Re: [Fail2ban-users] Fail2Ban sends mails only once

[kuncho pencho]

Hi,

Could you try to set sender in ssh section in jail.conf?

Yours config is "sendmail-whois[name=ssh, dest=mym...@gmail.com" ,
 here is missing "]" simbol and sender.

Main config is with this line:

sendmail-whois[name=SSH, dest=mym...@example.com, sender=mym...@example.com, 
sendername="Fail2Ban"]

Do you have sshd.conf in jail.d ?








 >-------- Оригинално писмо --------

 >От: "YouGenom ." genomsa...@gmail.com

 >Относно: Re: [Fail2ban-users] Fail2Ban sends mails only once

 >До: kuncho pencho  

 >Изпратено на: 17.01.2016 16:50



 
 
   
    
     
     Hi,
     

     

     I did not get any error message after setting up exim4 (but before that I 
did not get any mail at all anyway). So at the (first,) second and further 
failed logins there are no errors. But I only get the warning mail at the first 
failed login. Here is my configuration file (jail.local) attached.
    

    

    Thanks!
   

    
     
     

      
      On Sun, Jan 17, 2016 at 1:45 PM, kuncho pencho 
        kuncho...@abv.bg >  wrote:
      

       
        
         Hi, 
        

        
Could you paste your jail.conf and jail.d/sshd.conf? Is there an error in 
fail2ban.log?
        

        

        

        
 >-------- Оригинално писмо -------- 
        
 >От: "YouGenom ." 
         genomsa...@gmail.com  
        
 >Относно: [Fail2ban-users] Fail2Ban sends mails only once 
        
 >До: 
         fail2ban-users@lists.sourceforge.net  
        
 >Изпратено на: 17.01.2016 13:39 
        

         
          
          
 
            
             
              
               
               
                Hi, 
               
 
               
 
               I have been trying to set up fail2ban. I have only edited for 
the SSH jail to warn me in case of failed login. Other jails/actions/filters 
are at default. Then I tried from another machine a failed login (6 times with 
wrong password). I have got the mail with whois info. So this is what I was 
expecting. Then I have waited for the ban to expire (10 mins) and retried to 
failed login. I did not get any mail this time. In logs, it was mentioned, that 
a ban was issued for the client IP address. Interestingly, by using another IP 
address (through VPN) I could get again an e-mail warning for the first time 
but not second time. It seems to me fail2ban sends e-mail warning only once per 
IP-address. Moreover, I changed log level to 4 (DEBUG) and ran fail2ban-client 
reload. Then I tried a failed login with the old (once banned) IP address. It 
did not send any mail but I found this in the logs: 
              
 
              
2016-01-17 12:32:08,961 fail2ban.actions.action[21573]: DEBUG

 printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n` 
              
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"` 
              
From: Fail2Ban   
              
To: 
               mym...@gmail.com \n 
              
Hi,\n 
              
The IP 192.168.0.11 has just been banned by Fail2Ban after 
              
6 attempts against ssh.\n\n 
              
Here is more information about 
               192.168.0.11 :\n 
              
`/usr/bin/whois 192.168.0.11 || echo missing whois program`\n 
              
Regards,\n 
              
Fail2Ban" | /usr/sbin/sendmail -f fail2ban 
               mym...@gmail.com  
              
2016-01-17 12:32:09,491 fail2ban.actions.action[21573]: DEBUG

 printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n` 
              
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"` 
              
From: Fail2Ban   
              
To: 
               mym...@gmail.com \n 
              
Hi,\n 
              
The IP 192.168.0.11 has just been banned by Fail2Ban after 
              
6 attempts against ssh.\n\n 
              
Here is more information about 
               192.168.0.11 :\n 
              
`/usr/bin/whois 192.168.0.11 || echo missing whois program`\n 
              
Regards,\n 
              
Fail2Ban" | /usr/sbin/sendmail -f fail2ban 
               mym...@gmail.com  returned successfully 
              
 
              
 
              I am not sure, if the issue is because of my GMail account 
blocking the mails or is it a feature in Fail2Ban to prevent e-mail flood? 
             
 
             
 
             Best wishes! 
            
 
             
            
          
         
         
       
------------------------------------------------------------------------------
       
 Site24x7 APM Insight: Get Deep Visibility into Application Performance
       
 APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
       
 Monitor end-to-end web transactions and take corrective actions now
       
 Troubleshoot faster and improve end-user experience. Signup Now!
       
 
        http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 
       
_______________________________________________
       
 Fail2ban-users mailing list
       
 
        Fail2ban-users@lists.sourceforge.net 
       
 
        https://lists.sourceforge.net/lists/listinfo/fail2ban-users 
       
 
       

       
      
     

     
    
    
 

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users