You are welcome!
It is so nice when a frustrating problem has a simple solution!
Tony
On Mon, 4 Jun 2018 at 15:13, Henri Reinikainen <he...@attraction.fi> wrote:
> Good catch! My logs are in UTC and fail2ban uses the local timezone.
> Adding logtimezone to jail.conf fixes my problem. Thank you!
>
> [DEFAULT]
> logtimezone = UTC
>
> Tony Collins kirjoitti 2018-06-04 15:44:
> > Notice the time in the log - at 12:19, an entry for 5.101.40.66 was
> > found in the log at "09:19". It's banned from 09:19 for 60 minutes,
> > meaning it was due to be unbanned at 10:19
> >
> > But it wasn't discovered until 12:19, which is past 10:19 so it unbans
> > it.
> >
> > Either the time that it is writing the logs is wrong or the time it's
> > reading the logs is wrong.
> >
> > I'm not sure I've explained that very well, but it's related to the
> > conflict of several hours in your log file
> >
> > On Mon, 4 Jun 2018 at 12:54, Henri Reinikainen <he...@attraction.fi>
> > wrote:
> >
> >> Hi!
> >>
> >> My postfix-sasl jail is ignoring the bantime which is set to 3600
> >> seconds and unbans the host after two seconds instead ...all other jails
> >> are working properly.
> >>
> >> # fail2ban-client -d | grep postfix-sasl | grep bantime
> >> ['set', 'postfix-sasl', 'bantime', '3600']
> >>
> >> # tail -n 40 /var/log/fail2ban.log | grep postfix-sasl
> >> 2018-06-04 11:36:33,577 fail2ban.server [5005]: INFO Jail 'postfix-sasl' reloaded
> >> 2018-06-04 11:44:24,026 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 08:44:24
> >> 2018-06-04 12:01:51,528 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:01:51
> >> 2018-06-04 12:19:12,618 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:19:12
> >> 2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
> >> 2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
> >>
> >> Why is that host unbanned after only two seconds?
> >> Any and all help is appreciated.
> >>
> >> # fail2ban-client -V
> >> Fail2Ban v0.10.2
> >>
> >> # cat fail2ban.log | grep postfix-sasl | egrep '(Ban|Unban)'
> >> 2018-06-04 07:13:29,916 fail2ban.actions [26028]: NOTICE [postfix-sasl] Ban 5.101.40.66
> >> 2018-06-04 07:13:31,934 fail2ban.actions [26028]: NOTICE [postfix-sasl] Unban 5.101.40.66
> >> 2018-06-04 09:23:59,671 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
> >> 2018-06-04 09:24:01,696 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
> >> 2018-06-04 10:51:39,299 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
> >> 2018-06-04 10:51:41,314 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
> >> 2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
> >> 2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
> >> 2018-06-04 13:46:11,616 fail2ban.actions [5005]: NOTICE [postfix-sasl] Ban 5.101.40.66
> >> 2018-06-04 13:46:13,633 fail2ban.actions [5005]: NOTICE [postfix-sasl] Unban 5.101.40.66
> >>
> >> # fail2ban-client -d | grep postfix-sasl
> >> ['add', 'postfix-sasl', 'auto']
> >> ['set', 'postfix-sasl', 'prefregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?warning: <F-CONTENT>.+</F-CONTENT>$']
> >> ['set', 'postfix-sasl', 'addfailregex', '^[^[]*\\[<HOST>\\](?::\\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)']
> >> ['set', 'postfix-sasl', 'datepattern', '{^LN-BEG}']
> >> ['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
> >> ['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.log', 'head']
> >> ['set', 'postfix-sasl', 'logencoding', 'auto']
> >> ['set', 'postfix-sasl', 'maxretry', 5]
> >> ['set', 'postfix-sasl', 'findtime', '604800']
> >> ['set', 'postfix-sasl', 'bantime', '3600']
> >> ['set', 'postfix-sasl', 'usedns', 'warn']
> >> ['set', 'postfix-sasl', 'ignorecommand', '']
> >> ['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
> >> ['multi-set', 'postfix-sasl', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-postfix-sasl\n<iptables> -A f2b-postfix-sasl -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports smtp,465,submission,imap,imaps,pop3,pop3s -j f2b-postfix-sasl'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap,imaps,pop3,pop3s -j f2b-postfix-sasl\n<iptables> -F f2b-postfix-sasl\n<iptables> -X f2b-postfix-sasl'], ['actionflush', '<iptables> -F f2b-postfix-sasl'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-postfix-sasl[ \\t]'"], ['actionban', '<iptables> -I f2b-postfix-sasl 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-postfix-sasl -s <ip> -j <blocktype>'], ['name', 'postfix-sasl'], ['bantime', '3600'], ['port', 'smtp,465,submission,imap,imaps,pop3,pop3s'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
> >>
> >>
> >
> ------------------------------------------------------------------------------
> >> Check out the vibrant tech community on one of the world's most
> >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >> _______________________________________________
> >> Fail2ban-users mailing list
> >> Fail2ban-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > --
> > -- Tony Collins
> >
>
--
-- Tony Collins
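
An added diagnostic, not part of the original thread and not fail2ban's own code, that applies the explanation above: it compares the time fail2ban logged each "Found" line with the timestamp it parsed from the service log and flags jails whose skew is at least the bantime. The function names `jail_skew` and `check` and the `bantimes` mapping are assumptions; the sample lines are the ones quoted in the thread, rejoined where the e-mail wrapped them.

```python
import re
from datetime import datetime

# "Found" lines from the thread (rejoined after e-mail line wrapping).
SAMPLE_LOG = """\
2018-06-04 11:44:24,026 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 08:44:24
2018-06-04 12:01:51,528 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:01:51
2018-06-04 12:19:12,618 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:19:12
"""

FOUND_RE = re.compile(
    r"^(?P<seen>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.filter\s+\[\d+\]:\s+"
    r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+) - "
    r"(?P<event>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)
FMT = "%Y-%m-%d %H:%M:%S"

def jail_skew(log_text):
    """Per jail, the smallest gap between when fail2ban saw a line and the
    time it parsed from that line. The minimum is used because old entries
    read at startup ('head') are legitimately far in the past."""
    skew = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue
        delta = datetime.strptime(m["seen"], FMT) - datetime.strptime(m["event"], FMT)
        jail = m["jail"]
        skew[jail] = min(skew.get(jail, delta), delta)
    return skew

def check(log_text, bantimes):
    """Return (jail, skew_seconds, bantime) for jails where the skew is at
    least the bantime, i.e. bans look expired the moment they are placed."""
    findings = []
    for jail, delta in jail_skew(log_text).items():
        bantime = bantimes.get(jail)
        if bantime is None:
            continue
        # Timezone offsets are multiples of 15 minutes; round away jitter.
        skew = round(delta.total_seconds() / 900) * 900
        if skew > 0 and skew >= bantime:
            findings.append((jail, skew, bantime))
    return findings

if __name__ == "__main__":
    for jail, skew, bantime in check(SAMPLE_LOG, {"postfix-sasl": 3600}):
        print(f"{jail}: log time lags by {skew}s, bantime is {bantime}s; check logtimezone")
```

A flagged jail is a candidate for the `logtimezone` setting shown in the thread.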