Delsio,

perhaps we can take this off the list - email me your qmail-smtp.conf from 
filters.d and your jail.conf. Once we find what was up, we can still let 
everyone on the list know the problem & solution.
Also, if you could add a sample of your /var/log/qmail/smtp/current for me to 
test with?

Thanks,

Martin

--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Telefon: +49 89 57005708
Fax: +49 89 57868023
Mobil: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

Am 06.05.2011 um 14:10 schrieb Délsio Cabá:

> Hi Martin,
> 
> Instead of applying your patch I just downloaded the latest snapshot, which 
> already has that patch and the behavior is exactly the same: the regex gets 
> the hit but it never blocks the IP.
> 
> [delsio@ns fail2ban-0.8.4-SVN]# tail -f /var/log/fail2ban.log
> 2011-05-06 14:07:43,587 fail2ban.actions: INFO   Set banTime = 60000
> 2011-05-06 14:07:43,597 fail2ban.jail   : INFO   Jail 'qmail' started
> 2011-05-06 14:07:43,602 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
> 2011-05-06 14:07:43,607 fail2ban.jail   : INFO   Jail 'password-fail' started
> 2011-05-06 14:07:43,616 fail2ban.jail   : INFO   Jail 'username-notfound' started
> 2011-05-06 14:07:43,629 fail2ban.jail   : INFO   Jail 'qmail-smtp' started
> 2011-05-06 14:07:43,627 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
> iptables -A fail2ban-SSH -j RETURN
> iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 200
> 2011-05-06 14:07:43,653 fail2ban.jail   : INFO   Jail 'named-refused-tcp' started
> 2011-05-06 14:08:05,672 fail2ban.actions: WARNING [named-refused-tcp] Ban 200.184.124.226
> 2011-05-06 14:08:05,682 fail2ban.actions: WARNING [named-refused-tcp] Ban 76.76.11.241
> 2011-05-06 14:08:05,693 fail2ban.actions: WARNING [named-refused-tcp] Ban 67.228.118.3
> 
> [delsio@ns etc]# fail2ban-client status qmail-smtp
> Status for the jail: qmail-smtp
> |- filter
> |  |- File list:        /var/log/qmail/smtp/current
> |  |- Currently failed: 0
> |  `- Total failed:     0
> `- action
>    |- Currently banned: 0
>    |  `- IP list:
>    `- Total banned:     0
> 
> 
> Any other recommendation?
> 
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> OK, it definitely is the patch I sent - fail2ban fails to recognize the local 
> time zone you use. This causes times to never fall into the specified period 
> you use for checking if the attempt occurs multiple times.
> Once you replace
> date = list(time.gmtime(int(seconds_since_epoch, 16)))
> with
> date = list(time.localtime(int(seconds_since_epoch, 16)))
> 
> in /usr/share/fail2ban/server/datetemplate.py (near end of file), all should 
> be fine.
> 
> Martin
> 
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
> 
> Telefon: +49 89 57005708
> Fax: +49 89 57868023
> Mobil: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
> 
> Am 06.05.2011 um 10:17 schrieb Délsio Cabá:
> 
> > Hi,
> >
> > Same behavior, it does get some hits, but it doesn't ban. Other fail2ban 
> > filters are working except the one from qmail.
> >
> > fail2ban-regex /var/log/qmail/smtp/current /etc/fail2ban/filter.d/qmail-smtp.conf
> >
> > Date template hits:
> > 0 hit(s): MONTH Day Hour:Minute:Second
> > 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > 0 hit(s): Year/Month/Day Hour:Minute:Second
> > 0 hit(s): Day/Month/Year Hour:Minute:Second
> > 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > 0 hit(s): Year-Month-Day Hour:Minute:Second
> > 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > 0 hit(s): Day-Month-Year Hour:Minute:Second
> > 6347 hit(s): TAI64N
> > 0 hit(s): Epoch
> > 0 hit(s): ISO 8601
> > 0 hit(s): Hour:Minute:Second
> > 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> >
> > Success, the total number of match is 168
> >
> >
> > [delsio@ns ~]# fail2ban-client status qmail-smtp
> > Status for the jail: qmail-smtp
> > |- filter
> > |  |- File list:        /var/log/qmail/smtp/current
> > |  |- Currently failed: 0
> > |  `- Total failed:     0
> > `- action
> >    |- Currently banned: 0
> >    |  `- IP list:
> >    `- Total banned:     0
> >
> >
> > 2011/5/6 Toma Bogdan <tbog...@direkt.ro>
> > On 5/6/2011 9:10 AM, Délsio Cabá wrote:
> >> Hi all
> >>
> >> I am getting a lot of DDOS on smtp connection logs:
> >>
> >> @400000004dc390330ffb50f4 CHKUSER accepted sender: from <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted
> >> @400000004dc390340c9e201c CHKUSER rejected rcpt: from <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <m...@zicel.ru> : invalid rcpt MX domain
> >> ..
> >> @400000004dc3905511aba4bc CHKUSER accepted sender: from <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt <> : sender accepted
> >> @400000004dc390562cb394a4 CHKUSER rejected relaying: from <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt <mad...@usc.es> : client not allowed to relay
> >>
> >> I need to block this using fail2ban but the regex is quite complex. I have 
> >> tried this:
> >> "<HOST>\> rcpt \S+ : client not allowed to relay$"
> >>
> >> But it doesn't seem to be working as expected:
> >> fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client not allowed to relay"
> >> ...
> >> Date template hits:
> >> 0 hit(s): MONTH Day Hour:Minute:Second
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> >> 1184 hit(s): TAI64N
> >> 0 hit(s): Epoch
> >> 0 hit(s): ISO 8601
> >> 0 hit(s): Hour:Minute:Second
> >> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> >>
> >> Any help would be very appreciated
> >> Thanks!
> > try this
> > failregex = CHKUSER .* <\w*:\w*:<HOST>> .* : client not allowed to relay$
> >
> > check it with :
> > fail2ban-regex /var/log/qmail/smtp/current /etc/fail2ban/filters/qmail-smtp-filter.conf
> >
> >
> > --
> > T. Bogdan
> > Network/Systems Security
> >
> > www.direkt.ro
> >
> >
> >
> >
> 
> 
> ---------------------------------------------------------------------------------
> Qmailtoaster is sponsored by Vickers Consulting Group 
> (www.vickersconsulting.com)
>    Vickers Consulting Group offers Qmailtoaster support and installations.
>      If you need professional help with your setup, contact them today!
> ---------------------------------------------------------------------------------
>     Please visit qmailtoaster.com for the latest news, updates, and packages.
> 
>      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> 
> 
> 
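Added example, not part of the thread and not fail2ban's own code: it runs the failregex suggested above over two of the posted log lines and converts the TAI64N label with both `time.gmtime` and `time.localtime`, to show why the gmtime variant lets the regex hit while the failure never lands inside the find window. Assumptions: a simplified IPv4 group stands in for `<HOST>`, the struct is later converted back with `time.mktime`, the time zone is a constructed UTC+2 (`EXM-2`), and the window is a constructed 600 seconds.

```python
import os
import re
import time

SAMPLE = [  # two lines posted in the thread, re-joined (addresses elided there)
    "@400000004dc3905511aba4bc CHKUSER accepted sender: from <r...@ns.mozdesigners.com::> "
    "remote <byte:unknown:173.212.197.14> rcpt <> : sender accepted",
    "@400000004dc390562cb394a4 CHKUSER rejected relaying: from <r...@ns.mozdesigners.com::> "
    "remote <byte:unknown:173.212.197.14> rcpt <mad...@usc.es> : client not allowed to relay",
]
# Assumption: simplified IPv4 group standing in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"CHKUSER .* <\w*:\w*:<HOST>> .* : client not allowed to relay$".replace("<HOST>", HOST))
# TAI64N label: '@', 16 hex digits of seconds (leading '4' = 2**62), 8 of ns.
TAI64N = re.compile(r"^@4([0-9a-f]{15})[0-9a-f]{8} ")


def failures(lines, to_struct):
    """Return [(host, unix_time)]; to_struct is time.gmtime or time.localtime."""
    out = []
    for line in lines:
        stamp, hit = TAI64N.match(line), FAILREGEX.search(line)
        if stamp and hit:
            date = list(to_struct(int(stamp.group(1), 16)))  # line quoted in the thread
            # Assumption: later step is time.mktime, which reads the struct as local time.
            out.append((hit.group("host"), time.mktime(tuple(date))))
    return out


def demo(tz="EXM-2", findtime=600):
    """Run both conversions under a constructed POSIX TZ (EXM-2 = UTC+2)."""
    old = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()  # Unix only
    try:
        true_time = int("4dc39056", 16)  # seconds field of the rejected line
        now = true_time + 5              # log is read 5 s after the event
        result = {}
        for name, conv in (("gmtime", time.gmtime), ("localtime", time.localtime)):
            host, seen = failures(SAMPLE, conv)[0]
            result[name] = (host, int(seen - true_time), seen >= now - findtime)
        return result
    finally:
        if old is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = old
        time.tzset()
```

`demo()` returns, per conversion, the matched host, the skew in seconds between the computed and the real event time, and whether the event still counts inside the window.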

