I've had a couple of issues in the past. The first issue is that every time the firewall restarted all jail sections got wiped. With my distro (ClearOS) firewall restarts happened quite a lot with things like background updates outside the user's direct control. Editing of rules through their webconfig did the same. It meant I had to reload fail2ban every time the firewall reloaded. In ClearOS there is a mechanism for running commands after a firewall restart so I used that.
You can check for this by doing an "iptables -nvL" from the command line. You should see your jails (like fail2ban-sasl), probably at the bottom of your listing.

The second issue was from rule errors. It is worth trying to manually execute the rule which f2b is trying to execute. I can't remember how I reconstructed the rule but you should find the basis of it in fail2ban/actions and it changed between 0.8.x and 0.9.x. 0.9.x can be harder to work out because of the way the setup uses defaults and overrides (but it removes a lot of rule/action duplication).

Nick

The other issue was from the definition of

On 2015-09-29 14:01, Harrison Johnson wrote:
> Sorry about that, I had to feed the cat.
> Christian, it looks like you have more than 100 fail2ban-sasl jumps
> in your rule set. If you don't have any sqlite3 failures in your log
> file then all you need to do is put the jump rule in the correct
> place. If you do have a sqlite3 problem then you just don't use it.
> Either way the first step is to stop fail2ban. Then flush and restore
> your iptables rule set. How comfortable are you with iptables?
>
> On Tue, 2015-09-29 at 09:00 -0300, Christian Schmitz wrote:
> > Hi everyone:
> > I need to know why fail2ban is not banning the IP. Fail2ban is running,
> > the jail is active, and it detects it:
> > I receive the email:
> > Hi,
> > The IP 120.146.197.161 has just been banned by Fail2Ban after
> > 3 attempts against sasl.
> > ...........
> > But even if "fail2ban-client status sasl-iptables" reports the IP as
> > blocked, I see the hacking tries persist in the mail logs:
> >
> > postfix/smtpd[3676]: lost connection after AUTH from CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
> > schweb postfix/smtpd[3676]: disconnect from CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
> >
> > If I look in fail2ban.log:
> > 2015-09-27 01:26:16,167 fail2ban.actions[9478]: WARNING [sasl-iptables] Ban 120.146.197.161
> > 2015-09-27 01:26:16,187 fail2ban.actions.action[9478]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-sasl[ t]' returned 100
> > 2015-09-27 01:26:16,188 fail2ban.actions.action[9478]: ERROR Invariant check failed. Trying to restore a sane environment
> > 2015-09-27 01:26:16,207 fail2ban.actions.action[9478]: ERROR iptables -D INPUT -p all -j fail2ban-sasl
> > iptables -F fail2ban-sasl
> > iptables -X fail2ban-sasl returned 100
> >
> > How can I solve it?
> >
> > Best Regards
> > Christian Schmitz
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
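
Added example, not part of the original thread: a shell check for the states discussed above (the jail chain wiped by a firewall restart, or the jump rule into fail2ban-sasl missing or duplicated in INPUT). It reads `iptables-save`-style text on stdin; the helper name `check_f2b_chain` and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# check_f2b_chain CHAIN: read an `iptables-save` (or `iptables -S`) dump on
# stdin and report whether the fail2ban jail chain is wired into INPUT.
# Hypothetical helper, not part of fail2ban.
check_f2b_chain() {
    chain=$1
    dump=$(cat)
    # Chain declaration: ":fail2ban-sasl - [0:0]" (iptables-save)
    # or "-N fail2ban-sasl" (iptables -S).
    defined=$(printf '%s\n' "$dump" | grep -c -E "^(:$chain |-N $chain\$)" || true)
    # Jump rules from INPUT into the jail chain.
    jumps=$(printf '%s\n' "$dump" | grep -c -E "^-A INPUT .*-j $chain( |\$)" || true)
    if [ "$defined" -eq 0 ]; then
        echo "missing-chain"          # firewall restart wiped the jail
    elif [ "$jumps" -eq 0 ]; then
        echo "missing-jump"           # chain exists but INPUT never reaches it
    elif [ "$jumps" -gt 1 ]; then
        echo "duplicate-jumps:$jumps" # repeated reloads stacked the jump rule
    else
        echo "ok"
    fi
}

# Constructed sample: rule set after a firewall restart removed the jail chain.
sample_wiped() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Constructed sample: jail chain present with a single jump from INPUT.
sample_ok() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:fail2ban-sasl - [0:0]
-A INPUT -p tcp -j fail2ban-sasl
-A fail2ban-sasl -j RETURN
COMMIT
EOF
}

echo "after restart: $(sample_wiped | check_f2b_chain fail2ban-sasl)"
echo "healthy:       $(sample_ok | check_f2b_chain fail2ban-sasl)"
# On a live host (assumption: run as root):
#   iptables-save | check_f2b_chain fail2ban-sasl
```

A result other than "ok" right after a firewall restart means fail2ban has to be reloaded before its bans take effect again.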
