What OS are you running fail2ban on? Just curious

On Sat, Oct 17, 2020 at 3:28 AM <fail2...@fibu-consult.dk> wrote:

> Hi.
>
> What about Your 'Findtime' settings in Your jail.conf or jail.local
>
> /Finn
>
> On 17-10-2020 at 08:14, Dominic Raferd wrote:
> > On Sat, 17 Oct 2020 at 02:40, Dan Egli <d...@newideatest.site> wrote:
> >>
> >> On 10/16/2020 11:39 AM, Dan Egli wrote:
> >>> Okay. fail2ban-regex finally recognised something. The string I
> >>> searched for was:
> >>> H=(.*) <HOST> .* AUTH command used when not advertised
> >>>
> >>> I'll try plugging that into my exim.local and see how it goes
> >>>
> >>
> >> Now fail2ban sees it, but it refuses to ACT on it!
> >>
> >> # grep 103.154.241.29 fail2ban.log -c
> >> 113
> >>
> >> Wait a minute, 113 times, and yet it has never banned them!?
> >> # grep "Ban 103.154.241.29" fail2ban.log -c
> >> 0
> >>
> >> What on earth happened here? The exim.local filter has a maxtries of
> >> 5!!! Not 500!
> >>
> >> ---- [ Cut here ] ---
> >> [INCLUDES]
> >>
> >> before = exim-common.conf
> >>
> >> [Definition]
> >> failregex = <HOST> locally blacklisted for a bruteforce
> >>             H=(.*) <HOST> .* AUTH command used when not advertised
> >> datepattern = %%Y-%%m-%%d %%H:%%M:%%S
> >> maxtries = 5
> >> mdre-normal =
> >> mode = normal
> >> ignoreregex =
> >> --- [ Cut Here ] ---
> >>
> >> I did strip out comments for brevity. So, did I do something wrong or is
> >> something funky going on here?
> >
> > Have you enabled exim in your jail.local? e.g.
> > /etc/fail2ban/jail.local:
> > ...
> > [exim]
> > enabled = true
> > ...
> >
> > (and then reloaded fail2ban e.g. systemctl reload-or-restart fail2ban)
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Steve Murphy
ParseTree Corporation
✉ murf at parsetree dot com
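Added example, not part of the thread and not fail2ban's own code: a small Python simulation of the maxretry/findtime sliding window that the findtime question above points at, run against the second failregex line posted in the thread. The IPv4-only stand-in for `<HOST>`, the log lines, the addresses, the spacing between attempts and the threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"\[?(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]?"
# Second failregex line from the thread, with <HOST> substituted.
FAILREGEX = re.compile(
    r"H=(.*) <HOST> .* AUTH command used when not advertised".replace("<HOST>", HOST))
STAMP = "%Y-%m-%d %H:%M:%S"


def make_lines(ip, start, count, gap_seconds):
    """Build constructed exim-style log lines, one every gap_seconds."""
    t0 = datetime.strptime(start, STAMP)
    return [
        f'{(t0 + timedelta(seconds=i * gap_seconds)).strftime(STAMP)} SMTP protocol '
        f'error in "AUTH LOGIN" H=(User) [{ip}] I=[192.0.2.1]:25 '
        "AUTH command used when not advertised"
        for i in range(count)
    ]


def simulate(lines, maxretry, findtime):
    """Return (matches per host, ban times per host) for a sliding window."""
    recent = defaultdict(deque)   # host -> timestamps still inside findtime
    matches = defaultdict(int)
    bans = defaultdict(list)
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        host = m.group("host")
        when = datetime.strptime(line[:19], STAMP)
        matches[host] += 1
        window = recent[host]
        window.append(when)
        # Forget failures that fell out of the findtime window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[host].append(when)
            window.clear()
    return dict(matches), dict(bans)


# 113 attempts spaced 15 minutes apart versus 6 attempts 10 seconds apart.
SLOW = make_lines("203.0.113.5", "2020-10-16 00:00:00", 113, 900)
FAST = make_lines("203.0.113.9", "2020-10-16 00:00:00", 6, 10)
```

Calling `simulate(SLOW + FAST, maxretry=5, findtime=600)` counts 113 matches for the slow host and never bans it, while the fast host is banned on its fifth attempt; widening `findtime` to 7200 seconds bans the slow host as well.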