On 02/22/2017 04:42 PM, Nigel Aves wrote:
> Is there a way of "knowing" that ipsets are working correctly?
>
> I've looked through the dump file and that does not seem to contain
> the information I need. The reason I ask is that I have changed
> fail2ban to use ipsets to pass the information across to shorewall.
> The reason I have done this is because the old method stopped
> working after implementing "blacklist if connection attempt on
> unused port".
>
> 2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO [postfix-sasl] Found 94.102.60.172
> 2017-02-22 16:57:33,148 fail2ban.filter [5721]: INFO [postfix-sasl] Found 89.248.171.234
> 2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO [postfix-sasl] Found 185.29.9.175
> 2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 2017-02-22 17:04:47,222 fail2ban.actions [5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
> 2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
>
> I have tried two different methods in the rules file.
>
> DROP:info net:+f2b $FW >> this was from a tutorial I discovered

That is the correct test, if fail2ban is inserting addresses into set f2b.

> and
>
> ADD(f2b:src):info net $FW >> this is a modified version of
> Tom's "blacklist if connection ...."

Incorrect.

> I have created the ipset all OK and get IPs
>
> # ipset list f2b
> Name: f2b
> Type: hash:ip
> Revision: 1
> Header: family inet hashsize 1024 maxelem 65536 timeout 300
> Size in memory: 20048
> References: 1
> Members:
> 91.200.12.121 timeout 83162
> 95.211.209.158 timeout 83163
> 87.241.171.225 timeout 290
> 124.228.112.30 timeout 227
> 181.120.35.243 timeout 78
> 146.0.235.55 timeout 237
>
> If anyone could point me in the right direction, it would really help.
> I'm losing too much hair scratching my head!

The packet count on the new DROP rule will increment (and a log message will be generated) when there is a match on the f2b ipset.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
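As an added example (not part of this thread or of Shorewall), here is a POSIX shell check that applies Tom's test offline: it confirms an address is a member of the f2b set and reads the packet counter on the Shorewall DROP rule that uses `match-set f2b src`. The inputs are constructed samples of `ipset list f2b` and `iptables -vnxL` output; the chain name `net-fw` and the counter values are assumptions.

```shell
#!/bin/sh
# Added example: verify that the f2b ipset is actually being matched.
# 1. the address must appear under "Members:" in `ipset list f2b`
# 2. the DROP rule using "match-set f2b src" must have a non-zero packet count
# Both inputs are constructed sample output so the script runs offline;
# on a live host feed it `ipset list f2b` and `iptables -vnxL` instead.

# Constructed sample of `ipset list f2b`
IPSET_OUT='Name: f2b
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163'

# Constructed sample of `iptables -vnxL net-fw` (chain name is an assumption)
IPT_OUT='Chain net-fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b src LOG flags 0 level 6 prefix "Shorewall:net-fw:DROP:"
      42     2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b src
     100     6000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# in_set LISTING IP -> exit 0 if IP is listed in the Members section
in_set() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^Members:/ { members = 1; next }
        members && $1 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# drop_pkts LISTING SETNAME -> packet count of the DROP rule matching the set
drop_pkts() {
    printf '%s\n' "$1" | awk -v set="$2" '
        $3 == "DROP" && $0 ~ ("match-set " set " src") { print $1; exit }'
}

# check_f2b IP -> 0 matched, 1 in set but no hits yet, 2 not in set
check_f2b() {
    if ! in_set "$IPSET_OUT" "$1"; then
        echo "$1 is not in set f2b"; return 2
    fi
    n=$(drop_pkts "$IPT_OUT" f2b)
    if [ "${n:-0}" -gt 0 ]; then
        echo "$1 is in f2b; DROP rule has matched $n packets"; return 0
    fi
    echo "$1 is in f2b but the DROP rule has not matched yet"; return 1
}
```

A counter that stays at zero while the set has members means the rule is not seeing the traffic, which is the distinction Tom's test draws.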
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
