Re: [Fail2ban-users] Probs with fail2ban and postfix/postscreen

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Am 14.02.2014 19:28, schrieb Steven Hiscocks:
> Andreas,
>
> I'd recommend updating fail2ban to the latest version, or at least 
> updating the `postfix.conf`. It has a few more regex's which may help 
> (554 and 550 response code regex's), and also the one you are using has 
> a known exploit for denial of service (CVE-2013-7176).
>
> On 14/02/14 18:12, Fail2ban Mailingliste wrote:
>> Hi there,
>>
>> I've changed my mailserver to recent version of postfix and changed the
>> config to postscreen. The mailserver is running fine but fail2ban didn't
>> ban the spammers after the change of postscreen.
>>
>> Here are some logs:
>>
>> [root@mail fail2ban]# fail2ban-regex /var/log/maillog
>> /etc/fail2ban/filter.d/postfix.conf
>>
>> Running tests
>> =============
>>
>> Use   failregex file : /etc/fail2ban/filter.d/postfix.conf
>> Use         log file : /var/log/maillog
>>
>>
>> Results
>> =======
>>
>> Failregex: 3 total
>> |-  #) [# of hits] regular expression
>> |   5) [3] reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 550
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> |  [7234] MONTH Day Hour:Minute:Second
>> `-
>>
>> Lines: 7234 lines, 0 ignored, 3 matched, 7231 missed
>> Missed line(s):: too many to print.  Use --print-all-missed to print all
>> 7231 lines
>> [root@mail fail2ban]#
>>
>> First Question: what does the last 2 rows mean?
>> Second: there are 3 Result, but no ban, why?
>>
>> Example
>> [root@mail fail2ban]# grep "NOQUEUE: reject: RCPT from
>> vm-moneyweb03.vm.hosting.co.za" /var/log/maillog | wc -l
>> 24
>>
>>
>> [root@mail fail2ban]#
>>
>> /etc/fail2ban/jail.conf
>>
>> ....
>> [postfix-tcpwrapper]
>>
>> enabled  = true
>> filter   = postfix
>> action   = iptables[name=postfix, port=smtp, protocol=tcp]
>>             sendmail[name=Postfix, dest=pos...@ri...]
>> logpath = /var/log/maillog
>> bantime = 3600
>> maxretry = 2
>>
>> ......
>>
>> Can anybody help me to get it work?
>>
>>
>> Thanks
>>
>> Andreas
>>
>> ------------------------------------------------------------------------------
>> Android apps run on BlackBerry 10
>> Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
>> Now with support for Jelly Bean, Bluetooth, Mapview and more.
>> Get your Android app in front of a whole new audience.  Start now.
>> http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fai...@li...
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>
Hi Steven,

thank you for the fast reply. I've updated my system (CentOS 6.5) to
fail2ban-0.8.12 but the

failregex didn't find anything:
[root@mail fail2ban-0.8.12]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf 

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/postfix.conf
Use         log file : /var/log/maillog

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [7432] MONTH Day Hour:Minute:Second
`-

Lines: 7432 lines, 0 ignored, 0 matched, 7432 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 7432 lines
[root@mail fail2ban-0.8.12]#

Thanks

Andreas