Re: [Fail2ban-users] errors unbanning postfix IPs : Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info

2018-03-16 Thread Sophie Loewenthal
Think I have this worked out.  The non-standard postfix-auth and the included 
postfix jail were both enabled and may be checking for the same stuff.  I’ve disabled 
postfix-auth.
The rogue IP had been removed from iptables. Maybe by one or the other.





> On 16 Mar 2018, at 18:32, René Berber  wrote:
> 
> On 3/16/2018 1:37 AM, Sophie Loewenthal wrote:
> 
>> fail2ban.log 2018-03-15 19:12:36,066 fail2ban.actions
>> [12742]: ERROR   Failed to execute unban jail 'postfix-auth' action 
>> 'iptables-multiport' info '{'matches': 'Mar 14 21:01:44 mx10 
>> postfix/smtpd[29359]: ...
>> connection after AUTH from unknown[60.163.89.128]', 'failures': 10,
>> 'time': 1521140815.757546, 'ip': '60.163.89.128'}': Error unbanning
>> 60.163.89.128
>> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR 
>> iptables -w -D INPUT -p tcp -m multiport --dports 
>> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j 
>> f2b-postfix
>> ...
>> 2018-03-15 19:13:08,331 fail2ban.actions[13158]: ERROR Failed
>> to stop jail 'postfix-auth' action 'iptables-multiport': Error 
>> stopping action
> That's at least 2 different problems:
> 
> 1.  What appears to be failure to unban an IP address (bantime is up)...
> Strange that the log doesn't show the actual error message, it usually
> does.  I would start by looking at `iptables -nL`, or specifically for
> that address `iptables -nL | grep 60.163.89.128` to see if it is still
> there (in f2b-postfix).
> 
> If it is, then run the command that the log says failed, the
> `iptables -w -D INPUT -p tcp -m multiport --dports
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix`.
> But this is a weird command, it doesn't include the IP, so what's it
> for? Deleting the jail?  Yes, that's what it's doing: from the INPUT
> chain it deletes f2b-postfix (side note: I use f2b-postfix-sasl only, so
> I don't even have this jail, and don't need more than one for postfix).
> 
> 2.  The second problem shown is that f2b could not stop the jail (which
> it tries after too many unban failures).  No idea what's going on there;
> perhaps stop implies deleting the jail in iptables, and it's all the same
> problem.
> 
>> I had some thoughts; the unbans are for IP addresses detected on March 
>> 14, two days earlier.  However, I only enabled the chain last night,
>> so I think it strange that it would unban an IP from before it was
>> enabled.
> 
> That's normal, f2b uses 'findtime' to look back in the log.
> -- 
> René Berber
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users




Re: [Fail2ban-users] errors unbanning postfix IPs : Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info

2018-03-16 Thread Sophie Loewenthal
P.S  For reference, the current f2b chain contains :
Chain f2b-postfix (2 references)
target     prot opt source               destination
REJECT     all  --  60.163.89.128        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  199.168.136.102      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.223.59.18        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.128.186.98       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.148.86.118       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.148.79.91        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.148.74.25        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  125.126.164.34       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0


I had some thoughts; the unbans are for IP addresses detected on March 14, two 
days earlier.  However, I only enabled the chain last night, so I think it 
strange that it would unban an IP from before it was enabled.  




> On 16 Mar 2018, at 08:37, Sophie Loewenthal  wrote:
> 
> Good morning, 
> 
> This is interesting ( for me ).
> 
> I read this in my logs after enabling postfix-auth on Debian 9.2
> 
> 
> fail2ban.log
> 2018-03-15 19:12:36,066 fail2ban.actions[12742]: ERROR   Failed to 
> execute unban jail 'postfix-auth' action 'iptables-multiport' info 
> '{'matches': 'Mar 14 21:01:44 mx10 postfix/smtpd[29359]: lost connection 
> after AUTH from unknown[60.163.89.128]Mar 14 21:01:44 mx10 
> postfix/smtpd[29363]: lost connection after AUTH from 
> unknown[60.163.89.128]Mar 14 21:01:44 mx10 postfix/smtpd[29361]: lost 
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:45 mx10 
> postfix/smtpd[29359]: lost connection after AUTH from 
> unknown[60.163.89.128]Mar 14 21:01:45 mx10 postfix/smtpd[29363]: lost 
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:45 mx10 
> postfix/smtpd[29361]: lost connection after AUTH from 
> unknown[60.163.89.128]Mar 14 21:01:45 mx10 postfix/smtpd[29364]: lost 
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:46 mx10 
> postfix/smtpd[29361]: lost connection after AUTH from 
> unknown[60.163.89.128]Mar 14 21:01:46 mx10 postfix/smtpd[29363]: lost 
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:46 mx10 
> postfix/smtpd[29359]: lost connection after AUTH from 
> unknown[60.163.89.128]', 'failures': 10, 'time': 1521140815.757546, 'ip': 
> '60.163.89.128'}': Error unbanning 60.163.89.128
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR   iptables -w 
> -D INPUT -p tcp -m multiport --dports 
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR   iptables -w 
> -D INPUT -p tcp -m multiport --dports 
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR   iptables -w 
> -D INPUT -p tcp -m multiport --dports 
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.actions[13158]: ERROR   Failed to 
> stop jail 'postfix-auth' action 'iptables-multiport': Error stopping action
> 
> 
> An example from /var/log/mail.log:
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: lost connection after AUTH from 
> unknown[60.163.89.128]
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: disconnect from 
> unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: connect from unknown[60.163.89.128]
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: lost connection after AUTH from 
> unknown[60.163.89.128]
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: disconnect from 
> unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: connect from unknown[60.163.89.128]
> Mar 14 21:01:46 mx10 postfix/smtpd[29359]: lost connection after AUTH from 
> unknown[60.163.89.128]
> Mar 14 21:01:46 mx10 postfix/smtpd[29359]: disconnect from 
> unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> 
> 
> fail2ban version 0.9.6-2
> 
> 
> jail.local:
> [postfix]
> enabled  = true
> logpath  = /var/log/mail.log
> # mail.log because I don’t log to mail.warn. Everything in one file to see 
> all the problems in one place.
> 
> jail.conf
> [postfix]
> port = smtp,465,submission
> logpath  = %(postfix_log)s
> backend  = %(postfix_backend)s
> 
> 
> 
> # fail2ban-client status postfix
> Status for the jail: postfix
> |- Filter
> |  |- Currently failed:   0
> |  |- Total failed:   79
> |  `- File list:  /var/log/mail.log
> `- Actions
>   |- Currently banned:0
>   |- Total banned:0
>   `- Banned
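An added example, not from the thread and not fail2ban's own code, that automates René's check (is the IP the unban failed on still in the chain?) and the clue in the P.S. chain dump (`Chain f2b-postfix (2 references)`, i.e. two jails pointing at one chain): it parses fail2ban.log for "Failed to execute unban" errors and `iptables -nL` output for the f2b chains. Both inputs are constructed samples modelled on what the thread quotes.

```python
import re

# Constructed sample, modelled on the fail2ban.log errors quoted in the thread.
FAIL2BAN_LOG = """\
2018-03-15 19:12:36,066 fail2ban.actions[12742]: ERROR   Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info '{...}': Error unbanning 60.163.89.128
2018-03-15 19:13:08,331 fail2ban.actions[13158]: ERROR   Failed to stop jail 'postfix-auth' action 'iptables-multiport': Error stopping action
"""

# Constructed sample, modelled on the `iptables -nL` chain dump from the P.S.
IPTABLES_NL = """\
Chain f2b-postfix (2 references)
target     prot opt source               destination
REJECT     all  --  60.163.89.128        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  199.168.136.102      0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

UNBAN_RE = re.compile(r"Failed to execute unban jail '(?P<jail>[^']+)'.*Error unbanning (?P<ip>\S+)$")
CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \((?P<refs>\d+) references?\)")

def failed_unbans(log):
    """Return (jail, ip) for every unban that fail2ban logged as failed."""
    return [(m["jail"], m["ip"]) for line in log.splitlines()
            if (m := UNBAN_RE.search(line))]

def parse_chains(listing):
    """Map chain name -> (reference count, set of REJECT/DROP source addresses)."""
    chains, current = {}, None
    for line in listing.splitlines():
        fields = line.split()
        if m := CHAIN_RE.match(line):
            current = m["name"]
            chains[current] = (int(m["refs"]), set())
        elif current and fields[:1] in (["REJECT"], ["DROP"]):
            chains[current][1].add(fields[3])  # the 'source' column
    return chains

def stale_bans(log, listing):
    """IPs fail2ban failed to unban that are still present in some chain."""
    banned = {ip for _, srcs in parse_chains(listing).values() for ip in srcs}
    return sorted({ip for _, ip in failed_unbans(log) if ip in banned})

def shared_chains(listing):
    """Chains referenced more than once, i.e. several jails sharing one chain."""
    return sorted(n for n, (refs, _) in parse_chains(listing).items() if refs > 1)

if __name__ == "__main__":
    print(stale_bans(FAIL2BAN_LOG, IPTABLES_NL), shared_chains(IPTABLES_NL))
```

On a live host, feed it the real `/var/log/fail2ban.log` and the output of `iptables -nL`; a non-empty stale list means the ban outlived the unban, and a shared chain points at the two-jails-one-chain setup the thread ended up with.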