I decided that I didn't need to figure out whether fail2ban or iptables
(not using firewalld or ufw) was working together correctly for sendmail.
It seems to work fine on other services.  For example, I did an ssh session
from another machine, banned the IP and then watched the established
session die.  My conclusion is that it's partially a terminology issue.
"Killing" a TCP connection usually means using TCP commands to shut it
down.  That's not what I really want.  I'm not interested in being polite
about it.  So when folks say that iptables can't "kill" an active session,
that's true.  At least, not the TCP way.  My fiddling around demonstrated
that *if* iptables does *not* have a 1st position rule permitting
established connections (which some setups do, apparently), then banning
the remote IP associated with a particular session will effectively
terminate the connection.

Why that doesn't appear to be working for sendmail is beyond my
understanding right now.  Perhaps it's a timing thing.

I lost interest in trying to configure fail2ban or iptables to fix it.  I
simply added the 4 offending IPs to sendmail's access database with a
REJECT instruction.  The dictionary attacks weren't going anywhere anyway
because these relaying IPs were listed at Spamhaus, but it irritated me
that they chewed up resources and bandwidth.

I'm going to keep an eye on it, though.

On Mon, May 3, 2021 at 7:08 PM Kenneth Porter <sh...@sewingwitch.com> wrote:

> --On Monday, May 03, 2021 5:15 PM -0400 Clive Jacques
> <westriverp...@gmail.com> wrote:
>
> > Fail2ban should be more explicit in that it doesn't kill existing
> > connections, only new ones. And you kind of think it would ban existing
> > connections.
>
> That's not really fail2ban's fault. I assume you're using firewalld, and it
> doesn't offer a simple way to insert the ban before firewalld's internal
> rule that allows all packets in the connection tracker. To stop an existing
> connection, you have to ban packets before they hit the tracker rule in
> iptables' INPUT chain.
>
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
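The rule-ordering point made in this exchange can be checked mechanically. The script below is an added example, not code from the thread, from fail2ban or from sendmail: it takes the INPUT chain as printed by `iptables -S INPUT`, finds the position of the conntrack ESTABLISHED/RELATED accept and of the first jump into a fail2ban chain (fail2ban names its chains `f2b-<jail>`), and reports whether the accept is evaluated first, which is the ordering under which a ban never reaches an already-established session. It also prints (but does not run) the two `iptables` commands that move the jump to position 1, and generates the sendmail `/etc/mail/access` lines the author used as a fallback. The two rule dumps, the chain name `f2b-sendmail-auth`, the ports and the 192.0.2.x addresses are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, fail2ban or sendmail. It reads
# the INPUT chain in `iptables -S INPUT` format and reports whether a
# conntrack ESTABLISHED accept sits above the first fail2ban jump (a chain
# named f2b-*), the ordering that lets a live session survive a ban.
# All chain names, ports and addresses below are made up.

# Constructed dump: the ordering that shadows the ban.
SHADOWED_DUMP='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-sendmail-auth
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed dump: the same rules with the fail2ban jump moved to the top.
FIXED_DUMP='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-sendmail-auth
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# rule_position DUMP REGEX: 1-based position within INPUT of the first
# rule matching REGEX (the number `iptables -L INPUT --line-numbers`
# would show), or 0 when no rule matches.
rule_position() {
    printf '%s\n' "$1" | grep -E '^-A INPUT ' | awk -v re="$2" '
        $0 ~ re { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# ban_is_shadowed DUMP: true (0) when an ESTABLISHED/RELATED accept is
# evaluated before the fail2ban jump; 1 when the jump comes first;
# 2 when INPUT contains no fail2ban jump at all.
ban_is_shadowed() {
    est_pos=$(rule_position "$1" '(ctstate|--state) [A-Z,]*ESTABLISHED.*-j ACCEPT')
    f2b_pos=$(rule_position "$1" '-j f2b-')
    [ "$f2b_pos" -eq 0 ] && return 2
    [ "$est_pos" -ne 0 ] && [ "$est_pos" -lt "$f2b_pos" ]
}

# print_fix DUMP: print (do not run) the two iptables commands that move
# the existing fail2ban jump to position 1 of INPUT.
print_fix() {
    f2b_pos=$(rule_position "$1" '-j f2b-')
    spec=$(printf '%s\n' "$1" | grep -E '^-A INPUT ' | sed -n "${f2b_pos}p" | sed 's/^-A INPUT //')
    echo "iptables -D INPUT $spec"
    echo "iptables -I INPUT 1 $spec"
}

# access_entries IP...: lines for sendmail's /etc/mail/access that reject
# the given connecting addresses outright (rebuild access.db afterwards).
access_entries() {
    for ip in "$@"; do
        printf '%s\tREJECT\n' "$ip"
    done
}

# Stand-alone demo on the constructed dumps. On a real host, pass
# "$(iptables -S INPUT)" instead (needs root).
for dump in "$SHADOWED_DUMP" "$FIXED_DUMP"; do
    if ban_is_shadowed "$dump"; then
        echo "ESTABLISHED accept precedes the f2b jump; a ban will not reach live sessions:"
        print_fix "$dump"
    else
        echo "f2b jump is evaluated before the conntrack accept; bans cut live sessions too"
    fi
done
echo "sendmail access entries for the offending relays (192.0.2.0/24 is a documentation range):"
access_entries 192.0.2.10 192.0.2.11
echo "then rebuild the map: makemap hash /etc/mail/access.db < /etc/mail/access"
```

Two caveats a practitioner should keep in mind. First, reordering INPUT by hand is only a test: a firewall manager such as firewalld rebuilds the chain on reload, which is the situation described in the quoted reply, so a lasting fix has to come from the firewall's own configuration rather than from `iptables -I`. Second, if the conntrack-tools package is installed, `conntrack -D -s <ip>` deletes the tracked state for that source, after which the flow's packets no longer match the ESTABLISHED rule and fall through to the ban; that is the impolite kill the author wanted, since the peer simply sees its packets disappear rather than a TCP reset.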
