# fail2ban + iptables "already banned"

## Philippe23

Hey, I'm looking for suggestions of what I might have misconfigured.  I get a fair amount of these from fail2ban:

> Feb 28 12:15:01 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 49.48.2.132 already banned
> 
> Feb 28 12:50:50 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 113.193.130.89 already banned
> 
> Feb 28 18:46:56 localhost fail2ban.actions[4327]: INFO [courier-iptables] 95.163.107.210 already banned

I get them for pretty much all of my jail rules.  Here's my jail.local, minus the comments:

> [DEFAULT]
> 
> ignoreip = 127.0.0.1
> 
> bantime  = 28800
> ...

And my iptables INPUT chain:

> Chain INPUT (policy DROP)
> 
> target     prot opt source               destination
> 
> fail2ban-COURIER  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
> ...

Anybody see what I'm missing?

----------

## 666threesixes666

your perception is what is off.....  the ip is already banned, and they are attacking more, and fail2ban is trying to ban them again but they are already banned.

----------

## Philippe23

That sure makes it sound like something is wrong, since they shouldn't be able to try again ... they're banned.  It appears the ban is not being very effective for some reason in my setup.

----------

## 666threesixes666

mmmm this brings up the point that our fail2ban wiki article needs sites to provide test attacks.....  you fix it, I'm sick of fixing that thing...

----------

## Hu

If you suspect something is wrong with your filter rules, then please show them.  Use iptables-save -c.

----------

## Philippe23

I think I figured it out.  I had multiple iptables actions for each rule, and they all had the same name but different ports.  I think that was causing only the first (or last) to be created.  I switched to iptables-multiport instead.  I'm going to see how that goes.

----------

## Philippe23

Yeah, that seemed to have fixed it.  I haven't had an "already banned" message since I made the change 20+ days ago.

----------
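An added example, not part of the original thread: a small checker that flags the condition Philippe23 describes, a jail listing the single-port `iptables` action more than once with the same `name=`. The jail contents below are constructed for illustration (the poster's real jail.local is elided above), and the function names are hypothetical.

```python
import configparser
import re
from collections import defaultdict

# Constructed jail.local fragment (not the poster's file): the first jail
# repeats the single-port "iptables" action with one name=, the second jail
# covers all of its ports with a single iptables-multiport action.
SAMPLE_JAIL_LOCAL = """
[sasl-iptables]
enabled = true
filter  = sasl
action  = iptables[name=SASL, port=smtp, protocol=tcp]
          iptables[name=SASL, port=465, protocol=tcp]

[courier-iptables]
enabled = true
filter  = courierlogin
action  = iptables-multiport[name=COURIER, port="pop3,pop3s,imap,imaps", protocol=tcp]
"""

ACTION_RE = re.compile(r'^(?P<action>[\w.-]+)\[(?P<params>.*)\]$')
PARAM_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')

def parse_actions(value):
    """Yield (action, params dict) for each line of a jail's action option."""
    for line in value.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            params = {k: v.strip().strip('"')
                      for k, v in PARAM_RE.findall(m['params'])}
            yield m['action'], params

def find_name_collisions(text):
    """Return {jail: {(action, name): [ports]}} for names used more than once."""
    # interpolation=None: leave %(...)s references in real files untouched.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = {}
    for jail in cfg.sections():
        seen = defaultdict(list)
        for action, params in parse_actions(cfg.get(jail, 'action', fallback='')):
            seen[(action, params.get('name'))].append(params.get('port'))
        dupes = {key: ports for key, ports in seen.items() if len(ports) > 1}
        if dupes:
            findings[jail] = dupes
    return findings
```

Pass the text of a real jail.local to `find_name_collisions()`; an empty result means no jail reuses an action name across ports.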

## 666threesixes666

migrate to sshguard, fail2ban is producing false negatives.....  I made a wiki of sshguard

https://wiki.gentoo.org/wiki/Sshguard

----------

