Hello together
I have a small problem understanding something: I see banned IP addresses in
my fail2ban.log, but when I check the file ip.blacklist they are not listed
there. After I restart the service they do appear, and ip.blacklist then
contains every IP address twice.
Thanks for any help
Regards
Mauri
r@mail:/etc/fail2ban#tail /var/log/fail2ban.log
2017-10-20 23:44:49,852 fail2ban.actions[13193]: WARNING [ssh] Ban
185.86.236.250
2017-10-20 23:45:05,595 fail2ban.actions[13193]: WARNING [ssh] Ban
200.71.34.59
2017-10-20 23:45:17,129 fail2ban.actions[13193]: WARNING [sasl] Ban
91.200.12.56
2017-10-20 23:45:37,314 fail2ban.actions[13193]: WARNING [sasl] Ban
191.96.249.63
2017-10-20 23:45:53,078 fail2ban.actions[13193]: WARNING [sasl] Ban
191.96.249.70
2017-10-20 23:56:13,801 fail2ban.actions[13193]: WARNING [ssh] Ban
1.55.145.220
2017-10-21 00:06:05,097 fail2ban.actions[13193]: WARNING [ssh] Ban
58.246.138.178
2017-10-21 00:32:36,202 fail2ban.actions[13193]: WARNING [ssh] Ban
152.204.1.79
2017-10-21 00:38:24,924 fail2ban.actions[13193]: WARNING [ssh] Ban
94.50.183.221
r@mail:/etc/fail2ban# cat ip.blacklist | grep 94.50.183.221
r@mail:/etc/fail2ban# cat ip.blacklist | grep 152.204.1.79
r@mail:/etc/fail2ban# cat ip.blacklist | grep 58.246.138.178
r@mail:/etc/fail2ban# cat ip.blacklist | grep 1.55.145.220
r@mail:/etc/fail2ban# cat ip.blacklist | grep 191.96.249.70
r@mail:/etc/fail2ban# cat ip.blacklist | grep 191.96.249.63
r@mail:/etc/fail2ban# cat ip.blacklist | grep 91.200.12.56
r@mail:/etc/fail2ban# cat ip.blacklist | grep 200.71.34.59
r@mail:/etc/fail2ban# cat ip.blacklist | grep 185.86.236.250
185.86.236.250
r@mail:/etc/fail2ban/action.d# cat iptables-multiport.conf
# Fail2Ban configuration file
# Reads iptables-blocktype.conf before this file. The <blocktype> tag used by
# actionban/actionunban below is not defined in this file, so it is presumably
# supplied by that include -- confirm.
[INCLUDES]
before = iptables-blocktype.conf
# Commands fail2ban runs for a jail that uses this action. <name>, <chain>,
# <protocol>, <port> and <ip> are tags substituted per jail / per ban.
# NOTE(review): as pasted, the continuation lines of the multi-line values
# start in column 0. The parser only treats indented lines as part of the
# preceding value, so the indentation was presumably lost in the mail --
# confirm against the file on disk.
[Definition]
