Hi Martin,

Instead of applying your patch I just downloaded the latest snapshot, which
already has that patch and the behavior is exactly the same: the regex gets
the hit but it never blocks the IP.

[delsio@ns fail2ban-0.8.4-SVN]# tail -f /var/log/fail2ban.log
2011-05-06 14:07:43,587 fail2ban.actions: INFO   Set banTime = 60000
2011-05-06 14:07:43,597 fail2ban.jail   : INFO   Jail 'qmail' started
2011-05-06 14:07:43,602 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-05-06 14:07:43,607 fail2ban.jail   : INFO   Jail 'password-fail'
2011-05-06 14:07:43,616 fail2ban.jail   : INFO   Jail 'username-notfound'
2011-05-06 14:07:43,629 fail2ban.jail   : INFO   Jail 'qmail-smtp' started
2011-05-06 14:07:43,627 fail2ban.actions.action: ERROR  iptables -N
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 200
2011-05-06 14:07:43,653 fail2ban.jail   : INFO   Jail 'named-refused-tcp'
2011-05-06 14:08:05,672 fail2ban.actions: WARNING [named-refused-tcp] Ban
2011-05-06 14:08:05,682 fail2ban.actions: WARNING [named-refused-tcp] Ban
2011-05-06 14:08:05,693 fail2ban.actions: WARNING [named-refused-tcp] Ban

[delsio@ns etc]# fail2ban-client status qmail-smtp
Status for the jail: qmail-smtp
|- filter
|  |- File list:        /var/log/qmail/smtp/current
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

Any other recommendation?

2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>

> OK, it definitely is the patch I sent - fail2ban fails to recognize the
> local time zone you use. This causes times to never fall into the specified
> period you use for checking if the attempt occurs multiple times.
> Once you replace
> date = list(time.gmtime(int(seconds_since_epoch, 16)))
> with
> date = list(time.localtime(int(seconds_since_epoch, 16)))
> in /usr/share/fail2ban/server/datetemplate.py (near end of file), all
> should be fine.
> Martin
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
> Telefon: +49 89 57005708
> Fax: +49 89 57868023
> Mobil: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
> Am 06.05.2011 um 10:17 schrieb Délsio Cabá:
> > Hi,
> >
> > Same behavior, it does get some hits, but it doesn't ban. Other fail2ban filters are working except the one from qmail.
> >
> > fail2ban-regex /var/log/qmail/smtp/current /etc/fail2ban/filter.d/qmail-smtp.conf
> >
> > Date template hits:
> > 0 hit(s): MONTH Day Hour:Minute:Second
> > 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > 0 hit(s): Year/Month/Day Hour:Minute:Second
> > 0 hit(s): Day/Month/Year Hour:Minute:Second
> > 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > 0 hit(s): Year-Month-Day Hour:Minute:Second
> > 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > 0 hit(s): Day-Month-Year Hour:Minute:Second
> > 6347 hit(s): TAI64N
> > 0 hit(s): Epoch
> > 0 hit(s): ISO 8601
> > 0 hit(s): Hour:Minute:Second
> > 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> >
> > Success, the total number of match is 168
> >
> >
> > [delsio@ns ~]# fail2ban-client status qmail-smtp
> > Status for the jail: qmail-smtp
> > |- filter
> > |  |- File list:        /var/log/qmail/smtp/current
> > |  |- Currently failed: 0
> > |  `- Total failed:     0
> > `- action
> >    |- Currently banned: 0
> >    |  `- IP list:
> >    `- Total banned:     0
> >
> >
> > 2011/5/6 Toma Bogdan <tbog...@direkt.ro>
> > On 5/6/2011 9:10 AM, Délsio Cabá wrote:
> >> Hi all
> >>
> >> I am getting a lot of DDOS on smtp connection logs:
> >>
> >> @400000004dc390330ffb50f4 CHKUSER accepted sender: from <r...@mydomain.com::> remote <demagnify:unknown:> rcpt <> : sender accepted
> >> @400000004dc390340c9e201c CHKUSER rejected rcpt: from <r...@mydomain.com::> remote <demagnify:unknown:> rcpt < m...@zicel.ru> : invalid rcpt MX domain
> >> ..
> >> @400000004dc3905511aba4bc CHKUSER accepted sender: from <r...@ns.mozdesigners.com::> remote <byte:unknown:> rcpt <> : sender accepted
> >> @400000004dc390562cb394a4 CHKUSER rejected relaying: from <r...@ns.mozdesigners.com::> remote <byte:unknown:> rcpt < mad...@usc.es> : client not allowed to relay
> >>
> >> I need to block this using fail2ban but the regex is quite complex. I have tried this:
> >> "<HOST>\> rcpt \S+ : client not allowed to relay$"
> >>
> >> But it doesn't seem to be working as expected:
> >> fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client not allowed to relay"
> >> ...
> >> Date template hits:
> >> 0 hit(s): MONTH Day Hour:Minute:Second
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> >> 1184 hit(s): TAI64N
> >> 0 hit(s): Epoch
> >> 0 hit(s): ISO 8601
> >> 0 hit(s): Hour:Minute:Second
> >> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> >>
> >> Any help would be very appreciated
> >> Thanks!
> > try this
> > failregex = CHKUSER .* <\w*:\w*:<HOST>> .* : client not allowed to relay$
> >
> > check it with :
> > fail2ban-regex /var/log/qmail/smtp/current /etc/fail2ban/filters/qmail-smtp-filter.conf
> >
> >
> > --
> > T. Bogdan
> > Network/Systems Security
> >
> > www.direkt.ro
> >
> >
> >
> >

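The time-zone effect described in the quoted reply, as an added example that is not part of the original thread and is not fail2ban's own code: it decodes a TAI64N label from the log above and shows how a `gmtime` tuple, once converted back with `time.mktime()`, lands outside the counting window while a `localtime` tuple does not. The conversion back through `time.mktime()`, the UTC+2 zone, the 600-second `findtime` and all helper names are assumptions made for the demonstration.

```python
import os
import re
import time

# TAI64N label: "@", 16 hex digits of seconds (offset by 2**62), 8 hex digits of nanoseconds.
TAI64N_RE = re.compile(r"@([0-9a-f]{16})([0-9a-f]{8})")
TAI_BASE = 1 << 62


def tai64n_to_epoch(line):
    """Return the seconds field of the first TAI64N label in line, or None.

    The TAI-UTC leap-second offset is ignored; it is small next to a time-zone shift.
    """
    m = TAI64N_RE.search(line)
    return int(m.group(1), 16) - TAI_BASE if m else None


def rebuilt_epoch(epoch, to_struct, tz):
    """Break epoch into a time tuple with to_struct, then rebuild it with
    time.mktime(), which always reads the tuple as local time (zone tz)."""
    os.environ["TZ"] = tz
    time.tzset()  # Unix only
    return int(time.mktime(to_struct(epoch)))


def in_findtime(event, now, findtime=600):
    """True if the event is recent enough to count toward a ban."""
    return now - findtime <= event <= now


# TAI64N label copied from a log line in the thread; the rest of the line is cut.
LINE = "@400000004dc390562cb394a4 CHKUSER rejected relaying: ..."
TZ = "CAT-2"  # assumed zone for the demo: POSIX syntax for UTC+2, no DST

if __name__ == "__main__":
    real = tai64n_to_epoch(LINE)
    now = real + 5  # assume the line is read five seconds after it was written
    for name, fn in (("gmtime", time.gmtime), ("localtime", time.localtime)):
        seen = rebuilt_epoch(real, fn, TZ)
        print(name, "skew:", seen - real, "s; counted:", in_findtime(seen, now))
```
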