[CentOS] Does devtmpfs and tmpfs use underlying hard disk storage or Physical Memory (RAM)

2019-04-19 Thread Kaushal Shriyan
Hi,

I am running the below command on CentOS Linux release 7.6.1810 (Core)

# df -hT --total
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/xvda1     xfs       150G  8.0G  143G   6% /
devtmpfs       devtmpfs  7.8G     0  7.8G   0% /dev
tmpfs          tmpfs     7.8G     0  7.8G   0% /dev/shm
tmpfs          tmpfs     7.8G  817M  7.0G  11% /run
tmpfs          tmpfs     7.8G     0  7.8G   0% /sys/fs/cgroup
tmpfs          tmpfs     1.6G     0  1.6G   0% /run/user/995
tmpfs          tmpfs     1.6G     0  1.6G   0% /run/user/1000
total          -         185G  8.8G  176G   5% -
#

Do devtmpfs and tmpfs use underlying hard disk storage or do they use
Physical Memory (RAM)? What is the purpose of devtmpfs which is mounted on
/dev, tmpfs mounted on /dev/shm and so on and so forth? What is the
difference between devtmpfs and tmpfs?

I would appreciate it if anyone can help me understand the above output.

Thanks in advance and I look forward to hearing from you.

Best Regards,

Kaushal
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Pete Biggs


> 
> The event that triggers the ban does complete as normal, which is what I
> would expect as the ban is triggered by the log entry which is *after* the
> failed attempt.
> 
> However, after the /var/log/fail2ban.log showed the IP as banned, I continue 
> to see entries in /var/log/exim/main.log

What ban action do you use?  If it's something like iptables-multiport,
then I wonder if the fact that it's detecting the failures as
'[dovecot]' means that it's using the dovecot ports, not the exim
ports, when applying the iptables rule.

When a host has been banned, can you look at the iptables rules to see
what is actually being applied?

P.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Kenneth Porter

On 4/19/2019 5:30 AM, Gary Stainburn wrote:

> I've followed one of the pages on line specifically for installing fail2ban on
> Centos 7 and all looks fine.


Which page? It would help to see what they advised.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Miguel Gonzalez via CentOS
I find csf/lfd much easier to configure and can be used in combination with 
fail2ban.

Gary Stainburn  wrote:

>I've followed one of the pages on line specifically for installing fail2ban on 
>Centos 7 and all looks fine.
>
>I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
>another page:
>
>   \[\]: 535 Incorrect authentication data
>
>which appears to be successfully matching lines in /var/log/exim/mail.log such 
>as
>
>2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
>[185.222.209.71]: 535 Incorrect authentication data
>
>/var/log/fail2ban.log, and the generated emails all say that the regex is 
>working and the IP addresses are getting banned.
>
>2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] 
>Found 45.227.253.99
>2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
>45.227.253.99
>2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] 
>Found 45.227.253.99
>2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.222.209.71
>2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] 
>Unban 185.211.245.198
>2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] 
>Unban 185.234.217.221
>2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] 
>Found 141.98.80.32
>2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.234.217.162
>2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
>185.234.217.162
>2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] 
>Found 141.98.80.32
>2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.234.217.221
>2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.211.245.198
>2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.211.245.198
>2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
>185.211.245.198
>2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.211.245.198
>
>
>
>However, once an IP address is banned, it continues to appear 
>in /var/log/exim/main.log which would imply that the ban action is not 
>working.
>
>(Also, I don't understand why it's matching against dovecot when the regex 
>is in exim.conf)
>
>I've found lots of pages relating to regex errors which this obviously isn't 
>but I can't seem to find pages about why the ban doesn't work. Does anyone 
>have any ideas?


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Gary Stainburn
On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
> > I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested
> > on another page:
>
> The standard exim.conf already has a 535 filter. Was that not working
> for you?

I was following the instructions as shown on the page.  I did find after 
sending my post that there was already a regex in the standard file, so 
should be able to remove the one I added. However, the regex part doesn't 
seem to be the problem as the actions are being correctly triggered.

> >\[\]: 535 Incorrect authentication data
> >
> > which appears to be successfully matching lines in /var/log/exim/mail.log
> > such as
> >
> > 2019-04-19 13:06:10 dovecot_plain authenticator failed for
> > ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
> Just to check - you are authenticating against dovecot for SMTP within
> exim (and it's not that dovecot authentication is getting mixed up with
> the exim logs)?

This is correct.  I am using Dovecot to authenticate the SMTP users.  The 
errors are being logged in /var/log/exim/main.log and not 
in /var/log/dovecot.log or /var/log/maillog

>
> > /var/log/fail2ban.log, and the generated emails all say that the regex
> > is working and the IP addresses are getting banned.
> >
> > 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Ban 45.227.253.99
> > 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.222.209.71
> > 2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Unban 185.211.245.198
> > 2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Unban 185.234.217.221
> > 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.234.217.162
> > 2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Ban 185.234.217.162
> > 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.234.217.221
> > 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Ban 185.211.245.198
> > 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.211.245.198
>
> It would be much, much easier to read if you didn't wrap the log lines
> - I've unwrapped them for you:
(I didn't wrap them, my mail client did. Sorry)

>
> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO    [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO    [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO    [dovecot] Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO    [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO    [dovecot] Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO    [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO    [dovecot] Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO    [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO    [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO    [dovecot] Found 185.211.245.198
>
> > However, once an IP address is banned, it continues to appear
> > in /var/log/exim/main.log which would imply that the ban action is not
> > working.
>
> Only for one more attempt - I presume your ban action is to modify the
> firewall, but the firewall doesn't stop established connections, so as
> long as the remote host has an open TCP connection it can continue to
> attempt to login. If your authenticator drops the connection after 3
> attempts and Fail2Ban blocks after 2 failed attempts you wil

Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Pete Biggs


> I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
> another page:

The standard exim.conf already has a 535 filter. Was that not working
for you?


> 
>\[\]: 535 Incorrect authentication data
> 
> which appears to be successfully matching lines in /var/log/exim/mail.log
> such as
> 
> 2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
> [185.222.209.71]: 535 Incorrect authentication data

Just to check - you are authenticating against dovecot for SMTP within
exim (and it's not that dovecot authentication is getting mixed up with
the exim logs)?

> 
> /var/log/fail2ban.log, and the generated emails all say that the regex is 
> working and the IP addresses are getting banned.
> 
> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] 
> Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Ban 
> 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] 
> Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] 
> Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Ban 
> 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] 
> Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Ban 
> 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.211.245.198
> 
It would be much, much easier to read if you didn't wrap the log lines
- I've unwrapped them for you:

2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO    [dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO    [dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO    [dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO    [dovecot] Found 185.211.245.198

> 
> 
> However, once an IP address is banned, it continues to appear 
> in /var/log/exim/main.log which would imply that the ban action is not 
> working.

Only for one more attempt - I presume your ban action is to modify the
firewall, but the firewall doesn't stop established connections, so as
long as the remote host has an open TCP connection it can continue to
attempt to login. If your authenticator drops the connection after 3
attempts and Fail2Ban blocks after 2 failed attempts you will see what
you've got.

> 
> (Also, I don't understand why it's matching against dovecot when the regex 
> is in exim.conf)

Because the log line says dovecot - the actual name of the .conf file
is irrelevant and nowhere in the filter config files does it mention
[exim] explicitly (or any other section). The section is determined
from the log line using the filters.

P.
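
Added example (not part of the thread, and not fail2ban's own code): one way to check the explanation above is to correlate Ban/Unban events from /var/log/fail2ban.log with 535 failures from /var/log/exim/main.log. Failures only within a short grace period after a Ban fit the established-connection case; failures long after a Ban suggest the ban action is not blocking the ports exim listens on. The sample lines, the 30-second grace value and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two log formats quoted in the thread
# (documentation-range addresses, not the hosts from the thread).
F2B_SAMPLE = """\
2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 192.0.2.10
2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 198.51.100.7
2019-04-19 13:18:12,300 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 198.51.100.7
"""
FAIL = "dovecot_plain authenticator failed for ([{0}]) [{0}]: 535 Incorrect authentication data"
EXIM_SAMPLE = "\n".join(f"2019-04-19 {t} " + FAIL.format(ip) for t, ip in [
    ("13:06:30", "192.0.2.10"), ("13:06:33", "192.0.2.10"),      # 2nd is 1s after Ban
    ("13:08:10", "198.51.100.7"), ("13:12:40", "198.51.100.7"),  # 2nd is 4min after Ban
    ("13:14:02", "198.51.100.7"), ("13:20:00", "198.51.100.7"),  # last is after Unban
])

TS = "%Y-%m-%d %H:%M:%S"
F2B_RE = re.compile(r"^(\S+ [\d:]+),\d+ fail2ban\.actions\s*\[\d+\]: NOTICE\s+"
                    r"\[\S+\] (Ban|Unban) (\S+)")
EXIM_RE = re.compile(r"^(\S+ [\d:]+) \S+ authenticator failed for .*"
                     r"\[([0-9A-Fa-f.:]+)\]: 535 ")

def ban_windows(f2b_lines):
    """Map ip -> list of [ban_time, unban_time or None] from fail2ban.log."""
    windows = {}
    for m in filter(None, map(F2B_RE.match, f2b_lines)):
        when, action, ip = datetime.strptime(m[1], TS), m[2], m[3]
        spans = windows.setdefault(ip, [])
        if action == "Ban":
            spans.append([when, None])
        elif spans and spans[-1][1] is None:
            spans[-1][1] = when
    return windows

def failures_during_ban(f2b_lines, exim_lines, grace=timedelta(seconds=30)):
    """Map ip -> times of 535 failures logged while the ip was banned, skipping
    the first `grace` after each Ban (connection may already be established)."""
    windows, hits = ban_windows(f2b_lines), {}
    for m in filter(None, map(EXIM_RE.match, exim_lines)):
        when, ip = datetime.strptime(m[1], TS), m[2]
        for start, end in windows.get(ip, []):
            if start + grace < when and (end is None or when < end):
                hits.setdefault(ip, []).append(when)
    return hits

if __name__ == "__main__":
    hits = failures_during_ban(F2B_SAMPLE.splitlines(), EXIM_SAMPLE.splitlines())
    print({ip: [str(t) for t in times] for ip, times in hits.items()})
```

On real logs, pass the lines of the two files instead of the samples; an empty result means every post-ban failure fell inside the grace period.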




[CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Gary Stainburn
I've followed one of the pages on line specifically for installing fail2ban on 
Centos 7 and all looks fine.

I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
another page:

   \[\]: 535 Incorrect authentication data

which appears to be successfully matching lines in /var/log/exim/mail.log such 
as

2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
[185.222.209.71]: 535 Incorrect authentication data

/var/log/fail2ban.log, and the generated emails all say that the regex is 
working and the IP addresses are getting banned.

2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] 
Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] 
Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] 
Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] 
Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] 
Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] 
Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] 
Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] 
Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] 
Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] 
Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] 
Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] 
Found 185.211.245.198



However, once an IP address is banned, it continues to appear 
in /var/log/exim/main.log which would imply that the ban action is not 
working.

(Also, I don't understand why it's matching against dovecot when the regex 
is in exim.conf)

I've found lots of pages relating to regex errors which this obviously isn't 
but I can't seem to find pages about why the ban doesn't work. Does anyone 
have any ideas?