# Option: actionstart
#
# Creates the per-jail chain fail2ban-<name>, ends it with RETURN, and hooks it
# into <chain> for the jail's ports. The customised tail then inserts one DROP
# rule per line of /etc/fail2ban/ip.blacklist into that chain.
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port>
-j fail2ban-<name>
# Persistent banning of IPs
# NOTE(review): every line of the file is handed to iptables unvalidated and
# unquoted ($IP), with no de-duplication, so a duplicated entry produces a
# duplicated rule. The file feeds a command run with fail2ban's privileges:
# keep it writable by root only and consider checking each entry's format.
# These rules use a fixed DROP target, not <blocktype> as actionban does.
# This runs once for every jail that uses this action.
cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I
fail2ban-<name> 1 -s $IP -j DROP; done
# Option: actionstop
#
# Unhooks the per-jail chain from <chain>, flushes it and deletes it.
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port>
-j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
# Option: actioncheck
#
# Succeeds when <chain> still lists a jump to fail2ban-<name>.
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
#
# Inserts the blocking rule for <ip> at the top of the per-jail chain.
# NOTE(review): nothing is written to ip.blacklist at ban time.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
#
# Deletes the blocking rule for <ip>.
# NOTE(review): the "echo <ip> >> ip.blacklist" line below follows actionunban,
# so as pasted it is part of the UNBAN action. An address is appended to the
# file only when its ban is lifted (bantime expiry, or presumably the unban of
# all active bans when the service stops). That is consistent with banned
# addresses missing from the file until a restart. The append is unconditional,
# so an address unbanned more than once is listed more than once. If the intent
# is to record an address when it is banned, the append belongs under actionban
# and should skip addresses already present (e.g. a grep -qxF test first).
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
# Persistent banning IPs
echo <ip> >>/etc/fail2ban/ip.blacklist
[Init]
# Default name of the chai
# Fail2Ban configuration file.
# Defaults inherited by every jail below unless the jail sets its own value.
[DEFAULT]
# Only loopback is exempt from banning.
# NOTE(review): no management address is exempted; with the 30-day bantime
# used by the jails below, a mistaken ban of an admin address lasts as long.
ignoreip = 127.0.0.1/8
ignorecommand =
# Seconds. Default ban length and counting window are both 2 hours; most jails
# below override one or both.
bantime = 7200
findtime = 7200
maxretry = 3
backend = auto
usedns = warn
# Recipient of the ban notification mails (address masked in the post).
destemail = maurizio@****.**
sendername = Fail2Ban
sender = fail2ban@localhost
# ACTIONS
#
# banaction names the action file used to block; iptables-multiport is the
# customised file shown earlier in this message.
banaction = iptables-multiport
mta = mail
protocol = tcp
chain = INPUT
# Action shortcuts built by %(...)s interpolation: action_ only bans,
# action_mw also runs %(mta)s-whois, action_mwl runs %(mta)s-whois-lines with
# the jail's logpath. As pasted the continuation lines have lost their indent.
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s",
protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s",
logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
# Every jail that does not set its own action uses the ban + whois-lines variant.
action = %(action_mwl)s
# JAILS
#
# SSH jail: filter sshd applied to /var/log/auth.log.
# Overrides the [DEFAULT] windows: 3 matches within 86400 s (1 day) lead to a
# ban of 2592000 s (30 days).
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 86400
bantime = 2592000
# Dropbear SSH jail on the same log file and port as [ssh].
# No findtime is set here, so the [DEFAULT] value of 7200 s applies; the ban
# length is 2592000 s (30 days).
[dropbear]
enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 3
bantime = 2592000
# Second SSH jail using the sshd-ddos filter on /var/log/auth.log, with the
# same thresholds as [ssh]: 3 matches in 1 day, 30-day ban.
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3
findtime = 86400
bantime = 2592000
# HTTP servers
#
# Apache authentication-failure jail: filter apache-auth over every
# *error.log under /var/log/apache*/, blocking ports http and https.
# 3 matches in 1 day, 30-day ban.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
findtime = 86400
bantime = 2592000
# Mail servers
#
# Postfix jail on /var/log/mail.warn. It sets no maxretry, findtime or bantime,
# so the [DEFAULT] values apply (3 matches, 7200 s window, 7200 s ban).
[postfix]
enabled = true
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.warn
# SASL authentication jail: filter postfix-sasl over /var/log/mail.warn,
# blocking the SMTP, IMAP and POP3 ports listed. maxretry is inherited from
# [DEFAULT] (3); window 1 day, ban 30 days.
[sasl]
enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.warn
findtime = 86400
bantime = 2592000
# Dovecot jail on /var/log/mail.warn for the mail ports listed. It sets no
# thresholds of its own, so the [DEFAULT] values apply (3 matches, 7200 s
# window, 7200 s ban).
[dovecot]
enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.warn
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# NOTE(review): this jail is disabled here. It reads fail2ban's own log and
# sets its own action (iptables-allports plus a sendmail notification), so it
# does not go through the customised iptables-multiport action or the
# ip.blacklist file.
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
maxretry = 3
findtime = 86400
bantime = 2592000
# Custom jail that monitors the blacklist file itself as if it were a log.
# The ip.blacklist filter it names is not shown in this message.
# NOTE(review): the same file is also loaded by actionstart of the customised
# iptables-multiport action for every jail that uses it, so a listed address
# can be blocked through more than one path. This jail switches banaction to
# iptables-allports, whose unban command is not shown; whether it also appends
# to ip.blacklist cannot be told from here -- confirm.
[ip.blacklist]
enabled = true
banaction = iptables-allports
port = anyport
filter = ip.blacklist
logpath = /etc/fail2ban/ip.blacklist
# maxretry = 0 with a 1-day window and a 30-day ban; presumably meant to ban on
# the first matching line -- confirm how this fail2ban version treats 0.
maxretry = 0
findtime = 86400
bantime = 2592000