Thanks for the replies today -- I'll reply to all of them in one email to save list traffic... please see below for specific responses.  Unfortunately still no luck.  Thanks!

--- Amir

On Mar 27, 2019, at 1:26 AM, Dominic Raferd <[email protected]> wrote:
Have you considered using a more modern MTA such as postfix?

Yes, I am aware and I have considered it, but it is not an option at the moment, for various reasons.

On Mar 27, 2019, at 3:37 AM, Bob Brewer <[email protected]> wrote:
Could there be a permission problem with your filter file?

Thanks for the suggestion but unfortunately that's not it -- all the other filter files have the same permissions and work fine.  This filter file was made by copying sendmail-auth.conf and modifying the failregex appropriately.  As mentioned, the file works absolutely fine using fail2ban-regex, meaning the regex itself is correct... and manually banning also works fine, meaning the jail itself is also set up OK.  So for whatever reason, something is wrong with fail2ban-server working with it autonomously, even though the regex is correct and works, and the jail is also OK.

On Mar 27, 2019, at 3:56 AM, Bob Brewer <[email protected]> wrote:
On Debian I don't have a sendmail-noauth.conf filter but I do have a sendmail-auth.conf filter.
I don't know if this is the same for CentOS but it may be worth checking that the filter name is correct.

This is a custom filter, not one that is distributed with fail2ban.  The filter name and the jail name are both correct, that was the first thing I tested.  I tried changing the name to something else (making sure jail and filter matched), still no luck.

On Mar 27, 2019, at 7:03 AM, Iosif Fettich <[email protected]> wrote:
What if you leave aside the _prefix_line for a try and see what happens with
failregex = \[<HOST>\] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA

Unfortunately no help.  Also, the exact same prefix line works fine on all my other sendmail filters, and it works fine with fail2ban-regex as well, so that doesn't appear to be it.  I really don't understand why fail2ban-regex finds hundreds of matches, but fail2ban-server doesn't.

On Mar 27, 2019, at 8:24 AM, Nick Howitt <[email protected]> wrote:
Shouldn't:
MAIL\/EXPN\/VRFY\/ETRN

read:
(MAIL|EXPN|VRFY|ETRN)

No, the exact failure line from sendmail has all four separated by slashes ... I provided an example in my original email:

Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Sendmail is complaining that the offender did not issue any of those 4 commands prior to disconnect.  (Those commands require authorization to use, hence why they can't be issued when someone fails auth.)

Thanks!

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
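
The pattern variants discussed in this message, checked against the log line quoted above; this is an added example, not code from the thread or from fail2ban. Assumptions: `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the `slashes_forged` pattern and the second log line are constructed for illustration, and `_prefix_line` is left out as in the quoted suggestion.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

TAIL = r" during connection to MTA"
CANDIDATES = {
    # failregex as quoted in the thread (no _prefix_line)
    "slashes": r"\[<HOST>\] did not issue MAIL\/EXPN\/VRFY\/ETRN" + TAIL,
    # alternation form asked about in the thread
    "alternation": r"\[<HOST>\] did not issue (MAIL|EXPN|VRFY|ETRN)" + TAIL,
    # hypothetical variant that tolerates sendmail's "(may be forged)" note
    "slashes_forged": r"\[<HOST>\](?: \(may be forged\))?"
                      r" did not issue MAIL\/EXPN\/VRFY\/ETRN" + TAIL,
}

# Log line quoted in the thread.
LOG_LINE = ("Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: "
            "mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not "
            "issue MAIL/EXPN/VRFY/ETRN during connection to MTA")

# Constructed line: same message without the "(may be forged)" note,
# using a documentation-range address.
CONSTRUCTED_LINE = ("Mar 26 02:41:10 servername sm-mta[10960]: x2Q2exHC010960: "
                    "[192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN "
                    "during connection to MTA")


def matched_host(failregex, line):
    """Expand <HOST>, search the line, return the captured host or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def evaluate(line):
    """Run every candidate pattern against one log line."""
    return {name: matched_host(rx, line) for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for label, line in (("quoted", LOG_LINE), ("constructed", CONSTRUCTED_LINE)):
        for name, host in evaluate(line).items():
            print(f"{label:12} {name:15} -> {host}")
```

The alternation form consumes only one command name, so it cannot match the literal `MAIL/EXPN/VRFY/ETRN` text in either line.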
