I don't know what happened, but lately it seems like fail2ban is doing
NOTHING. As an example, I have the following filter, among others, in my
exim.local.conf file:
fixed_login_exim4u authenticator failed for .* <HOST>
The timing is set for a four HOUR scan and to block on 3 or more tries:
maxtries = 3
findtime = 4h
And yet still I was looking at a log today and found DOZENS of entries
like this:
2020-12-19 22:31:14.757 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=phi...@newideatest.site)
2020-12-19 22:31:15.757 SMTP connection from (User) [212.70.149.70]
I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:33:06.946 SMTP connection from [212.70.149.70]
I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:33:11.790 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=phil...@newideatest.site)
2020-12-19 22:33:12.768 SMTP connection from (User) [212.70.149.70]
I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:35:04.094 SMTP connection from [212.70.149.70]
I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:35:08.977 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=ph...@newideatest.site)
2020-12-19 22:35:09.965 SMTP connection from (User) [212.70.149.70]
I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:37:01.977 SMTP connection from [212.70.149.70]
I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:37:05.785 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=p...@newideatest.site)
2020-12-19 22:37:06.793 SMTP connection from (User) [212.70.149.70]
I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:38:59.678 SMTP connection from [212.70.149.70]
I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:39:04.321 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=p...@newideatest.site)
2020-12-19 22:39:05.172 SMTP connection from (User) [212.70.149.70]
I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:40:56.753 SMTP connection from [212.70.149.70]
I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:41:01.051 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=p...@newideatest.site)
At first I wondered if the .* was screwing things up, so I created an
additional filter:
fixed_login_exim4u authenticator failed for (User) <HOST>
Then I restarted fail2ban, and watched the same attacker come in two
more times, with no acknowledgement from fail2ban. I finally MANUALLY
added him to the recidive ban list in iptables, so that IP won't bother
me anymore. Afterwards, I did a quick grep and before I finally banned
him he had ALMOST 700 attempts at getting in. I shouldn't have to
manually block this idiot. Why on earth isn't fail2ban catching this and
blocking the person?
--
Dan Egli
From my Test Server
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
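To see what the two failregex lines in the post actually capture, here is an added example (not code from the post or from the fail2ban project) that expands `<HOST>` and runs each pattern over the log lines quoted above. It assumes an approximation of fail2ban's `<HOST>` expansion (the real character class differs slightly between versions), uses the post's own log lines re-joined onto single lines, and adds a third pattern, `fixed`, which is my suggestion rather than anything from the post: it anchors `<HOST>` to the bracketed client address Exim prints instead of letting `.*` pick an arbitrary token, and escapes the parentheses around `(User)` so they are matched literally rather than read as a regex group.

```python
import re
from datetime import datetime, timedelta

# Assumption: an approximation of fail2ban's <HOST> expansion. The exact
# pattern differs between fail2ban versions; this one is close enough to show
# which substring each failregex would hand to the ban action as the "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines quoted in the post, plus a corrected variant
# ("fixed", my suggestion, not from the post) that matches the literal "(User)"
# and anchors <HOST> to the bracketed client address.
FILTERS = {
    "posted_1": r"fixed_login_exim4u authenticator failed for .* <HOST>",
    "posted_2": r"fixed_login_exim4u authenticator failed for (User) <HOST>",
    "fixed": r"fixed_login_exim4u authenticator failed for \(\S+\) \[<HOST>\]",
}

# Log lines taken from the post (re-joined onto single lines as Exim writes
# them). The connection/QUIT lines are noise the filter must ignore.
LOG = [
    "2020-12-19 22:31:14.757 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=phi...@newideatest.site)",
    "2020-12-19 22:31:15.757 SMTP connection from (User) [212.70.149.70] I=[209.141.58.25]:587 closed by QUIT",
    "2020-12-19 22:33:06.946 SMTP connection from [212.70.149.70] I=[209.141.58.25]:587 (TCP/IP connection count = 1)",
    "2020-12-19 22:33:11.790 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=phil...@newideatest.site)",
    "2020-12-19 22:35:08.977 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=ph...@newideatest.site)",
    "2020-12-19 22:37:05.785 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=p...@newideatest.site)",
]


def expand(failregex):
    """Compile a fail2ban-style failregex by substituting the <HOST> tag."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failures(lines, failregex):
    """Return [(timestamp, captured_host)] for every line the pattern matches.
    Like fail2ban, the pattern is searched within the line, not anchored."""
    rx = expand(failregex)
    out = []
    for line in lines:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("host")))
    return out


def first_ban_time(hits, maxretry=3, findtime=timedelta(hours=4)):
    """Simulate the per-host maxretry/findtime window: return the timestamp
    of the failure that would trigger a ban, or None if none would."""
    seen = {}
    for ts, host in hits:
        window = [t for t in seen.get(host, []) if ts - t <= findtime]
        window.append(ts)
        seen[host] = window
        if len(window) >= maxretry:
            return ts
    return None


def evaluate(failregex):
    """Summarise what a failregex would do against LOG with maxretry=3/findtime=4h."""
    hits = failures(LOG, failregex)
    ban_at = first_ban_time(hits)
    return {
        "matches": len(hits),
        "hosts": sorted({h for _, h in hits}),
        "ban_at": ban_at.isoformat() if ban_at else None,
    }


if __name__ == "__main__":
    for name, rx in FILTERS.items():
        print(name, evaluate(rx))
```

Run against the quoted lines, `posted_1` matches every failure but the greedy `.*` leaves `<HOST>` capturing the word `data` (the last space-delimited token that fits the host class), so any ban it issued would be for a nonsense "host"; `posted_2` matches nothing at all, because `(User)` is a regex group matching the bare word `User`, which never appears unbracketed in the log; `fixed` captures `212.70.149.70` on all four failures and would trip the 3-of-4h threshold at the third attempt. On a real box the same check is done with fail2ban's own tool, `fail2ban-regex /path/to/exim/mainlog /etc/fail2ban/filter.d/exim.local.conf`, which reports how many lines each failregex matched and which hosts it extracted.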