I could try and integrate conntrack, but it's not built into fail2ban, which is bothersome. Sendmail is an unusual daemon in that it permits a connection to remain open for a while. fail2ban does a great job with things that poke around ssh, for example. But watching a rotating batch of IPs in the same subnet pound my sendmail hunting for users, each getting long-term bans in recidive while they pound away, is bothersome. Fail2ban should be more explicit in that it doesn't kill existing connections, only new ones. And you kind of think it would ban existing connections.
Or if it was an option to make it more aggressive, then add a banaction that includes it. As far as I can tell, I'd have to do all of that in my own .local file.

On Mon, May 3, 2021 at 3:07 AM Nick Howitt <n...@howitts.co.uk> wrote:

> I think you have to use "conntrack" to dump existing connections from
> the firewall.
>
> On 03/05/2021 01:57, Kenneth Porter wrote:
> >
> > --On Sunday, May 02, 2021 6:57 PM -0400 Clive Jacques
> > <westriverp...@gmail.com> wrote:
> >
> >> fail2ban notices the failures and
> >> bans the offending IP in sendmail-reject and shortly thereafter in
> >> recidive, but the established connection is not dumped and they keep
> >> testing user names.
> >
> > What action are you using? Which firewall? What version/package of
> > fail2ban and OS?
> >
> > A known issue with some versions of firewalld was that only new
> > connections were banned.
> >
> > I suggest using iptables-save to dump your firewall rules to a file,
> > posting it on a pastebin site, and sharing the pastebin link here for
> > review. The pastebin means you can delete the file so it won't be
> > archived in the list archives, and it won't result in a huge mailing
> > list message.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
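
The conntrack suggestion from this thread, sketched as an extra fail2ban ban action. This is an added example, not something posted by anyone in the thread: the action name `conntrack-flush` and its file path are hypothetical, and it assumes the `conntrack` tool (conntrack-tools) is installed and that the jail otherwise uses the stock `action_` default from jail.conf.

```ini
# --- /etc/fail2ban/action.d/conntrack-flush.conf (hypothetical name) ---
# Companion action: the firewall action blocks the address, this one
# removes the tracked flows that an ESTABLISHED-accept rule would
# otherwise keep passing.
[Definition]
actionstart =
actionstop =
actioncheck =
# Delete every conntrack entry whose original source is the banned
# address. "|| true" is a precaution so that a ban with nothing left
# to delete is not recorded as a failed action.
# IPv4 is shown; for IPv6 addresses conntrack needs "-f ipv6".
actionban = conntrack -D -s <ip> || true
# Nothing to undo: deleted flows are not restored on unban.
actionunban =

# --- /etc/fail2ban/jail.local ---
[sendmail-reject]
enabled = true
# Run the normal firewall ban first, then flush tracked connections.
# The order matters: the block rule must already be in place when the
# existing flows are removed.
action = %(action_)s
         conntrack-flush

[recidive]
enabled = true
action = %(action_)s
         conntrack-flush
```

After a ban fires, `conntrack -L -s ADDRESS` (with the banned address substituted) should list no remaining flows from that source.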