Re: [Fail2ban-users] Sasl bans, still connecting

Gao Thu, 10 Mar 2016 09:16:18 -0800

Is your rule only block port 25 smtp?

Just checked mine and it should block multiport  by default:

f2b-postfix-sasl tcp -- 0.0.0.0/0 0.0.0.0/0 multiportdports 25,465,587,220,993,110,995


Gao

On 16-03-10 02:29 AM, Simon Wilson wrote:

Hi list,

What am I doing wrong?

I got the notification:

Hi,

The IP 185.103.253.243 has just been banned by Fail2Ban after
3 attempts against sasl.

iptables -L:

]# iptables -L

<snip>

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
REJECT all -- 185.103.253.243 anywhere reject-withicmp-port-unreachable
RETURN     all  --  anywhere             anywhere


But it keeps connecting:
Mar 10 20:08:00 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:08:15 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:08:34 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:08:49 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:09:05 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:09:19 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:09:34 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:09:49 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:10:04 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:10:18 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:10:33 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:10:46 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:11:01 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:11:16 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:11:31 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:11:47 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:12:04 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:12:20 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:12:36 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:12:56 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:13:17 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:13:37 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:13:55 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:14:17 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:14:39 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:15:03 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:15:26 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:15:47 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:16:10 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:16:36 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:17:01 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:17:30 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:17:58 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:18:27 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:18:59 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:19:29 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:20:01 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:20:35 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:21:10 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:21:47 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:22:25 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:23:03 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:23:47 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:24:35 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already bannedMar 10 20:25:21 server04 fail2ban.actions[28238]: INFO [sasl-iptables]185.103.253.243 already banned
Is it this?:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  tcp  --  anywhere             anywhere tcp dpt:smtp
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
Iptables is only jumping to the fail2ban Chain for port 25 (smtp).Should that be "always" and how do I make it so?
Simon



------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Re: [Fail2ban-users] Sasl bans, still connecting

Reply via email to