On 16 Mar 2018 08:43, "Sophie Loewenthal" <sop...@klunky.co.uk> wrote:
P.S For reference, the current f2b chain contains :
Chain f2b-postfix (2 references)
target prot opt source destination
REJECT all -- 60.163.89.128 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 199.168.136.102 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 190.223.59.18 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 190.128.186.98 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 183.148.86.118 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 183.148.79.91 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 183.148.74.25 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 125.126.164.34 0.0.0.0/0 reject-with
icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
I had some though; The unbans are for IP addresses detected on March 14,
two days earlier. However I only enabled the chain last night, so think
this strange that it would unban an IP from before it was enabled.
> On 16 Mar 2018, at 08:37, Sophie Loewenthal <sop...@klunky.co.uk> wrote:
>
> Good morning,
>
> This is interesting ( for me ).
>
> I read this in my logs after enabling postfix-auth on Debian 9.2
>
>
> fail2ban.log
> 2018-03-15 19:12:36,066 fail2ban.actions [12742]: ERROR Failed
to execute unban jail 'postfix-auth' action 'iptables-multiport' info
'{'matches': 'Mar 14 21:01:44 mx10 postfix/smtpd[29359]: lost connection
after AUTH from unknown[60.163.89.128]Mar 14 21:01:44 mx10
postfix/smtpd[29363]: lost connection after AUTH from
unknown[60.163.89.128]Mar 14 21:01:44 mx10 postfix/smtpd[29361]: lost
connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:45 mx10
postfix/smtpd[29359]: lost connection after AUTH from
unknown[60.163.89.128]Mar 14 21:01:45 mx10 postfix/smtpd[29363]: lost
connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:45 mx10
postfix/smtpd[29361]: lost connection after AUTH from
unknown[60.163.89.128]Mar 14 21:01:45 mx10 postfix/smtpd[29364]: lost
connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:46 mx10
postfix/smtpd[29361]: lost connection after AUTH from
unknown[60.163.89.128]Mar 14 21:01:46 mx10 postfix/smtpd[29363]: lost
connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:46 mx10
postfix/smtpd[29359]: lost connection after AUTH from
unknown[60.163.89.128]', 'failures': 10, 'time': 1521140815.757546, 'ip':
'60.163.89.128'}': Error unbanning 60.163.89.128
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR iptables
-w -D INPUT -p tcp -m multiport --dports
http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
-j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR iptables
-w -D INPUT -p tcp -m multiport --dports
http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
-j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR iptables
-w -D INPUT -p tcp -m multiport --dports
http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
-j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.actions [13158]: ERROR Failed
to stop jail 'postfix-auth' action 'iptables-multiport': Error stopping
action
>
>
> An example from /var/log/mail.log:
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: lost connection after AUTH
from unknown[60.163.89.128]
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: disconnect from
unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: connect from
unknown[60.163.89.128]
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: lost connection after AUTH
from unknown[60.163.89.128]
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: disconnect from
unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: connect from
unknown[60.163.89.128]
> Mar 14 21:01:46 mx10 postfix/smtpd[29359]: lost connection after AUTH
from unknown[60.163.89.128]
> Mar 14 21:01:46 mx10 postfix/smtpd[29359]: disconnect from
unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
>
>
> fail2ban version 0.9.6-2
>
>
> jail.local:
> [postfix]
> enabled = true
> logpath = /var/log/mail.log
> # mail.log because I don’t log to mail.warn. Everything in one file to
see all the problems in one place.
>
> jail.conf
> [postfix]
> port = smtp,465,submission
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
>
>
>
> # fail2ban-client status postfix
> Status for the jail: postfix
> |- Filter
> | |- Currently failed: 0
> | |- Total failed: 79
> | `- File list: /var/log/mail.log
> `- Actions
> |- Currently banned: 0
> |- Total banned: 0
> `- Banned IP li...
You seem to be confusing jails postfix and postfix-auth ?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users