Didn't see any response to this, any further ideas here to try?
> On April 13, 2019 at 10:45 AM David Shuman <[email protected]> wrote:
>
> Hi Tom,
>
> Thanks for replying:
>
> Could you give us a bit more information?
>
> - version of fail2ban
> 0.10.2-2
>
> - which mail action are you using? How does it set the subject? I use
> Sendmail, in my local jail the default action is:
>
> # Choose default action. To change, just override value of 'action' with the
> # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
> # globally (section [DEFAULT]) or per specific section
> action = %(action_mwl)s
>
> - output of the shell commands 'uname -n' and 'uname -a':
> uname -n: trumpfsmurica.com
> uname -a: Linux trumpfsmurica.com 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
>
> - output of the shell command 'hostname -f'
> hostname -f: trumpfsmurica.com
> - the actual hostname you expect to see
> trumpfsmurica.com
> - the actual hostname you are seeing in the email subjects
> srv461.smurfs.today (but only in the sshd ban emails, apache ban actions
> emails have the correct hostname)
>
> Thanks!
>
> On April 13, 2019 at 8:14 AM [email protected] wrote:
> >
> > Today's Topics:
> >
> > 1. Odd Fail2ban email alert issue (David Shuman)
> > 2. Re: Odd Fail2ban email alert issue (Tom Hendrikx)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 12 Apr 2019 09:33:27 -0400 (EDT)
> > From: David Shuman <[email protected]>
> > To: [email protected]
> > Subject: [Fail2ban-users] Odd Fail2ban email alert issue
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Good morning,
> >
> > I'm an amateur with linux and toy around with a VPS for a few years now.
> > I've used Fail2ban to help protect it and have for many years. I've never
> > had this issue before, but now all my emails sent about blocks have the
> > wrong hostname in the subject line. Right now running the latest ubuntu.
> >
> > The issue: my domain name is abc.com, so before around early March I would
> > see an email subject line similar to the below:
> >
> > [Fail2Ban] sshd: banned xxx.xxx.xx.xxx from abc.com
> >
> > *NOW*
> >
> > [Fail2Ban] sshd: banned xxx.xxx.xx.xxx from xyz.com
> >
> > This coincided when I did an apt-get update/upgrade around early March,
> > which I believe updated my Fail2Ban as well. I don't believe this changed
> > my personalized settings and I checked and don't recall anything out of place.
> > Ironically enough, this only happens on my SSHD alerts, I just noticed that
> > I have recent apache alerts that have the correct domain in the subject
> > line. I've searched the entire filesystem for xyz.com and can't find any
> > trace of it in anything. I've run linux security scanners to check no
> > malware/hack. Just odd.
> >
> > The next strange thing is I opened a ticket with my VPS host and they
> > indicated they didn't see anything wrong as my headers were showing the
> > correct hostname, and their info showed the correct hostname, but this new
> > hostname that started showing up was the *HOSTNAME FROM THE CUSTOMER THAT
> > WAS ON THE VPS BEFORE ME*
> >
> > Strange right?
> >
> > Any ideas?
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Sat, 13 Apr 2019 11:09:34 +0200
> > From: Tom Hendrikx <[email protected]>
> > To: [email protected]
> > Subject: Re: [Fail2ban-users] Odd Fail2ban email alert issue
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > On my ubuntu 16.04 using fail2ban 0.9.3 from default packages, both the
> > "mail-*" and "sendmail-*" actions use the value of 'uname -n' in the
> > subject. It's hard to debug this without some more details.
> >
> > Could you give us a bit more information?
> >
> > - version of fail2ban
> > - which mail action are you using? How does it set the subject?
> > - output of the shell commands 'uname -n' and 'uname -a'
> > - output of the shell command 'hostname -f'
> > - the actual hostname you expect to see
> > - the actual hostname you are seeing in the email subjects
> >
> > Kind regards,
> > Tom
> >
> > ------------------------------
> >
> > End of Fail2ban-users Digest, Vol 149, Issue 5

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
