[BlueOnyx:25972] Re: Blueonyx 5210R - firewalld is blocking let's encrypt

Michael Stauber mstauber at blueonyx.it
Tue Feb 14 13:48:50 -05 2023


Hi Dirk,

> Do you have a tip for me on what exactly I can look for in the fail2ban.log?
> What keywords could I search for?
> Or of course in one of the other two logs?

Yeah, you don't have much to go by. It would be easier if you knew the 
IP of the LE server that tried to make the connection, but you don't 
have it. So we have to do this by time stamps and time frames:

[Mon Feb 13 03:49:33 CET 2023] www.domain.de:Verify error:123.456.78.90: Fetching http://www.domain.de/.well-known/acme-challenge/GT4WUNBge2I3GjR3GpDDmOBhIEF0sT2qCkwbO577c8w: Timeout during connect (likely firewall problem)

So LE tried to verify at that date and time.

Now check your Fail2ban config in the GUI and see what "Bantime" you
have configured. The default is 600 seconds, or 10 minutes. If you're
operating on that default, then the event that blocked the access should
have happened between 03:39:33 and 03:49:33 on Feb 13.

This grep fetches all events between 03:30:00 and 03:49:59 on Feb 13
from the fail2ban.log:

cat /var/log/fail2ban.log|grep -e '2023-02-13 03:3' -e '2023-02-13 03:4'

You're then looking for any INFO or NOTICE entry related to bans. Like 
these for example:

2023-02-14 13:42:23,625 fail2ban.filter         [3862545]: INFO [sshd] Found 167.71.166.90 - 2023-02-14 13:42:23
2023-02-14 13:42:23,745 fail2ban.actions        [3862545]: NOTICE [sshd] Ban 167.71.166.90

That tells us that IP 167.71.166.90 triggered the [sshd] related rules 
(in my example above) and got banned.

-- 
With best regards

Michael Stauber
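
Added example, not part of the message above and not BlueOnyx code: a small Python filter that applies the same time-window reasoning to fail2ban.log, listing the bans issued within one Bantime before the failed Let's Encrypt check and dropping any that were already lifted by an Unban entry. The sample log lines, IP addresses and the function name bans_active_at are constructed for illustration, and it assumes the Let's Encrypt client log and fail2ban.log use the same local time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in fail2ban.log layout (not taken from a real host).
SAMPLE_LOG = """\
2023-02-13 03:31:02,114 fail2ban.filter         [3862545]: INFO    [sshd] Found 198.51.100.7 - 2023-02-13 03:31:02
2023-02-13 03:31:02,230 fail2ban.actions        [3862545]: NOTICE  [sshd] Ban 198.51.100.7
2023-02-13 03:41:02,310 fail2ban.actions        [3862545]: NOTICE  [sshd] Unban 198.51.100.7
2023-02-13 03:41:17,625 fail2ban.filter         [3862545]: INFO    [apache-auth] Found 203.0.113.25 - 2023-02-13 03:41:17
2023-02-13 03:41:17,745 fail2ban.actions        [3862545]: NOTICE  [apache-auth] Ban 203.0.113.25
2023-02-13 03:52:10,300 fail2ban.actions        [3862545]: NOTICE  [sshd] Ban 192.0.2.44
"""

# Only the fail2ban.actions NOTICE lines record an actual Ban or Unban.
ACTION_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[([^\]]+)\]\s+(Ban|Unban)\s+(\S+)"
)

def bans_active_at(log_text, failure_time, bantime=600):
    """Return sorted (ban_time, jail, ip) tuples for bans issued at most
    `bantime` seconds before `failure_time` and not unbanned before it."""
    window_start = failure_time - timedelta(seconds=bantime)
    active = {}
    for line in log_text.splitlines():  # log is in chronological order
        m = ACTION_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if ts > failure_time:
            continue  # happened after the failed check, cannot be the cause
        jail, action, ip = m.group(2), m.group(3), m.group(4)
        if action == "Ban" and ts >= window_start:
            active[(jail, ip)] = ts
        elif action == "Unban":
            active.pop((jail, ip), None)
    return sorted((ts, jail, ip) for (jail, ip), ts in active.items())

if __name__ == "__main__":
    # Failure time from the Let's Encrypt client log line, 600 s default Bantime.
    failure = datetime(2023, 2, 13, 3, 49, 33)
    for ts, jail, ip in bans_active_at(SAMPLE_LOG, failure):
        print(f"{ts}  [{jail}]  {ip}")
```

On a real host, pass the contents of /var/log/fail2ban.log and the Bantime configured in the GUI instead of the sample values.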
