From: Nick H. <ni...@ho...> - 2017-09-30 08:47:45

I don't see how f2b could catch the first two log lines ever and do something with them as they don't carry the IP address.

Nick

On 30/09/2017 05:14, Bill Shirley wrote:
> Run fail2ban-client -d and compare the [sshd] section of the output to
> [ssh-iptables] below.
>
> fail2ban parses log files so it constantly has to evolve due to
> software updates, distro changes, log file locations, local customization, etc.
> Any answer to your question would just be a guess.
>
> Bill
>
> On 9/29/2017 11:40 AM, Robert Kudyba wrote:
>> Running fail2ban-0.9.7-2.fc26.noarch, but I'm not seeing which filter
>> in /etc/fail2ban/filter.d would catch login attempts with errors such as:
>> pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 24 time(s)
>> or:
>> Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
>> Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from 123.59.182.194 port 43862 ssh2
>>
>> I tried a grep 1000 */* in that directory, no results. I see an SX
>> suggestion from 2015, https://unix.stackexchange.com/a/204393/180291
>> "I had a ssh section on my jail local but now I see that I was
>> missing a ssh-iptables section so it would add rules to iptables and
>> now it works:
>> [ssh-iptables]
>>
>> enabled = true
>> filter = sshd
>> action = iptables[name=SSH, port=ssh, protocol=tcp]
>>
>> logpath = /var/log/secure
>> maxretry = 5"
>>
>> But is this the same as enabling the [sshd] jail/filter?
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fai...@li...
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Bill S. <bsh...@op...> - 2017-09-30 04:15:00

Run fail2ban-client -d and compare the [sshd] section of the output to [ssh-iptables] below.

fail2ban parses log files so it constantly has to evolve due to software updates, distro changes, log file locations, local customization, etc. Any answer to your question would just be a guess.

Bill

On 9/29/2017 11:40 AM, Robert Kudyba wrote:
> Running fail2ban-0.9.7-2.fc26.noarch, but I'm not seeing which filter in /etc/fail2ban/filter.d would catch login attempts
> with errors such as:
> pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 24 time(s)
> or:
> Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
> Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from 123.59.182.194 port 43862 ssh2
>
> I tried a grep 1000 */* in that directory, no results. I see an SX suggestion from 2015,
> https://unix.stackexchange.com/a/204393/180291
> "I had a ssh section on my jail local but now I see that I was missing a ssh-iptables section so it would add rules to
> iptables and now it works:
> [ssh-iptables]
>
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
>
> logpath = /var/log/secure
> maxretry = 5"
>
> But is this the same as enabling the [sshd] jail/filter?
From: Robert K. <rk...@fo...> - 2017-09-29 16:05:55

Running fail2ban-0.9.7-2.fc26.noarch, but I'm not seeing which filter in /etc/fail2ban/filter.d would catch login attempts with errors such as:

pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 24 time(s)

or:

Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from 123.59.182.194 port 43862 ssh2

I tried a grep 1000 */* in that directory, no results. I see an SX suggestion from 2015, https://unix.stackexchange.com/a/204393/180291

"I had a ssh section on my jail local but now I see that I was missing a ssh-iptables section so it would add rules to iptables and now it works:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5"

But is this the same as enabling the [sshd] jail/filter?
From: Stroller <str...@st...> - 2017-09-23 01:02:31

> On 22 Sep 2017, at 16:31, Stroller <str...@st...> wrote:
>
> The problem I have today is that fail2ban doesn't seem to be creating a dbfile - as per the subject line, `fail2ban-client get dbfile` shows "Database currently disabled", ...
>
> I get the same thing if I stop the jails manually using fail2ban-client and try to set the dbfile manually with it:
>
> $ sudo bash -c 'for foo in sshd-badusername sshd-wrongpassword ; do fail2ban-client stop $foo ; done'
> Jail stopped
> Jail stopped
> $ sudo fail2ban-client set dbfile /var/lib/fail2ban/fail2ban.sqlite3
> Database currently disabled
> $ sudo fail2ban-client set dbpurgeage 260000
> Database currently disabled
> $

An off-list reply from a fellow Gentoo user has found the problem.

He reported a problem with sqlite and getting fail2ban working after installing that package. Perhaps that was a previous version of fail2ban, because the current version displays this message (which I overlooked) when installed:

"If you want to use fail2ban's persistent database, then reinstall"
"dev-lang/python with USE=sqlite"

After remerging dev-lang/python-3.4.5 with USE=sqlite (which pulls in dev-db/sqlite), and restarting fail2ban, the dbfile is created.

I appreciate your help,

Stroller.
From: Stroller <str...@st...> - 2017-09-22 17:04:36

> On 22 Sep 2017, at 16:31, Stroller <str...@st...> wrote:
>
> The problem I have today is that fail2ban doesn't seem to be creating a dbfile - as per the subject line, `fail2ban-client get dbfile` shows "Database currently disabled", yet it is defined in

Excuse me. The sentence above should end:

yet it is defined in both /etc/fail2ban/fail2ban.conf and /etc/fail2ban/fail2ban.local.

