John,

Thanks for your reply. I guess fail2ban is working correctly. When I researched the issue further, I see that (in some instances) there is a subsequent entry after the ban in the postfix logs. However, I haven't seen any banned-IPs having more than one entry after the ban notice. I'm not sure why there would be an extra entry in the logs if the IP is blocked at the firewall but it's not a problem.

Here's an example.

From /var/log/messages
Sep 8 10:26:33 mail fail2ban.actions[2834]: NOTICE [postfix] Ban xxx.66.110.xx

From /var/log/maillog
Sep 8 10:31:34 mail postfix/smtpd[27076]: timeout after DATA from unknown[xxx.66.110.xx]
Sep 8 10:31:34 mail postfix/smtpd[27076]: disconnect from unknown[xxx.66.110.xx]

From: John Fawcett [mailto:[email protected]]
Sent: Sunday, September 6, 2015 12:55 PM
To: [email protected]
Subject: Re: [Fail2ban-users] fail2ban not actually banning IP addresses

Paul

the tables look ok. can you give an example of what is being logged and how long it happens after the ban?

best regards,
John

On 09/06/2015 09:16 PM, Paul Dillon wrote:

Hi,

This is probably a simple error on my part but I can't get fail2ban to block IP addresses listed in iptables.

CentOS release 6.7 (Final)
Fail2ban 0.9.2-1.el6

I have edited jail.local (only enabling postfix, dovecot and postfix-sasl and changing ban time to 3600). Fail2ban is detecting offenders and editing iptables. However, during the ban period, the offending IP addresses are still showing up in /var/log/maillog.

Prior to installing fail2ban, I had configured the firewall with the terminal user interface (launched by typing "setup" at the command line). The ACCEPT entries for ports 80 thru 587 came from the TUI. My knowledge of iptables is limited but I have learned to add blocking entries above the TUI ACCEPT entries for them to work. So perhaps the fail2ban REJECT entries should be above the ACCEPT entries or maybe fail2ban isn't restarting the network.

I have tried removing the ACCEPT entries for 25 993 995 110 143 587 by stopping fail2ban, saving iptables, restarting the network, then restarting fail2ban, but 25 993 995 110 143 587 are then all blocked by the firewall.

What have I done wrong?

Regards,
-paul

[root@mail ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target            prot opt source          destination
f2b-postfix-sasl  tcp  --  0.0.0.0/0       0.0.0.0/0    multiport dports 25,465,587,220,993,110,995
f2b-dovecot       tcp  --  0.0.0.0/0       0.0.0.0/0    multiport dports 110,995,143,993,587,465,4190
f2b-postfix       tcp  --  0.0.0.0/0       0.0.0.0/0    multiport dports 25,465,587
ACCEPT            all  --  0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
ACCEPT            icmp --  0.0.0.0/0       0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0       0.0.0.0/0
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:80
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:443
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:25
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:53
ACCEPT            udp  --  0.0.0.0/0       0.0.0.0/0    state NEW udp dpt:53
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:993
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:995
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:xxxxx (my ssh port)
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:110
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:143
ACCEPT            tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:587
REJECT            all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target            prot opt source          destination
REJECT            all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target            prot opt source          destination

Chain f2b-dovecot (1 references)
target            prot opt source          destination
RETURN            all  --  0.0.0.0/0       0.0.0.0/0

Chain f2b-postfix (1 references)
target            prot opt source          destination
RETURN            all  --  0.0.0.0/0       0.0.0.0/0

Chain f2b-postfix-sasl (1 references)
target            prot opt source          destination
REJECT            all  --  xxx.xxx.xx.125  0.0.0.0/0    reject-with icmp-port-unreachable
REJECT            all  --  xx.xx.xxx.60    0.0.0.0/0    reject-with icmp-port-unreachable
REJECT            all  --  xxx.xx.xx.234   0.0.0.0/0    reject-with icmp-port-unreachable
RETURN            all  --  0.0.0.0/0       0.0.0.0/0

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected] <mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
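
Added example, not part of the original thread: one way to check whether maillog entries seen after a ban are only the tail of an already-open SMTP session or a genuinely new connection that got past the firewall. The sample lines, the placeholder addresses, the `classify` function and its verdict names are constructed for illustration; the rule that only a fresh "connect from" indicates a failing ban is this example's assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: /var/log/messages and /var/log/maillog lines concatenated.
# Addresses are documentation-range placeholders, not the redacted ones above.
SAMPLE = """\
Sep  8 10:26:33 mail fail2ban.actions[2834]: NOTICE [postfix] Ban 203.0.113.7
Sep  8 10:40:02 mail fail2ban.actions[2834]: NOTICE [postfix] Ban 198.51.100.9
Sep  8 10:26:10 mail postfix/smtpd[27076]: connect from unknown[203.0.113.7]
Sep  8 10:31:34 mail postfix/smtpd[27076]: timeout after DATA from unknown[203.0.113.7]
Sep  8 10:31:34 mail postfix/smtpd[27076]: disconnect from unknown[203.0.113.7]
Sep  8 10:41:15 mail postfix/smtpd[27102]: connect from unknown[198.51.100.9]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\S+): (.*)$")
BAN = re.compile(r"NOTICE \[\S+\] Ban (\S+)$")
SMTPD = re.compile(r"^(connect from|disconnect from|timeout after \S+ from|"
                   r"lost connection after \S+ from) \S*\[([^\]]+)\]")

def classify(log_text, bantime=timedelta(seconds=3600), year=2015):
    """Return (ip, time, verdict) for smtpd entries logged while ip is banned."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])  # stable: merges the two files by time
    banned, findings = {}, []
    for ts, tag, msg in events:
        ban = BAN.search(msg) if tag.startswith("fail2ban.actions") else None
        smtpd = SMTPD.match(msg) if tag.startswith("postfix/smtpd") else None
        if ban:
            banned[ban.group(1)] = ts
        elif smtpd and smtpd.group(2) in banned:
            ip = smtpd.group(2)
            if ts - banned[ip] <= bantime:
                # Assumption: a fresh "connect" during the ban means packets got
                # through; anything else is the tail of a pre-ban session.
                verdict = ("NEW_CONNECTION" if smtpd.group(1) == "connect from"
                           else "RESIDUAL_SESSION")
                findings.append((ip, ts.strftime("%H:%M:%S"), verdict))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(*finding)
```
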
