Dear list,
Here is my problem: I have configured a recidive jail, taken from
jail.conf and copied to jail.local (Debian-style layout). The logs show
that when recidive tries to ban the IP, it finds it is already banned by
another rule with a shorter bantime / findtime. Take this IP for example:
------------------------------------------------------------------------
root@messagerie[10.10.10.19] ~ # grep 212.70.149.82 /var/log/fail2ban.log
2020-06-29 10:08:44,356 fail2ban.actions[4957]: WARNING [postfix-sasl-long] Unban 212.70.149.82
2020-06-29 10:10:54,089 fail2ban.actions[40928]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:10:54,134 fail2ban.actions[40928]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 10:11:22,129 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:21:22,841 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 10:23:40,013 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:33:40,727 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 10:35:53,911 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:45:54,622 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 10:48:06,804 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:48:07,523 fail2ban.actions[42541]: WARNING [recidive] Ban 212.70.149.82
2020-06-29 10:58:07,514 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:00:19,690 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:10:20,371 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:12:31,540 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:22:32,242 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:24:47,427 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:34:48,138 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:37:04,323 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:47:05,035 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:49:16,219 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:49:16,878 fail2ban.actions[42541]: INFO [recidive] 212.70.149.82 already banned
2020-06-29 11:59:16,920 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 12:01:30,104 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 12:11:30,811 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 12:13:43,994 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 12:23:44,702 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 12:25:57,885 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 12:35:58,639 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 12:38:12,823 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 12:48:13,572 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 12:50:27,754 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 12:50:27,941 fail2ban.actions[42541]: INFO [recidive] 212.70.149.82 already banned
2020-06-29 13:00:28,459 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 13:02:38,642 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 13:12:39,342 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 13:14:50,512 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 13:24:51,224 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 13:27:03,406 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 13:37:04,105 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 13:39:16,277 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 13:49:16,982 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 13:51:31,169 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 13:51:32,006 fail2ban.actions[42541]: INFO [recidive] 212.70.149.82 already banned
------------------------------------------------------------------------
How do I solve this general problem?
Here's the config for the recidive jail:
------------------------------------------------------------------------
root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep recidive
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'recidive', 'auto']
['set', 'recidive', 'usedns', 'warn']
['set', 'recidive', 'addlogpath', '/var/log/fail2ban.log']
['set', 'recidive', 'maxretry', 5]
['set', 'recidive', 'addignoreip', '127.0.0.1/8']
['set', 'recidive', 'addignoreip', '10.10.10.0/24']
['set', 'recidive', 'addignoreip', '172.16.0.0/16']
['set', 'recidive', 'addignoreip', '192.168.0.0/16']
['set', 'recidive', 'addignoreip', '197.201.1.66']
['set', 'recidive', 'ignorecommand', '']
['set', 'recidive', 'findtime', 86400]
['set', 'recidive', 'bantime', 604800]
['set', 'recidive', 'addfailregex', '[..too long..]']
['set', 'recidive', 'addaction', 'shorewall']
['set', 'recidive', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'recidive', 'actionstop', 'shorewall', '']
['set', 'recidive', 'actionstart', 'shorewall', '']
['set', 'recidive', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'recidive', 'actioncheck', 'shorewall', '']
['set', 'recidive', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['set', 'recidive', 'addaction', 'sendmail-whois-lines']
['set', 'recidive', 'actionban', 'sendmail-whois-lines', '[..too long..]]
['set', 'recidive', 'actionstop', 'sendmail-whois-lines', '[..too long..]]
['set', 'recidive', 'actionstart', 'sendmail-whois-lines', '[..too long..]]
['set', 'recidive', 'actionunban', 'sendmail-whois-lines', '']
['set', 'recidive', 'actioncheck', 'sendmail-whois-lines', '']
['set', 'recidive', 'setcinfo', 'sendmail-whois-lines', 'dest', '[email protected]']
['set', 'recidive', 'setcinfo', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
['set', 'recidive', 'setcinfo', 'sendmail-whois-lines', 'logpath', '/var/log/fail2ban.log']
['set', 'recidive', 'setcinfo', 'sendmail-whois-lines', 'name', 'recidive']
['set', 'recidive', 'setcinfo', 'sendmail-whois-lines', 'sender', '[email protected]']
['start', 'recidive']
root@messagerie[10.10.10.19] ~ #
------------------------------------------------------------------------
And here's the one for postfix-sasl, which seems to be preventing the
recidive jail from doing its job (or is it?)
------------------------------------------------------------------------
root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix-sasl
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 5]
['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl', 'addignoreip', '197.201.1.66']
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'findtime', 120]
['set', 'postfix-sasl', 'bantime', 600]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\\s*$']
['set', 'postfix-sasl', 'addaction', 'shorewall']
['set', 'postfix-sasl', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix-sasl', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['start', 'postfix-sasl']
root@messagerie[10.10.10.19] ~ #
------------------------------------------------------------------------
Yassine
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
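As an added example (not part of Yassine's post and not fail2ban's own code): a small Python script that reads fail2ban.log lines in the format quoted in the thread and reports every Unban that one jail issues while another jail still holds the same IP banned, together with the "already banned" notices and any Unban for which no Ban was seen. The sample log embedded below is an excerpt of the lines quoted above; the jail names and the IP are the thread's, and the function names are my own.

```python
"""Cross-jail ban overlap check for fail2ban.log (added example, not from
the original post). Parses the fail2ban.actions Ban / Unban / "already
banned" lines and flags unbans that overlap another jail's active ban."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# One fail2ban.actions line, e.g.
#   ... fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
#   ... fail2ban.actions[42541]: INFO [recidive] 212.70.149.82 already banned
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"fail2ban\.actions\[\d+\]: (?P<level>[A-Z]+) \[(?P<jail>[^\]]+)\] "
    r"(?:(?P<event>Ban|Unban) (?P<ip>\S+)|(?P<ip2>\S+) already banned)$"
)


@dataclass
class Event:
    ts: datetime
    jail: str
    kind: str  # "Ban", "Unban" or "AlreadyBanned"
    ip: str


@dataclass
class Report:
    # (ts, unbanning jail, ip, other jails still banning that ip)
    overlapping_unbans: list = field(default_factory=list)
    already_banned: list = field(default_factory=list)   # (ts, jail, ip)
    unmatched_unbans: list = field(default_factory=list)  # (ts, jail, ip)
    still_banned: dict = field(default_factory=dict)      # (jail, ip) -> ban ts


def parse_line(line):
    """Return an Event for a ban-related line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    if m["event"]:
        return Event(ts, m["jail"], m["event"], m["ip"])
    return Event(ts, m["jail"], "AlreadyBanned", m["ip2"])


def analyze(lines):
    """Replay the log in order, tracking which (jail, ip) bans are active."""
    report = Report()
    active = report.still_banned
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "Ban":
            active[(ev.jail, ev.ip)] = ev.ts
        elif ev.kind == "AlreadyBanned":
            report.already_banned.append((ev.ts, ev.jail, ev.ip))
        else:  # Unban
            if active.pop((ev.jail, ev.ip), None) is None:
                # Ban happened before the start of the log we were given.
                report.unmatched_unbans.append((ev.ts, ev.jail, ev.ip))
            # Any other jail still banning this IP? Its block may be
            # affected if the jails share a firewall action.
            others = sorted(j for (j, ip) in active if ip == ev.ip)
            if others:
                report.overlapping_unbans.append((ev.ts, ev.jail, ev.ip, others))
    return report


# Constructed excerpt of the log quoted in the thread.
SAMPLE_LOG = """\
2020-06-29 10:08:44,356 fail2ban.actions[4957]: WARNING [postfix-sasl-long] Unban 212.70.149.82
2020-06-29 10:35:53,911 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:45:54,622 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 10:48:06,804 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 10:48:07,523 fail2ban.actions[42541]: WARNING [recidive] Ban 212.70.149.82
2020-06-29 10:58:07,514 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:00:19,690 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:10:20,371 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
2020-06-29 11:49:16,219 fail2ban.actions[42541]: WARNING [postfix-sasl] Ban 212.70.149.82
2020-06-29 11:49:16,878 fail2ban.actions[42541]: INFO [recidive] 212.70.149.82 already banned
2020-06-29 11:59:16,920 fail2ban.actions[42541]: WARNING [postfix-sasl] Unban 212.70.149.82
"""


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG.splitlines())
    for ts, jail, ip, others in r.overlapping_unbans:
        print(f"{ts} {jail} unbanned {ip} while still banned by {', '.join(others)}")
    for ts, jail, ip in r.already_banned:
        print(f"{ts} {jail}: {ip} already banned (ban still in force)")
    for ts, jail, ip in r.unmatched_unbans:
        print(f"{ts} {jail} unbanned {ip} but its Ban is not in this log")
    for (jail, ip), ts in r.still_banned.items():
        print(f"still banned at end of log: {ip} by {jail} since {ts}")
```

Run it against the full file with `analyze(open("/var/log/fail2ban.log"))`. On the thread's log it flags every postfix-sasl Unban after 10:48:07, the moment recidive banned the address with its 604800 s bantime, and the three "already banned" notices simply confirm that recidive's own ban is still in force. Since both jails in the thread's config use the same shorewall action with `shorewall allow <ip>` as actionunban, each flagged unban issues the same firewall command, so the overlap list is the first place to check when a recidive ban does not seem to stick.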