Hi, your problem is shorewall.

The shorewall block method only takes a single input: the ip address. It is not able to differentiate between multiple jails (unlike f.i. iptables). That means that when 187.178.172.36 connects, it is probably banned by postfix-sasl after a few times. After a short while it is unbanned, and promptly returns. After a few times of banning/unbanning by postfix-sasl, it will also be banned by postfix-sasl-long. Now the address is banned by 2 jails. Then it is unbanned again by postfix-sasl, and thus removed from the shorewall blacklist. Fail2ban thinks that postfix-sasl-long is still banning this, but shorewall doesn't block it. Now the address can keep coming back and fail2ban won't block it again.

Shorewall is a dumb jail, don't use it when you want to do sophisticated things like short and long blocks for the same port, or f.i. using recidive jail.

Kind regards,
Tom

On 29-10-17 14:17, chaouche yacine via Fail2ban-users wrote:
> Update
>
> The IP has been banned today at 13:43, but it should have been banned earlier as I explained in my previous mail.
>
> 2017-10-29 13:43:36,637 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Ban 187.178.172.36
>
> On Sunday, October 29, 2017 12:42 PM, Tom Hendrikx <t...@whyscream.net> wrote:
>> Does your regex work when you test it using fail2ban-regex?
>
> I use the default postfix-sasl regex which had 700+ matches
>
> Here's postfix-sasl-long
>
> root@messagerie[10.10.10.19] ~ # fail2ban-client get postfix-sasl-long failregex
> The following regular expression are defined:
> `- [0]: ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
> root@messagerie[10.10.10.19] ~ #
>
> Here's postfix-sasl
>
> root@messagerie[10.10.10.19] ~ # fail2ban-client get postfix-sasl failregex
> The following regular expression are defined:
> `- [0]: ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
> root@messagerie[10.10.10.19] ~ #
>
> Proof they're the same
>
> root@messagerie[10.10.10.19] ~ # diff <(fail2ban-client get postfix-sasl failregex) <(fail2ban-client get postfix-sasl-long failregex)
>
> Proof it matches
>
> root@messagerie[10.10.10.19] ~ # fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/postfix-sasl.conf
>
> Running tests
> =============
>
> Use failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
> Use log file : /var/log/mail.warn
>
>
> Results
> =======
>
> Failregex: 753 total
> |- #) [# of hits] regular expression
> | 1) [753] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [1146] MONTH Day Hour:Minute:Second
> `-
>
> Lines: 1146 lines, 0 ignored, 753 matched, 393 missed
> Missed line(s): too many to print. Use --print-all-missed to print all 393 lines
> root@messagerie[10.10.10.19] ~ #
>
>> What does f2b log when your jail starts up?
>
> Here's a complete restart session :
>
> 2017-10-29 14:01:13,781 fail2ban.server [23538]: INFO Stopping all jails
> 2017-10-29 14:01:14,050 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 113.121.246.35
> 2017-10-29 14:01:14,086 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 185.165.29.27
> 2017-10-29 14:01:14,122 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 185.165.29.83
> 2017-10-29 14:01:14,158 fail2ban.jail [23538]: INFO Jail 'postfix-sasl' stopped
> 2017-10-29 14:01:14,424 fail2ban.jail [23538]: INFO Jail 'ssh' stopped
> 2017-10-29 14:01:14,515 fail2ban.jail [23538]: INFO Jail 'dovecot' stopped
> 2017-10-29 14:01:15,436 fail2ban.jail [23538]: INFO Jail 'postfix' stopped
> 2017-10-29 14:01:15,876 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 37.49.227.130
> 2017-10-29 14:01:15,917 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 89.248.162.247
> 2017-10-29 14:01:15,952 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 89.146.35.189
> 2017-10-29 14:01:15,988 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 101.98.109.47
> 2017-10-29 14:01:16,024 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 82.214.127.122
> 2017-10-29 14:01:16,059 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 37.152.12.252
> 2017-10-29 14:01:16,095 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 124.158.9.40
> 2017-10-29 14:01:16,131 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 200.188.141.75
> 2017-10-29 14:01:16,167 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 85.194.87.126
> 2017-10-29 14:01:16,203 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 181.143.94.74
> 2017-10-29 14:01:16,238 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 190.145.154.149
> 2017-10-29 14:01:16,273 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 175.139.253.93
> 2017-10-29 14:01:16,309 fail2ban.actions[23538]: WARNING [postfix-sasl-long] Unban 187.178.172.36
> 2017-10-29 14:01:16,345 fail2ban.jail [23538]: INFO Jail 'postfix-sasl-long' stopped
> 2017-10-29 14:01:17,167 fail2ban.jail [23538]: INFO Jail 'dovecot-long' stopped
> 2017-10-29 14:01:17,185 fail2ban.server [23538]: INFO Exiting Fail2ban
> 2017-10-29 14:01:17,888 fail2ban.server [39052]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
> 2017-10-29 14:01:17,888 fail2ban.jail [39052]: INFO Creating new jail 'ssh'
> 2017-10-29 14:01:17,975 fail2ban.jail [39052]: INFO Jail 'ssh' uses pyinotify
> 2017-10-29 14:01:18,010 fail2ban.jail [39052]: INFO Initiated 'pyinotify' backend
> 2017-10-29 14:01:18,012 fail2ban.filter [39052]: INFO Added logfile = /var/log/auth.log
> 2017-10-29 14:01:18,014 fail2ban.filter [39052]: INFO Set maxRetry = 6
> 2017-10-29 14:01:18,018 fail2ban.filter [39052]: INFO Set findtime = 600
> 2017-10-29 14:01:18,018 fail2ban.actions[39052]: INFO Set banTime = 86400
> 2017-10-29 14:01:18,086 fail2ban.jail [39052]: INFO Creating new jail 'postfix'
> 2017-10-29 14:01:18,086 fail2ban.jail [39052]: INFO Jail 'postfix' uses pyinotify
> 2017-10-29 14:01:18,092 fail2ban.jail [39052]: INFO Initiated 'pyinotify' backend
> 2017-10-29 14:01:18,094 fail2ban.filter [39052]: INFO Added logfile = /var/log/mail.log
> 2017-10-29 14:01:18,095 fail2ban.filter [39052]: INFO Set maxRetry = 3
> 2017-10-29 14:01:18,099 fail2ban.filter [39052]: INFO Set findtime = 600
> 2017-10-29 14:01:18,099 fail2ban.actions[39052]: INFO Set banTime = 86400
> 2017-10-29 14:01:18,122 fail2ban.jail [39052]: INFO Creating new jail 'dovecot'
> 2017-10-29 14:01:18,122 fail2ban.jail [39052]: INFO Jail 'dovecot' uses pyinotify
> 2017-10-29 14:01:18,128 fail2ban.jail [39052]: INFO Initiated 'pyinotify' backend
> 2017-10-29 14:01:18,129 fail2ban.filter [39052]: INFO Added logfile = /var/log/dovecot.log
> 2017-10-29 14:01:18,131 fail2ban.filter [39052]: INFO Set maxRetry = 3
> 2017-10-29 14:01:18,134 fail2ban.filter [39052]: INFO Set findtime = 600
> 2017-10-29 14:01:18,134 fail2ban.actions[39052]: INFO Set banTime = 86400
> 2017-10-29 14:01:18,161 fail2ban.jail [39052]: INFO Creating new jail 'postfix-sasl'
> 2017-10-29 14:01:18,161 fail2ban.jail [39052]: INFO Jail 'postfix-sasl' uses pyinotify
> 2017-10-29 14:01:18,167 fail2ban.jail [39052]: INFO Initiated 'pyinotify' backend
> 2017-10-29 14:01:18,169 fail2ban.filter [39052]: INFO Added logfile = /var/log/mail.warn
> 2017-10-29 14:01:18,170 fail2ban.filter [39052]: INFO Set maxRetry = 3
> 2017-10-29 14:01:18,174 fail2ban.filter [39052]: INFO Set findtime = 600
> 2017-10-29 14:01:18,175 fail2ban.actions[39052]: INFO Set banTime = 86400
> 2017-10-29 14:01:18,184 fail2ban.jail [39052]: INFO Creating new jail 'postfix-sasl-long'
> 2017-10-29 14:01:18,184 fail2ban.jail [39052]: INFO Jail 'postfix-sasl-long' uses pyinotify
> 2017-10-29 14:01:18,190 fail2ban.jail [39052]: INFO Initiated 'pyinotify' backend
> 2017-10-29 14:01:18,192 fail2ban.filter [39052]: INFO Added logfile = /var/log/mail.warn
> 2017-10-29 14:01:18,193 fail2ban.filter [39052]: INFO Set maxRetry = 10
> 2017-10-29 14:01:18,196 fail2ban.filter [39052]: INFO Set findtime = 86400
> 2017-10-29 14:01:18,197 fail2ban.actions[39052]: INFO Set banTime = 432000
> 2017-10-29 14:01:18,202 fail2ban.jail [39052]: INFO Creating new jail 'dovecot-long'
> 2017-10-29 14:01:18,202 fail2ban.jail [39052]: INFO Jail 'dovecot-long' uses pyinotify
> 2017-10-29 14:01:18,208 fail2ban.jail [39052]: INFO Initiated 'pyinotify' backend
> 2017-10-29 14:01:18,210 fail2ban.filter [39052]: INFO Added logfile = /var/log/dovecot.log
> 2017-10-29 14:01:18,211 fail2ban.filter [39052]: INFO Set maxRetry = 10
> 2017-10-29 14:01:18,214 fail2ban.filter [39052]: INFO Set findtime = 86400
> 2017-10-29 14:01:18,215 fail2ban.actions[39052]: INFO Set banTime = 432000
> 2017-10-29 14:01:18,222 fail2ban.jail [39052]: INFO Jail 'ssh' started
> 2017-10-29 14:01:18,224 fail2ban.jail [39052]: INFO Jail 'postfix' started
> 2017-10-29 14:01:18,226 fail2ban.jail [39052]: INFO Jail 'dovecot' started
> 2017-10-29 14:01:18,227 fail2ban.jail [39052]: INFO Jail 'postfix-sasl' started
> 2017-10-29 14:01:18,228 fail2ban.jail [39052]: INFO Jail 'postfix-sasl-long' started
> 2017-10-29 14:01:18,230 fail2ban.jail [39052]: INFO Jail 'dovecot-long' started
>
>> What does fail2ban log when this recurring ip address connects?
>
> Nothing ? see previous command trace :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 187.178.172.36 /var/log/fail2ban.log*
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
>> What is in your filter file?
>
> root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/filter.d/postfix-sasl.conf
> # Fail2Ban filter for postfix authentication failures
> #
>
> [INCLUDES]
>
> before = common.conf
>
> [Definition]
>
> _daemon = postfix/smtpd
>
> failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
>
> # Author: Yaroslav Halchenko
> root@messagerie[10.10.10.19] ~ #
>
>> What is in your action file?
>
> root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/action.d/shorewall.conf
> [Definition]
> actionstart =
> actionstop =
> actioncheck =
> actionban = shorewall <blocktype> <ip>
> actionunban = shorewall allow <ip>
> [Init]
> blocktype = reject
> root@messagerie[10.10.10.19] ~ #
>
>> How does your complete jail config look like?
>
> Here's jail.local
>
> root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/jail.local
> [DEFAULT]
> action = shorewall
> ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
> bantime = 86400
> [postfix-sasl]
> enabled = true
> port = all
> filter = postfix-sasl
> logpath = /var/log/mail.warn
> maxretry = 3
> findtime = 600
> [postfix-sasl-long]
> enabled = true
> port = all
> filter = postfix-sasl
> logpath = /var/log/mail.warn
> maxretry = 10
> findtime = 86400
> bantime = 432000
> [postfix]
> enabled = true
> port = all
> filter = postfix
> logpath = /var/log/mail.log
> [dovecot]
> enabled = true
> port = all
> filter = dovecot
> logpath = /var/log/dovecot.log
> [dovecot-long]
> findtime = 86400
> maxretry = 10
> bantime = 432000
> enabled = true
> port = all
> filter = dovecot
> logpath = /var/log/dovecot.log
> [ssh]
> port = all
> root@messagerie[10.10.10.19] ~ #
>
> And the only enabled jail in jail.conf is ssh :
>
> root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/jail.conf | egrep -B 1 "enabled.*=.*true"
> [ssh]
> enabled = true
> root@messagerie[10.10.10.19] ~ #
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
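Tom's explanation, modelled as an added Python illustration (not fail2ban or shorewall code): the same ban/unban sequence is replayed against a shorewall-style action that keys only on the IP and against an action that keeps one chain per jail, and the two disagree with fail2ban's own per-jail bookkeeping in exactly the way described. Jail names come from the thread's jail.local; the sample address, the class names and the replay() helper are constructed for the example.

```python
IP = "192.0.2.10"  # constructed sample address (TEST-NET-1), not from the thread

class ShorewallAction:
    """`shorewall reject <ip>` / `shorewall allow <ip>`: one blocklist keyed
    only by IP, so the jail that asked for the ban is never recorded."""
    def __init__(self):
        self.blocked = set()
    def ban(self, jail, ip):
        self.blocked.add(ip)
    def unban(self, jail, ip):
        self.blocked.discard(ip)  # removes the only entry, whichever jail asked
    def is_blocked(self, ip):
        return ip in self.blocked

class PerJailAction:
    """One chain per jail, the way fail2ban's iptables actions keep it: an
    unban from one jail leaves the other jail's entry untouched."""
    def __init__(self):
        self.chains = {}
    def ban(self, jail, ip):
        self.chains.setdefault(jail, set()).add(ip)
    def unban(self, jail, ip):
        self.chains.setdefault(jail, set()).discard(ip)
    def is_blocked(self, ip):
        return any(ip in chain for chain in self.chains.values())

def replay(action, events, ip):
    """Feed (op, jail, addr) events to the action. Returns the jails in which
    fail2ban still counts `ip` as banned, and whether the firewall blocks it."""
    banned_by = {}  # fail2ban's own bookkeeping is always per jail
    for op, jail, addr in events:
        getattr(action, op)(jail, addr)
        entries = banned_by.setdefault(jail, set())
        if op == "ban":
            entries.add(addr)
        else:
            entries.discard(addr)
    return {j for j, s in banned_by.items() if ip in s}, action.is_blocked(ip)

# The sequence Tom describes: the short jail bans and unbans a few times, the
# long jail bans too, then the short jail's ban expires first.
EVENTS = [
    ("ban", "postfix-sasl", IP),
    ("unban", "postfix-sasl", IP),
    ("ban", "postfix-sasl", IP),
    ("ban", "postfix-sasl-long", IP),  # banned by both jails now
    ("unban", "postfix-sasl", IP),     # the short ban expires
]
```

With the shorewall-style action the replay ends with postfix-sasl-long still listing the address while the firewall no longer blocks it; with the per-jail action the long ban survives the short unban.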
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users