Ubuntu 16.04.3 LTS
fail2ban 0.9.3-1
In /etc/fail2ban/action.d/blocklist_de.conf
actionban = curl --fail -v -m 300 --connect-timeout 180 -G --no-alpn --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode $'logs=<matches>\n\n' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
2018-01-26 18:06:06,437 fail2ban.action [6249]: ERROR curl --fail -v -m 300 --connect-timeout 180 -G --no-alpn --data-urlencode 'server=me@lion.sith.ninja' --data 'apikey=3c79ed4a71' --data 'service=postfix-sasl' --data 'ip=95.59.137.196' --data-urlencode $'logs=Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\n\n' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" -- stderr: b' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 Trying 2a00:1158:2:6d00::2...\n Connected to www.blocklist.de (2a00:1158:2:6d00::2) port 443 (#0)\n found 148 certificates in /etc/ssl/certs/ca-certificates.crt\n found 610 certificates in /etc/ssl/certs\n SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256\n \t server certificate verification OK\n \t server certificate status verification SKIPPED\n \t common name: .blocklist.de (matched)\n \t server certificate expiration date OK\n \t server certificate activation date OK\n \t certificate public key: RSA\n \t certificate version: #3\n \t subject: OU=Domain Control Validated,CN=.blocklist.de\n \t start date: Sun, 17 Dec 2017 20:58:41 GMT\n \t expire date: Thu, 17 Jan 2019 20:58:41 GMT\n \t issuer: C=BE,O=GlobalSign nv-sa,CN=AlphaSSL CA - SHA256 - G2\n \t compression: NULL\n> GET 
/en/httpreports.html?server=me%40lion.sith.ninja&apikey=3c79ed4a71&service=postfix-sasl&ip=95.59.137.196&$logs=Jan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%5Cn%5Cn&format=text HTTP/1.1\r\n> Host: www.blocklist.de\r\n> User-Agent: fail2ban v0.8.12\r\n> Accept: /\r\n> \r\n The requested URL returned error: 400 Bad Request\n\r 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0\n* Closing connection 0\ncurl: (22) The requested URL returned error: 400 Bad Request\n'
2018-01-26 18:06:06,437 fail2ban.action [6249]: ERROR curl --fail -v -m 300 --connect-timeout 180 -G --no-alpn --data-urlencode 'server=me@lion.sith.ninja' --data 'apikey=3c79ed4a71' --data 'service=postfix-sasl' --data 'ip=95.59.137.196' --data-urlencode $'logs=Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\n\n' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" -- returned 22
2018-01-26 18:06:06,438 fail2ban.actions [6249]: ERROR Failed to execute ban jail 'postfix-sasl' action 'blocklist_de' info 'CallingMap({'failures': 6, 'time': 1516961164.5995605, 'ip': '95.59.137.196', 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fc3e82aeb70>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fc3e82aeea0>, 'matches': 'Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\nJan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\nJan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\nJan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\nJan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\nJan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure', 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fc3e82aebf8>, 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fc3e82aed90>})': Error banning 95.59.137.196
$ curl --fail -v -m 300 --connect-timeout 180 -G --no-alpn --data-urlencode 'server=me@lion.sith.ninja' --data 'apikey=3c79ed4a71' --data 'service=postfix-sasl' --data 'ip=95.59.137.196' --data-urlencode $'logs=Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure
Jan 22 18:25:31 linode postfix/smtpd[27522]: warning: unknown[95.59.137.196]: SASL LOGIN authentication failed: authentication failure\n\n' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
Trying 2a00:1158:2:6d00::2...
Connected to www.blocklist.de (2a00:1158:2:6d00::2) port 443 (#0)
found 148 certificates in /etc/ssl/certs/ca-certificates.crt
found 610 certificates in /etc/ssl/certs
SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
server certificate verification OK
server certificate status verification SKIPPED
common name: .blocklist.de (matched)
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: OU=Domain Control Validated,CN=.blocklist.de
start date: Sun, 17 Dec 2017 20:58:41 GMT
expire date: Thu, 17 Jan 2019 20:58:41 GMT
issuer: C=BE,O=GlobalSign nv-sa,CN=AlphaSSL CA - SHA256 - G2
compression: NULL
GET /en/httpreports.html?server=me%40lion.sith.ninja&apikey=3c79ed4a71&service=postfix-sasl&ip=95.59.137.196&logs=Jan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0AJan%2022%2018%3A25%3A31%20linode%20postfix%2Fsmtpd%5C%5B27522%5C%5D%3A%20warning%3A%20unknown%5C%5B95.59.137.196%5C%5D%3A%20SASL%20LOGIN%20authentication%20failed%3A%20authentication%20failure%0A%0A&format=text HTTP/1.1
Host: www.blocklist.de
User-Agent: fail2ban v0.8.12
Accept: */*

< HTTP/1.1 200 OK
< Server: nginx/1.12.2
< Date: Fri, 26 Jan 2018 10:26:10 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=20
< Vary: Accept-Encoding
< X-Frame-Options: sameorigin
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: SAMEORIGIN
<
* Connection #0 to host www.blocklist.de left intact
status: success
error: 0
me@linode:~$ echo $?
0
How could this happen?
Case closed by some extra findings
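
Added example, not part of the original report: a small Python check that decodes the two request lines captured above and shows where they differ. The request logged by fail2ban carries a parameter named `$logs` ending in a literal `\n\n`, while the one typed at the prompt carries `logs` ending in real newlines. This is what results when `$'...'`, a bash quoting form, is passed through a `/bin/sh` that does not expand it (dash on Ubuntu), which is how fail2ban runs action commands. The request lines below are shortened, constructed copies with a placeholder API key, and the function names are illustrative.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed, shortened copies of the two request lines shown in the report
# (one log line each; the API key is a placeholder).
FROM_FAIL2BAN = (  # sent by the fail2ban action, answered with 400
    "GET /en/httpreports.html?server=me%40lion.sith.ninja&apikey=PLACEHOLDER"
    "&service=postfix-sasl&ip=95.59.137.196"
    "&$logs=Jan%2022%2018%3A25%3A31%20linode%20SASL%20LOGIN%20failed%5Cn%5Cn"
    "&format=text HTTP/1.1"
)
FROM_TERMINAL = (  # same command typed at the prompt, answered with 200
    "GET /en/httpreports.html?server=me%40lion.sith.ninja&apikey=PLACEHOLDER"
    "&service=postfix-sasl&ip=95.59.137.196"
    "&logs=Jan%2022%2018%3A25%3A31%20linode%20SASL%20LOGIN%20failed%0A%0A"
    "&format=text HTTP/1.1"
)


def query_params(request_line):
    """Return the decoded query parameters of an HTTP request line as a dict."""
    _method, target, _version = request_line.split(" ", 2)
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def quoting_symptoms(params):
    """List signs that $'...' reached curl unexpanded by the invoking shell."""
    found = []
    for name, value in params.items():
        if name.startswith("$"):
            found.append(f"parameter name {name!r} kept the literal '$'")
        if "\\n" in value:
            found.append(f"{name!r} contains a literal backslash-n, not a newline")
    return found


def diff_requests(a, b):
    """Return parameter names whose presence or decoded value differs."""
    pa, pb = query_params(a), query_params(b)
    return sorted(k for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k))


if __name__ == "__main__":
    print(diff_requests(FROM_FAIL2BAN, FROM_TERMINAL))
    for line in quoting_symptoms(query_params(FROM_FAIL2BAN)):
        print(line)
```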