Possibly stale jail that needed a fail2ban reload? Just speculation.

Ron

Sent from Mail for Windows 10

From: Dan Egli
Sent: Saturday, December 19, 2020 3:14 PM
To: fail2ban-users@lists.sourceforge.net
Subject: [Fail2ban-users] fail2ban not picking up on attacks

I don't know what happened, but lately it seems like fail2ban is doing
NOTHING. As an example, I have the following filter, among others, in my
exim.local.conf file:

                fixed_login_exim4u authenticator failed for .* <HOST>

The timing is set for a four HOUR scan and to block on 3 or more tries:

maxtries = 3
findtime = 4h

And yet still I was looking at a log today and found DOZENS of entries
like this:

2020-12-19 22:31:14.757 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=phi...@newideatest.site)
2020-12-19 22:31:15.757 SMTP connection from (User) [212.70.149.70] I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:33:06.946 SMTP connection from [212.70.149.70] I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:33:11.790 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=phil...@newideatest.site)
2020-12-19 22:33:12.768 SMTP connection from (User) [212.70.149.70] I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:35:04.094 SMTP connection from [212.70.149.70] I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:35:08.977 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=ph...@newideatest.site)
2020-12-19 22:35:09.965 SMTP connection from (User) [212.70.149.70] I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:37:01.977 SMTP connection from [212.70.149.70] I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:37:05.785 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=p...@newideatest.site)
2020-12-19 22:37:06.793 SMTP connection from (User) [212.70.149.70] I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:38:59.678 SMTP connection from [212.70.149.70] I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:39:04.321 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=p...@newideatest.site)
2020-12-19 22:39:05.172 SMTP connection from (User) [212.70.149.70] I=[209.141.58.25]:587 closed by QUIT
2020-12-19 22:40:56.753 SMTP connection from [212.70.149.70] I=[209.141.58.25]:587 (TCP/IP connection count = 1)
2020-12-19 22:41:01.051 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=p...@newideatest.site)


At first I wondered if the .* was screwing things up, so I created an
additional filter:

              fixed_login_exim4u authenticator failed for (User) <HOST>

Then I restarted fail2ban, and watched the same attacker come in two
more times, with no acknowledgement from fail2ban. I finally MANUALLY
added him to the recidive ban list in iptables, so that IP won't bother
me anymore. Afterwards, I did a quick grep and before I finally banned
him he had ALMOST 700 attempts at getting in. I shouldn't have to
manually block this idiot. Why on earth isn't fail2ban catching this and
blocking the person?

--
Dan Egli
From my Test Server

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
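A failregex can be checked against the log offline before reloading the jail: fail2ban ships `fail2ban-regex` for exactly this, and the script below is an added stand-alone approximation of that check (not code from the thread or from fail2ban) run over constructed copies of the exim lines quoted above. It assumes the classic `<HOST>` expansion (current fail2ban tries IPv4/IPv6-specific forms first) and adds a bracket-aware regex of my own for comparison; whatever `<HOST>` captures is what fail2ban would try to ban, so a capture that is not an address means no ban ever happens.

```python
import re

# Stand-in for fail2ban's <HOST> expansion (assumption: the classic
# definition; current fail2ban also tries IPv4/IPv6-specific forms first).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample modelled on the exim mainlog lines quoted in the mail:
# three authentication failures and one benign connection record.
LOG = [
    "2020-12-19 22:31:14.757 fixed_login_exim4u authenticator failed for "
    "(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect "
    "authentication data (set_id=phi...@newideatest.site)",
    "2020-12-19 22:31:15.757 SMTP connection from (User) [212.70.149.70] "
    "I=[209.141.58.25]:587 closed by QUIT",
    "2020-12-19 22:33:11.790 fixed_login_exim4u authenticator failed for "
    "(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect "
    "authentication data (set_id=phil...@newideatest.site)",
    "2020-12-19 22:35:08.977 fixed_login_exim4u authenticator failed for "
    "(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect "
    "authentication data (set_id=ph...@newideatest.site)",
]

# The two failregex lines from the mail, plus a bracket-aware alternative
# (my suggestion, not something the thread proposes): "(User)" is escaped
# so it is matched literally, and the address is taken from inside [...].
REGEXES = {
    "original": r"fixed_login_exim4u authenticator failed for .* <HOST>",
    "second": r"fixed_login_exim4u authenticator failed for (User) <HOST>",
    "bracketed": r"fixed_login_exim4u authenticator failed for (?:\(\S+\) )?\[<HOST>\]",
}


def hosts_matched(failregex, lines=LOG):
    """Apply one failregex to each line; return the captured <host> or None."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    found = []
    for line in lines:
        m = pattern.search(line)
        found.append(m.group("host") if m else None)
    return found


def would_ban(failregex, lines=LOG, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime is ignored here:
    the sample spans a few minutes, well inside the mail's 4h window)."""
    counts = {}
    for host in hosts_matched(failregex, lines):
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= maxretry)


if __name__ == "__main__":
    for name, rx in REGEXES.items():
        print(name, hosts_matched(rx), "-> ban:", would_ban(rx))
```

With the original regex the greedy `.*` backtracks to the last space in the line, so `<HOST>` captures the word "data" rather than the bracketed address; the second regex matches nothing because `(User)` is a regex group, not the literal text.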
