Hi, I'm still experiencing problems. Fail2ban crashes; when I run /usr/local/etc/rc.d/fail2ban status, it shows as 'not running'. I then change fail2ban.conf to dbfile = None and it works. No crashes at all.
I also have to set 'usedns = no' or I get many issues with 0.0.x.x IP addresses that are not even in my maillog. Maybe this is something to do with an invalid PTR? This config seems to work OK, but I always see issues with IP addresses that just don't turn up in the logs. Or, if I use the fail2ban.sqlite3 db, it shows in the logs as 'Found x.x.x.x' but then I do ipfw table 1 list | grep x.x.x.x and there is nothing. For example:

2015-07-30 07:22:11,233 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:22:11,234 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:22:17,604 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:22:17,605 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:27:47,653 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:27:47,654 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:27:48,396 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:27:48,396 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:27:51,775 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:27:51,775 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:31:00,757 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:32:48,125 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:32:48,126 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:40:04,709 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:40:04,710 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:29,693 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:29,694 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:32,765 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:32,766 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:40,946 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:40,947 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:50,987 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:50,988 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:55,744 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:55,744 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:40:02,841 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:40:02,842 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:40:20,869 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:40:20,870 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181

Here's a snippet from my mail log:

Jul 30 09:46:22 th41-mailfilter-v4 smf-spf[82404]: SPF none: 118.80.72.181, [118.80.72.181], 181.72.80.118.adsl-pool.sx.cn, <[email protected]>
Jul 30 09:46:22 th41-mailfilter-v4 smf-spf[82404]: SPF none: 118.80.72.181, [118.80.72.181], 181.72.80.118.adsl-pool.sx.cn, <[email protected]>
Jul 30 09:46:22 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient
Jul 30 09:46:23 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient
Jul 30 09:46:24 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient

Here's the test:

fail2ban-regex 'Jul 30 09:46:24 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient' /usr/local/etc/fail2ban/filter.d/mailboxdisabled.conf

Running tests
=============

Use   failregex filter file : mailboxdisabled, basedir: /usr/local/etc/fail2ban
Use         single line : Jul 30 09:46:24 th41-mailfilter-v4 sm-mta-in[84999...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   2) [1] \[<HOST>\].*Mailbox disabled for this recipient
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]

ipfw table 1 list | grep 118.80.72.181
#
#

I never got this problem with older versions of fail2ban.

pkg info | grep fail
py27-fail2ban-0.9.2            Scans log files and bans IP that makes too many password failures

uname -a
FreeBSD th41-mailfilter-v4.fast.net.uk 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64

Here's my config in case you need it (I've taken out a couple of /24 subnets from my 'addignoreip'. Also, yes, I want to ban instantly, hence the 'maxretry' 0):

fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'loglevel', 'INFO']
['set', 'dbpurgeage', 86400]
['set', 'dbfile', 'None']
['add', 'sendmail', 'auto']
['set', 'sendmail', 'usedns', 'no']
['set', 'sendmail', 'addlogpath', '/var/log/maillog', 'head']
['set', 'sendmail', 'maxretry', 0]
['set', 'sendmail', 'addignoreip', '127.0.0.1/8']
['set', 'sendmail', 'logencoding', 'auto']
['set', 'sendmail', 'bantime', 604800]
['set', 'sendmail', 'ignorecommand', '']
['set', 'sendmail', 'findtime', 604800]
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] .*to MTA']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.*\\.\\.\\. Relaying denied']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] \\(may be forged\\), reject.* Domain of sender']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject\\=451 4.1.8 Domain of sender address']
['set', 'sendmail', 'addfailregex', 'IP name lookup failed \\[<HOST>\\]']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\]\\, discard']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] \\(may be forged\\), discard']
['set', 'sendmail', 'addfailregex', 'send this email <HOST> is blacklisted']
['set', 'sendmail', 'addfailregex', '(User unknown)\\n* \\[<HOST>\\]']
['set', 'sendmail', 'addfailregex', 'badlogin: .* \\[<HOST>\\] plaintext .* SASL']
['set', 'sendmail', 'addfailregex', 'Infected message .* came from <HOST>']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] \\(may be forged\\)\\, reject\\=452 4.3.2 Connection rate limit exceeded.']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.* Rejected']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.* Relaying temporarily denied']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\]\\,\\ reject\\=452 4.3.2 Connection rate limit exceeded.']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.* Rejected']
['set', 'sendmail', 'addfailregex', 'Infected message .* came from <HOST>']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\]\\: possible SMTP attack\\:']
['set', 'sendmail', 'addfailregex', 'Rejected\\, look at http.*ip\\=<HOST>']
['set', 'sendmail', 'addfailregex', 'SPF fail\\: <HOST>']
['set', 'sendmail', 'addfailregex', 'relay\\=\\[<HOST>\\].*Mailbox disabled for this recipient']
['set', 'sendmail', 'addfailregex', '\\[<HOST>\\].*Mailbox disabled for this recipient']
['set', 'sendmail', 'addignoreregex', '127.0.0.1']
['set', 'sendmail', 'addaction', 'bsd-ipfw']
['set', 'sendmail', 'action', 'bsd-ipfw', 'actionban', 'e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists\' ] || { echo "$e" 1>&2; exit $x; }']
['set', 'sendmail', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )']
['set', 'sendmail', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q \'table(<table>)\' || ( ipfw show | awk \'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }\'; num=$?; ipfw -q add $num <blocktype> <block> from table\\(<table>\\) to me <port>; echo $num > "<startstatefile>" )']
['set', 'sendmail', 'action', 'bsd-ipfw', 'actionunban', 'e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process\' ] || { echo "$e" 1>&2; exit $x; }']
['set', 'sendmail', 'action', 'bsd-ipfw', 'actioncheck', '']
['set', 'sendmail', 'action', 'bsd-ipfw', 'protocol', 'tcp']
['set', 'sendmail', 'action', 'bsd-ipfw', 'name', 'sendmail']
['set', 'sendmail', 'action', 'bsd-ipfw', 'chain', 'INPUT']
['set', 'sendmail', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_<table>']
['set', 'sendmail', 'action', 'bsd-ipfw', 'table', '1']
['set', 'sendmail', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
['set', 'sendmail', 'action', 'bsd-ipfw', 'port', '0:65535']
['set', 'sendmail', 'action', 'bsd-ipfw', 'block', 'ip']
['set', 'sendmail', 'action', 'bsd-ipfw', 'bantime', '604800']
['add', 'mailboxdisabled', 'auto']
['set', 'mailboxdisabled', 'usedns', 'no']
['set', 'mailboxdisabled', 'addlogpath', '/var/log/maillog', 'head']
['set', 'mailboxdisabled', 'maxretry', 0]
['set', 'mailboxdisabled', 'addignoreip', '127.0.0.1/8']
['set', 'mailboxdisabled', 'logencoding', 'auto']
['set', 'mailboxdisabled', 'bantime', 604800]
['set', 'mailboxdisabled', 'ignorecommand', '']
['set', 'mailboxdisabled', 'findtime', 604800]
['set', 'mailboxdisabled', 'addfailregex', 'relay\\=\\[<HOST>\\].*Mailbox disabled for this recipient']
['set', 'mailboxdisabled', 'addfailregex', '\\[<HOST>\\].*Mailbox disabled for this recipient']
['set', 'mailboxdisabled', 'addignoreregex', '127.0.0.1']
['set', 'mailboxdisabled', 'addaction', 'bsd-ipfw']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionban', 'e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists\' ] || { echo "$e" 1>&2; exit $x; }']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q \'table(<table>)\' || ( ipfw show | awk \'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }\'; num=$?; ipfw -q add $num <blocktype> <block> from table\\(<table>\\) to me <port>; echo $num > "<startstatefile>" )']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionunban', 'e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process\' ] || { echo "$e" 1>&2; exit $x; }']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actioncheck', '']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'protocol', 'tcp']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'name', 'mailboxdisabled']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'chain', 'INPUT']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_<table>']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'table', '1']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'port', '0:65535']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'block', 'ip']
['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'bantime', '604800']
['start', 'sendmail']
['start', 'mailboxdisabled']

Am I doing something wrong?
Thanks,
Rich

-----Original Message-----
From: Matthias Fechner [mailto:[email protected]]
Sent: 08 May 2015 16:29
To: Christoph Theis <[email protected]>; Patrick Gibson <[email protected]>
Cc: [email protected]
Subject: Re: [Fail2ban-users] Fail2ban just stops on FreeBSD

On 08.05.2015 at 09:23, Christoph Theis wrote:
> fail2ban 0.9.2 is now available for FreeBSD.

Great news, I have upgraded all my servers; let's see what the logfiles will tell me over the next days.

Regards
Matthias

--
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
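A cross-check for the mismatch Rich reports above (fail2ban.log saying "Found x.x.x.x" while "ipfw table 1 list" shows nothing). This is an added example, not fail2ban's code and not from anyone in the thread: it parses fail2ban.log "Found"/"Ban" lines and an ipfw table listing, models the jail's ban decision from maxretry/findtime (a simplified assumption, not fail2ban's exact logic), and reports IPs that were due for a ban but never logged as banned, and IPs the log considers banned that are missing from the firewall table. The log lines and the table listing are constructed samples in the formats quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the /var/log/fail2ban.log format quoted in the post
# (three "Found" hits for one IP, one hit plus a "Ban" line for another).
F2B_LOG = """\
2015-07-30 07:22:11,233 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 07:22:17,604 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:39:29,693 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
2015-07-30 09:41:00,000 fail2ban.filter [70889]: INFO [sendmail] Found 203.0.113.7
2015-07-30 09:41:00,100 fail2ban.actions [70889]: NOTICE [sendmail] Ban 203.0.113.7
"""
# Constructed `ipfw table 1 list` output ("addr/mask value" per line); only one IP is present.
IPFW_TABLE = "203.0.113.7/32 0\n"

FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.filter\s+\[\d+\]: "
    r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")

def expected_bans(log, maxretry=0, findtime=604800):
    """Assumed model (not fail2ban's own logic): a (jail, ip) is due for a ban once it
    has >= max(maxretry, 1) 'Found' hits inside the findtime window."""
    hits = defaultdict(list)
    due = set()
    for line in log.splitlines():
        m = FOUND_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        key = (m.group("jail"), m.group("ip"))
        # drop hits that fell out of the findtime window, then add this one
        hits[key] = [t for t in hits[key] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(hits[key]) >= max(maxretry, 1):
            due.add(key)
    return due

def logged_bans(log):
    """(jail, ip) pairs for which the log records a Ban line."""
    return {(m.group("jail"), m.group("ip")) for m in map(BAN_RE.search, log.splitlines()) if m}

def table_ips(listing):
    """IPs present in an `ipfw table N list` listing."""
    return {line.split()[0].split("/")[0] for line in listing.splitlines() if line.strip()}

def audit(log, listing, maxretry=0, findtime=604800):
    """Return (due-but-never-banned pairs, IPs due or banned per the log but absent from the table)."""
    due, banned, in_table = expected_bans(log, maxretry, findtime), logged_bans(log), table_ips(listing)
    never_banned = sorted(due - banned)
    not_in_firewall = sorted({ip for (_, ip) in due | banned if ip not in in_table})
    return never_banned, not_in_firewall
```

Run audit() against the real /var/log/fail2ban.log and the output of "ipfw table 1 list" with the jail's maxretry and findtime; a non-empty first list points at the filter/action stage, a non-empty second list at the ipfw action itself.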
