The same IP hits about once every minute, failing and filling up my log... That was the reason I tried Fail2ban...

-----Original Message-----
From: Bill Shirley [mailto:bshir...@openmri-scottsboro.com]
Sent: Saturday, December 12, 2015 8:37 PM
To: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] Fail2ban not executing action

I don't see any errors in your configuration. Could it be you don't have 20 hits within one hour for the same IP address?

Bill

On 12/12/2015 10:48 PM, Brad wrote:
> I have installed Fail2ban on CentOS 6.7 and configured it to handle
> failed login attempts to dovecot. I tried to configure it based on various
> different directions on the web, but no luck.
>
> It appears the filter is working correctly, but the action never seems
> to get executed.
>
> fail2ban-client status dovecot-pop3imap
> ----------------------------------------------------------------
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed: 9
> |  `- File list: /var/log/maillog
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned IP list:
> ================================================================
>
> fail2ban-client -d
> ----------------------------------------------------------------
> ['set', 'syslogsocket', 'auto']
> ['set', 'loglevel', 'INFO']
> ['set', 'logtarget', '/var/log/fail2ban']
> ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
> ['set', 'dbpurgeage', 86400]
> ['add', 'dovecot-pop3imap', 'auto']
> ['set', 'dovecot-pop3imap', 'usedns', 'warn']
> ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
> ['set', 'dovecot-pop3imap', 'maxretry', 20]
> ['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
> ['set', 'dovecot-pop3imap', 'logencoding', 'auto']
> ['set', 'dovecot-pop3imap', 'bantime', 172800]
> ['set', 'dovecot-pop3imap', 'ignorecommand', '']
> ['set', 'dovecot-pop3imap', 'findtime', 3600]
> ['set', 'dovecot-pop3imap', 'addfailregex', '(?:pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*']
> ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
> ['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionunban', '']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actioncheck', '']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'dest', 'serverm...@myserver.com']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/dest', 'root']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sender', 'fail2ban']
> ['start', 'dovecot-pop3imap']
> ================================================================
>
> Relevant part of jail.local
> ----------------------------------------------------------------
> [dovecot-pop3imap]
> enabled = true
> filter = dovecot-pop3imap
> port = pop3,pop3s,imap,imaps
> action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
>          sendmail-whois[name=dovecot-pop3imap, dest=serverm...@myserver.com]
> logpath = /var/log/maillog
> maxretry = 20
> findtime = 3600
> bantime = 172800
> ================================================================
>
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf
> ----------------------------------------------------------------
> Running tests
> =============
> Use failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
> Use log file : /var/log/maillog
> Use encoding : UTF-8
>
> Results
> =======
> Failregex: 927 total
> |-  #) [# of hits] regular expression
> |   1) [927] (?:pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication disabled|attempts).*rip=(?P<host>\S*),.*
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [28894] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
> Lines: 28894 lines, 0 ignored, 927 matched, 27967 missed [processed in 3.86 sec]
> Missed line(s): too many to print. Use --print-all-missed to print all 27967 lines
> ================================================================
>
> No errors appear in the fail2ban log, even on Debug level of logging.
> Email seems to work fine for the shutdown and startup of Fail2ban.
> Any ideas on why this may be happening?
> Did I overlook something or is there a typo in my work?
>
> Fail2ban version v0.9.3
> CentOS release 6.7 (Final)
>
> Thanks!!
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
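Added example (not from the thread or the fail2ban project): a small Python replay of the counting rule Bill's question turns on. It runs the thread's failregex over constructed maillog lines and reports which hosts accumulate maxretry=20 matches inside a findtime=3600 sliding window, the way the jail counts them; the log lines, the hosts 203.0.113.7 and 198.51.100.9, and the window logic are assumptions, not the project's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the thread's dovecot-pop3imap filter (as shown by fail2ban-client -d)
FAILREGEX = re.compile(
    r"(?:pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
    r"|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*")
# syslog timestamp that starts each maillog line, e.g. "Dec 12 22:48:01"
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_line(line, year=2015):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m = FAILREGEX.search(line)
    t = TIMESTAMP.match(line)
    if not m or not t:
        return None
    return datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S"), m.group("host")

def first_ban(lines, maxretry=20, findtime=3600):
    """Per host, the time of its first ban: maxretry matches inside a findtime-second window."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in bans:
            continue
        ts, host = parsed
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans

def sample_log():
    """Constructed maillog lines (not real data): 203.0.113.7 fails once a minute,
    198.51.100.9 fails every 200 s, plus one successful login that must not match."""
    base = datetime(2015, 12, 12, 22, 48, 0)
    def line(secs, text):
        return (base + timedelta(seconds=secs)).strftime("%b %d %H:%M:%S") + " mail dovecot: " + text
    lines = [line(-30, "imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, TLS")]
    lines += [line(60 * i, "imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
                   "user=<brad>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS") for i in range(25)]
    lines += [line(200 * i, "pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): "
                   "user=<bob>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1") for i in range(40)]
    return sorted(lines)
```

A host failing once a minute reaches 20 within the hour and is banned at its 20th failure; one failing every 200 s never has more than 19 inside any 3600 s window and is never banned, which is exactly the check Bill's question asks for.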