Looks like your regex is wrong.  Do you get any hits when you run:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/blockip-custom.conf

I think your regex should be:
failregex = \[<HOST>\]:\s+535 Incorrect authentication data

Bill

On 1/17/2018 9:46 AM, Emanuel Gonzalez wrote:

Yes, the file blockip-custom.conf exists in /etc/fail2ban/action.d but it does not block IPs


example:


Jan 17 11:38:54 linux.backend exim[14840]: 2018-01-17 11:38:52 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:55 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:55 linux.backend exim[14840]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:56 linux.backend exim[21770]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:56 linux.backend exim[14840]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:58 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:58 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:59 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)

In the file maillog-custom.conf

failregex =  \[<HOST>\]:\d+: 535 Incorrect authentication data
[rsyslog-maillog]
enabled = true
filter = maillog-custom
bantime = 86400
findtime = 600
maxretry = 5
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# tail: start at the end of the log
# so that it does not start processing it from the beginning or from where it left off
logpath = /var/log/maillog

any ideas?

Regards,




--------------------------------------------------------------------------------------------------------------------------------
*From:* Roman Pikalo <roman.pik...@funderbeam.com>
*Sent:* Wednesday, January 17, 2018 9:04:49
*To:* Emanuel Gonzalez
*Cc:* fail2ban-users@lists.sourceforge.net
*Subject:* Re: [Fail2ban-users] Enable multiple jails

Do you have blockip-custom banaction defined in the /etc/fail2ban/jail.conf file?

Bregs, Roman

Emanuel Gonzalez <emanuel_gonza...@live.com.ar>:

Hello, I have read all the documentation but I cannot solve my problem.

I created the file jail-custom.conf in /etc/fail2ban/jail.d with this config:

[rsyslog-maillog]
enabled = true
filter = maillog-custom
bantime = 86400
findtime = 600
maxretry = 5
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
port = imap3,imaps,pop3,pop3s
# tail: start at the end of the log
# so that it does not start processing it from the beginning or from where it left off
logpath = /var/log/maillog tail


[exim]
enabled = true
filter = exim
port = smtp,465,submission
bantime = 86400
findtime = 600
maxretry = 5
#banaction = blockip-custom
#action = %(action_)s
action = blockip-custom
logpath  = /var/log/maillog
backend  = auto
#journalmatch =


The jail "rsyslog-maillog" works, but the exim jail does not.

tail -f /var/log/fail2ban.log
2018-01-16 15:20:58,599 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 111.75.167.157
2018-01-16 15:21:05,610 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 111.89.179.159
2018-01-16 15:21:06,830 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.112.193.39
2018-01-16 15:21:13,871 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.112.25.39
2018-01-16 15:21:14,643 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.113.241.17
2018-01-16 15:21:15,435 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.113.60.146
2018-01-16 15:21:17,246 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.113.60.247
2018-01-16 15:21:24,439 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.113.60.38
2018-01-16 15:21:25,222 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.113.61.121
2018-01-16 15:21:26,009 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 112.113.61.183

any ideas? regards

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org <http://slashdot.org/>! 
http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net 
<mailto:Fail2ban-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
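
Added example, not part of the original thread and not fail2ban's own code: a small Python check of the two failregex patterns discussed above against lines shaped like the quoted exim log, followed by the maxretry/findtime count the jail would apply. The <HOST> expansion is a simplified IPv4-only stand-in, and the sample lines, addresses, mailbox and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
ORIGINAL = r"\[<HOST>\]:\d+: 535 Incorrect authentication data"   # filter in the thread
SUGGESTED = r"\[<HOST>\]:\s+535 Incorrect authentication data"    # Bill's replacement

# Constructed lines in the shape of the exim log quoted in the thread;
# the addresses and mailbox are placeholders.
LINE = ("Jan 17 11:38:{s:02d} linux.backend exim[14840]: 2018-01-17 11:38:{s:02d} "
        "fixed_login authenticator failed for (User) [{ip}]{port}: "
        "535 Incorrect authentication data (set_id=user@example.com)")
SAMPLE = ([LINE.format(s=s, ip="203.0.113.10", port="") for s in range(50, 56)]
          + [LINE.format(s=s, ip="198.51.100.7", port="") for s in (57, 58)])
# Constructed variant with ":port" after the bracket, the shape ORIGINAL requires.
WITH_PORT = LINE.format(s=59, ip="203.0.113.10", port=":52311")

def failures(lines, failregex):
    """Return (timestamp, host) for every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    stamp = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(stamp.search(line).group(), "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(hits, maxretry=5, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    by_host = defaultdict(list)
    for ts, host in sorted(hits):
        by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    return sorted(h for h, t in by_host.items()
                  if any(t[i + maxretry - 1] - t[i] <= window
                         for i in range(len(t) - maxretry + 1)))

if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        hits = failures(SAMPLE, rx)
        print(f"{name}: {len(hits)} matches, ban {hosts_to_ban(hits)}")
```

The original pattern only matches when digits and a second colon follow the closing bracket, so on the log shape quoted in the thread it records no failures and the jail never reaches maxretry.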

