Curiously, SQLite was not installed on the system. I installed it (and did not restart 
fail2ban because of other work emergencies), and today a new IP matched.

And I see in the "fail2ban.log":
2015-09-30 10:00:57,559 fail2ban.actions[11801]: WARNING [sasl-iptables] Ban 
181.165.107.42
2015-09-30 10:24:50,922 fail2ban.actions.action[11801]: ERROR   iptables -D 
INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
iptables -F fail2ban-apache-overflows
iptables -X fail2ban-apache-overflows returned 100
2015-09-30 10:24:51,698 fail2ban.actions.action[11801]: ERROR   iptables -D 
INPUT -p tcp -m multiport --dports http,https -j fail2ban-BadBots
iptables -F fail2ban-BadBots
iptables -X fail2ban-BadBots returned 100
2015-09-30 10:24:52,062 fail2ban.actions.action[11801]: ERROR   iptables -D 
INPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j 
fail2ban-courierlogin
iptables -F fail2ban-courierlogin
iptables -X fail2ban-courierlogin returned 100
2015-09-30 10:24:52,477 fail2ban.actions[11801]: WARNING [sasl-iptables] Unban 
181.165.107.42
2015-09-30 10:24:52,494 fail2ban.actions.action[11801]: ERROR   iptables -n -L 
INPUT | grep -q 'fail2ban-sasl[ \t]' returned 100
2015-09-30 10:24:52,495 fail2ban.actions.action[11801]: ERROR   Invariant 
check failed. Trying to restore a sane environment
2015-09-30 10:24:52,514 fail2ban.actions.action[11801]: ERROR   iptables -D 
INPUT -p all -j fail2ban-sasl
iptables -F fail2ban-sasl
iptables -X fail2ban-sasl returned 100
2015-09-30 10:24:52,563 fail2ban.actions.action[11801]: ERROR   iptables -D 
fail2ban-sasl -s 181.165.107.42 -j REJECT --reject-with icmp-port-unreachable 
returned 100
2015-09-30 10:25:22,304 fail2ban.filter [16433]: WARNING Unable to find a 
corresponding IP address for unknown: [Errno -2] Name or service not known
2015-09-30 10:25:23,629 fail2ban.filter [16433]: WARNING Unable to find a 
corresponding IP address for unknown: [Errno -2] Name or service not known

Note: the last line is repeated 176 times. 
When I run IPTABLES -L I see it listed as rejected under fail2ban.

My iptables knowledge is very basic, and zero without the help of Google. I can understand a 
rule when I see it, but I can't write my own rule.

The unban works fine (it was a false positive).

2015-09-30 10:31:22,936 fail2ban.actions[16433]: WARNING [sasl-iptables] Ban 
181.165.107.42
2015-09-30 10:47:06,476 fail2ban.actions[16433]: WARNING [sasl-iptables] Unban 
181.165.107.42

Best regards, and thank you
for your help

Christian

On Tue 29 Sep 2015, Nick Howitt wrote:
> I've had a couple of issues in the past.
>
> The first issue is that every time the firewall restarted all jail
> sections got wiped. With my distro (ClearOS) firewall restarts happened
> quite a lot with things like background updates outside the user's
> direct control. Editing of rules through their webconfig did the same.
> It meant I had to reload fail2ban every time the firewall reloaded. In
> ClearOS there is a mechanism for running commands after a firewall
> restart so I used that.
>
> You can check for this by doing an "iptables -nvL" from the command
> line. You should see your jails (like fail2ban-sasl), probably at the
> bottom of your listing.
>
> The second issue was from rule errors. It is worth trying to manually
> execute the rule which f2b is trying to execute. I can't remember how I
> reconstructed the rule but you should find the basis of it in
> fail2ban/actions and it changed between 0.8.x and 0.9.x. 0.9.x can be
> harder to work out because of the way the setup uses defaults and
> overrides (but it removes a lot of rule/action duplication)
>
> Nick
>
> The other issue was from the definition of
>
> On 2015-09-29 14:01, Harrison Johnson wrote:
> > Sorry about that I had to feed the cat.
> >  Christian, it looks like you have more than 100 fail2ban-sasl jumps
> > in your rule set. If you don't have any sqlite3 failures in your log
> > file then all you need to do is put the jump rule in the correct
> > place. If you do have a sqlite3 problem then you just don't use it.
> > Either way the first step is to stop fail2ban. Then flush and restore
> > your iptables rule set. How comfortable are you with iptables?
> >
> >  On Tue, 2015-09-29 at 09:00 -0300, Christian Schmitz wrote:
> >
> > Hi everyone:
> > I need to know why fail2ban is not banning the IP. Fail2ban is running,
> > the jail is active, and it detects it:
> > I receive the email:
> >  Hi,
> >  The IP 120.146.197.161 has just been banned by Fail2Ban after
> >  3 attempts against sasl.
> >  ...........
> > But even if "fail2ban-client status sasl-iptables" reports the IP as
> > blocked, I see the hacking attempts persist in the mail logs:
> >
> > postfix/smtpd[3676]: lost connection after AUTH from
> >  CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
> > schweb postfix/smtpd[3676]: disconnect from
> >  CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
> >
> > If i look on fail2ban.log:
> > 2015-09-27 01:26:16,167 fail2ban.actions[9478]: WARNING
> > [sasl-iptables] Ban
> > 120.146.197.161
> > 2015-09-27 01:26:16,187 fail2ban.actions.action[9478]: ERROR iptables
> > -n -L
> > INPUT | grep -q 'fail2ban-sasl[ t]' returned 100
> > 2015-09-27 01:26:16,188 fail2ban.actions.action[9478]: ERROR Invariant
> > check
> > failed. Trying to restore a sane environment
> > 2015-09-27 01:26:16,207 fail2ban.actions.action[9478]: ERROR iptables
> > -D
> > INPUT -p all -j fail2ban-sasl
> > iptables -F fail2ban-sasl
> > iptables -X fail2ban-sasl returned 100
> >
> > How can I solve it?
> >
> > Best Regards
> > Christian Schmitz
> >
> >
> > -------------------------------------------------------------------------
> >-----
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>


-- 
In a world without frontiers... who needs Gates and Windows?
http://www.schdev.com.ar
http://gnc2.schdev.com.ar
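
Added example, not part of the original messages and not fail2ban's own code: a check in the spirit of the "iptables -nvL" inspection and of the `iptables -n -L INPUT | grep -q 'fail2ban-sasl[ \t]'` invariant check seen in the log. It reports, for each jail chain, whether the chain exists and how many times INPUT jumps to it. The function name `audit_jails` and the sample listing are assumptions constructed for illustration; the chain names are the ones from the log above.

```shell
#!/bin/sh
# Added example. Reads `iptables -n -L` output (without -v) on stdin and, for
# each chain name given as an argument, reports whether the chain exists and
# how many times the INPUT chain jumps to it.
audit_jails() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^Chain /          { current = $2; defined[current] = 1; next }
        current == "INPUT" { jumps[$1]++ }   # column 1 is the jump target
        END {
            for (i = 1; i <= n; i++) {
                c = names[i]; j = jumps[c] + 0
                if (!(c in defined)) s = "NO_CHAIN"        # chain was wiped
                else if (j == 0)     s = "NO_JUMP"         # bans never reached
                else if (j > 1)      s = "DUPLICATE_JUMP"  # leftover jumps
                else                 s = "OK"
                printf "%s input_jumps=%d %s\n", c, j, s
            }
        }'
}

# Constructed sample listing (not taken from the thread).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
REJECT     all  --  181.165.107.42       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

sample_listing | audit_jails fail2ban-sasl fail2ban-BadBots fail2ban-courierlogin
```

On a live host the input would be `iptables -n -L | audit_jails <chain names>`, run as root; any result other than OK means a ban recorded in fail2ban.log may not be enforced by the firewall.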
