So what is the output of "iptables -nvL"?

On 30/09/2015 17:01, Christian Schmitz wrote:
Curiously, SQLITE was not installed on the system. I installed it (and did not restart fail2ban because of other work emergencies) and today a new IP matched. And I see in the "fail2ban.log":

    2015-09-30 10:00:57,559 fail2ban.actions[11801]: WARNING [sasl-iptables] Ban 181.165.107.42
    2015-09-30 10:24:50,922 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows iptables -F fail2ban-apache-overflows iptables -X fail2ban-apache-overflows returned 100
    2015-09-30 10:24:51,698 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-BadBots iptables -F fail2ban-BadBots iptables -X fail2ban-BadBots returned 100
    2015-09-30 10:24:52,062 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j fail2ban-courierlogin iptables -F fail2ban-courierlogin iptables -X fail2ban-courierlogin returned 100
    2015-09-30 10:24:52,477 fail2ban.actions[11801]: WARNING [sasl-iptables] Unban 181.165.107.42
    2015-09-30 10:24:52,494 fail2ban.actions.action[11801]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-sasl[ \t]' returned 100
    2015-09-30 10:24:52,495 fail2ban.actions.action[11801]: ERROR Invariant check failed. Trying to restore a sane environment
    2015-09-30 10:24:52,514 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p all -j fail2ban-sasl iptables -F fail2ban-sasl iptables -X fail2ban-sasl returned 100
    2015-09-30 10:24:52,563 fail2ban.actions.action[11801]: ERROR iptables -D fail2ban-sasl -s 181.165.107.42 -j REJECT --reject-with icmp-port-unreachable returned 100
    2015-09-30 10:25:22,304 fail2ban.filter [16433]: WARNING Unable to find a corresponding IP address for unknown: [Errno -2] Name or service not known
    2015-09-30 10:25:23,629 fail2ban.filter [16433]: WARNING Unable to find a corresponding IP address for unknown: [Errno -2] Name or service not known

note: The last line is repeated 176 times.

When I run IPTABLES -L I see it listed as rejected under fail2ban. My iptables is very basic and zero without help of Google. I can understand a rule when I see it, but I can't write my own rule. The unban works fine (was a false positive):

    2015-09-30 10:31:22,936 fail2ban.actions[16433]: WARNING [sasl-iptables] Ban 181.165.107.42
    2015-09-30 10:47:06,476 fail2ban.actions[16433]: WARNING [sasl-iptables] Unban 181.165.107.42

Best Regards and thank you for your help
Christian

On Tue 29 Sep 2015, Nick Howitt wrote:

I've had a couple of issues in the past.

The first issue is that every time the firewall restarted all jail sections got wiped. With my distro (ClearOS) firewall restarts happened quite a lot with things like background updates outside the user's direct control. Editing of rules through their webconfig did the same. It meant I had to reload fail2ban every time the firewall reloaded. In ClearOS there is a mechanism for running commands after a firewall restart so I used that. You can check for this by doing an "iptables -nvL" from the command line. You should see your jails (like fail2ban-sasl), probably at the bottom of your listing.

The second issue was from rule errors. It is worth trying to manually execute the rule which f2b is trying to execute. I can't remember how I reconstructed the rule but you should find the basis of it in fail2ban/actions and it changed between 0.8.x and 0.9.x. 0.9.x can be harder to work out because of the way the setup uses defaults and overrides (but it removes a lot of rule/action duplication).

Nick

The other issue was from the definition of

On 2015-09-29 14:01, Harrison Johnson wrote:

Sorry about that, I had to feed the cat. Christian, it looks like you have more than 100 fail2ban-sasl jumps in your rule set. If you don't have any sqlite3 failures in your log file then all you need to do is put the jump rule in the correct place. If you do have a sqlite3 problem then you just don't use it.

Either way the first step is to stop fail2ban. Then flush and restore your iptables rule set. How comfortable are you with iptables?

On Tue, 2015-09-29 at 09:00 -0300, Christian Schmitz wrote:

Hi everyone:

I need to know why fail2ban is not banning IP. Fail2ban is running, the jail is active, and it detects it: I receive the email:

    Hi, The IP 120.146.197.161 has just been banned by Fail2Ban after 3 attempts against sasl.
    ...........

But even if "fail2ban-client status sasl-iptables" reports the IP as blocked sasl, I see the hacking tries persist in the mail logs:

    postfix/smtpd[3676]: lost connection after AUTH from CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
    schweb postfix/smtpd[3676]: disconnect from CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]

If I look in fail2ban.log:

    2015-09-27 01:26:16,167 fail2ban.actions[9478]: WARNING [sasl-iptables] Ban 120.146.197.161
    2015-09-27 01:26:16,187 fail2ban.actions.action[9478]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-sasl[ \t]' returned 100
    2015-09-27 01:26:16,188 fail2ban.actions.action[9478]: ERROR Invariant check failed. Trying to restore a sane environment
    2015-09-27 01:26:16,207 fail2ban.actions.action[9478]: ERROR iptables -D INPUT -p all -j fail2ban-sasl iptables -F fail2ban-sasl iptables -X fail2ban-sasl returned 100

How can I solve it?

Best Regards
Christian Schmitz

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
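Added example, not part of the original thread and not fail2ban's own code: a shell function that classifies the two conditions raised above (jail chain wiped by a firewall reload, and repeated jumps from INPUT) from "iptables -S" output. The function name f2b_chain_state and the sample rule sets are constructed for illustration; the chain name and banned address are the ones quoted in the thread.

```shell
#!/bin/sh
# Live use (as root): iptables -S | f2b_chain_state fail2ban-sasl

# Reads rules in `iptables -S` format on stdin; $1 is the jail chain name.
# Prints "<state> jumps=<n> bans=<n>".
f2b_chain_state() {
    awk -v chain="$1" '
        # "-N <chain>" means the user-defined chain exists.
        $1 == "-N" && $2 == chain { has_chain = 1 }
        # Count rules in INPUT whose target is the jail chain.
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && $(i + 1) == chain) jumps++
        }
        # Rules inside the jail chain, other than the trailing RETURN, are bans.
        $1 == "-A" && $2 == chain && $NF != "RETURN" { bans++ }
        END {
            if (!has_chain)      state = "missing-chain"
            else if (jumps == 0) state = "no-jump"
            else if (jumps > 1)  state = "duplicate-jumps"
            else                 state = "ok"
            printf "%s jumps=%d bans=%d\n", state, jumps + 0, bans + 0
        }'
}

# Constructed sample: healthy jail with one ban in place.
sample_ok() {
cat <<'EOF'
-P INPUT ACCEPT
-N fail2ban-sasl
-A INPUT -j fail2ban-sasl
-A fail2ban-sasl -s 181.165.107.42/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-sasl -j RETURN
EOF
}

# Constructed sample: rule set after a firewall reload removed the jail chain.
sample_wiped() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
EOF
}

# Constructed sample: chain present, jump from INPUT inserted twice.
sample_dup() {
    printf '%s\n' '-N fail2ban-sasl' '-A INPUT -j fail2ban-sasl' \
        '-A INPUT -j fail2ban-sasl' '-A fail2ban-sasl -j RETURN'
}
```

A "missing-chain" or "no-jump" result corresponds to the failing "iptables -n -L INPUT | grep -q 'fail2ban-sasl[ \t]'" check in the logs above: fail2ban records the ban, but no rule in INPUT sends traffic to the jail chain.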
