On 2020-05-06 15:31 BST, Jozsef Kadlecsik wrote:

> Maybe the fail2ban rule is applied both for http and https, while the
> rule with the ipset matching is http only?

The log file that fail2ban monitors is the log for http requests only. No other service writes to that log. The ipset is for http only.

I'm unclear about the import of your question though: by the time of the http request at 04:22 fail2ban had done its thing and was no longer involved. fail2ban had put the address into the ipset but netfilter, for reasons I don't understand, apparently ignored it.

--
Nick