On Tue, Sep 08, 2015 at 11:17:07AM -0700, Paul Dillon wrote:
> John,
>
> Thanks for your reply. I guess fail2ban is working correctly. When I researched
> the issue further, I see that (in some instances) there is a subsequent entry
> after the ban in the postfix logs. However, I haven’t seen any banned IPs
> having more than one entry after the ban notice.
>
> I’m not sure why there would be an extra entry in the logs if the IP is blocked
> at the firewall but it’s not a problem.
>
> Here’s an example.
>
> From /var/log/messages
>
> Sep 8 10:26:33 mail fail2ban.actions[2834]: NOTICE [postfix] Ban xxx.66.110.xx
>
> From /var/log/maillog
>
> Sep 8 10:31:34 mail postfix/smtpd[27076]: timeout after DATA from unknown [xxx.66.110.xx]
> Sep 8 10:31:34 mail postfix/smtpd[27076]: disconnect from unknown [xxx.66.110.xx]
Ah, that's normal. When Fail2ban bans an IP, it creates a rule blocking that IP from making a new connection. What it DOESN'T do is:

* stop established connections (which means that if you have an attacker connected to some service, cracking passwords, they may continue to attempt passwords unless the service disconnects them after X failed attempts)
* kick the user from the service

Now, it IS possible to add actions to do this (depending on the service: there might be some sort of "kick" or "kill-user" action which you can perform, or you might just configure the service to kick the user after X failures).

In your case, it looks like the communications DO stop after the ban and postfix is just letting you know that it gave up waiting for the banned user to continue talking.

> From: John Fawcett [mailto:[email protected]]
> Sent: Sunday, September 6, 2015 12:55 PM
> To: [email protected]
> Subject: Re: [Fail2ban-users] fail2ban not actually banning IP addresses
>
> Paul
>
> the tables look ok.
>
> can you give an example of what is being logged and how long it happens after
> the ban?
>
> best regards,
> John
>
> On 09/06/2015 09:16 PM, Paul Dillon wrote:
> > Hi,
> >
> > This is probably a simple error on my part but I can’t get fail2ban to
> > block IP addresses listed in iptables.
> >
> > CentOS release 6.7 (Final)
> > Fail2ban 0.9.2-1.el6
> >
> > I have edited jail.local (only enabling postfix, dovecot and postfix-sasl
> > and changing ban time to 3600). Fail2ban is detecting offenders and editing
> > iptables. However, during the ban period, the offending IP addresses are
> > still showing up in /var/log/maillog.
> >
> > Prior to installing fail2ban, I had configured the firewall with the
> > terminal user interface (launched by typing “setup” at the command line).
> > The ACCEPT entries for ports 80 thru 587 came from the TUI. My knowledge of
> > iptables is limited but I have learned to add blocking entries above the
> > TUI ACCEPT entries for them to work.
> >
> > So perhaps the fail2ban REJECT entries should be above the ACCEPT entries
> > or maybe fail2ban isn’t restarting the network.
> >
> > I have tried removing the ACCEPT entries for 25 993 995 110 143 587 by
> > stopping fail2ban, saving iptables, restarting the network, then restarting
> > fail2ban, but 25 993 995 110 143 587 are then all blocked by the firewall.
> >
> > What have I done wrong?
> >
> > Regards,
> >
> > -paul
> >
> > [root@mail ~]# iptables -L -n
> > Chain INPUT (policy ACCEPT)
> > target           prot opt source          destination
> > f2b-postfix-sasl tcp  --  0.0.0.0/0       0.0.0.0/0       multiport dports 25,465,587,220,993,110,995
> > f2b-dovecot      tcp  --  0.0.0.0/0       0.0.0.0/0       multiport dports 110,995,143,993,587,465,4190
> > f2b-postfix      tcp  --  0.0.0.0/0       0.0.0.0/0       multiport dports 25,465,587
> > ACCEPT           all  --  0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
> > ACCEPT           icmp --  0.0.0.0/0       0.0.0.0/0
> > ACCEPT           all  --  0.0.0.0/0       0.0.0.0/0
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:80
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:443
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:25
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:53
> > ACCEPT           udp  --  0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:53
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:993
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:995
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:xxxxx (my ssh port)
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:110
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:143
> > ACCEPT           tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:587
> > REJECT           all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-prohibited
> >
> > Chain FORWARD (policy ACCEPT)
> > target           prot opt source          destination
> > REJECT           all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-prohibited
> >
> > Chain OUTPUT (policy ACCEPT)
> > target           prot opt source          destination
> >
> > Chain f2b-dovecot (1 references)
> > target           prot opt source          destination
> > RETURN           all  --  0.0.0.0/0       0.0.0.0/0
> >
> > Chain f2b-postfix (1 references)
> > target           prot opt source          destination
> > RETURN           all  --  0.0.0.0/0       0.0.0.0/0
> >
> > Chain f2b-postfix-sasl (1 references)
> > target           prot opt source          destination
> > REJECT           all  --  xxx.xxx.xx.125  0.0.0.0/0       reject-with icmp-port-unreachable
> > REJECT           all  --  xx.xx.xxx.60    0.0.0.0/0       reject-with icmp-port-unreachable
> > REJECT           all  --  xxx.xx.xx.234   0.0.0.0/0       reject-with icmp-port-unreachable
> > RETURN           all  --  0.0.0.0/0       0.0.0.0/0
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
For more information, please reread.
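A small checker, added here as an example and not part of the thread or of Fail2ban itself, that automates the comparison Paul did by hand: it pairs each fail2ban `Ban` notice from /var/log/messages with the banned IP's later postfix entries and reports only activity that is not the teardown of a session that was already open when the ban landed (the timeout/disconnect pair described in the reply above). The log lines are constructed (RFC 5737 test addresses), and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread; IPs are RFC 5737 test addresses.
MESSAGES = """\
Sep  8 10:26:33 mail fail2ban.actions[2834]: NOTICE [postfix] Ban 192.0.2.10
Sep  8 10:40:01 mail fail2ban.actions[2834]: NOTICE [postfix-sasl] Ban 198.51.100.7
"""
MAILLOG = """\
Sep  8 10:20:05 mail postfix/smtpd[27076]: connect from unknown[192.0.2.10]
Sep  8 10:31:34 mail postfix/smtpd[27076]: timeout after DATA from unknown[192.0.2.10]
Sep  8 10:31:34 mail postfix/smtpd[27076]: disconnect from unknown[192.0.2.10]
Sep  8 10:41:10 mail postfix/smtpd[27090]: connect from unknown[198.51.100.7]
Sep  8 10:41:12 mail postfix/smtpd[27090]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
Sep  8 10:41:15 mail postfix/smtpd[27091]: connect from unknown[198.51.100.7]
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
BAN_RE = re.compile(TS + r" \S+ fail2ban\.actions\[\d+\]: NOTICE \[\S+\] Ban (\S+)$")
MAIL_RE = re.compile(TS + r" \S+ postfix/\w+\[\d+\]: (.*?\[(\d+(?:\.\d+){3})\].*)$")
# Postfix messages that only close out a connection that was open before the ban.
TEARDOWN = ("timeout after", "disconnect from", "lost connection after")

def parse_ts(stamp, year=2015):
    """Syslog stamps carry no year; the year is assumed (fixed here for the sample)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def ban_times(messages):
    """Map each banned IP to the time of its first Ban notice."""
    bans = {}
    for line in messages.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans.setdefault(m.group(2), parse_ts(m.group(1)))
    return bans

def post_ban_activity(messages, maillog):
    """Return {ip: [(seconds_after_ban, postfix_message), ...]} for banned IPs whose later
    postfix entries are NOT just the teardown of an already-open session."""
    bans = ban_times(messages)
    findings = {}
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if not m or m.group(3) not in bans:
            continue
        delta = (parse_ts(m.group(1)) - bans[m.group(3)]).total_seconds()
        if delta < 0 or m.group(2).startswith(TEARDOWN):
            continue  # logged before the ban, or the expected teardown afterwards
        findings.setdefault(m.group(3), []).append((int(delta), m.group(2)))
    return findings
```

With the sample data, 192.0.2.10 produces no finding (only the pre-ban connect and the post-ban timeout/disconnect), while 198.51.100.7 is reported three times because new connections keep arriving after its ban, which is the pattern that would show a ban not taking effect.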
