On 29-10-17 12:10, chaouche yacine via Fail2ban-users wrote:
>
> I configured my postfix-long jail to read from mail.warn :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long logpath
> Current monitored log file(s):
> `- /var/log/mail.warn
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
>
> I'd like to ban after 10 attempts in 24 hours :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long maxretry
> 10
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long findtime
> 86400
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
>
> Here are the logged failures in mail.warn.
>
> root@messagerie[10.10.10.19] ~ # egrep 187.178.172.36 /var/log/mail.warn* | nl
> 1 /var/log/mail.warn:Oct 27 19:47:21 messagerie postfix/smtpd[43215]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 2 /var/log/mail.warn:Oct 27 20:17:43 messagerie postfix/smtpd[46012]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 3 /var/log/mail.warn:Oct 27 21:18:18 messagerie postfix/smtpd[47974]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 4 /var/log/mail.warn:Oct 27 22:09:36 messagerie postfix/smtpd[48979]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 5 /var/log/mail.warn:Oct 28 07:17:06 messagerie postfix/smtpd[3820]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 6 /var/log/mail.warn:Oct 28 09:47:43 messagerie postfix/smtpd[7036]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 7 /var/log/mail.warn:Oct 28 14:29:46 messagerie postfix/smtpd[17325]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 8 /var/log/mail.warn:Oct 28 16:03:36 messagerie postfix/smtpd[21266]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 9 /var/log/mail.warn:Oct 28 16:40:52 messagerie postfix/smtpd[23872]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 10 /var/log/mail.warn:Oct 28 20:35:57 messagerie postfix/smtpd[30183]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 11 /var/log/mail.warn:Oct 28 23:16:20 messagerie postfix/smtpd[36002]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 12 /var/log/mail.warn:Oct 29 01:05:18 messagerie postfix/smtpd[42070]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 13 /var/log/mail.warn:Oct 29 02:03:15 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 14 /var/log/mail.warn:Oct 29 02:06:38 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 15 /var/log/mail.warn:Oct 29 02:37:19 messagerie postfix/smtpd[45572]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 16 /var/log/mail.warn:Oct 29 05:55:14 messagerie postfix/smtpd[51964]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 17 /var/log/mail.warn:Oct 29 08:14:57 messagerie postfix/smtpd[60387]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 18 /var/log/mail.warn:Oct 29 09:51:40 messagerie postfix/smtpd[3024]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> root@messagerie[10.10.10.19] ~ #
>
>
> The 10 attacks in 24 hour span begins at the fifth attempt on Oct 28 07:17
> until Oct 29 02:06 :
>
> 5 /var/log/mail.warn:Oct 28 07:17:06 messagerie postfix/smtpd[3820]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 6 /var/log/mail.warn:Oct 28 09:47:43 messagerie postfix/smtpd[7036]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 7 /var/log/mail.warn:Oct 28 14:29:46 messagerie postfix/smtpd[17325]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 8 /var/log/mail.warn:Oct 28 16:03:36 messagerie postfix/smtpd[21266]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 9 /var/log/mail.warn:Oct 28 16:40:52 messagerie postfix/smtpd[23872]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 10 /var/log/mail.warn:Oct 28 20:35:57 messagerie postfix/smtpd[30183]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 11 /var/log/mail.warn:Oct 28 23:16:20 messagerie postfix/smtpd[36002]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 12 /var/log/mail.warn:Oct 29 01:05:18 messagerie postfix/smtpd[42070]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 13 /var/log/mail.warn:Oct 29 02:03:15 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 14 /var/log/mail.warn:Oct 29 02:06:38 messagerie postfix/smtpd[44450]: warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> So the ban should have been at the 14th recorded attempt. A grep on fail2ban
> logs shows no such ban :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 187.178.172.36 /var/log/fail2ban.log*
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
> Any tips to troubleshoot this ?

You've given us only circumstantial evidence that something might be wrong. I'd say you misconfigured fail2ban in some way, but you forgot to include any details about how you configured fail2ban.

Does your regex work when you test it using fail2ban-regex?
What does f2b log when your jail starts up?
What does fail2ban log when this recurring IP address connects?
What is in your filter file?
What is in your action file?
What does your complete jail config look like?

Kind regards,
Tom
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
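
The counting question raised in the thread (does any run of maxretry failures from one address fall inside findtime seconds, and at which failure does that first happen) can be checked offline with a sliding window. This is an added example, not part of either message and not fail2ban's own code; the regex, the function name first_threshold_hits and the year 2017 (taken from the message date) are assumptions, and the sample lines are rebuilt from the timestamps quoted above with a placeholder pid.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed pattern for the postfix/smtpd lines quoted in the thread; it is
# written for this example and is not fail2ban's shipped filter.
FAIL_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \S+ authentication failed")

def first_threshold_hits(lines, maxretry, findtime, year):
    """Map each ip to (failure number, time) of the first failure at which
    maxretry failures from that ip lie within findtime seconds."""
    windows = defaultdict(deque)  # ip -> failure times still in the window
    seen = defaultdict(int)       # ip -> failures counted so far
    hits = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, win = m["ip"], windows[m["ip"]]
        seen[ip] += 1
        win.append(ts)
        while (ts - win[0]).total_seconds() > findtime:
            win.popleft()  # drop failures older than findtime
        if len(win) >= maxretry and ip not in hits:
            hits[ip] = (seen[ip], ts)
    return hits

# Times of the 18 failures quoted in the thread; the pid is a constructed
# placeholder, the rest of each line follows the quoted format.
STAMPS = ("Oct 27 19:47:21|Oct 27 20:17:43|Oct 27 21:18:18|Oct 27 22:09:36|"
          "Oct 28 07:17:06|Oct 28 09:47:43|Oct 28 14:29:46|Oct 28 16:03:36|"
          "Oct 28 16:40:52|Oct 28 20:35:57|Oct 28 23:16:20|Oct 29 01:05:18|"
          "Oct 29 02:03:15|Oct 29 02:06:38|Oct 29 02:37:19|Oct 29 05:55:14|"
          "Oct 29 08:14:57|Oct 29 09:51:40").split("|")
LINE = ("/var/log/mail.warn:{} messagerie postfix/smtpd[1]: warning: "
        "187-178-172-36.dynamic.axtel.net[187.178.172.36]: "
        "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
SAMPLE = [LINE.format(s) for s in STAMPS]

if __name__ == "__main__":
    # maxretry and findtime as reported by fail2ban-client in the thread.
    for ip, (n, ts) in first_threshold_hits(SAMPLE, 10, 86400, 2017).items():
        print(f"{ip}: maxretry reached at failure #{n}, {ts}")
```

A result here only confirms the arithmetic on the quoted lines; whether the jail's filter matches them and what fail2ban logged at the time are the questions the reply asks.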