What version of Fail2ban are you using? Iirc, the rescan stuff wasn't added until 0.9.0
Also, as a general note, it can take some time after restart for bans within the bantime to get re-added (rescan entire log, etc).

On 01/19/2015 03:18 PM, [email protected] wrote:
> I'm setting up a fail2ban jail for my Zimbra mail server.
>
> I have
>
> cat /etc/fail2ban/jail.local
>
> ...
> [zimbra-recipient]
> enabled = true
> filter = zimbra
> action = iptables-ipset-proto6-allports[name=zimbra-recipient]
>          sendmail[name=zimbra-recipient, [email protected]]
> logpath = /var/log/zimbra.log
> loglevel = 2
> findtime = 604800
> bantime = 604800
> maxretry = 3
> ...
>
> When I test it, it looks like it works ok:
>
> fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf
>
> Running tests
> =============
>
> Use failregex file : /etc/fail2ban/filter.d/zimbra.conf
> Use log file : /var/log/zimbra.log
>
>
> Results
> =======
>
> Failregex: 153 total
> |- #) [# of hits] regular expression
> | 8) [17] NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:.*$
> | 9) [17] NOQUEUE: reject: RCPT from .*\[<HOST>\]: 450 4.1.8 .*: Sender address rejected: Domain not found;.*$
> | 12) [119] NOQUEUE: reject: RCPT from .*\[<HOST>\]: .*TLD not accepted.*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [21334] MONTH Day Hour:Minute:Second
> `-
>
> Lines: 21334 lines, 0 ignored, 153 matched, 21181 missed
> Missed line(s):: too many to print. Use --print-all-missed to print all 21181 lines
>
> And I get the results added in the ipset:
>
> ipset -L fail2ban-zimbra-recipient
> Name: fail2ban-zimbra-recipient
> Type: hash:ip
> Revision: 2
> Header: family inet hashsize 1024 maxelem 65536 timeout 600
> Size in memory: 17944
> References: 1
> Members:
> 104.140.56.134 timeout 371
> 104.140.56.136 timeout 372
> 104.140.56.132 timeout 371
> 104.140.56.119 timeout 374
> 104.140.56.142 timeout 375
> 107.158.235.5 timeout 373
> 104.194.243.124 timeout 372
> 107.158.247.150 timeout 372
> 104.140.56.117 timeout 374
> 107.158.235.6 timeout 374
> 104.140.56.115 timeout 374
> 95.211.141.219 timeout 374
> 104.194.243.123 timeout 373
> 104.140.56.130 timeout 371
> 107.158.235.4 timeout 373
> 88.198.107.34 timeout 375
> 107.158.247.148 timeout 376
> 104.194.243.126 timeout 373
>
> But if I just restart fail2ban, it wipes all those out, and doesn't rescan them:
>
> service fail2ban restart
>  * Restarting authentication failure monitor fail2ban
> WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
>    ...done.
>
> ipset -L fail2ban-zimbra-recipient
> Name: fail2ban-zimbra-recipient
> Type: hash:ip
> Revision: 2
> Header: family inet hashsize 1024 maxelem 65536 timeout 600
> Size in memory: 16504
> References: 1
> Members:
>
> If I redo the
>
> fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf
>
> the addresses all get re-added to the ipset -- until the next fail2ban restart.
>
> I thought on restart fail2ban was supposed to rescan the logs it uses, and re-add results.
>
> Did I misconfigure something? I'm not really sure what to look for the problem even -- I thought I followed the docs. I'd appreciate a suggestion!
>
> Roger
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy. Lower latency. Increased capacity. Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
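The restart behaviour the thread is about comes down to how a jail replays its log: each host's failures are counted inside a sliding `findtime` window, a ban is placed at the `maxretry`-th failure, and on a full rescan only bans whose `bantime` has not yet run out are worth putting back into the set. The script below is an added example written for this page; it is not code from fail2ban or from either poster. It takes the three failregex lines from the fail2ban-regex output quoted above (expanding `<HOST>` the way fail2ban does), runs them over a constructed Zimbra/Postfix log that uses TEST-NET addresses, and reports which hosts should still be banned when the jail is restarted at a given time. The year assumed for the year-less syslog timestamps, the sample log lines, the `scan`/`scan_sample` names and the simplified sliding-window model are all assumptions of the example, not fail2ban's actual implementation.

```python
import re
from datetime import datetime, timedelta

# Assumed year for the year-less syslog timestamps (fail2ban assumes the current year).
LOG_YEAR = 2015

# fail2ban's expansion of the <HOST> placeholder (plain or IPv4-mapped address).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines listed in the fail2ban-regex output quoted above.
FAILREGEXES = [
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:.*$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 450 4.1.8 .*: Sender address rejected: Domain not found;.*$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: .*TLD not accepted.*$",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEXES]

# "MONTH Day Hour:Minute:Second" date template, the syslog hostname, then the message.
SYSLOG_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (.*)$")

# Constructed sample log (TEST-NET addresses, not the poster's data). It covers:
#   198.51.100.7  three rejects two weeks ago       -> banned, but the ban has expired
#   192.0.2.10    three rejects within ten seconds  -> banned, still active at restart
#   192.0.2.20    two rejects                       -> below maxretry
#   203.0.113.5   three rejects spread over 18 days -> never three inside findtime
SAMPLE_LOG = """\
Jan  1 00:00:00 mail postfix/smtpd[1901]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
Jan  5 10:00:10 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
Jan  5 10:00:20 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
Jan  5 10:00:30 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
Jan 10 00:00:00 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.8 <spam@nx.invalid>: Sender address rejected: Domain not found; from=<spam@nx.invalid> to=<user@example.com> proto=ESMTP helo=<x>
Jan 19 10:00:00 mail postfix/smtpd[2200]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.7.1 <bob@example.zz>: TLD not accepted; from=<a@example.net> to=<bob@example.zz> proto=ESMTP helo=<x>
Jan 19 14:00:01 mail postfix/smtpd[2233]: connect from unknown[192.0.2.10]
Jan 19 14:00:01 mail postfix/smtpd[2233]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
Jan 19 14:00:05 mail postfix/smtpd[2233]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <spam@nx.invalid>: Sender address rejected: Domain not found; from=<spam@nx.invalid> to=<user@example.com> proto=ESMTP helo=<x>
Jan 19 14:00:09 mail postfix/smtpd[2233]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 <bob@example.zz>: TLD not accepted; from=<a@example.net> to=<bob@example.zz> proto=ESMTP helo=<x>
Jan 19 14:05:00 mail postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
Jan 19 14:05:03 mail postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>
"""


def parse_failure(line):
    """Return (timestamp, host) when a line matches one of the failregexes, else None."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    for rx in COMPILED:
        hit = rx.search(m.group(2))
        if hit:
            return ts, hit.group("host")
    return None


def scan(lines, now, findtime=604800, maxretry=3, bantime=604800):
    """Replay the log as a jail does on a full rescan, up to the restart time `now`.

    A host is banned at its maxretry-th failure inside a sliding findtime window.
    Returns {host: seconds of ban left at `now`} for bans that have not expired.
    """
    window = {}     # host -> failure timestamps still inside findtime
    ban_until = {}  # host -> when the ban placed for that host expires
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if ts > now:
            continue  # written after the restart being modelled
        if host in ban_until and ts < ban_until[host]:
            continue  # fail2ban reports "already banned" and places no second ban
        recent = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        if len(recent) >= maxretry:
            ban_until[host] = ts + timedelta(seconds=bantime)
            recent = []
        window[host] = recent
    return {h: int((exp - now).total_seconds()) for h, exp in ban_until.items() if exp > now}


def scan_sample(now="Jan 19 15:18:00", **jail):
    """Run scan() over the constructed log; defaults are the jail settings from the post."""
    restart_at = datetime.strptime(now, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return scan(SAMPLE_LOG.splitlines(), restart_at, **jail)


if __name__ == "__main__":
    for host, left in sorted(scan_sample().items()):
        print(f"{host} timeout {left}")
```

Two things this makes visible that the post alone does not: a host whose three rejects are spread over more than `findtime` is never banned at all, and with `bantime=600` nothing placed more than ten minutes before the restart survives it. That second case is worth checking here, because the ipset listing quoted above shows `timeout 600` on the set and member timeouts of roughly 370 seconds rather than the jail's 604800. If memory serves, the iptables-ipset-proto6 actions of that era created the set with the action's own `bantime` parameter (default 600) rather than the jail's value, so the longer timeout had to be passed on the action line, for example `iptables-ipset-proto6-allports[name=zimbra-recipient, bantime=604800]`; confirm against the `actionstart` line in the action file actually installed before relying on that.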
