Emanuel.

This

"filter = maillog-custom"

__HAS__ to be the name of your filter config file
placed in directory /etc/fail2ban/filter.d

If you do not have file named

maillog-custom.conf

in directory /etc/fail2ban/filter.d

then __THIS IS__ the reason why fail2ban doesn't work as expected.


Best regards.
Tom
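As an added illustration (not code from the thread or from fail2ban itself), the following Python models the two things at issue in this thread: it derives the filter.d file that a `filter =` line implies (Tom's point above), and it expands `<HOST>` (simplified here to IPv4 only; fail2ban's real tag also accepts hostnames and IPv6), runs the three failregex variants proposed in the thread over constructed Exim lines modelled on Emanuel's, and applies the jail's findtime/maxretry window. The line contents, PIDs and the year 2018 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (the real one also accepts hostnames and IPv6).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Syslog prefix as in /var/log/maillog; fail2ban strips the date before applying failregex.
DATE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+")
TOM_A = r"^.*\[<HOST>\].*Incorrect authentication data.*"
TOM_B = r"^.*fixed_login authenticator failed.*\[<HOST>\].*"
BILL = r"\[<HOST>\]:\d+: 535 Incorrect authentication data"

def sample_lines():
    """Constructed: 14 failures from one host in 14 s, plus one successful login (must not count)."""
    secs = [31, 31, 34, 34, 36, 36, 38, 38, 40, 40, 43, 43, 45, 45]
    lines = [f"Jan 17 15:29:{s:02d}  exim[{28000 + i}]: 2018-01-17 15:29:{s:02d} fixed_login "
             f"authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect "
             f"authentication data (set_id=info)" for i, s in enumerate(secs)]
    lines.append("Jan 17 15:29:52  exim[31001]: 2018-01-17 15:29:52 1ebxyz-0008Ab-Qw <= "
                 "bob@example.com H=(laptop) [203.0.113.7] P=esmtpsa A=fixed_login:bob")
    return lines

def match_line(pattern, line):
    """(timestamp, host) if the failregex hits the line after its date prefix, else None."""
    m = DATE_RE.match(line)
    hit = pattern.search(line[m.end():]) if m else None
    if not hit:
        return None
    return datetime.strptime("2018 " + m.group(1), "%Y %b %d %H:%M:%S"), hit.group("host")

def count_hits(lines, failregex):
    pat = re.compile(failregex.replace("<HOST>", HOST_RE))
    return sum(1 for line in lines if match_line(pat, line))

def hosts_to_ban(lines, failregex, findtime=60, maxretry=10):
    """Sliding window per host, as the jail's findtime/maxretry do; returns hosts to ban."""
    pat = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits, banned = defaultdict(list), set()
    for line in lines:
        res = match_line(pat, line)
        if res:
            ts, host = res
            hits[host] = [t for t in hits[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
            if len(hits[host]) >= maxretry:
                banned.add(host)
    return banned

def expected_filter_file(jail_conf_text, filter_d="/etc/fail2ban/filter.d"):
    """'filter = X' in a jail means fail2ban loads filter_d/X.conf, which must exist."""
    m = re.search(r"^\s*filter\s*=\s*(\S+)", jail_conf_text, re.M)
    return f"{filter_d}/{m.group(1)}.conf" if m else None
```

Note that Bill's variant expects a `:port` after the bracketed address, which the posted Exim lines do not carry, so it yields no hits on them.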




On 17/01/18 19:31, Emanuel Gonzalez wrote:
Failregex: 980 total
|-  #) [# of hits] regular expression
|   1) [812] ^.*\[<HOST>\].*Incorrect authentication data.*

but fail2ban not ban the IP address.

example

Jan 17 15:29:31  exim[28085]: 2018-01-17 15:29:31 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:31  exim[28085]: 2018-01-17 15:29:31 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:34  exim[32603]: 2018-01-17 15:29:34 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:34  exim[32603]: 2018-01-17 15:29:34 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:36  exim[29557]: 2018-01-17 15:29:36 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:36  exim[29557]: 2018-01-17 15:29:36 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:38  exim[4645]: 2018-01-17 15:29:38 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:38  exim[4645]: 2018-01-17 15:29:38 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:40  exim[27325]: 2018-01-17 15:29:40 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:40  exim[27325]: 2018-01-17 15:29:40 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:43  exim[32745]: 2018-01-17 15:29:43 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:43  exim[32745]: 2018-01-17 15:29:43 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:45  exim[29691]: 2018-01-17 15:29:45 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)
Jan 17 15:29:45  exim[29691]: 2018-01-17 15:29:45 fixed_login authenticator failed for (ylmf-pc) [122.192.86.105]: 535 Incorrect authentication data (set_id=info)

in /etc/fail2ban/jail.d

jail-custom.conf

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
#backend = polling
backend = pyinotify

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = utf-8

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.

# Sender email address used solely for some actions

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = blockip-custom

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# Mail servers
#
[rsyslog-maillog]
enabled = true
filter = maillog-custom
bantime = 86400
findtime = 60
maxretry = 10
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = /var/log/maillog

any ideas?




------------------------------------------------------------------------
*From:* tewues <tew...@onet.eu>
*Sent:* Wednesday, 17 January 2018 14:45:57
*To:* fail2ban-users@lists.sourceforge.net
*Subject:* Re: [Fail2ban-users] Enable multiple jails
Emanuel.



Your regex should look like below:

failregex = ^.*\[<HOST>\].*Incorrect authentication data.*
or
failregex = ^.*fixed_login authenticator failed.*\[<HOST>\].*


Best regards.
Tom



On 17/01/18 18:10, Bill Shirley wrote:
Jan 17 11:38:59 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication data (set_id=s...@dattaweb.com)

In the file maillog-custom.conf

failregex =  \[<HOST>\]:\d+: 535 Incorrect authentication data


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users