Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-30 Thread Gary Stainburn
On Monday 29 April 2019 17:21:54 Gordon Messmer wrote:
> On 4/29/19 1:44 AM, Gary Stainburn wrote:
> > and the lines are still appearing.  Here is my jail.local. (I did also try 
> > directly editing jail.conf to update the port commands).
> >
> >
> > [exim]
> > port= 0:65535
> 
> 
> If that's all that's in jail.local, then the jail shouldn't be enabled.  
> They're off by default.  I'd suggest that you remove fail2ban 
> completely.  Remove the packages, and then delete /etc/fail2ban, and 
> start again.
> 
> When you're done, look at the output of "iptables -n -L INPUT_direct":
> 
> # iptables -n -L INPUT_direct
> Chain INPUT_direct (1 references)
> target prot opt source   destination
> REJECT tcp  --  0.0.0.0/0    0.0.0.0/0 match-set 
> fail2ban-sshd src reject-with icmp-port-unreachable
> 

My jail.conf contains the following. What I included above was jail.local.

[dovecot]

port= pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[exim]

port   = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(exim_main_log)s


I was also coming to the conclusion that it was time to start again. I'll let 
you know how I get on.

Gary
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-29 Thread Gordon Messmer

On 4/29/19 1:44 AM, Gary Stainburn wrote:

and the lines are still appearing.  Here is my jail.local. (I did also try 
directly editing jail.conf to update the port commands).


[exim]
port= 0:65535



If that's all that's in jail.local, then the jail shouldn't be enabled.  
They're off by default.  I'd suggest that you remove fail2ban 
completely.  Remove the packages, and then delete /etc/fail2ban, and 
start again.


When you're done, look at the output of "iptables -n -L INPUT_direct":

# iptables -n -L INPUT_direct
Chain INPUT_direct (1 references)
target prot opt source   destination
REJECT tcp  --  0.0.0.0/0    0.0.0.0/0 match-set 
fail2ban-sshd src reject-with icmp-port-unreachable





Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-29 Thread Gary Stainburn
On Monday 29 April 2019 02:21:05 Gordon Messmer wrote:
> That's one approach.  I believe that you could modify fewer files by 
> setting "port = 0:65535" in your definition in "jail.local" and not 
> install firewallcmd-ipset.local.

I have just tried this, and re-started fail2ban. It does not seem to have 
worked.

I have looked at /var/log/exim/main.log and found lots of lines like 

2019-04-29 09:39:15 dovecot_plain authenticator failed for 
(hosting-by.directwebhost.org.) [45.227.253.100]: 535 Incorrect authentication 
data

which are still not being stopped. I have run the commands

[root@ollie2 ~]# fail2ban-client set exim banip 45.227.253.100
45.227.253.100
[root@ollie2 ~]# fail2ban-client set exim banip 46.232.112.21
46.232.112.21
[root@ollie2 ~]#

and the lines are still appearing.  Here is my jail.local. (I did also try 
directly editing jail.conf to update the port commands).



[DEFAULT]
# set a higher bantime and findtime
bantime=360
findtime=1200
# set the IP's to ignore / not ban
ignoreip = 127.0.0.1/8 10.0.0.0/8
# set max number of attempts
maxretry = 3
# set mail receiver
destemail = fail2...@ringways.co.uk
sender = fail2...@ringways.co.uk
# enable sending mails, whois and logfile sections by choosing the "action_mwl" template,
# see jail.conf for details
action = %(action_mwl)s

[exim]
port= 0:65535

[dovecot]
port= 0:65535


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-28 Thread Gordon Messmer

On 4/26/19 3:50 AM, Gary Stainburn wrote:

I can't remember the other one. I have removed all of the manual amendments so 
am now basically set up as initially installed.



This is my process for fail2ban:

1: "yum install fail2ban"  This installs fail2ban and fail2ban-firewalld.

2: install /etc/fail2ban/jail.local.  This file enables the matching 
rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures.


    [sshd]
    enabled = true
    maxretry = 10

3: install /etc/fail2ban/action.d/firewallcmd-ipset.local.  This file 
overrides the default action defined in 
/etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in 
/etc/fail2ban/jail.d/00-firewalld.conf.  The new definition blocks the 
source address from *all* TCP ports rather than just the ports defined 
for the jail (in /etc/fail2ban/jail.conf).  You might also choose to 
remove the "-p <protocol>" spec to block all access instead of just TCP 
access.


    [Definition]

    # <name>, <bantime>, <chain>, <protocol> and <blocktype> are fail2ban's standard
    # action tags, substituted per jail; note there is no "-m multiport --dports <port>"
    # here, so the ipset match applies to every TCP port.
    actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
                  firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>

    actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
                 ipset flush fail2ban-<name>
                 ipset destroy fail2ban-<name>

4: systemctl enable fail2ban


That's one approach.  I believe that you could modify fewer files by 
setting "port = 0:65535" in your definition in "jail.local" and not 
install firewallcmd-ipset.local.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-28 Thread Allan
On Sun, 28 Apr 2019 12:59:59 +0100
Pete Biggs wrote:
> > > 
> > > /var/log/fail2ban.log is showing that it's working:  
> > 
> > I have seen similar odd behaviour with f2b with other filters. 
> > Try to uninstall the package
> > fail2ban-systemd
> > and stop and start fail2ban again.
> > This might change its behavior to the better.
> >   
> 
> The fail2ban-systemd package configures fail2ban to use systemd
> journal for log input.  The OP can see that it is detecting the
> transgressions, so the input side of things is not the issue.

I do not agree. Yes, it is detecting something is bad - but it is the
wrong filter that is doing it, and that should not happen. Yes, both
dovecot and exim filters look at some of the same ports; but the filters
should know to look into the different logs.
However, the f2b-systemd 'package' seems to clutter this up. For me, I
was trying to set up the recidive filter (for extended banning of ongoing
abusers) but it wouldn't ban anything either. Removing the f2b-systemd
package fixed it.
Do notice, the f2b-systemd package is optional - it is not included with
a simple f2b install - but the OP only installed it because of the
instructions on that howtoforge website. I've been there, done that,
too :-)

That's why I think he should try to remove it - as it didn't do any
harm to my system when I removed it - but it fixed recidive filtering.

It is also interesting to read about the backend in jail.conf.
According to that, backend = auto is the default and auto includes 3 choices,
where systemd is not even one of them - so installing systemd as default
is quite an override, which may not be such a good idea (depending on the
filters you choose).

  Allan.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-28 Thread Pete Biggs


> > 
> > /var/log/fail2ban.log is showing that it's working:
> 
> I have seen similar odd behaviour with f2b with other filters. 
> Try to uninstall the package
> fail2ban-systemd
> and stop and start fail2ban again.
> This might change its behavior to the better.
> 

The fail2ban-systemd package configures fail2ban to use systemd journal
for log input.  The OP can see that it is detecting the transgressions,
so the input side of things is not the issue.  What they appear to be
having problems with is the banning process.

Personally, I don't use 'firewallcmd-ipset' for banaction, I use
'iptables-multiport'. But the OP needs to look at what exactly is
happening to the firewall configuration when an IP is banned.

P.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-27 Thread Allan
On Fri, 26 Apr 2019 11:50:47 +0100
Gary Stainburn wrote:
> On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> > On 4/19/2019 5:30 AM, Gary Stainburn wrote:  
> > > I've followed one of the pages online specifically for
> > > installing fail2ban on Centos 7 and all looks fine.  
> > 
> > Which page? It would help to see what they advised.
> 
> I think I worked from two pages. One I believe was 
> 
> https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/
> 
> I can't remember the other one. I have removed all of the manual
> amendments so am now basically set up as initially installed.
> 
> /var/log/fail2ban.log is showing that it's working:

I have seen similar odd behaviour with f2b with other filters. 
Try to uninstall the package
fail2ban-systemd
and stop and start fail2ban again.
This might change its behavior to the better.

  Allan.








Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-26 Thread Gary Stainburn
On Friday 26 April 2019 14:54:43 Pete Biggs wrote:
> 
> > 
> > I did wonder that myself.  I have now amended the Dovecot definition in 
> > jail.conf to:
> > 
> > [dovecot]
> > 
> > port= pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
> > logpath = %(dovecot_log)s
> > backend = %(dovecot_backend)s
> > 
> > I then unbanned and banned each IP address manually with 
> 
> Did you reload the configuration? ("fail2ban-client reload")
> 
> What action are you using - you mention ipset, are you using
> iptables-ipset-proto4? I don't know anything about ipset, but can you see what
> ports are being blocked in the fail2ban-dovecot set (just to make sure
> it is doing the correct thing).
> 
> If you manually add an IP address to the *exim* jail, does it get
> blocked?

I saved all config files and restarted the fail2ban service.  I even rebooted 
the box.  My jail.conf definition for exim is now:

[exim]

port   = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(exim_main_log)s

I have also added a regex into /etc/fail2ban/filter.d/exim.conf

^%(pid)s.* \[<HOST>\] rejected EHLO or HELO

to match entries like:

2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: Your 
server with the IP 102.165.49.64 is with helo name (User) configured 
incorrectly. Email has been blocked. (HELO Error)

The HELO messages seem to have stopped appearing in the logs, so it looks like 
that is working. However, the original Dovecot authentication errors are still 
appearing in exim/main.log.


[root@ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 180
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned: 41
   `- Banned IP list:   106.226.231.159 113.120.142.149 113.120.143.41 
114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 
117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 
121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 
141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 
185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 
188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 
27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 
46.232.112.21 49.87.109.233 52.38.234.254
[root@ollie2 ~]# fail2ban-client status exim
Status for the jail: exim
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:
`- Actions
   |- Currently banned: 4
   |- Total banned: 4
   `- Banned IP list:   103.114.104.149 185.222.209.71 185.234.217.160 85.222.209.56
[root@ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
 
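An added example, not code from the thread or from fail2ban, of the filter side discussed above: a small POSIX sh emulation of what fail2ban does with a failregex, run over constructed exim main.log lines. It expands the `<HOST>` tag to an IPv4 pattern (fail2ban's real tag also matches hostnames and IPv6, and the real exim filter anchors on a date pattern and `%(pid)s`, both left out here), prints the host captured by each match, and counts failures per host against `maxretry` to show which hosts would be banned. The two regexes, the sample lines and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal emulation of fail2ban's failregex matching in POSIX sh.
# The log lines are constructed samples, not taken from the thread's server.
SAMPLE_LOG='2019-04-26 11:41:39 dovecot_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=test)
2019-04-26 11:41:44 dovecot_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=test)
2019-04-26 11:41:55 dovecot_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=test)
2019-04-26 11:43:27 dovecot_login authenticator failed for (mail.example.net) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2019-04-26 15:44:13 H=(User) [203.0.113.5] rejected EHLO or HELO user: helo name is not a FQDN
2019-04-26 15:45:00 1hKxyz-0001aa-2b <= alice@example.org H=mail.example.org [198.51.100.9] P=esmtp S=1234'

# Two failregex lines in fail2ban's syntax. The date prefix and the %(pid)s
# definition that the real exim filter carries are omitted; this emulation
# does not anchor on them.
AUTH_RE='\[<HOST>\]: 535 Incorrect authentication data'
HELO_RE='\[<HOST>\] rejected EHLO or HELO'

# Turn a failregex into a POSIX ERE: <HOST> becomes an IPv4 address in capture group 1.
# (fail2ban's real <HOST> also matches hostnames and IPv6; IPv4 is enough here.)
host_regex() {
  printf '%s\n' "$1" | sed 's/<HOST>/([0-9]{1,3}(\\.[0-9]{1,3}){3})/g'
}

# Print the captured host for every line on stdin that matches the failregex.
extract_hosts() {
  re=$(host_regex "$1")
  sed -nE "s/^.*${re}.*$/\1/p"
}

# would_ban MAXRETRY REGEX... : read a log on stdin, apply every regex, and print
# the hosts whose total failure count reached MAXRETRY (the ones fail2ban would ban).
would_ban() {
  maxretry=$1; shift
  log=$(cat)
  for re in "$@"; do
    printf '%s\n' "$log" | extract_hosts "$re"
  done | sort | uniq -c | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

# Stand-alone run: with maxretry = 3 only 192.0.2.10 crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 "$AUTH_RE" "$HELO_RE"
```

The same check on a real box is `fail2ban-regex /var/log/exim/main.log /etc/fail2ban/filter.d/exim.conf`, which also reports which lines were missed; the point of the emulation is to show that matching and counting are separate from banning, which is why a jail can report "Found"/"Ban" while traffic still gets through.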

Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-26 Thread Pete Biggs


> 
> I did wonder that myself.  I have now amended the Dovecot definition in 
> jail.conf to:
> 
> [dovecot]
> 
> port= pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
> 
> I then unbanned and banned each IP address manually with 

Did you reload the configuration? ("fail2ban-client reload")

What action are you using - you mention ipset, are you using
iptables-ipset-proto4? I don't know anything about ipset, but can you see what
ports are being blocked in the fail2ban-dovecot set (just to make sure
it is doing the correct thing).

If you manually add an IP address to the *exim* jail, does it get
blocked?

P.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-26 Thread Gary Stainburn
On Saturday 20 April 2019 00:32:43 Pete Biggs wrote:
> What ban action do you use?  If it's something like iptables-multiport, 
> then I wonder if the fact that it's detecting the failures as
> '[dovecot]' means that it's using the dovecot ports, not the exim
> ports, when applying the iptable rule.
> 
> When a host has been banned, can you look at the iptables rules to see
> what is actually being applied.

Hi Pete,

I did wonder that myself.  I have now amended the Dovecot definition in 
jail.conf to:

[dovecot]

port= pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

I then unbanned and banned each IP address manually with 

for F in 46.232.112.21 106.226.231.159 [snip] 52.38.234.254 ; do
fail2ban-client set dovecot unbanip $F
fail2ban-client set dovecot banip $F
done

which worked. However, having done this, the connections are still getting 
through to EXIM.

[root@ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 6
|  |- Total failed: 199
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned: 82
   `- Banned IP list:   46.232.112.21 106.226.231.159 113.120.142.149 
113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 
117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 
121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 
140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 
185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 
185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 
211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 
45.227.253.99 49.87.109.233 52.38.234.254
[root@ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 360
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 360
Size in memory: 3768
References: 0
Number of entries: 41
Members:
185.211.245.198 timeout 4294522
[snip]
45.227.253.99 timeout 4294532
117.60.247.84 timeout 4294514

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 360
Size in memory: 408
References: 0
Number of entries: 3
Members:
185.234.217.160 timeout 4294290
85.222.209.56 timeout 4294291
185.222.209.71 timeout 4294289
[root@ollie2 ~]# 


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-26 Thread Pete Biggs


> 
> 2019-04-26 11:43:23,603 fail2ban.filter [7853]: INFO [dovecot] Found 
> 185.36.81.165
> 2019-04-26 11:43:24,016 fail2ban.actions [7853]: NOTICE [dovecot] 
> 185.36.81.165 already banned
> 2019-04-26 11:44:09,734 fail2ban.filter [7853]: INFO [dovecot] Found 
> 45.227.253.100
> 2019-04-26 11:44:19,887 fail2ban.filter [7853]: INFO [dovecot] Found 
> 45.227.253.100
> 
> and yet the IP is still getting through to exim:

Yes, as I said before, Fail2Ban is detecting it as a dovecot failure, so
it is probably blocking the dovecot ports, not the exim/smtp ports. 
The "already banned" is a giveaway. You can verify that by looking at
the blocked iptables ports when a host has been banned.

You can either sort out why it's detecting it as dovecot and not exim
or you can modify the fail2ban dovecot config in jail.local by adding
the smtp port to the list of ports.

P.






Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-26 Thread Gary Stainburn
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > I've followed one of the pages online specifically for installing fail2ban 
> > on Centos 7 and all looks fine.
> 
> Which page? It would help to see what they advised.

I think I worked from two pages. One I believe was 

https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/

I can't remember the other one. I have removed all of the manual amendments so 
am now basically set up as initially installed.

/var/log/fail2ban.log is showing that it's working:

2019-04-26 11:41:08,850 fail2ban.filter [7853]: INFO [dovecot] Found 
155.133.4.195
2019-04-26 11:41:09,651 fail2ban.filter [7853]: INFO [dovecot] Found 
185.222.209.56
2019-04-26 11:41:11,397 fail2ban.filter [7853]: INFO [dovecot] Found 
185.222.209.56
2019-04-26 11:41:11,909 fail2ban.filter [7853]: INFO [dovecot] Found 
185.222.209.56
2019-04-26 11:41:12,873 fail2ban.actions [7853]: NOTICE [dovecot] 
185.222.209.56 already banned
2019-04-26 11:41:24,306 fail2ban.filter [7853]: INFO [dovecot] Found 
185.222.209.56
2019-04-26 11:41:25,010 fail2ban.filter [7853]: INFO [dovecot] Found 
46.232.112.21
2019-04-26 11:41:36,035 fail2ban.filter [7853]: INFO [dovecot] Found 
46.232.112.21
2019-04-26 11:41:40,564 fail2ban.filter [7853]: INFO [dovecot] Found 
45.227.253.100
2019-04-26 11:41:50,779 fail2ban.filter [7853]: INFO [dovecot] Found 
45.227.253.100
2019-04-26 11:41:50,915 fail2ban.actions [7853]: NOTICE [dovecot] 
45.227.253.100 already banned
2019-04-26 11:43:23,603 fail2ban.filter [7853]: INFO [dovecot] Found 
185.36.81.165
2019-04-26 11:43:24,016 fail2ban.actions [7853]: NOTICE [dovecot] 185.36.81.165 
already banned
2019-04-26 11:44:09,734 fail2ban.filter [7853]: INFO [dovecot] Found 
45.227.253.100
2019-04-26 11:44:19,887 fail2ban.filter [7853]: INFO [dovecot] Found 
45.227.253.100

and yet the IP is still getting through to exim:

2019-04-26 11:41:39 dovecot_plain authenticator failed for ([46.232.112.21]) 
[46.232.112.21]: 535 Incorrect authentication data (set_id=aa26fa5)
2019-04-26 11:41:44 dovecot_plain authenticator failed for ([45.227.253.100]) 
[45.227.253.100]: 535 Incorrect authentication data (set_id=*)
2019-04-26 11:41:55 dovecot_plain authenticator failed for ([45.227.253.100]) 
[45.227.253.100]: 535 Incorrect authentication data (set_id=)
2019-04-26 11:43:27 dovecot_login authenticator failed for (88.211.105.31) 
[185.36.81.165]: 535 Incorrect authentication data (set_id=**)
2019-04-26 11:44:13 dovecot_plain authenticator failed for ([45.227.253.100]) 
[45.227.253.100]: 535 Incorrect authentication data (set_id=)
2019-04-26 11:44:23 dovecot_plain authenticator failed for ([45.227.253.100]) 
[45.227.253.100]: 535 Incorrect authentication data (set_id=)
2019-04-26 11:45:19 dovecot_plain authenticator failed for ([185.222.209.56]) 
[185.222.209.56]: 535 Incorrect authentication data (set_id=)
2019-04-26 11:45:35 dovecot_plain authenticator failed for ([185.222.209.56]) 
[185.222.209.56]: 535 Incorrect authentication data (set_id=)
2019-04-26 11:46:36 dovecot_plain authenticator failed for ([185.222.209.56]) 
[185.222.209.56]: 535 Incorrect authentication data (set_id=)
2019-04-26 11:46:37 dovecot_plain authenticator failed for ([45.227.253.100]) 
[45.227.253.100]: 535 Incorrect authentication data (set_id=)


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Pete Biggs


> 
> The event that triggers the ban does complete as normal, which is what I 
> would 
> expect as the ban is triggered by the log entry which is *after* the failed 
> attempt.
> 
> However, after the /var/log/fail2ban.log showed the IP as banned, I continue 
> to see entries in /var/log/exim/main.log

What ban action do you use?  If it's something like iptables-multiport, 
then I wonder if the fact that it's detecting the failures as
'[dovecot]' means that it's using the dovecot ports, not the exim
ports, when applying the iptables rule.

When a host has been banned, can you look at the iptables rules to see
what is actually being applied?

P.
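An added example, not code from the thread or from fail2ban, of the check Pete asks for: given a banned address and the port the remote host is still reaching, decide from the firewall state whether any fail2ban rule actually rejects it. It parses constructed samples in the format of `iptables -S INPUT_direct` (the chain the firewallcmd-ipset action populates on a firewalld host) and `ipset list`; the jail names, set contents and addresses (RFC 5737 documentation ranges) are hypothetical. The dovecot rule carries only mail-client ports, so an address in the dovecot set is still free to reach SMTP on port 25, which is the symptom in this thread; the exim rule with `0:65535` (Gordon's `port = 0:65535` suggestion) covers every TCP port, as does a rule with no `--dports` at all.

```shell
#!/bin/sh
# Added example: does a fail2ban ban on a firewalld host actually cover a given port?
# Both inputs are constructed samples in the format of "iptables -S INPUT_direct"
# and "ipset list"; jail state and addresses are hypothetical.
IPTABLES_RULES='-A INPUT_direct -p tcp -m multiport --dports 110,995,143,993,587,4190 -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-exim src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable'

IPSET_LIST='Name: fail2ban-dovecot
Type: hash:ip
Members:
192.0.2.10 timeout 300

Name: fail2ban-exim
Type: hash:ip
Members:
198.51.100.7 timeout 300

Name: fail2ban-sshd
Type: hash:ip
Members:'

# set_has SETNAME IP : succeed if IP is listed under that set in the ipset output.
set_has() {
  printf '%s\n' "$IPSET_LIST" | awk -v want="$1" -v ip="$2" '
    /^Name: / { cur = $2; next }
    cur == want && $1 == ip { found = 1 }
    END { exit found ? 0 : 1 }'
}

# port_in PORT LIST : succeed if LIST is "all" or a comma-separated multiport list
# of ports and lo:hi ranges that contains PORT.
port_in() {
  [ "$2" = all ] && return 0
  for p in $(printf '%s\n' "$2" | tr ',' ' '); do
    case $p in
      *:*) [ "$1" -ge "${p%%:*}" ] && [ "$1" -le "${p##*:}" ] && return 0 ;;
      "$1") return 0 ;;
    esac
  done
  return 1
}

# ban_covers IP PORT : print the name of the ipset whose rule rejects IP on PORT,
# or fail when no rule does.
ban_covers() {
  ip=$1; port=$2
  while read -r rule; do
    case $rule in *'--match-set '*' src'*) ;; *) continue ;; esac
    setname=$(printf '%s\n' "$rule" | sed -E 's/.*--match-set ([^ ]+) src.*/\1/')
    case $rule in
      *'--dports '*) ports=$(printf '%s\n' "$rule" | sed -E 's/.*--dports ([^ ]+).*/\1/') ;;
      *) ports=all ;;   # no --dports (as in Gordon's .local override): every TCP port
    esac
    if set_has "$setname" "$ip" && port_in "$port" "$ports"; then
      printf '%s\n' "$setname"
      return 0
    fi
  done <<EOF
$IPTABLES_RULES
EOF
  return 1
}

# Stand-alone run: the dovecot ban covers IMAPS but not SMTP; the exim rule covers both.
for pair in "192.0.2.10 993" "192.0.2.10 25" "198.51.100.7 25"; do
  set -- $pair
  if blocker=$(ban_covers "$1" "$2"); then
    echo "$1 port $2: rejected by $blocker"
  else
    echo "$1 port $2: NOT blocked"
  fi
done
```

On a live host the two inputs come from `iptables -S INPUT_direct` and `ipset list`; a banned address that still shows up in exim's log should either be missing from every set (the action never ran) or be in a set whose rule does not list the port it is using (the wrong jail matched), and the script tells the two apart.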




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Kenneth Porter

On 4/19/2019 5:30 AM, Gary Stainburn wrote:

I've followed one of the pages online specifically for installing fail2ban on
Centos 7 and all looks fine.


Which page? It would help to see what they advised.




Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Miguel Gonzalez via CentOS
I find csf/lfd much easier to configure and can be used in combination with 
fail2ban.

Gary Stainburn  wrote:

>I've followed one of the pages online specifically for installing fail2ban on 
>Centos 7 and all looks fine.
>
>I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
>another page:
>
>   \[<HOST>\]: 535 Incorrect authentication data
>
>which appears to be successfully matching lines in /var/log/exim/mail.log such 
>as
>
>2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
>[185.222.209.71]: 535 Incorrect authentication data
>
>/var/log/fail2ban.log, and the generated emails all say that the regex is 
>working and the IP addresses are getting banned.
>
>2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] 
>Found 45.227.253.99
>2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
>45.227.253.99
>2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] 
>Found 45.227.253.99
>2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.222.209.71
>2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] 
>Unban 185.211.245.198
>2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] 
>Unban 185.234.217.221
>2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] 
>Found 141.98.80.32
>2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.234.217.162
>2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
>185.234.217.162
>2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] 
>Found 141.98.80.32
>2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.234.217.221
>2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.211.245.198
>2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.211.245.198
>2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 
>185.211.245.198
>2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] 
>Found 185.211.245.198
>
>
>
>However, once an IP address is banned, it continues to appear 
>in /var/log/exim/main.log which would imply that the ban action is not 
>working.
>
>(Also, I don't understand why it's matching against dovecot when the regex 
>is in exim.conf)
>
>I've found lots of pages relating to regex errors which this obviously isn't 
>but I can't seem to find pages about why the ban doesn't work. Does anyone 
>have any ideas?


Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Gary Stainburn
On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
> > I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested
> > on another page:
>
> The standard exim.conf already has a 535 filter. Was that not working
> for you?

I was following the instructions as shown on the page.  I did find after 
sending my post that there was already a regex in the standard file, so 
should be able to remove the one I added. However, the regex part doesn't 
seem to be the problem as the actions are being correctly triggered.

> >\[<HOST>\]: 535 Incorrect authentication data
> >
> > which appears to be successfully matching lines in /var/log/exim/mail.log
> > such as
> >
> > 2019-04-19 13:06:10 dovecot_plain authenticator failed for
> > ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
> Just to check - you are authenticating against dovecot for SMTP within
> exim (and it's not that dovecot authentication is getting mixed up with
> the exim logs)?

This is correct.  I am using Dovecot to authenticate the SMTP users.  The 
errors are being logged in /var/log/exim/main.log and not 
in /var/log/dovecot.log or /var/log/maillog

>
> > /var/log/fail2ban.log, and the generated emails all say that the regex
> > is working and the IP addresses are getting banned.
> >
> > 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Ban 45.227.253.99
> > 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.222.209.71
> > 2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Unban 185.211.245.198
> > 2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Unban 185.234.217.221
> > 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.234.217.162
> > 2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Ban 185.234.217.162
> > 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.234.217.221
> > 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE 
> > [dovecot] Ban 185.211.245.198
> > 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO   
> > [dovecot] Found 185.211.245.198
>
> It would be much, much easier to read if you didn't wrap the log lines
> - I've unwrapped them for you:
(I didn't wrap them, my mail client did. Sorry)

>
> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot]
> Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions   
> [21954]: NOTICE  [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954
> fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot]
> Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions   
> [21954]: NOTICE  [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108
> fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot]
> Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]:
> INFO[dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249
> fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot]
> Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]:
> INFO[dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178
> fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot]
> Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions   
> [21954]: NOTICE  [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248
> fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
>
> > However, once an IP address is banned, it continues to appear
> > in /var/log/exim/main.log which would imply that the ban action is not
> > working.
>
> Only for one more attempt - I presume your ban action is to modify the
> firewall, but the firewall doesn't stop established connections, so as
> long as the remote host has an open TCP connection it can continue to
> attempt to login. If your authenticator drops the connection after 3
> attempts and Fail2Ban blocks after 2 failed attempts you 

Re: [CentOS] fail2ban detecting and banning but nothing happens

2019-04-19 Thread Pete Biggs


> I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
> another page:

The standard exim.conf already has a 535 filter. Was that not working
for you?


> 
>\[<HOST>\]: 535 Incorrect authentication data
> 
> which appears to be successfully matching lines in /var/log/exim/mail.log 
> such 
> as
> 
> 2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
> [185.222.209.71]: 535 Incorrect authentication data

Just to check - you are authenticating against dovecot for SMTP within
exim (and it's not that dovecot authentication is getting mixed up with
the exim logs)?

> 
> /var/log/fail2ban.log, and the generated emails all say that the regex is 
> working and the IP addresses are getting banned.
> 
> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] 
> Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Ban 
> 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] 
> Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] 
> Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Ban 
> 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] 
> Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] 
> Ban 
> 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] 
> Found 185.211.245.198
> 
It would be much, much easier to read if you didn't wrap the log lines
- I've unwrapped them for you:

2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198

> 
> 
> However, once an IP address is banned, it continues to appear 
> in /var/log/exim/main.log which would imply that the ban action is not 
> working.

Only for one more attempt - I presume your ban action is to modify the
firewall, but the firewall doesn't stop established connections, so as
long as the remote host has an open TCP connection it can continue to
attempt to log in. If your authenticator drops the connection after 3
attempts and Fail2Ban blocks after 2 failed attempts you will see what
you've got.

> 
> (Also, I don't understand why it's matching against dovecot when the regex 
> is in exim.conf)

Because the log line says dovecot - the actual name of the .conf file
is irrelevant and nowhere in the filter config files does it mention
[exim] explicitly (or any other section). The section is determined
from the log line using the filters.

P.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
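As an added example (not part of this thread, and not fail2ban's own code), the script below runs the two checks the thread discusses: whether the failregex from the post captures the host from the exim log line, and whether fail2ban.log shows an IP still being "Found" after its "Ban", which is the symptom Pete attributes to an already-established TCP connection. The expansion of fail2ban's <HOST> placeholder is simplified to IPv4 here (an assumption; real fail2ban also accepts IPv6 and hostnames), and the sample lines are taken from the post.

```python
import re
from datetime import datetime

# The failregex from the post; fail2ban replaces <HOST> with its own host
# pattern. Simplified here to an IPv4 address (assumption, not fail2ban's
# real pattern).
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def matches_failregex(line, failregex=FAILREGEX):
    """Return the host captured by failregex, or None if the line doesn't match."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None

# One fail2ban.log line: timestamp, component, pid, level, jail, event, ip.
F2B_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.(?P<src>filter|actions)\s*\[\d+\]:\s*"
    r"(?P<level>INFO|NOTICE)\s*\[(?P<jail>\w+)\]\s*"
    r"(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)$"
)

def found_after_ban(log_lines):
    """Map ip -> list of seconds after its Ban at which it was still Found.

    A non-empty result means the filter kept matching the IP while the
    jail considered it banned: either the ban action did not take effect or,
    as Pete describes, an already-open connection kept trying to log in.
    """
    banned_at, late = {}, {}
    for line in log_lines:
        m = F2B_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        ip, event = m["ip"], m["event"]
        if event == "Ban":
            banned_at[ip] = ts
        elif event == "Unban":
            banned_at.pop(ip, None)
        elif event == "Found" and ip in banned_at:
            late.setdefault(ip, []).append((ts - banned_at[ip]).total_seconds())
    return late

# Sample lines taken from the post (a subset), one log entry per line.
SAMPLE_LOG = """\
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
""".splitlines()
```

Running `found_after_ban(SAMPLE_LOG)` on the post's lines reports 45.227.253.99 found 0.347 s after its ban and 185.211.245.198 found 77.5 s after its ban; a "Found" a minute or more after the ban is hard to explain by one lingering connection alone and is worth checking against `iptables -n -L` as suggested elsewhere in the thread.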


[CentOS] faI2ban detecting and banning but nothing happens

2019-04-19 Thread Gary Stainburn
I've followed one of the pages online specifically for installing fail2ban on 
CentOS 7 and all looks fine.

I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
another page:

   \[<HOST>\]: 535 Incorrect authentication data

which appears to be successfully matching lines in /var/log/exim/mail.log such 
as

2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
[185.222.209.71]: 535 Incorrect authentication data

/var/log/fail2ban.log, and the generated emails all say that the regex is 
working and the IP addresses are getting banned.

2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO[dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO[dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions[21954]: NOTICE  [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO[dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO[dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO[dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO[dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions[21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO[dovecot] Found 185.211.245.198



However, once an IP address is banned, it continues to appear 
in /var/log/exim/main.log which would imply that the ban action is not 
working.

(Also, I don't understand why it's matching against dovecot when the regex 
is in exim.conf)

I've found lots of pages relating to regex errors which this obviously isn't 
but I can't seem to find pages about why the ban doesn't work. Does anyone 
have any ideas?