On Friday 26 April 2019 14:54:43 Pete Biggs wrote:
> 
> > 
> > I did wonder that myself.  I have now amended the Dovecot definition in 
> > jail.conf to:
> > 
> > [dovecot]
> > 
> > port    = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
> > logpath = %(dovecot_log)s
> > backend = %(dovecot_backend)s
> > 
> > I then unbanned and banned each IP address manually with 
> 
> Did you reload the configuration? ("fail2ban-client reload")
> 
> What action are you using - you mention ipset, are you using iptables-
> ipset-proto4? I don't know anything about ipset, but can you see what
> ports are being blocked in the fail2ban-dovecot set (just to make sure
> it is doing the correct thing).
> 
> If you manually add an IP address to the *exim* jail, does it get
> blocked?

I saved all config files and restarted the fail2ban service.  I even rebooted 
the box.  My jail.conf definition for exim is now:

[exim]

port   = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(exim_main_log)s

I have also added a REGEX into /etc/fail2ban/filter.d/exim.conf

^%(pid)s.* \[<HOST>\] rejected EHLO or HELO

to match entries like:

2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: Your server with the IP 102.165.49.64 is with helo name (User) configured incorrectly. Email has been blocked. (HELO Error)

The HELO messages seem to have stopped appearing in the logs, so it looks like 
that is working. However, the original Dovecot authentication errors are still 
appearing in exim/main.log

[root@ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     180
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned:     41
   `- Banned IP list:   106.226.231.159 113.120.142.149 113.120.143.41 
114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 
117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 
121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 
141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 
185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 
188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 
27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 
46.232.112.21 49.87.109.233 52.38.234.254
[root@ollie2 ~]# fail2ban-client status exim
Status for the jail: exim
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   103.114.104.149 185.222.209.71 185.234.217.160 
85.222.209.56

[root@ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3864
References: 0
Number of entries: 41
Members:
185.222.209.56 timeout 4291085
185.234.217.162 timeout 4291086
114.106.134.228 timeout 4291075
45.227.253.100 timeout 4291094
188.165.238.157 timeout 4291088
203.2.118.130 timeout 4291088
140.224.60.165 timeout 4291082
141.98.80.32 timeout 4291083
183.135.168.89 timeout 4291084
27.156.176.146 timeout 4291092
46.232.112.21 timeout 4291096
113.120.143.41 timeout 4291074
113.120.142.149 timeout 4291073
117.29.90.228 timeout 4291077
185.222.209.71 timeout 4291085
185.234.217.221 timeout 4291087
117.31.46.4 timeout 4291078
49.87.109.233 timeout 4291097
41.164.192.74 timeout 4291092
121.237.56.154 timeout 4291080
14.29.161.224 timeout 4291081
117.24.39.199 timeout 4291077
120.43.54.45 timeout 4291079
185.36.81.165 timeout 4291087
140.224.61.88 timeout 4291083
210.6.94.23 timeout 4291090
114.238.30.180 timeout 4291076
116.91.166.50 timeout 4291076
106.226.231.159 timeout 4291067
27.156.139.95 timeout 4291091
52.38.234.254 timeout 4291098
122.7.227.53 timeout 4291081
117.60.247.84 timeout 4291078
209.166.164.71 timeout 4291089
185.211.245.198 timeout 4291085
180.146.128.112 timeout 4291084
185.234.217.160 timeout 4291086
211.72.92.124 timeout 4291090
121.233.206.62 timeout 4291080
45.227.253.99 timeout 4291095
119.127.17.82 timeout 4291079

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 504
References: 0
Number of entries: 4
Members:
185.234.217.160 timeout 4291074
185.222.209.71 timeout 4291073
85.222.209.56 timeout 4291075
103.114.104.149 timeout 4291067
[root@ollie2 ~]# 
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
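The post adds one failregex to filter.d/exim.conf and then wonders why the Dovecot authentication failures that exim writes to main.log are still not counted. The following is an added example, not code from the post or from the fail2ban project: it expands a fail2ban-style failregex (the `%(pid)s` variable and the `<HOST>` tag) the way fail2ban does, strips exim's timestamp, and runs the pattern over a few constructed main.log lines with a maxretry/findtime counter, so you can see which lines a given filter actually catches before touching the live jail. The `HOST_RE` and `pid` expansions are taken from fail2ban's classic filter conventions but are assumptions here; `AUTH_FAILREGEX` is a hypothetical second pattern for exim's `authenticator failed for` lines, not fail2ban's own, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: fail2ban's classic <HOST> expansion (optional IPv4-mapped IPv6 prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: the 'pid' variable from exim-common.conf, an optional " [1234]".
SUBS = {"pid": r"(?: \[\d+\])?"}

# The failregex added to filter.d/exim.conf in the post, verbatim.
HELO_FAILREGEX = r"^%(pid)s.* \[<HOST>\] rejected EHLO or HELO"

# Hypothetical extra failregex (not from the post, not fail2ban's own) for the
# dovecot_login authenticator failures exim logs in main.log.
AUTH_FAILREGEX = (r"^%(pid)s\w+ authenticator failed for .*\[<HOST>\](?::\d+)?"
                  r": 535 Incorrect authentication data")

# Exim main.log timestamp; fail2ban removes it before applying failregex.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample of exim/main.log: three HELO rejections from one host,
# three auth failures from another, and one normal delivery line.
SAMPLE_LOG = """\
2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: Your server with the IP 102.165.49.64 is with helo name (User) configured incorrectly. Email has been blocked. (HELO Error)
2019-04-26 15:44:20 H=(User) [102.165.49.64] rejected EHLO or HELO user: (HELO Error)
2019-04-26 15:44:31 H=(User) [102.165.49.64] rejected EHLO or HELO user: (HELO Error)
2019-04-26 15:45:02 dovecot_login authenticator failed for (User) [185.234.217.160]: 535 Incorrect authentication data (set_id=admin)
2019-04-26 15:45:09 dovecot_login authenticator failed for (User) [185.234.217.160]: 535 Incorrect authentication data (set_id=test)
2019-04-26 15:45:15 dovecot_login authenticator failed for (User) [185.234.217.160]: 535 Incorrect authentication data (set_id=info)
2019-04-26 15:46:00 1hJxyz-000123-Ab <= bob@example.org H=mail.example.org [192.0.2.10] P=esmtps S=1234
"""


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand %(var)s substitutions and the <HOST> tag, then compile."""
    expanded = pattern % SUBS
    return re.compile(expanded.replace("<HOST>", HOST_RE))


def scan(lines, failregexes, maxretry=5, findtime=600):
    """Apply the compiled failregexes to each log line after stripping the
    timestamp.  Returns (matches, bans): matches is a list of (time, host)
    for every line that hit a failregex; bans lists hosts that reached
    maxretry hits within findtime seconds, in the order they would be banned."""
    hits = defaultdict(list)
    matches, bans = [], []
    for line in lines:
        m = TIMESTAMP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        rest = line[m.end():]
        for rx in failregexes:
            fm = rx.search(rest)
            if not fm:
                continue
            host = fm.group("host")
            matches.append((ts, host))
            # keep only hits inside the findtime window, like fail2ban's counter
            hits[host] = [t for t in hits[host] + [ts]
                          if ts - t <= timedelta(seconds=findtime)]
            if len(hits[host]) >= maxretry and host not in bans:
                bans.append(host)
            break
    return matches, bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    helo_only = [compile_failregex(HELO_FAILREGEX)]
    both = helo_only + [compile_failregex(AUTH_FAILREGEX)]
    print("HELO regex only, bans:", scan(lines, helo_only, maxretry=3)[1])
    print("HELO + auth regex, bans:", scan(lines, both, maxretry=3)[1])
```

With only the HELO pattern, the auth-failure lines from 185.234.217.160 are never counted and `Total failed` for that jail stays flat, which is the symptom in the post; once a pattern covering `authenticator failed for ... [<HOST>]` is in the filter, both hosts reach maxretry. On a real box the equivalent check is `fail2ban-regex /var/log/exim/main.log /etc/fail2ban/filter.d/exim.conf`, which reports how many lines each failregex matched, followed by `fail2ban-client status exim` to confirm the filter counters move.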