I could try and integrate conntrack, but it's not built into fail2ban,
which is bothersome.
Sendmail is an unusual daemon in that it permits a connection to remain
open for a while.  fail2ban does a great job with things that poke around
ssh, for example.  But watching a rotating batch of IPs in the same subnet
pound my sendmail hunting for users, each getting long-term bans in
recidive while they pound away, is bothersome.  Fail2ban should be more
explicit in that it doesn't kill existing connections, only new ones.  And
you kind of think it would ban existing connections.

Or if it was an option to make it more aggressive, then add a banaction
that includes it.  As far as I can tell, I'd have to do all of that in my
own .local file.

On Mon, May 3, 2021 at 3:07 AM Nick Howitt <n...@howitts.co.uk> wrote:

> I think you have to use "conntrack" to dump existing connections from
> the firewall.
>
> On 03/05/2021 01:57, Kenneth Porter wrote:
> >
> > --On Sunday, May 02, 2021 6:57 PM -0400 Clive Jacques
> > <westriverp...@gmail.com> wrote:
> >
> >> fail2ban notices the failures and
> >> bans the offending IP in sendmail-reject and shortly thereafter in
> >> recidive, but the established connection is not dumped and they keep
> >> testing user names.
> >
> > What action are you using? Which firewall? What version/package of
> > fail2ban and OS?
> >
> > A known issue with some versions of firewalld was that only new
> > connections were banned.
> >
> > I suggest using iptables-save to dump your firewall rules to a file,
> > posting it on a pastebin site, and sharing the pastebin link here for
> > review. The pastebin means you can delete the file so it won't be
> > archived in the list archives, and it won't result in a huge mailing
> > list message.
> >
> >
> >
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
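Added example, not part of the original thread and not a configuration shipped with fail2ban: one way to put the conntrack idea discussed above into local files, so that a ban also removes the banned address's tracked connections. The action name conntrack-flush and its file name are hypothetical, the conntrack tool (conntrack-tools) is assumed to be installed, and IPv4 addresses are assumed.

```ini
# ---- /etc/fail2ban/action.d/conntrack-flush.conf (hypothetical name) ----
# Companion action: it adds no firewall rule of its own. It only deletes
# connection-tracking entries for the address that was just banned, so
# packets on an already-open SMTP session stop matching an
# ESTABLISHED/RELATED accept rule and are evaluated against the ban rule.
[Definition]
actionstart =
actionstop =
actioncheck =
# <ip> is fail2ban's tag for the banned address.
# "|| true" keeps the ban from being logged as failed if conntrack
# returns a non-zero status.
actionban = conntrack -D -s <ip> || true
actionunban =

# ---- /etc/fail2ban/jail.local ----
# Keep the normal ban action (%(action_)s expands to the configured
# banaction) and run the flush as a second action on every ban.
[sendmail-reject]
enabled = true
action = %(action_)s
         conntrack-flush

[recidive]
enabled = true
action = %(action_)s
         conntrack-flush
```

After reloading fail2ban, running "conntrack -L -s" with a banned address should list no remaining entries for it.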