I configured my postfix-long jail to read from mail.warn:

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long logpath
Current monitored log file(s):
`- /var/log/mail.warn
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

I'd like to ban after 10 attempts in 24 hours:

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long maxretry
10
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long findtime
86400
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

Here are the logged failures in mail.warn.

root@messagerie[10.10.10.19] ~ # egrep 187.178.172.36 /var/log/mail.warn* | nl
 1  /var/log/mail.warn:Oct 27 19:47:21 messagerie postfix/smtpd[43215]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 2  /var/log/mail.warn:Oct 27 20:17:43 messagerie postfix/smtpd[46012]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 3  /var/log/mail.warn:Oct 27 21:18:18 messagerie postfix/smtpd[47974]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 4  /var/log/mail.warn:Oct 27 22:09:36 messagerie postfix/smtpd[48979]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 5  /var/log/mail.warn:Oct 28 07:17:06 messagerie postfix/smtpd[3820]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 6  /var/log/mail.warn:Oct 28 09:47:43 messagerie postfix/smtpd[7036]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 7  /var/log/mail.warn:Oct 28 14:29:46 messagerie postfix/smtpd[17325]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 8  /var/log/mail.warn:Oct 28 16:03:36 messagerie postfix/smtpd[21266]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 9  /var/log/mail.warn:Oct 28 16:40:52 messagerie postfix/smtpd[23872]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
10  /var/log/mail.warn:Oct 28 20:35:57 messagerie postfix/smtpd[30183]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
11  /var/log/mail.warn:Oct 28 23:16:20 messagerie postfix/smtpd[36002]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
12  /var/log/mail.warn:Oct 29 01:05:18 messagerie postfix/smtpd[42070]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
13  /var/log/mail.warn:Oct 29 02:03:15 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
14  /var/log/mail.warn:Oct 29 02:06:38 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
15  /var/log/mail.warn:Oct 29 02:37:19 messagerie postfix/smtpd[45572]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
16  /var/log/mail.warn:Oct 29 05:55:14 messagerie postfix/smtpd[51964]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
17  /var/log/mail.warn:Oct 29 08:14:57 messagerie postfix/smtpd[60387]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
18  /var/log/mail.warn:Oct 29 09:51:40 messagerie postfix/smtpd[3024]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
root@messagerie[10.10.10.19] ~ #

The 10 attacks in a 24-hour span begin at the fifth attempt on Oct 28 07:17 and run until Oct 29 02:06:

 5  /var/log/mail.warn:Oct 28 07:17:06 messagerie postfix/smtpd[3820]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 6  /var/log/mail.warn:Oct 28 09:47:43 messagerie postfix/smtpd[7036]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 7  /var/log/mail.warn:Oct 28 14:29:46 messagerie postfix/smtpd[17325]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 8  /var/log/mail.warn:Oct 28 16:03:36 messagerie postfix/smtpd[21266]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
 9  /var/log/mail.warn:Oct 28 16:40:52 messagerie postfix/smtpd[23872]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
10  /var/log/mail.warn:Oct 28 20:35:57 messagerie postfix/smtpd[30183]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
11  /var/log/mail.warn:Oct 28 23:16:20 messagerie postfix/smtpd[36002]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
12  /var/log/mail.warn:Oct 29 01:05:18 messagerie postfix/smtpd[42070]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
13  /var/log/mail.warn:Oct 29 02:03:15 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
14  /var/log/mail.warn:Oct 29 02:06:38 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

So the ban should have been at the 14th recorded attempt. A grep on the fail2ban logs shows no such ban:

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 187.178.172.36 /var/log/fail2ban.log*
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

Any tips to troubleshoot this?

Yassine.
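One way to check the expectation in the message above independently of fail2ban, as an added example that is not part of the original post and is not fail2ban's own code: it replays the quoted failures through a plain sliding-window counter using the jail's maxretry and findtime values. The year, the constant PID in the rebuilt lines and all function names are assumptions, and fail2ban's internal bookkeeping may differ from this model.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample: the 18 failure timestamps quoted in the post,
# rebuilt into log lines (PID replaced by a constant placeholder).
STAMPS = {
    "Oct 27": "19:47:21 20:17:43 21:18:18 22:09:36",
    "Oct 28": "07:17:06 09:47:43 14:29:46 16:03:36 16:40:52 20:35:57 23:16:20",
    "Oct 29": "01:05:18 02:03:15 02:06:38 02:37:19 05:55:14 08:14:57 09:51:40",
}
TEMPLATE = ("/var/log/mail.warn:{day} {time} messagerie postfix/smtpd[1]: warning: "
            "187-178-172-36.dynamic.axtel.net[187.178.172.36]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

# Optional "file:" prefix (grep output), syslog timestamp, then the SASL warning.
FAIL_RE = re.compile(
    r"^(?:[^:\s]+:)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed"
)

def sample_lines():
    return [TEMPLATE.format(day=d, time=t)
            for d, times in STAMPS.items() for t in times.split()]

def first_ban(lines, maxretry=10, findtime=86400, year=2000):
    """Return (ip, attempt_number, time) of the first threshold hit, else None.

    Syslog timestamps carry no year, so `year` is an arbitrary assumption.
    """
    windows, seen = {}, {}          # per-IP window of times / total attempts
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        seen[ip] = seen.get(ip, 0) + 1
        win = windows.setdefault(ip, deque())
        win.append(ts)
        # Drop failures that fell out of the findtime window.
        while (ts - win[0]).total_seconds() > findtime:
            win.popleft()
        if len(win) >= maxretry:
            return ip, seen[ip], ts
    return None

if __name__ == "__main__":
    print(first_ban(sample_lines()))
```

Piping the real `egrep` output into `first_ban` gives the same check on live data; if this model reports a hit and fail2ban.log shows none, the gap lies in what the jail actually read or matched rather than in the thresholds.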