Update

The IP has been banned today at 13:43, but it should have been banned earlier 
as I explained in my previous mail.


2017-10-29 13:43:36,637 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Ban 187.178.172.36


On Sunday, October 29, 2017 12:42 PM, Tom Hendrikx <t...@whyscream.net> wrote:
> Does your regex work when you test it using fail2ban-regex?

I use the default postfix-sasl regex, which had 700+ matches.

Here's postfix-sasl-long

root@messagerie[10.10.10.19] ~ # fail2ban-client get postfix-sasl-long 
failregex 
The following regular expression are defined:
`- [0]: ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] 
)?(?:@vserver_\S+ 
)?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
 \d+ \S+\])?\s*warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\]: SASL 
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
A-Za-z0-9+/]*={0,2})?\s*$
root@messagerie[10.10.10.19] ~ #

Here's postfix-sasl

root@messagerie[10.10.10.19] ~ # fail2ban-client get postfix-sasl failregex 
The following regular expression are defined:
`- [0]: ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] 
)?(?:@vserver_\S+ 
)?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
 \d+ \S+\])?\s*warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\]: SASL 
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
A-Za-z0-9+/]*={0,2})?\s*$
root@messagerie[10.10.10.19] ~ #


Proof they're the same

root@messagerie[10.10.10.19] ~ # diff <(fail2ban-client get postfix-sasl 
failregex)  <(fail2ban-client get postfix-sasl-long failregex)


Proof it matches

root@messagerie[10.10.10.19] ~ # fail2ban-regex /var/log/mail.warn 
/etc/fail2ban/filter.d/postfix-sasl.conf 

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
Use         log file : /var/log/mail.warn


Results
=======

Failregex: 753 total
|-  #) [# of hits] regular expression
|   1) [753] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] 
)?(?:@vserver_\S+ 
)?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
 \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL 
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
A-Za-z0-9+/]*={0,2})?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1146] MONTH Day Hour:Minute:Second
`-

Lines: 1146 lines, 0 ignored, 753 matched, 393 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 393 
lines
root@messagerie[10.10.10.19] ~ # 

> What does f2b log when your jail starts up?

Here's a complete restart session:

2017-10-29 14:01:13,781 fail2ban.server [23538]: INFO    Stopping all jails
2017-10-29 14:01:14,050 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 
113.121.246.35
2017-10-29 14:01:14,086 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 
185.165.29.27
2017-10-29 14:01:14,122 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 
185.165.29.83
2017-10-29 14:01:14,158 fail2ban.jail   [23538]: INFO    Jail 'postfix-sasl' 
stopped
2017-10-29 14:01:14,424 fail2ban.jail   [23538]: INFO    Jail 'ssh' stopped
2017-10-29 14:01:14,515 fail2ban.jail   [23538]: INFO    Jail 'dovecot' stopped
2017-10-29 14:01:15,436 fail2ban.jail   [23538]: INFO    Jail 'postfix' stopped
2017-10-29 14:01:15,876 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 37.49.227.130
2017-10-29 14:01:15,917 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 89.248.162.247
2017-10-29 14:01:15,952 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 89.146.35.189
2017-10-29 14:01:15,988 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 101.98.109.47
2017-10-29 14:01:16,024 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 82.214.127.122
2017-10-29 14:01:16,059 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 37.152.12.252
2017-10-29 14:01:16,095 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 124.158.9.40
2017-10-29 14:01:16,131 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 200.188.141.75
2017-10-29 14:01:16,167 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 85.194.87.126
2017-10-29 14:01:16,203 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 181.143.94.74
2017-10-29 14:01:16,238 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 190.145.154.149
2017-10-29 14:01:16,273 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 175.139.253.93
2017-10-29 14:01:16,309 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
Unban 187.178.172.36
2017-10-29 14:01:16,345 fail2ban.jail   [23538]: INFO    Jail 
'postfix-sasl-long' stopped
2017-10-29 14:01:17,167 fail2ban.jail   [23538]: INFO    Jail 'dovecot-long' 
stopped
2017-10-29 14:01:17,185 fail2ban.server [23538]: INFO    Exiting Fail2ban
2017-10-29 14:01:17,888 fail2ban.server [39052]: INFO    Changed logging target 
to /var/log/fail2ban.log for Fail2ban v0.8.13
2017-10-29 14:01:17,888 fail2ban.jail   [39052]: INFO    Creating new jail 'ssh'
2017-10-29 14:01:17,975 fail2ban.jail   [39052]: INFO    Jail 'ssh' euses 
pyinotify
2017-10-29 14:01:18,010 fail2ban.jail   [39052]: INFO    Initiated 'pyinotify' 
backend
2017-10-29 14:01:18,012 fail2ban.filter [39052]: INFO    Added logfile = 
/var/log/auth.log
2017-10-29 14:01:18,014 fail2ban.filter [39052]: INFO    Set maxRetry = 6
2017-10-29 14:01:18,018 fail2ban.filter [39052]: INFO    Set findtime = 600
2017-10-29 14:01:18,018 fail2ban.actions[39052]: INFO    Set banTime = 86400
2017-10-29 14:01:18,086 fail2ban.jail   [39052]: INFO    Creating new jail 
'postfix'
2017-10-29 14:01:18,086 fail2ban.jail   [39052]: INFO    Jail 'postfix' uses 
pyinotify
2017-10-29 14:01:18,092 fail2ban.jail   [39052]: INFO    Initiated 'pyinotify' 
backend
2017-10-29 14:01:18,094 fail2ban.filter [39052]: INFO    Added logfile = 
/var/log/mail.log
2017-10-29 14:01:18,095 fail2ban.filter [39052]: INFO    Set maxRetry = 3
2017-10-29 14:01:18,099 fail2ban.filter [39052]: INFO    Set findtime = 600
2017-10-29 14:01:18,099 fail2ban.actions[39052]: INFO    Set banTime = 86400
2017-10-29 14:01:18,122 fail2ban.jail   [39052]: INFO    Creating new jail 
'dovecot'
2017-10-29 14:01:18,122 fail2ban.jail   [39052]: INFO    Jail 'dovecot' uses 
pyinotify
2017-10-29 14:01:18,128 fail2ban.jail   [39052]: INFO    Initiated 'pyinotify' 
backend
2017-10-29 14:01:18,129 fail2ban.filter [39052]: INFO    Added logfile = 
/var/log/dovecot.log
2017-10-29 14:01:18,131 fail2ban.filter [39052]: INFO    Set maxRetry = 3
2017-10-29 14:01:18,134 fail2ban.filter [39052]: INFO    Set findtime = 600
2017-10-29 14:01:18,134 fail2ban.actions[39052]: INFO    Set banTime = 86400
2017-10-29 14:01:18,161 fail2ban.jail   [39052]: INFO    Creating new jail 
'postfix-sasl'
2017-10-29 14:01:18,161 fail2ban.jail   [39052]: INFO    Jail 'postfix-sasl' 
uses pyinotify
2017-10-29 14:01:18,167 fail2ban.jail   [39052]: INFO    Initiated 'pyinotify' 
backend
2017-10-29 14:01:18,169 fail2ban.filter [39052]: INFO    Added logfile = 
/var/log/mail.warn
2017-10-29 14:01:18,170 fail2ban.filter [39052]: INFO    Set maxRetry = 3
2017-10-29 14:01:18,174 fail2ban.filter [39052]: INFO    Set findtime = 600
2017-10-29 14:01:18,175 fail2ban.actions[39052]: INFO    Set banTime = 86400
2017-10-29 14:01:18,184 fail2ban.jail   [39052]: INFO    Creating new jail 
'postfix-sasl-long'
2017-10-29 14:01:18,184 fail2ban.jail   [39052]: INFO    Jail 
'postfix-sasl-long' uses pyinotify
2017-10-29 14:01:18,190 fail2ban.jail   [39052]: INFO    Initiated 'pyinotify' 
backend
2017-10-29 14:01:18,192 fail2ban.filter [39052]: INFO    Added logfile = 
/var/log/mail.warn
2017-10-29 14:01:18,193 fail2ban.filter [39052]: INFO    Set maxRetry = 10
2017-10-29 14:01:18,196 fail2ban.filter [39052]: INFO    Set findtime = 86400
2017-10-29 14:01:18,197 fail2ban.actions[39052]: INFO    Set banTime = 432000
2017-10-29 14:01:18,202 fail2ban.jail   [39052]: INFO    Creating new jail 
'dovecot-long'
2017-10-29 14:01:18,202 fail2ban.jail   [39052]: INFO    Jail 'dovecot-long' 
uses pyinotify
2017-10-29 14:01:18,208 fail2ban.jail   [39052]: INFO    Initiated 'pyinotify' 
backend
2017-10-29 14:01:18,210 fail2ban.filter [39052]: INFO    Added logfile = 
/var/log/dovecot.log
2017-10-29 14:01:18,211 fail2ban.filter [39052]: INFO    Set maxRetry = 10
2017-10-29 14:01:18,214 fail2ban.filter [39052]: INFO    Set findtime = 86400
2017-10-29 14:01:18,215 fail2ban.actions[39052]: INFO    Set banTime = 432000
2017-10-29 14:01:18,222 fail2ban.jail   [39052]: INFO    Jail 'ssh' started
2017-10-29 14:01:18,224 fail2ban.jail   [39052]: INFO    Jail 'postfix' started
2017-10-29 14:01:18,226 fail2ban.jail   [39052]: INFO    Jail 'dovecot' started
2017-10-29 14:01:18,227 fail2ban.jail   [39052]: INFO    Jail 'postfix-sasl' 
started
2017-10-29 14:01:18,228 fail2ban.jail   [39052]: INFO    Jail 
'postfix-sasl-long' started
2017-10-29 14:01:18,230 fail2ban.jail   [39052]: INFO    Jail 'dovecot-long' 
started

> What does fail2ban log when this recurring ip address connects?

Nothing? See previous command trace:

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 187.178.172.36 
/var/log/fail2ban.log*
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

> What is in your filter file?

root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/filter.d/postfix-sasl.conf 
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL 
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
A-Za-z0-9+/]*={0,2})?\s*$

# Author: Yaroslav Halchenko
root@messagerie[10.10.10.19] ~ # 

> What is in your action file?

root@messagerie[10.10.10.19] ~ # removeblanks 
/etc/fail2ban/action.d/shorewall.conf 
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = shorewall <blocktype> <ip>
actionunban = shorewall allow <ip>
[Init]
blocktype = reject
root@messagerie[10.10.10.19] ~ # 

> How does your complete jail config look like?

Here's jail.local

root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/jail.local
[DEFAULT]
action = shorewall
ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
bantime = 86400
[postfix-sasl]
enabled  = true
port     = all
filter   = postfix-sasl
logpath  = /var/log/mail.warn
maxretry = 3
findtime = 600
[postfix-sasl-long]
enabled  = true
port     = all
filter   = postfix-sasl
logpath  = /var/log/mail.warn
maxretry = 10
findtime = 86400
bantime    = 432000 
[postfix]
enabled  = true
port     = all
filter   = postfix
logpath  = /var/log/mail.log
[dovecot]
enabled = true
port    = all
filter  = dovecot
logpath = /var/log/dovecot.log
[dovecot-long]
findtime   = 86400
maxretry   = 10
bantime    = 432000 
enabled    = true
port       = all
filter     = dovecot
logpath    = /var/log/dovecot.log
[ssh]
port = all
root@messagerie[10.10.10.19] ~ # 

And the only enabled jail in jail.conf is ssh:

root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/jail.conf | egrep 
-B 1 "enabled.*=.*true"
[ssh]
enabled  = true
root@messagerie[10.10.10.19] ~ # 

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
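As an added illustration (not code from this thread or from fail2ban itself), here is a small Python model of how the two jails in the jail.local above can disagree even though they share one failregex and one log file: it runs the page's postfix-sasl failregex over constructed mail.warn lines and applies each jail's maxretry/findtime window. The sliding-window counting, the expanded syslog prefix in place of %(__prefix_line)s, and the sample lines are assumptions, not fail2ban's internals.

```python
import re
from datetime import datetime

# Added example, not fail2ban's own code. The failregex is the one shown in the
# page's postfix-sasl.conf; %(__prefix_line)s and <HOST> are expanded here into a
# simplified syslog prefix and a named host group so it runs stand-alone with re.
FAILREGEX = re.compile(
    r"^\s*(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[\w\-.^_]*\w)\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

# Constructed mail.warn lines (not taken from the page): one client fails SASL
# LOGIN once every 20 minutes, twelve times in a row.
SAMPLE_LOG = "\n".join(
    f"Oct 29 {i * 20 // 60:02d}:{i * 20 % 60:02d}:00 messagerie postfix/smtpd[1234]: "
    "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    for i in range(12)
)


def parse_failures(log_text, year=2017):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def jail_bans(log_text, maxretry, findtime):
    """Simplified model of one jail (assumed, not fail2ban's algorithm): a host is
    banned when its maxretry-th failure falls inside a sliding window of findtime
    seconds. Returns {host: ban time as text}."""
    recent, bans = {}, {}
    for ts, host in sorted(parse_failures(log_text)):
        if host in bans:
            continue  # already banned; later lines no longer count
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts.strftime("%b %d %H:%M:%S")
    return bans


if __name__ == "__main__":
    # Thresholds are the two jails from the page's jail.local.
    print("postfix-sasl      (3 in 600s):   ", jail_bans(SAMPLE_LOG, 3, 600))
    print("postfix-sasl-long (10 in 86400s):", jail_bans(SAMPLE_LOG, 10, 86400))
```

With these constructed lines the 3-in-600s jail never fires, while the 10-in-86400s jail bans at the tenth failure; a real investigation would compare the suspect address's actual timestamps in mail.warn against both windows the same way.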