On 03/05/2021 07:49, Nick Howitt wrote:
On 03/05/2021 01:57, Kenneth Porter wrote:

--On Sunday, May 02, 2021 6:57 PM -0400 Clive Jacques <westriverp...@gmail.com> wrote:

fail2ban notices the failures and
bans the offending IP in sendmail-reject and shortly thereafter in
recidive, but the established connection is not dumped and they keep
testing user names.

What action are you using? Which firewall? What version/package of fail2ban and OS?

A known issue with some versions of firewalld was that only new connections were banned.

I suggest using iptables-save to dump your firewall rules to a file, posting it on a pastebin site, and sharing the pastebin link here for review. The pastebin means you can delete the file so it won't be archived in the list archives, and it won't result in a huge mailing list message.

>
> I think you have to use "conntrack" to dump existing connections from
> the firewall.
>
Also be a little wary of interpreting these logs. A whole load of connections may be created over a short period of time, but they will take a while to time out and may time out after f2b has triggered on the first messages, but once f2b has triggered, new connections are blocked. This is when you see the "already banned" messages from f2b. I am not fully familiar with the SMTP protocol, but can you do multiple authentication attempts with different users on the same connection? I would not have thought so.


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
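
Added example (not part of the original thread, and not fail2ban's own code): a check for the situation discussed above, where a ban stops new connections but tracked ones stay open. It parses `conntrack -L` output, lists ESTABLISHED flows whose original source is a banned IP, and builds the matching `conntrack -D -s <ip>` commands. The sample table, the addresses and the default port 25 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `conntrack -L` output (documentation-range addresses).
SAMPLE_CONNTRACK = """\
tcp      6 431987 ESTABLISHED src=203.0.113.7 dst=192.0.2.25 sport=40112 dport=25 src=192.0.2.25 dst=203.0.113.7 sport=25 dport=40112 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=203.0.113.7 dst=192.0.2.25 sport=40115 dport=25 src=192.0.2.25 dst=203.0.113.7 sport=25 dport=40115 [ASSURED] mark=0 use=1
tcp      6 52 TIME_WAIT src=203.0.113.7 dst=192.0.2.25 sport=40090 dport=25 src=192.0.2.25 dst=203.0.113.7 sport=25 dport=40090 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=198.51.100.9 dst=192.0.2.25 sport=51000 dport=25 src=192.0.2.25 dst=198.51.100.9 sport=25 dport=51000 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.0.2.25 dst=203.0.113.7 sport=33000 dport=443 src=203.0.113.7 dst=192.0.2.25 sport=443 dport=33000 [ASSURED] mark=0 use=1
"""

# Matches only the first (original-direction) tuple of a TCP entry; the reply
# tuple later on the line is ignored, and entries without a state are skipped.
ENTRY = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def surviving_flows(conntrack_text, banned_ips, port=25):
    """Return {banned_ip: [source ports]} for ESTABLISHED flows to `port`."""
    hits = defaultdict(list)
    for line in conntrack_text.splitlines():
        m = ENTRY.match(line)
        if not m or m["state"] != "ESTABLISHED":
            continue  # TIME_WAIT etc. will expire without intervention
        if m["src"] in banned_ips and int(m["dport"]) == port:
            hits[m["src"]].append(int(m["sport"]))
    return dict(hits)


def flush_commands(hits):
    """Build one `conntrack -D -s <ip>` command per banned IP with open flows."""
    return [f"conntrack -D -s {ip}" for ip in sorted(hits)]


if __name__ == "__main__":
    found = surviving_flows(SAMPLE_CONNTRACK, {"203.0.113.7"})
    for ip, ports in found.items():
        print(f"{ip}: {len(ports)} established flow(s), source ports {ports}")
    print("\n".join(flush_commands(found)))
```

On a live host the input would come from `conntrack -L -p tcp` and the banned set from the jail's status output.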
