https://bugzilla.redhat.com/show_bug.cgi?id=1242146
Patrick Sefton <[email protected]> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |[email protected]

--
You are receiving this mail because:
You reported the bug.

On Thu, 2015-07-30 at 08:57 +0000, Richard Mealing wrote:
> Hi,
>
> I'm still experiencing problems. Fail2ban crashes, when I run
> /usr/local/etc/rc.d/fail2ban status - shows as 'not running'.
> I then change fail2ban.conf to dbfile = None and it works. No crashes at all.
>
> I also have to 'usedns = no' or I get many issues with 0.0.x.x IP addresses
> that are not even in my maillog. Maybe this is something to do with invalid
> ptr?
>
> This config seems to work ok, but I always see issues with IP addresses that
> just don't turn up in the logs. Or if I use fail2ban.sqlite3 db it shows in
> the logs as 'Found x.x.x.x' but then I do ipfw table 1 list | grep x.x.x.x
> and there is nothing.
> For example -
>
> 2015-07-30 07:22:11,233 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:22:11,234 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:22:17,604 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:22:17,605 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:27:47,653 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:27:47,654 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:27:48,396 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:27:48,396 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:27:51,775 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:27:51,775 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:31:00,757 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:32:48,125 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:32:48,126 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:40:04,709 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 07:40:04,710 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:29,693 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:29,694 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:32,765 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:32,766 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:40,946 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:40,947 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:50,987 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:50,988 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:55,744 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:39:55,744 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:40:02,841 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:40:02,842 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:40:20,869 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
> 2015-07-30 09:40:20,870 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181
>
> Here's a snippet from my mail log -
>
> Jul 30 09:46:22 th41-mailfilter-v4 smf-spf[82404]: SPF none: 118.80.72.181, [118.80.72.181], 181.72.80.118.adsl-pool.sx.cn, <[email protected]>
> Jul 30 09:46:22 th41-mailfilter-v4 smf-spf[82404]: SPF none: 118.80.72.181, [118.80.72.181], 181.72.80.118.adsl-pool.sx.cn, <[email protected]>
> Jul 30 09:46:22 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient
> Jul 30 09:46:23 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient
> Jul 30 09:46:24 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient
>
> Here's the test -
>
> fail2ban-regex 'Jul 30 09:46:24 th41-mailfilter-v4 sm-mta-in[84999]: t6U8jfci084999: ruleset=check_rcpt, arg1=<[email protected]>, relay=181.72.80.118.adsl-pool.sx.cn [118.80.72.181] (may be forged), reject=550 5.2.1 <[email protected]>... Mailbox disabled for this recipient' /usr/local/etc/fail2ban/filter.d/mailboxdisabled.conf
>
> Running tests
> =============
>
> Use failregex filter file : mailboxdisabled, basedir: /usr/local/etc/fail2ban
> Use single line : Jul 30 09:46:24 th41-mailfilter-v4 sm-mta-in[84999...
>
>
> Results
> =======
>
> Failregex: 1 total
> |- #) [# of hits] regular expression
> | 2) [1] \[<HOST>\].*Mailbox disabled for this recipient
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
> Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
>
>
> ipfw table 1 list | grep 118.80.72.181
> #
> #
>
>
> I never got this problem with older versions of fail2ban.
>
> pkg info | grep fail
> py27-fail2ban-0.9.2 Scans log files and bans IP that makes too many password failures
> uname -a
> FreeBSD th41-mailfilter-v4.fast.net.uk 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
>
> Here's my config in case you need it (I've taken out a couple of /24 subnets
> from my 'addignoreip' - Also yes I want to ban instantly, hence the
> 'maxretry' 0) -
>
> fail2ban-client -d
> ['set', 'syslogsocket', 'auto']
> ['set', 'logtarget', '/var/log/fail2ban.log']
> ['set', 'loglevel', 'INFO']
> ['set', 'dbpurgeage', 86400]
> ['set', 'dbfile', 'None']
> ['add', 'sendmail', 'auto']
> ['set', 'sendmail', 'usedns', 'no']
> ['set', 'sendmail', 'addlogpath', '/var/log/maillog', 'head']
> ['set', 'sendmail', 'maxretry', 0]
> ['set', 'sendmail', 'addignoreip', '127.0.0.1/8']
> ['set', 'sendmail', 'logencoding', 'auto']
> ['set', 'sendmail', 'bantime', 604800]
> ['set', 'sendmail', 'ignorecommand', '']
> ['set', 'sendmail', 'findtime', 604800]
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] .*to MTA']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.*\\.\\.\\. Relaying denied']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] \\(may be forged\\), reject.* Domain of sender']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject\\=451 4.1.8 Domain of sender address']
> ['set', 'sendmail', 'addfailregex', 'IP name lookup failed \\[<HOST>\\]']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\]\\, discard']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] \\(may be forged\\), discard']
> ['set', 'sendmail', 'addfailregex', 'send this email <HOST> is blacklisted']
> ['set', 'sendmail', 'addfailregex', '(User unknown)\\n* \\[<HOST>\\]']
> ['set', 'sendmail', 'addfailregex', 'badlogin: .* \\[<HOST>\\] plaintext .* SASL']
> ['set', 'sendmail', 'addfailregex', 'Infected message .* came from <HOST>']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\] \\(may be forged\\)\\, reject\\=452 4.3.2 Connection rate limit exceeded.']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.* Rejected']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.* Relaying temporarily denied']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\]\\,\\ reject\\=452 4.3.2 Connection rate limit exceeded.']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\], reject.* Rejected']
> ['set', 'sendmail', 'addfailregex', 'Infected message .* came from <HOST>']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\]\\: possible SMTP attack\\:']
> ['set', 'sendmail', 'addfailregex', 'Rejected\\, look at http.*ip\\=<HOST>']
> ['set', 'sendmail', 'addfailregex', 'SPF fail\\: <HOST>']
> ['set', 'sendmail', 'addfailregex', 'relay\\=\\[<HOST>\\].*Mailbox disabled for this recipient']
> ['set', 'sendmail', 'addfailregex', '\\[<HOST>\\].*Mailbox disabled for this recipient']
> ['set', 'sendmail', 'addignoreregex', '127.0.0.1']
> ['set', 'sendmail', 'addaction', 'bsd-ipfw']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'actionban', 'e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists\' ] || { echo "$e" 1>&2; exit $x; }']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q \'table(<table>)\' || ( ipfw show | awk \'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }\'; num=$?; ipfw -q add $num <blocktype> <block> from table\\(<table>\\) to me <port>; echo $num > "<startstatefile>" )']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'actionunban', 'e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process\' ] || { echo "$e" 1>&2; exit $x; }']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'actioncheck', '']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'protocol', 'tcp']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'name', 'sendmail']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'chain', 'INPUT']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_<table>']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'table', '1']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'port', '0:65535']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'block', 'ip']
> ['set', 'sendmail', 'action', 'bsd-ipfw', 'bantime', '604800']
> ['add', 'mailboxdisabled', 'auto']
> ['set', 'mailboxdisabled', 'usedns', 'no']
> ['set', 'mailboxdisabled', 'addlogpath', '/var/log/maillog', 'head']
> ['set', 'mailboxdisabled', 'maxretry', 0]
> ['set', 'mailboxdisabled', 'addignoreip', '127.0.0.1/8']
> ['set', 'mailboxdisabled', 'logencoding', 'auto']
> ['set', 'mailboxdisabled', 'bantime', 604800]
> ['set', 'mailboxdisabled', 'ignorecommand', '']
> ['set', 'mailboxdisabled', 'findtime', 604800]
> ['set', 'mailboxdisabled', 'addfailregex', 'relay\\=\\[<HOST>\\].*Mailbox disabled for this recipient']
> ['set', 'mailboxdisabled', 'addfailregex', '\\[<HOST>\\].*Mailbox disabled for this recipient']
> ['set', 'mailboxdisabled', 'addignoreregex', '127.0.0.1']
> ['set', 'mailboxdisabled', 'addaction', 'bsd-ipfw']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionban', 'e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists\' ] || { echo "$e" 1>&2; exit $x; }']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q \'table(<table>)\' || ( ipfw show | awk \'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }\'; num=$?; ipfw -q add $num <blocktype> <block> from table\\(<table>\\) to me <port>; echo $num > "<startstatefile>" )']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actionunban', 'e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = \'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process\' ] || { echo "$e" 1>&2; exit $x; }']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'actioncheck', '']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'protocol', 'tcp']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'name', 'mailboxdisabled']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'chain', 'INPUT']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_<table>']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'table', '1']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'port', '0:65535']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'block', 'ip']
> ['set', 'mailboxdisabled', 'action', 'bsd-ipfw', 'bantime', '604800']
> ['start', 'sendmail']
> ['start', 'mailboxdisabled']
>
>
> Am I doing something wrong?
>
>
> Thanks,
> Rich
>
> -----Original Message-----
> From: Matthias Fechner [mailto:[email protected]]
> Sent: 08 May 2015 16:29
> To: Christoph Theis <[email protected]>; Patrick Gibson <[email protected]>
> Cc: [email protected]
> Subject: Re: [Fail2ban-users] Fail2ban just stops on FreeBSD
>
> On 08.05.2015 at 09:23, Christoph Theis wrote:
> > fail2ban 0.9.2 is now available for FreeBSD.
>
> Great news, I have upgraded all my servers, let's see what the logfiles will
> tell me the next days.
>
> Regards
> Matthias
>
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
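
The manual check in the message above (a `Found` line in fail2ban.log, then grepping `ipfw table 1 list`) can be scripted to separate "the filter matched but no ban was issued" from "a ban was logged but the firewall table lacks the address". This is an added example, not part of the original message or of fail2ban; the `Ban`/`Unban` log line format and the `addr/mask value` table output format are assumptions, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# "Found" follows the log format quoted above; the Ban/Unban format is an assumption.
EVENT_RE = re.compile(r"fail2ban\.\w+\s*\[\d+\]:\s+\w+\s+\[[^\]]+\]\s+"
                      r"(?P<event>Found|Ban|Unban)\s+(?P<ip>[0-9A-Fa-f.:]+)\s*$")
# First line is from the message; the other lines and TABLE are constructed samples.
LOG = [
    "2015-07-30 07:22:11,233 fail2ban.filter [70889]: INFO [sendmail] Found 118.80.72.181",
    "2015-07-30 07:23:00,000 fail2ban.filter [70889]: INFO [sendmail] Found 192.0.2.10",
    "2015-07-30 07:23:00,100 fail2ban.actions [70889]: NOTICE [sendmail] Ban 192.0.2.10",
    "2015-07-30 07:24:00,000 fail2ban.filter [70889]: INFO [sendmail] Found 198.51.100.7",
    "2015-07-30 07:24:00,100 fail2ban.actions [70889]: NOTICE [sendmail] Ban 198.51.100.7",
]
TABLE = "192.0.2.10/32 0\n"  # assumed `ipfw table 1 list` format: addr/mask value

def parse_table(text):  # networks in the table output; unparsable lines are skipped
    nets = []
    for line in text.splitlines():
        try:
            nets.append(ip_network(line.split()[0], strict=False))
        except (IndexError, ValueError):
            continue
    return nets

def audit(log_lines, table_text):
    """Map each IP the filter matched to (found_count, verdict)."""
    found, banned = defaultdict(int), set()
    for m in filter(None, map(EVENT_RE.search, log_lines)):
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # token looked like an address but is not one
        if m["event"] == "Found":
            found[ip] += 1
        elif m["event"] == "Ban":
            banned.add(ip)
        else:
            banned.discard(ip)
    nets = parse_table(table_text)
    result = {}
    for ip, count in found.items():
        in_table = any(ip in net for net in nets)
        verdict = ("blocked" if in_table else
                   "ban logged, missing from table" if ip in banned else
                   "matched, never banned")
        result[str(ip)] = (count, verdict)
    return result
```

A "matched, never banned" verdict points at the jail's ban decision, while "ban logged, missing from table" points at the `actionban` command or the table number.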
