carlalexander
Owner

carlalexander commented Nov 21, 2016

It's probably the ddos rule. It bans someone for 2 hours if they spam requests. The default is 300 requests in 5 minutes. You can override the defaults if you want. Or turn off that jail.

@cezarneaga

You mean line 60
fail2ban_bantime: '{{ (60 * 60 * 2) }}'
in debops.fail2ban/defaults/main.yml,
right?

@cezarneaga

I just had a look here and the # Default mail notification method
fail2ban_mta: 'sendmail'
Shouldn't this be postfix? Are you setting it elsewhere to postfix? I never get fail2ban emails.

@carlalexander
Owner

The default fail2ban action is action_ which bans without alerting by email. The sendmail uses postfix so it works. To get emails, you need to set this option:

wordpress__fail2ban__default_action: 'action_mwl'

It will send those emails to root@domain.com so that needs to be a valid address.

The DDOS settings start at line 170:

# .. envvar:: wordpress__fail2ban__jail_ddos_action
#
# Action performed by ``fail2ban`` when IP address is banned by the DDOS jail.
wordpress__fail2ban__jail_ddos_action: '{{ wordpress__fail2ban__default_action }}'

# .. envvar:: wordpress__fail2ban__jail_ddos_bantime
#
# Length of time in seconds for the DDOS jail ban to persist. (Default: 2 hours)
wordpress__fail2ban__jail_ddos_bantime: '{{ wordpress__fail2ban__default_bantime }}'

# .. envvar:: wordpress__fail2ban__jail_ddos_enabled
#
# Whether the DDOS jail is enabled or not.
wordpress__fail2ban__jail_ddos_enabled: 'true'

# .. envvar:: wordpress__fail2ban__jail_ddos_findtime
#
# Length of time in seconds under which the given ``maxretry`` needs to happen
# to trigger a DDOS ban. (Default: 5 minutes)
wordpress__fail2ban__jail_ddos_findtime: '300'

# .. envvar:: wordpress__fail2ban__jail_ddos_maxretry
#
# Maximum number of requests in the given ``findtime`` to trigger a DDOS ban.
wordpress__fail2ban__jail_ddos_maxretry: '300'
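
A simplified model of the threshold these settings describe (300 matches within 300 seconds, 2-hour ban), added here as an example and not code from fail2ban or from this repository. The traffic pattern, the documentation-range IP addresses and all function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _count(hits, ts, findtime):
    """Add ts to the per-IP window, expire entries older than findtime seconds."""
    hits.append(ts)
    while hits[0] < ts - timedelta(seconds=findtime):
        hits.popleft()
    return len(hits)


def simulate_jail(events, maxretry=300, findtime=300, bantime=7200):
    """Replay time-sorted (timestamp, ip) events; return [(ban, ip, unban), ...].

    Simplified model (assumption): a ban fires once maxretry matches fall
    inside findtime seconds, and a banned IP's requests are not counted.
    """
    window, banned_until, bans = defaultdict(deque), {}, []
    for ts, ip in events:
        if ts < banned_until.get(ip, ts):
            continue
        if _count(window[ip], ts, findtime) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ts, ip, banned_until[ip]))
            window[ip].clear()
    return bans


def peak_per_window(events, findtime=300):
    """Highest request count each IP reaches in any findtime-second window."""
    window, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in events:
        peak[ip] = max(peak[ip], _count(window[ip], ts, findtime))
    return dict(peak)


def sample_events():
    """Constructed traffic: a short admin burst and a steady visitor."""
    start = datetime(2016, 11, 22, 10, 0, 0)
    admin = [(start + timedelta(seconds=0.5 * i), "203.0.113.7") for i in range(320)]
    visitor = [(start + timedelta(seconds=2 * i), "198.51.100.20") for i in range(600)]
    return sorted(admin + visitor)


if __name__ == "__main__":
    for ban, ip, unban in simulate_jail(sample_events()):
        print(f"{ip} banned at {ban.time()} until {unban.time()}")
    print(peak_per_window(sample_events()))
```

Replaying timestamps and client IPs from a real access log through `peak_per_window` gives the per-IP peak to compare against `wordpress__fail2ban__jail_ddos_maxretry` before changing it.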

@cezarneaga

Thanks.
Did you ever find that fail2ban logs are empty, or with 2-3 entries?
Is this the correct location? /var/log/fail2ban.log
Where do I find the jails?

@cezarneaga

cezarneaga commented Nov 22, 2016

I got banned just by updating plugins from wp-admin and deleting files through FTP. SSH is blocked too.

@carlalexander
Owner

Mine's pretty sparse too, but I don't get many alerts either. It looks like this:

2016-11-14 23:56:43,535 fail2ban.actions        [20251]: NOTICE  [sshd] Ban 66.190.239.132
2016-11-15 01:56:43,938 fail2ban.actions        [20251]: NOTICE  [sshd] Unban 66.190.239.132
2016-11-20 05:21:44,249 fail2ban.actions        [20251]: NOTICE  [sshd] Ban 43.228.156.99

@zedrickvillas
Author

Can we adjust the fail2ban conditions before blocking an IP?

@carlalexander
Owner

What do you mean? Like a whitelist?

@zedrickvillas
Author

Nope, like lessen the criteria for fail2ban to block an IP.
Sorry for the late reply, I was busy for a while.

@carlalexander
Owner

Yep, you can lessen the criteria. Do you know which jail is banning you?

@zedrickvillas
Author

I've deleted my droplet that has this problem.
Will update you when I encounter this problem again.

@jbicha

jbicha commented Jan 1, 2017

Can you provide specific instructions for how to disable fail2ban?

Please reconsider enabling fail2ban by default. See my complaints on this other issue.

@carlalexander
Owner

I think the major issue is the firewall more than fail2ban. I have fail2ban emails enabled on my site and it doesn't block as aggressively.

@jbicha

jbicha commented Jan 7, 2017

Yes, I think it's ferm that's causing me problems.

@carlalexander
Owner

Maybe we should see with @drybjed if debops.ferm should be this aggressive about blocking ssh connections. I'm not sure disabling SYN is the right solution.

@carlalexander
Owner

I think we've gone to the root of this issue. Can we close it @zedrickvillas?

@carlalexander
Owner

Closing this for now. Feel free to reopen if you still have issues @zedrickvillas! 😄
