Unless you give the results of the command "iptables -nvL" when you run your testing, it is very hard to comment on why a rule has failed to apply, as we don't know what is in iptables. Doing an iptables ... | grep ... yields a bit of info - it shows the jails exist - but it does not show what is in the jails.
On 2015-10-01 16:05, Harrison Johnson wrote:
> What version of Fail2ban are you using?
>
> On Thu, 2015-10-01 at 11:34 -0300, Christian Schmitz wrote:
>
> Well i look somethings, if i run the command as i see in the fail2ban log
> seem like does not exist fail2ban jail into iptables.
> 1)I see that:
> #iptables -n -L INPUT | grep -q 'fail2ban-sasl'
> show a empty result.
>
> 2) But one update, if i remove the "-q" to the grep yes i can see the jails
> into iptables:
>
> schweb:~ # iptables -L | grep 'fail2ban'
> fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
> fail2ban-courierlogin tcp -- anywhere anywhere multiport dports smtp,pop3,imap,urd,submission,imaps,pop3s
> fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports http,https
> fail2ban-sasl all -- anywhere anywhere
> Chain fail2ban-BadBots (1 references)
> Chain fail2ban-apache-overflows (1 references)
> Chain fail2ban-courierlogin (1 references)
> Chain fail2ban-sasl (1 references)
>
> 3)if i run manually the command that i see in the log of fail2ban:
> #iptables -D fail2ban-sasl -s 183.23.137.84 -j REJECT --reject-with icmp-port-unreachable
> The answer is:
> iptables: No chain/target/match by that name.
>
> There are some wrong in the iptables command executed by fail2ban?
>
> Best Regards
> Christian
>
> On Thu 01 Oct 2015, Christian Schmitz wrote:
>> Well i look some:
>> seem like does not exist fail2ban jail into iptables.
>> 1)I see that:
>> #iptables -n -L INPUT | grep -q 'fail2ban-sasl'
>> show a empty result.
>>
>> 2)So as i see in the log that fail2ban run:
>> #iptables -D INPUT -p all -j fail2ban-sasl
>> So i run it manually. And the command end without error or warning or other
>> message.
>>
>> 3)I repeat the step 1 and again fail2ban-sasl does not exist.
>>
>> I imagine that the problem of fail2ban is caused by iptables.
>>
>> ¿How i can correct this on suse with susefirewall running?
>>
>> Best Regards
>> Christian
>>
>> On Wed 30 Sep 2015, Christian Schmitz wrote:
>> > curiously SQLITE was not installed on the system, i install it (and not
>> > restart fail2ban because other work emergencies ) and today a new IP
>> > match.
>> >
>> > And i see in the "fail2ban.log"
>> > 2015-09-30 10:00:57,559 fail2ban.actions[11801]: WARNING [sasl-iptables] Ban 181.165.107.42
>> > 2015-09-30 10:24:50,922 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
>> > iptables -F fail2ban-apache-overflows
>> > iptables -X fail2ban-apache-overflows returned 100
>> > 2015-09-30 10:24:51,698 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-BadBots
>> > iptables -F fail2ban-BadBots
>> > iptables -X fail2ban-BadBots returned 100
>> > 2015-09-30 10:24:52,062 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j fail2ban-courierlogin
>> > iptables -F fail2ban-courierlogin
>> > iptables -X fail2ban-courierlogin returned 100
>> > 2015-09-30 10:24:52,477 fail2ban.actions[11801]: WARNING [sasl-iptables] Unban 181.165.107.42
>> > 2015-09-30 10:24:52,494 fail2ban.actions.action[11801]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-sasl[ t]' returned 100
>> > 2015-09-30 10:24:52,495 fail2ban.actions.action[11801]: ERROR Invariant check failed.
>> > Trying to restore a sane environment
>> > 2015-09-30 10:24:52,514 fail2ban.actions.action[11801]: ERROR iptables -D INPUT -p all -j fail2ban-sasl
>> > iptables -F fail2ban-sasl
>> > iptables -X fail2ban-sasl returned 100
>> > 2015-09-30 10:24:52,563 fail2ban.actions.action[11801]: ERROR iptables -D fail2ban-sasl -s 181.165.107.42 -j REJECT --reject-with icmp-port-unreachable returned 100
>> > 2015-09-30 10:25:22,304 fail2ban.filter [16433]: WARNING Unable to find a corresponding IP address for unknown: [Errno -2] Name or service not known
>> > 2015-09-30 10:25:23,629 fail2ban.filter [16433]: WARNING Unable to find a corresponding IP address for unknown: [Errno -2] Name or service not known
>> >
>> > note: The last line is repeated 176 times.
>> > When i run IPTABLES -L i see listed as rejected under fail2ban.
>> >
>> > My iptables is very basic and zero without help of google. I can
>> > understand a rule when i see it, but i can't write my own rule.
>> >
>> > The unban works fine ( was a false positive)
>> >
>> > 2015-09-30 10:31:22,936 fail2ban.actions[16433]: WARNING [sasl-iptables] Ban 181.165.107.42
>> > 2015-09-30 10:47:06,476 fail2ban.actions[16433]: WARNING [sasl-iptables] Unban 181.165.107.42
>> >
>> > Best Regards and thanks you
>> > for your help
>> >
>> > Christian
>> >
>> > On Tue 29 Sep 2015, Nick Howitt wrote:
>> > > I've had a couple of issues in the past.
>> > >
>> > > The first issue is that every time the firewall restarted all jail
>> > > sections got wiped. With my distro (ClearOS) firewall restarts happened
>> > > quite a lot with things like background updates outside the user's
>> > > direct control. Editing of rules through their webconfig did the same.
>> > > It meant I had to reload fail2ban every time the firewall reloaded. In
>> > > ClearOS there is a mechanism for running commands after a firewall
>> > > restart so I used that.
>> > >
>> > > You can check for this by doing an "iptables -nvL" from the command
>> > > line. You should see your jails (like fail2ban-sasl), probably at the
>> > > bottom of your listing.
>> > >
>> > > The second issue was from rule errors. It is worth trying to manually
>> > > execute the rule which f2b is trying to execute. I can't remember how I
>> > > reconstructed the rule but you should find the basis of it in
>> > > fail2ban/actions and it changed between 0.8.x and 0.9.x. 0.9.x can be
>> > > harder to work out because of the way the set up uses defaults and
>> > > overrides (but it removes a lot of rule/action duplication)
>> > >
>> > > Nick
>> > >
>> > > The other issue was from the definition of
>> > >
>> > > On 2015-09-29 14:01, Harrison Johnson wrote:
>> > > > Sorry about that I had to feed the cat.
>> > > > Christian it looks like you have more than a 100 fail2ban-sasl jumps
>> > > > in your rule set. If you don't have any sqlite3 failures in your log
>> > > > file then all you need to do is put the jump rule in the correct
>> > > > place. If you do have a sqlite3 problem then you just don't use it.
>> > > > Either way the first step is to stop fail2ban. Then flush and restore
>> > > > your iptables rule set. How comfortable are you with iptables?
>> > > >
>> > > > On Tue, 2015-09-29 at 09:00 -0300, Christian Schmitz wrote:
>> > > >
>> > > > Hi everyone:
>> > > > I need know why fail2ban is not banning IP. The Fail2ban is running,
>> > > > the jail
>> > > > active, and detect it:
>> > > > I receive the email:
>> > > > Hi,
>> > > > The IP 120.146.197.161 has just been banned by Fail2Ban after
>> > > > 3 attempts against sasl.
>> > > > ...........
>> > > > But even if "fail2ban-client status sasl-iptables" report the IP as blocked
>> > > > sasli see the hacking try persist onto the mail logs:
>> > > >
>> > > > postfix/smtpd[3676]: lost connection after AUTH from CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
>> > > > schweb postfix/smtpd[3676]: disconnect from CPE-120-146-197-161.static.vic.bigpond.net.au[120.146.197.161]
>> > > >
>> > > > If i look on fail2ban.log:
>> > > > 2015-09-27 01:26:16,167 fail2ban.actions[9478]: WARNING [sasl-iptables] Ban 120.146.197.161
>> > > > 2015-09-27 01:26:16,187 fail2ban.actions.action[9478]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-sasl[ t]' returned 100
>> > > > 2015-09-27 01:26:16,188 fail2ban.actions.action[9478]: ERROR Invariant check failed. Trying to restore a sane environment
>> > > > 2015-09-27 01:26:16,207 fail2ban.actions.action[9478]: ERROR iptables -D INPUT -p all -j fail2ban-sasl
>> > > > iptables -F fail2ban-sasl
>> > > > iptables -X fail2ban-sasl returned 100
>> > > >
>> > > > How i can solve it?
>> > > >
>> > > > Best Regards
>> > > > Christian Schmitz

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
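
Added example (not part of the original thread): a POSIX shell helper that summarises one jail chain from an `iptables -n -L` listing, the information the reply at the top asks for. The function names `audit_jail` and `jump_present` and the sample listing are constructed for illustration; `jump_present` prints nothing and answers only through its exit status, like the `grep -q` check in the log.

```shell
#!/bin/sh
# Added example. On a live host (as root): iptables -n -L | audit_jail fail2ban-sasl

# Constructed sample in the format printed by `iptables -n -L`:
# the jail chain exists, INPUT jumps to it twice, and it holds one ban.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  all  --  0.0.0.0/0            0.0.0.0/0
fail2ban-sasl  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-sasl (2 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# audit_jail CHAIN: read a listing on stdin, print one summary line.
audit_jail() {
    awk -v chain="$1" '
        $1 == "Chain"             { current = $2; if ($2 == chain) defined = 1; next }
        $1 == "target" || NF == 0 { next }             # column header, blank line
        current == "INPUT" && $1 == chain  { jumps++ } # jump rule in INPUT
        current == chain && $1 != "RETURN" { bans++ }  # ban entries in the jail chain
        END { printf "defined=%d input_jumps=%d bans=%d\n", defined, jumps, bans }
    '
}

# jump_present CHAIN: exit status 0 if INPUT contains a jump to CHAIN.
# Only the INPUT section is searched, so the "Chain ..." header lines
# that appear in a full listing cannot produce a false match.
jump_present() {
    awk '$1 == "Chain" { in_input = ($2 == "INPUT"); next } in_input' |
        grep -q "^$1[[:space:]]"
}

sample_listing | audit_jail fail2ban-sasl
if sample_listing | jump_present fail2ban-sasl; then echo "jump present"; fi
```

An `input_jumps` value above 1 means the jump rule has been inserted repeatedly; `defined=1 input_jumps=0` means the chain exists but no traffic is sent to it.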
