I'm setting up a fail2ban jail for my Zimbra mail server.
I have:
cat /etc/fail2ban/jail.local
...
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-ipset-proto6-allports[name=zimbra-recipient]
         sendmail[name=zimbra-recipient, [email protected]]
logpath = /var/log/zimbra.log
loglevel = 2
findtime = 604800
bantime = 604800
maxretry = 3
...
When I test it, it looks like it works OK:
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/zimbra.conf
Use log file : /var/log/zimbra.log
Results
=======
Failregex: 153 total
|- #) [# of hits] regular expression
| 8) [17] NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:.*$
| 9) [17] NOQUEUE: reject: RCPT from .*\[<HOST>\]: 450 4.1.8 .*: Sender address rejected: Domain not found;.*$
| 12) [119] NOQUEUE: reject: RCPT from .*\[<HOST>\]: .*TLD not accepted.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [21334] MONTH Day Hour:Minute:Second
`-
Lines: 21334 lines, 0 ignored, 153 matched, 21181 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 21181 lines
And I get the results added to the ipset:
ipset -L fail2ban-zimbra-recipient
Name: fail2ban-zimbra-recipient
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 17944
References: 1
Members:
104.140.56.134 timeout 371
104.140.56.136 timeout 372
104.140.56.132 timeout 371
104.140.56.119 timeout 374
104.140.56.142 timeout 375
107.158.235.5 timeout 373
104.194.243.124 timeout 372
107.158.247.150 timeout 372
104.140.56.117 timeout 374
107.158.235.6 timeout 374
104.140.56.115 timeout 374
95.211.141.219 timeout 374
104.194.243.123 timeout 373
104.140.56.130 timeout 371
107.158.235.4 timeout 373
88.198.107.34 timeout 375
107.158.247.148 timeout 376
104.194.243.126 timeout 373
But if I just restart fail2ban, it wipes all those out and doesn't rescan them:
service fail2ban restart
* Restarting authentication failure monitor fail2ban
WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
...done.
ipset -L fail2ban-zimbra-recipient
Name: fail2ban-zimbra-recipient
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16504
References: 1
Members:
If I redo the
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf
the addresses all get re-added to the ipset -- until the next fail2ban restart.
I thought that on restart fail2ban was supposed to rescan the logs it uses and
re-add the results.
Did I misconfigure something? I'm not really sure what to even look for; I
thought I followed the docs. I'd appreciate a suggestion!
Roger
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
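Added example (not from Roger's post and not fail2ban's own code): a small Python replay of the jail's counting rule, using the three failregex lines and the findtime/maxretry/bantime values from the post above, run over a few constructed zimbra.log lines. It reports which hosts would cross maxretry inside the findtime window and the ban expiry each would get, which is the same decision fail2ban makes before it touches the ipset. The expansion of <HOST> into a plain IP capture group, the year (syslog timestamps carry none), and the sample log lines are assumptions made for this example. Comparing the computed expiry against the per-member timeout values in the ipset listing is a quick check that the action's ban length actually matches the jail's bantime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters, taken from the jail.local in the post above.
FINDTIME = 604800   # seconds (7 days)
BANTIME = 604800    # seconds (7 days)
MAXRETRY = 3

# The three failregex lines that fail2ban-regex reported hits for.
# fail2ban expands <HOST> itself with a more elaborate pattern; here it is
# replaced by a simple IPv4/IPv6 capture group (an assumption for this example).
HOST = r"(?P<host>[0-9a-fA-F.:]+)"
FAILREGEX = [
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:.*$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 450 4.1.8 .*: Sender address rejected: Domain not found;.*$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: .*TLD not accepted.*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Syslog timestamp at the start of each line ("MONTH Day Hour:Minute:Second",
# the date template fail2ban-regex reported). The year is not in the log.
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log (not real traffic). Documentation IP ranges only.
# 192.0.2.8:     three hits, but spread over 9 days -> only two fall in findtime
# 198.51.100.10: three hits within seconds -> banned
# 203.0.113.77:  two rejections, only one of which matches a failregex
SAMPLE_LOG = """\
Jan 1 09:00:00 mail postfix/smtpd[1901]: NOQUEUE: reject: RCPT from unknown[192.0.2.8]: 554 5.7.1 <x@example.xyz>: Sender address rejected: TLD not accepted; from=<x@example.xyz>
Jan 5 09:00:00 mail postfix/smtpd[1955]: NOQUEUE: reject: RCPT from unknown[192.0.2.8]: 554 5.7.1 <y@example.xyz>: Sender address rejected: TLD not accepted; from=<y@example.xyz>
Jan 10 08:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.10]: 550 5.1.1 <nobody@example.test>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@example.test>
Jan 10 08:00:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.10]: 550 5.1.1 <nobody2@example.test>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@example.test>
Jan 10 08:00:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.10]: 450 4.1.8 <x@nxdomain.invalid>: Sender address rejected: Domain not found; from=<x@nxdomain.invalid>
Jan 10 08:05:00 mail postfix/smtpd[2102]: 3A1B2C3D4E: client=mta.example.test[203.0.113.5]
Jan 10 08:06:00 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 <a@example.test>: Relay access denied; from=<b@example.test>
Jan 10 08:07:00 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <a@example.test>: Recipient address rejected: User unknown in virtual mailbox table; from=<b@example.test>
Jan 10 09:00:00 mail postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[192.0.2.8]: 554 5.7.1 <z@example.xyz>: Sender address rejected: TLD not accepted; from=<z@example.xyz>
"""


def parse_line(line, year=2015):
    """Return (timestamp, host) if the line matches a failregex, else None.

    `year` is assumed because syslog timestamps do not include it.
    """
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def simulate_jail(lines, findtime=FINDTIME, maxretry=MAXRETRY,
                  bantime=BANTIME, year=2015):
    """Replay log lines through the jail's counting rule.

    Returns (bans, hits): bans maps host -> ban expiry as an ISO 8601 string,
    hits maps host -> total number of matched failure lines.
    """
    window = defaultdict(deque)   # host -> timestamps of recent failures
    hits = defaultdict(int)
    bans = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host = parsed
        hits[host] += 1
        if host in bans:
            continue  # already banned for the rest of this replay
        recent = window[host]
        recent.append(ts)
        # Failures older than findtime no longer count toward maxretry.
        while recent and (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            bans[host] = (ts + timedelta(seconds=bantime)).isoformat()
    return bans, dict(hits)


if __name__ == "__main__":
    bans, hits = simulate_jail(SAMPLE_LOG.splitlines())
    for host, n in sorted(hits.items()):
        print(f"{host:16} hits={n:<3} ban_expires={bans.get(host, '-')}")
```

Widening findtime (for instance to ten days) makes 192.0.2.8 cross maxretry on its third hit, which is the easiest way to see how the window and the counter interact for a given host.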