Well, I've figured out the problem -- it's a bug in fail2ban's systemd backend. Specifically, when a matching logline is created after the offending connection has already closed, f2b fails to respond when using the systemd backend. If the logline is created while the connection is still open, f2b responds properly. Switching the backend to "polling" restores the expected (correct) functionality.
The discovery moment came after noticing that sendmail-reject (a stock filter) ALSO failed to respond to some pre-greeting rejections. After a bunch of testing, it turns out that if the client issues the "quit" command before the pre-greeting rejection is logged, f2b will not respond when using systemd. Non-quit pre-greeting commands (e.g., helo) that keep the connection open will result in f2b responding properly... but a 'quit' will cause no response.

For now, I've switched over to the polling backend instead of systemd, and all is working as it should.

I've filed an official bug report: https://github.com/fail2ban/fail2ban/issues/2385

This is a potential DoS vector, so anyone using sendmail and the systemd backend should take note and switch to polling until this is resolved in the code.

Cheers!

--- Amir

> On Mar 27, 2019, at 4:31 PM, Amir Caspi <[email protected]> wrote:
>
> On Mar 27, 2019, at 2:24 PM, Iosif Fettich <[email protected] <mailto:[email protected]>> wrote:
>> I saw in the original mail you had findtime = 600. Is it possible that you
>> simply have no new hits, whereas the existing ones are already obsoleted?
>
> Thanks for the thought, but no. I watched hits come into the log in real
> time with no corresponding response by fail2ban (by which I mean fail2ban
> didn't even log a match on the rule, like it does with every other rule). I
> also telnetted into port 25 to cause those hits myself, and again, no
> response.
>
>> Try to go for a debugging strategy. Make failregexp a simple letter or word
>> (ok, risking to ban everything for a minute...). If that doesn't catch
>> anything, you'd know for sure that it's not the regexp that doesn't work.
>
> Just to reiterate, all of my other sendmail filters -- including custom
> filters -- work just fine. And fail2ban-regex matches properly using this
> filter. I'm not sure how it can be the regexp, if fail2ban-regex matches
> every line it's supposed to match.
>
> If fail2ban-server uses different regexp match code than fail2ban-regex, then
> that may explain why fail2ban-regex works while fail2ban-server doesn't...
> but then that would be a bug. But fail2ban-regex is matching everything it's
> supposed to, even while fail2ban-server does not.
>
> How can I debug that?
>
>> Change the logfile. See if fail2ban chooses the right one.
>
> All my other sendmail filters use the same logfile, and they're working fine,
> as above.
>
> Thanks.
>
> --- Amir
>
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
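The workaround the post describes, switching the sendmail-reject jail off the systemd backend and onto polling, written out as a jail.local override. This is an added example, not configuration from the post or from the fail2ban project; the file path, the choice to override per jail rather than globally, and the reload/status commands in the comments are assumptions about a typical installation, and the stock jail.conf already supplies the filter and logpath for this jail.

```ini
# /etc/fail2ban/jail.local  (hypothetical local override; jail.conf is left untouched)
#
# The setting the post found unreliable, shown commented out for comparison:
# with the journal backend a match logged after the client has already sent
# "quit" and closed the connection produced no ban.
#
#[sendmail-reject]
#enabled = true
#backend = systemd

[sendmail-reject]
enabled = true
# Workaround from the post: tail the log file directly instead of the journal.
# Putting "backend = polling" under [DEFAULT] instead would switch every jail.
backend = polling
# findtime from the original thread; the ban window is otherwise unchanged.
findtime = 600

# Apply and verify (run as root; command names are fail2ban's own):
#   fail2ban-client reload
#   fail2ban-client status sendmail-reject
# After a test connection that sends "quit" before the greeting, the
# "Total failed" counter for the jail should increase.
```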
