Hi,

I have been trying to set up fail2ban. I have only edited the SSH jail
to warn me in case of a failed login. Other jails/actions/filters are at
default. Then, from another machine, I tried a failed login (6 times with
the wrong password). I got the mail with whois info, so this is what I was
expecting. Then I waited for the ban to expire (10 mins) and retried
the failed login. I did not get any mail this time. The logs
mentioned that a ban was issued for the client IP address. Interestingly,
by using another IP address (through VPN) I could again get an e-mail
warning the first time but not the second time. It seems to me fail2ban
sends an e-mail warning only once per IP address. Moreover, I changed the log
level to 4 (DEBUG) and ran fail2ban-client reload. Then I tried a failed
login with the old (once banned) IP address. It did not send any mail, but I
found this in the logs:

2016-01-17 12:32:08,961 fail2ban.actions.action[21573]: DEBUG   printf %b
"Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: [email protected]\n
Hi,\n
The IP 192.168.0.11 has just been banned by Fail2Ban after
6 attempts against ssh.\n\n
Here is more information about 192.168.0.11:\n
`/usr/bin/whois 192.168.0.11 || echo missing whois program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban [email protected]
2016-01-17 12:32:09,491 fail2ban.actions.action[21573]: DEBUG   printf %b
"Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: [email protected]\n
Hi,\n
The IP 192.168.0.11 has just been banned by Fail2Ban after
6 attempts against ssh.\n\n
Here is more information about 192.168.0.11:\n
`/usr/bin/whois 192.168.0.11 || echo missing whois program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban [email protected] returned
successfully

I am not sure if the issue is because of my GMail account blocking the
mails, or if it is a feature in Fail2Ban to prevent an e-mail flood?

Best wishes!
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
