On 3/16/2018 1:37 AM, Sophie Loewenthal wrote:

> fail2ban.log 2018-03-15 19:12:36,066 fail2ban.actions
> [12742]: ERROR   Failed to execute unban jail 'postfix-auth' action 
> 'iptables-multiport' info '{'matches': 'Mar 14 21:01:44 mx10 
> postfix/smtpd[29359]: ...
> connection after AUTH from unknown[60.163.89.128]', 'failures': 10,
> 'time': 1521140815.757546, 'ip': '60.163.89.128'}': Error unbanning
> 60.163.89.128
> 2018-03-15 19:13:08,331 fail2ban.action         [13158]: ERROR 
> iptables -w -D INPUT -p tcp -m multiport --dports 
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j 
> f2b-postfix
...
> 2018-03-15 19:13:08,331 fail2ban.actions        [13158]: ERROR Failed
> to stop jail 'postfix-auth' action 'iptables-multiport': Error 
> stopping action

That's at least 2 different problems:

1.  What appears to be failure to unban an IP address (bantime is up)...
Strange that the log doesn't show the actual error message, it usually
does.  I would start by looking at `iptables -nL`, or specifically for
that address `iptables -nL | grep 60.163.89.128` to see if it is still
there (in f2b-postfix).

If it is, then run the command that the log says it failed, the
`iptables -w -D INPUT -p tcp -m multiport --dports
http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix`.
But this is a weird command, it doesn't include the IP, so what's it
for? deleting the jail?  Yes, that's what it's doing, from the INPUT
chain it deletes f2b-postfix (side note: I use f2b-postfix-sasl only, so
I don't even have this jail, and don't need more than one for postfix).

2.  The second problem shown is that f2b could not stop the jail (which
it tries after too many unban failures).  No idea what's going on there,
perhaps stop implies delete the jail in iptables, and it's all the same
problem.

> I had some thought; The unbans are for IP addresses detected on March 
> 14, two days earlier.  However I only enabled the chain last night,
> so think this strange that it would unban an IP from before it was
> enabled.

That's normal, f2b uses 'findtime' to look back in the log.
-- 
René Berber
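
The checks suggested in the reply above (is the address still in the chain, and does INPUT still jump to f2b-postfix), as an added example that is not part of the original message or of fail2ban. The function name `f2b_chain_state`, its output format and both sample rule dumps are constructed for illustration; it reads `iptables -S` output on stdin so it can be tried without touching the firewall.

```shell
#!/bin/sh
# Added example: report the state of one fail2ban chain and one address
# from `iptables -S` output read on stdin.
f2b_chain_state() {
    chain=$1 ip=$2
    rules=$(cat)
    # 1. Does the chain itself exist? (-N <chain>)
    if printf '%s\n' "$rules" | grep -Eq -- "^-N $chain\$"; then
        state="chain=present"
    else
        state="chain=missing"
    fi
    # 2. Is the INPUT jump still there? This is the rule that the logged
    #    `iptables -w -D INPUT ... -j f2b-postfix` command tries to delete.
    if printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*-j $chain\$"; then
        state="$state jump=present"
    else
        state="$state jump=missing"
    fi
    # 3. Is the address still banned in that chain? Fixed-string match, with
    #    the trailing "/32 " so 60.163.89.12 cannot match 60.163.89.128.
    if printf '%s\n' "$rules" | grep -Fq -- "-A $chain -s $ip/32 "; then
        state="$state ip=banned"
    else
        state="$state ip=absent"
    fi
    printf '%s\n' "$state"
}

# Constructed sample: jail chain in place, address still banned.
SAMPLE_LIVE='-P INPUT ACCEPT
-N f2b-postfix
-A INPUT -p tcp -m multiport --dports 25,587,143,993 -j f2b-postfix
-A f2b-postfix -s 60.163.89.128/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -j RETURN'

# Constructed sample: only an f2b-postfix-sasl chain exists, so every
# operation on f2b-postfix has nothing to act on.
SAMPLE_SASL_ONLY='-P INPUT ACCEPT
-N f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 25,587 -j f2b-postfix-sasl
-A f2b-postfix-sasl -s 60.163.89.128/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN'

# On a live host (as root): iptables -S | f2b_chain_state f2b-postfix 60.163.89.128
```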
