Re: [Fail2ban-users] errors unbanning postfix IPs : Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info
Think I have this worked out. Non-standard postfix-auth and the included postfix jail enabled that may be checking for the same stuff. I’ve disabled postfix-auth. The rogue IP had been removed from iptables. Maybe by one or the other.

> On 16 Mar 2018, at 18:32, René Berber wrote:
>
> On 3/16/2018 1:37 AM, Sophie Loewenthal wrote:
>
>> fail2ban.log 2018-03-15 19:12:36,066 fail2ban.actions
>> [12742]: ERROR Failed to execute unban jail 'postfix-auth' action
>> 'iptables-multiport' info '{'matches': 'Mar 14 21:01:44 mx10
>> postfix/smtpd[29359]: ...
> connection after AUTH from unknown[60.163.89.128]', 'failures': 10,
> 'time': 1521140815.757546, 'ip': '60.163.89.128'}': Error unbanning
> 60.163.89.128
>> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR
>> iptables -w -D INPUT -p tcp -m multiport --dports
>> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j
>> f2b-postfix
> ...
>> 2018-03-15 19:13:08,331 fail2ban.actions[13158]: ERROR Failed
>> to stop jail 'postfix-auth' action 'iptables-multiport': Error
>> stopping action
> That's at least 2 different problems:
>
> 1. What appears to be failure to unban an IP address (bantime is up)...
> Strange that the log doesn't show the actual error message, it usually
> does. I would start by looking at `iptables -nL`, or specifically for
> that address `iptables -nL | grep 60.163.89.128` to see if it is still
> there (in f2b-postfix).
>
> If it is, then run the command that the log says it failed, the
> `iptables -w -D INPUT -p tcp -m multiport --dports
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix`.
> But this is a weird command, it doesn't include the IP, so what's it
> for? Deleting the jail? Yes, that's what it's doing, from the INPUT
> chain it deletes f2b-postfix (side note: I use f2b-postfix-sasl only, so
> I don't even have this jail, and don't need more than one for postfix).
>
> 2. The second problem shown is that f2b could not stop the jail (which
> it tries after too many unban failures). No idea what's going on there,
> perhaps stop implies delete the jail in iptables, and it's all the same
> problem.
>
>> I had some thoughts; The unbans are for IP addresses detected on March
>> 14, two days earlier. However I only enabled the chain last night,
>> so think this strange that it would unban an IP from before it was
>> enabled.
>
> That's normal, f2b uses 'findtime' to look back in the log.
> --
> René Berber
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
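
The check René describes in the quoted reply (is the address from an "Error unbanning" line still in an f2b chain?), written out as an added example that is not part of the original thread or of fail2ban. The inputs mirror the log and `iptables -nL` formats quoted in the thread; the sample text (including 192.0.2.77) and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs, modelled on the output quoted in this thread.
SAMPLE_F2B_LOG = """\
2018-03-15 19:12:36,066 fail2ban.actions [12742]: ERROR Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info '{'ip': '60.163.89.128'}': Error unbanning 60.163.89.128
2018-03-15 19:12:40,101 fail2ban.actions [12742]: ERROR Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info '{'ip': '192.0.2.77'}': Error unbanning 192.0.2.77
"""
SAMPLE_IPTABLES_NL = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix  tcp  --  0.0.0.0/0          0.0.0.0/0    multiport dports 25,465,587
f2b-postfix  tcp  --  0.0.0.0/0          0.0.0.0/0    multiport dports 80,443,25,587

Chain f2b-postfix (2 references)
target     prot opt source               destination
REJECT     all  --  60.163.89.128        0.0.0.0/0    reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

UNBAN_ERR = re.compile(r"unban jail '([^']+)'.*Error unbanning (\S+)\s*$")
CHAIN_HDR = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy \S+)\)")

def parse_chains(listing):
    """Map chain name -> reference count and banned sources, from `iptables -nL` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        hdr = CHAIN_HDR.match(line)
        if hdr:
            current = chains.setdefault(hdr.group(1), {"refs": int(hdr.group(2) or 0), "sources": set()})
            continue
        cols = line.split()  # target prot opt source destination ...
        if current is not None and len(cols) >= 5 and cols[0] in ("REJECT", "DROP"):
            current["sources"].add(cols[3])
    return chains

def triage(f2b_log, listing):
    """For every failed unban, list the f2b-* chains that still hold the address."""
    chains = parse_chains(listing)
    hits = filter(None, map(UNBAN_ERR.search, f2b_log.splitlines()))
    report = []
    for jail, ip in (m.groups() for m in hits):
        held = sorted(c for c, v in chains.items()
                      if c.startswith("f2b-") and ip in v["sources"])
        # refs > 1 means more than one rule jumps to this chain.
        multi = [c for c in held if chains[c]["refs"] > 1]
        report.append({"jail": jail, "ip": ip, "still_in": held, "multi_ref": multi})
    return report
```

An empty `still_in` means the address is already gone from every f2b chain, which matches the situation described at the top of this message; a non-empty `multi_ref` marks a chain reached by more than one jump rule.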
Re: [Fail2ban-users] errors unbanning postfix IPs : Failed to execute unban jail 'postfix-auth' action 'iptables-multiport' info
P.S. For reference, the current f2b chain contains:

Chain f2b-postfix (2 references)
target     prot opt source               destination
REJECT     all  --  60.163.89.128        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  199.168.136.102      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.223.59.18        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  190.128.186.98       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.148.86.118       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.148.79.91        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.148.74.25        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  125.126.164.34       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

I had some thoughts; The unbans are for IP addresses detected on March 14, two days earlier. However I only enabled the chain last night, so think this strange that it would unban an IP from before it was enabled.

> On 16 Mar 2018, at 08:37, Sophie Loewenthal wrote:
>
> Good morning,
>
> This is interesting ( for me ).
>
> I read this in my logs after enabling postfix-auth on Debian 9.2
>
>
> fail2ban.log
> 2018-03-15 19:12:36,066 fail2ban.actions[12742]: ERROR Failed to
> execute unban jail 'postfix-auth' action 'iptables-multiport' info
> '{'matches': 'Mar 14 21:01:44 mx10 postfix/smtpd[29359]: lost connection
> after AUTH from unknown[60.163.89.128]Mar 14 21:01:44 mx10
> postfix/smtpd[29363]: lost connection after AUTH from
> unknown[60.163.89.128]Mar 14 21:01:44 mx10 postfix/smtpd[29361]: lost
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:45 mx10
> postfix/smtpd[29359]: lost connection after AUTH from
> unknown[60.163.89.128]Mar 14 21:01:45 mx10 postfix/smtpd[29363]: lost
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:45 mx10
> postfix/smtpd[29361]: lost connection after AUTH from
> unknown[60.163.89.128]Mar 14 21:01:45 mx10 postfix/smtpd[29364]: lost
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:46 mx10
> postfix/smtpd[29361]: lost connection after AUTH from
> unknown[60.163.89.128]Mar 14 21:01:46 mx10 postfix/smtpd[29363]: lost
> connection after AUTH from unknown[60.163.89.128]Mar 14 21:01:46 mx10
> postfix/smtpd[29359]: lost connection after AUTH from
> unknown[60.163.89.128]', 'failures': 10, 'time': 1521140815.757546, 'ip':
> '60.163.89.128'}': Error unbanning 60.163.89.128
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR iptables -w
> -D INPUT -p tcp -m multiport --dports
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR iptables -w
> -D INPUT -p tcp -m multiport --dports
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.action [13158]: ERROR iptables -w
> -D INPUT -p tcp -m multiport --dports
> http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-postfix
> 2018-03-15 19:13:08,331 fail2ban.actions[13158]: ERROR Failed to
> stop jail 'postfix-auth' action 'iptables-multiport': Error stopping action
>
>
> An example from /var/log/mail.log:
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: lost connection after AUTH from
> unknown[60.163.89.128]
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: disconnect from
> unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> Mar 14 21:01:44 mx10 postfix/smtpd[29359]: connect from unknown[60.163.89.128]
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: lost connection after AUTH from
> unknown[60.163.89.128]
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: disconnect from
> unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
> Mar 14 21:01:45 mx10 postfix/smtpd[29359]: connect from unknown[60.163.89.128]
> Mar 14 21:01:46 mx10 postfix/smtpd[29359]: lost connection after AUTH from
> unknown[60.163.89.128]
> Mar 14 21:01:46 mx10 postfix/smtpd[29359]: disconnect from
> unknown[60.163.89.128] ehlo=1 auth=0/1 commands=1/2
>
>
> fail2ban version 0.9.6-2
>
>
> jail.local:
> [postfix]
> enabled = true
> logpath = /var/log/mail.log
> # mail.log because I don’t log to mail.warn. Everything in one file to see
> all the problems in one place.
>
> jail.conf
> [postfix]
> port = smtp,465,submission
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
>
>
>
> # fail2ban-client status postfix
> Status for the jail: postfix
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed: 79
> |  `- File list: /var/log/mail.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned