On 09/09/2015 01:09 PM, Darac Marjal wrote:
> On Tue, Sep 08, 2015 at 11:17:07AM -0700, Paul Dillon wrote:
>> John,
>>
>> Thanks for your reply. I guess fail2ban is working correctly. When I
>> researched the issue further, I see that (in some instances) there is a
>> subsequent entry after the ban in the postfix logs. However, I haven’t seen
>> any banned IPs having more than one entry after the ban notice.
>>
>> I’m not sure why there would be an extra entry in the logs if the IP is
>> blocked at the firewall but it’s not a problem.
>>
>> Here’s an example.
>>
>> From /var/log/messages
>>
>> Sep  8 10:26:33 mail fail2ban.actions[2834]: NOTICE [postfix] Ban xxx.66.110.xx
>>
>> From /var/log/maillog
>>
>> Sep  8 10:31:34 mail postfix/smtpd[27076]: timeout after DATA from unknown[xxx.66.110.xx]
>> Sep  8 10:31:34 mail postfix/smtpd[27076]: disconnect from unknown[xxx.66.110.xx]
> Ah, that's normal. When Fail2ban bans an IP, it creates a rule blocking
> that IP from making a new connection. What it DOESN'T do is:
>
>  * stop established connections (which means that if you have an attacker
>    connected to some service, cracking passwords, they may continue to
>    attempt passwords unless the service disconnects them after X failed
>    attempts)
>
>  * kick the user from the service

That's not correct. The fail2ban rule will stop all traffic whether
established or new.

The reason there is the further log entry with timestamp after the
block is that postfix will eventually time out waiting for data
which cannot be received from the blocked IP. The timestamp
of this is when postfix logs the problem. It does not mean that
further traffic has been let through up to that time.

>
> Now, it IS possible to add actions to do this (depending on the service.
> There might be some sort of "kick" or "kill-user" action which you can
> perform, or you might just configure the service to kick the user after
> X failures).
>
> In your case, it looks like the communications DO stop after the ban and
> postfix is just letting you know that it gave up waiting for the banned
> user to continue talking.
>
>
>
>>  
>>
>> From: John Fawcett [mailto:[email protected]]
>> Sent: Sunday, September 6, 2015 12:55 PM
>> To: [email protected]
>> Subject: Re: [Fail2ban-users] fail2ban not actually banning IP addresses
>>
>>  
>>
>> Paul
>>
>> the tables look ok.
>>
>> can you give an example of what is being logged and how long it happens after
>> the ban?
>>
>> best regards,
>> John
>>
>> On 09/06/2015 09:16 PM, Paul Dillon wrote:
>>
>>     Hi,
>>
>>      
>>
>>     This is probably a simple error on my part but I can’t get fail2ban to
>>     block IP addresses listed in iptables.
>>
>>      
>>
>>     CentOS release 6.7 (Final)
>>
>>     Fail2ban 0.9.2-1.el6
>>
>>      
>>
>>     I have edited jail.local (only enabling postfix, dovecot and postfix-sasl
>>     and changing ban time to 3600). Fail2ban is detecting offenders and
>>     editing iptables. However, during the ban period, the offending IP
>>     addresses are still showing up in /var/log/maillog.
>>
>>     Prior to installing fail2ban, I had configured the firewall with the
>>     terminal use interface (launched by typing “setup” at the command line).
>>     The ACCEPT entries for ports 80 thru 587 came from the TUI. My knowledge
>>     of iptables is limited but I have learned to add blocking entries above
>>     the TUI ACCEPT entries for them to work.
>>
>>     So perhaps the fail2ban REJECT entries should be above the ACCEPT entries
>>     or maybe fail2ban isn’t restarting the network.
>>
>>     I have tried removing the ACCEPT entries for 25 993 995 110 143 587 by
>>     stopping fail2ban, saving iptables, restarting the network then restarting
>>     fail2ban, but 25 993 995 110 143 587 are then all blocked by the firewall.
>>
>>      
>>
>>     What have I done wrong?
>>
>>      
>>
>>     Regards,
>>
>>      
>>
>>     -paul
>>
>>      
>>
>>     [root@mail ~]# iptables -L -n
>>
>>     Chain INPUT (policy ACCEPT)
>>     target     prot opt source               destination
>>     f2b-postfix-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25,465,587,220,993,110,995
>>     f2b-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993,587,465,4190
>>     f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25,465,587
>>     ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>     ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
>>     ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
>>     ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:xxxxx (my ssh port)
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
>>     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
>>     REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>>
>>     Chain FORWARD (policy ACCEPT)
>>     target     prot opt source               destination
>>     REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>>
>>     Chain OUTPUT (policy ACCEPT)
>>     target     prot opt source               destination
>>
>>     Chain f2b-dovecot (1 references)
>>     target     prot opt source               destination
>>     RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>>     Chain f2b-postfix (1 references)
>>     target     prot opt source               destination
>>     RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>>     Chain f2b-postfix-sasl (1 references)
>>     target     prot opt source               destination
>>     REJECT     all  --  xxx.xxx.xx.125        0.0.0.0/0           reject-with icmp-port-unreachable
>>     REJECT     all  --  xx.xx.xxx.60         0.0.0.0/0           reject-with icmp-port-unreachable
>>     REJECT     all  --  xxx.xx.xx.234        0.0.0.0/0           reject-with icmp-port-unreachable
>>     RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>>      
>>
>>     _______________________________________________
>>     Fail2ban-users mailing list
>>     [email protected]
>>     https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>

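One way to check John's point above against your own logs, as an added example that is not code from the thread: correlate each fail2ban "Ban" notice with later postfix/smtpd lines for the same IP, treating a timeout or disconnect as the expected tail of a session that was already open when the firewall rule landed, and a fresh "connect from" after the ban as evidence that packets are still getting through. The log lines below are constructed on the pattern of the thread's excerpts (documentation addresses, not real ones); the year and the list of "passive" event keywords are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's /var/log/messages and
# /var/log/maillog excerpts (documentation IPs, not real addresses).
MESSAGES = """\
Sep  8 10:26:33 mail fail2ban.actions[2834]: NOTICE [postfix] Ban 203.0.113.10
Sep  8 10:40:01 mail fail2ban.actions[2834]: NOTICE [postfix-sasl] Ban 198.51.100.7
"""
MAILLOG = """\
Sep  8 10:20:10 mail postfix/smtpd[27076]: connect from unknown[203.0.113.10]
Sep  8 10:31:34 mail postfix/smtpd[27076]: timeout after DATA from unknown[203.0.113.10]
Sep  8 10:31:34 mail postfix/smtpd[27076]: disconnect from unknown[203.0.113.10]
Sep  8 10:45:12 mail postfix/smtpd[27090]: connect from unknown[198.51.100.7]
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
BAN_RE = re.compile(TS + r" \S+ fail2ban\.actions\[\d+\]: NOTICE \[(\S+)\] Ban (\S+)")
MAIL_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: (.*?)\[(\d+(?:\.\d+){3})\]$")

# Events an already-connected client can still produce once its packets are
# rejected: postfix gives up waiting, then logs the close (assumed keyword list).
PASSIVE = ("timeout after", "disconnect from", "lost connection")

def parse_ts(stamp, year=2015):
    # Syslog stamps carry no year; 2015 is assumed to match the thread.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def audit(messages, maillog):
    """Return (ip, verdict, event, seconds_after_ban) for maillog lines logged after a ban."""
    bans = {}
    for line in messages.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans[m.group(3)] = parse_ts(m.group(1))
    findings = []
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts, event, ip = parse_ts(m.group(1)), m.group(2).strip(), m.group(3)
        if ip not in bans or ts <= bans[ip]:
            continue  # never banned, or logged before the ban took effect
        # A new "connect from" after the ban means packets still got in; a
        # timeout or disconnect is only postfix closing the stalled session.
        verdict = "expected" if event.startswith(PASSIVE) else "BAN-FAILED"
        findings.append((ip, verdict, event, int((ts - bans[ip]).total_seconds())))
    return findings

if __name__ == "__main__":
    for ip, verdict, event, secs in audit(MESSAGES, MAILLOG):
        print(f"{verdict:10} {ip:15} +{secs}s  {event}")
```

On real logs, replace the two constants with the file contents and run the ban-action check only for IPs whose bans have not yet expired.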