Hi!

My postfix-sasl jail is ignoring the bantime, which is set to 3600
seconds, and unbans the host after two seconds instead... all other
jails are working properly.

# fail2ban-client -d | grep postfix-sasl | grep bantime
['set', 'postfix-sasl', 'bantime', '3600']

# tail -n 40 /var/log/fail2ban.log | grep postfix-sasl
2018-06-04 11:36:33,577 fail2ban.server [5005]: INFO Jail 'postfix-sasl' reloaded
2018-06-04 11:44:24,026 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 08:44:24
2018-06-04 12:01:51,528 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:01:51
2018-06-04 12:19:12,618 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:19:12
2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66

Why is that host unbanned as soon as two seconds later?
Any and all help is appreciated.

# fail2ban-client -V
Fail2Ban v0.10.2

# cat fail2ban.log | grep postfix-sasl | egrep '(Ban|Unban)'
2018-06-04 07:13:29,916 fail2ban.actions [26028]: NOTICE [postfix-sasl]Ban 5.101.40.66
2018-06-04 07:13:31,934 fail2ban.actions [26028]: NOTICE [postfix-sasl]Unban 5.101.40.66
2018-06-04 09:23:59,671 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
2018-06-04 09:24:01,696 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
2018-06-04 10:51:39,299 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
2018-06-04 10:51:41,314 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
2018-06-04 13:46:11,616 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
2018-06-04 13:46:13,633 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66

# fail2ban-client -d | grep postfix-sasl
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'prefregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?warning: <F-CONTENT>.+</F-CONTENT>$']
['set', 'postfix-sasl', 'addfailregex', '^[^[]*\\[<HOST>\\](?::\\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)']
['set', 'postfix-sasl', 'datepattern', '{^LN-BEG}']
['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.log', 'head']
['set', 'postfix-sasl', 'logencoding', 'auto']
['set', 'postfix-sasl', 'maxretry', 5]
['set', 'postfix-sasl', 'findtime', '604800']
['set', 'postfix-sasl', 'bantime', '3600']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
['multi-set', 'postfix-sasl', 'action', 'iptables-multiport',
[['actionstart', '<iptables> -N f2b-postfix-sasl\n<iptables> -A
f2b-postfix-sasl -j RETURN\n<iptables> -I INPUT -p tcp -m multiport
--dports smtp,465,submission,imap,imaps,pop3,pop3s -j
f2b-postfix-sasl'], ['actionstop', '<iptables> -D INPUT -p tcp -m
multiport --dports smtp,465,submission,imap,imaps,pop3,pop3s -j
f2b-postfix-sasl\n<iptables> -F f2b-postfix-sasl\n<iptables> -X
f2b-postfix-sasl'], ['actionflush', '<iptables> -F f2b-postfix-sasl'],
['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-postfix-sasl[
\\t]'"], ['actionban', '<iptables> -I f2b-postfix-sasl 1 -s <ip> -j
<blocktype>'], ['actionunban', '<iptables> -D f2b-postfix-sasl -s <ip>
-j <blocktype>'], ['name', 'postfix-sasl'], ['bantime', '3600'],
['port', 'smtp,465,submission,imap,imaps,pop3,pop3s'], ['protocol',
'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'],
['blocktype', 'REJECT --reject-with icmp-port-unreachable'],
['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables
<lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with
icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables
<lockingopt>']]]
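
An added diagnostic example (not part of the original post and not fail2ban's own code): it pairs each Ban with its Unban to measure how long a ban was actually held against the configured bantime, and measures the offset between the time fail2ban wrote a "Found" line and the timestamp it parsed from the mail log. The sample lines are the post's log excerpt with the mail wrapping undone; the function name `audit` and the regular expression are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: the fail2ban.log excerpt from the post, one entry per line.
SAMPLE_LOG = """\
2018-06-04 11:44:24,026 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 08:44:24
2018-06-04 12:01:51,528 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:01:51
2018-06-04 12:19:12,618 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:19:12
2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
"""

# Hypothetical pattern for the three event kinds seen in the excerpt.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s*(?P<event>Found|Ban|Unban) (?P<ip>\S+)"
    r"(?: - (?P<seen>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?")
FMT = "%Y-%m-%d %H:%M:%S"

def audit(log_text, jail, bantime):
    """Return (bans, max_skew). bans holds (ip, seconds_held, shorter_than_bantime);
    max_skew is the largest gap in seconds between log-write time and 'Found' time."""
    banned_at, bans, max_skew = {}, [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["jail"] != jail:
            continue
        ts = datetime.strptime(m["ts"], FMT)
        if m["event"] == "Found" and m["seen"]:
            skew = abs((ts - datetime.strptime(m["seen"], FMT)).total_seconds())
            max_skew = max(max_skew, skew)
        elif m["event"] == "Ban":
            banned_at[m["ip"]] = ts
        elif m["event"] == "Unban" and m["ip"] in banned_at:
            held = (ts - banned_at.pop(m["ip"])).total_seconds()
            bans.append((m["ip"], held, held < bantime))
    return bans, max_skew

if __name__ == "__main__":
    bans, skew = audit(SAMPLE_LOG, "postfix-sasl", 3600)
    print("bans:", bans, "max Found-time skew (s):", skew)
```

On the excerpt the offset is 10800 seconds, exactly three hours and larger than the 3600-second bantime. A fixed whole-hour offset like this usually means the mail log timestamps and fail2ban disagree about the timezone, which is worth ruling out when a ban is lifted almost immediately.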