Stroller.
From: Stroller <str...@st...> - 2017-09-22 15:32:05

Hello again,

The problem I have today is that fail2ban doesn't seem to be creating a dbfile - as per the subject line, `fail2ban-client get dbfile` shows "Database currently disabled", yet it is defined in

$ sudo fail2ban-client reload
$ sudo fail2ban-client get dbfile
Database currently disabled
$ sudo fail2ban-client -d | head
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 260000]
['add', 'sshd-badusername', 'auto']
['set', 'sshd-badusername', 'findtime', 172800]
['set', 'sshd-badusername', 'ignorecommand', '']
['set', 'sshd-badusername', 'maxretry', 2]
['set', 'sshd-badusername', 'addignoreip', '127.0.0.1/8']
$ ls /var/lib/fail2ban/
$ ls /var/lib/fail2ban/fail2ban.sqlite3
ls: cannot access '/var/lib/fail2ban/fail2ban.sqlite3': No such file or directory
$ grep -Ri -e dbfile /etc/fail2ban/
/etc/fail2ban/fail2ban.conf:# Options: dbfile
/etc/fail2ban/fail2ban.conf:dbfile = /var/lib/fail2ban/fail2ban.sqlite3
/etc/fail2ban/fail2ban.local:# Options: dbfile
/etc/fail2ban/fail2ban.local:dbfile = /var/lib/fail2ban/fail2ban.sqlite3
$ cat /etc/fail2ban/fail2ban.local
[Definition]
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 260000
$

AIUI it should need defining in only one of these files, but when searching the problem I found this GitHub issue: https://github.com/fail2ban/fail2ban/issues/1048

After seeing that I upgraded to fail2ban-0.9.7, but no difference.

I get the same thing if I stop the jails manually using fail2ban-client and try to set the dbfile manually with it:

$ sudo bash -c 'for foo in sshd-badusername sshd-wrongpassword ; do fail2ban-client stop $foo ; done'
Jail stopped
Jail stopped
$ sudo fail2ban-client set dbfile /var/lib/fail2ban/fail2ban.sqlite3
Database currently disabled
$ sudo fail2ban-client set dbpurgeage 260000
Database currently disabled
$

Any thoughts, please?

I'm not sure how necessary it is to have a persistent database, as fail2ban shows plenty of banned IPs if I restart it completely using its /etc/init.d script. Presumably it parses the whole log file at startup, anyway?

Stroller.
From: Stroller <str...@st...> - 2017-09-21 13:11:46

> On 21 Sep 2017, at 03:19, Bill Shirley <bsh...@op...> wrote:
>
> fail2ban picks up everything in /etc/fail2ban/jail.conf and then applies
> additional/overrides from /etc/fail2ban/jail.local (and probably
> /etc/fail2ban/jail.d/*. I didn't even realize there was a jail.d folder
> until I saw your post).
>
> In one of those configs (probably /etc/fail2ban/jail.conf) there is
> a [sshd] section that is enabled. Add to /etc/fail2ban/jail.local:
> [sshd]
> enabled = false
>
> Bill

Blimey! Fixed just like that. It's easy when you know how!

I also needed to add the corresponding sections:

[sshd-badusername]
enabled = true

[sshd-wrongpassword]
enabled = true

Thank you for your help,

Stroller.
From: Bill S. <bsh...@op...> - 2017-09-21 02:19:38

fail2ban picks up everything in /etc/fail2ban/jail.conf and then applies additional/overrides from /etc/fail2ban/jail.local (and probably /etc/fail2ban/jail.d/*. I didn't even realize there was a jail.d folder until I saw your post).

In one of those configs (probably /etc/fail2ban/jail.conf) there is a [sshd] section that is enabled. Add to /etc/fail2ban/jail.local:

[sshd]
enabled = false

Bill

On 9/20/2017 12:46 PM, Stroller wrote:
> Hello,
>
> I'm new to Fail2Ban, and still getting to grips with it.
>
> As I understand it, all matches to a filter are treated the same - using the default sshd filter a bot trying to logon as a nonexistent user is treated the same as a genuine user who has misspelled their password.
>
> I would prefer to ban an IP the second time it attempts to log on as a nonexistent user, and allow multiple password attempts if the user exists on the system.
>
> I have read some documents and HOWTOs, but seem to be struggling a bit with fail2ban's configuration concepts.
>
> I've found /etc/fail2ban/filter.d/sshd.conf and enabled it by creating a corresponding /etc/fail2ban/jail.d/sshd.conf, as per Gentoo's wiki. [1]
>
> I would have thought that the logical way to make my own filters would be to take the existing /etc/fail2ban/filter.d/sshd.conf and make two copies of it - /etc/fail2ban/filter.d/sshd-badusername.local and /etc/fail2ban/filter.d/sshd-wrongpassword.local, removing from each the unwanted regular expressions.
>
> I expected to be able to create /etc/fail2ban/jail.d/sshd-badusername.conf and /etc/fail2ban/jail.d/sshd-wrongpassword.conf with the following contents:
>
> [sshd-badusername]
> enabled = true
> logpath = /var/log/messages
>
> [sshd-wrongpassword]
> enabled = true
> logpath = /var/log/messages
>
> This doesn't work - when I reload fail2ban I get the messages:
> ERROR No file(s) found for glob /var/log/auth.log
> ERROR Failed during configuration: Have not found any log file for sshd jail
>
> I don't understand - I didn't think I had any jail called "sshd" anymore - I thought I had two jails, "sshd-badusername" and "sshd-wrongpassword".
>
> Fail2Ban seems highly modular and configurable, and I feel like I'm missing something important because there are too many pieces for me to visualise correctly.
>
> Stroller.
>
> [1] https://wiki.gentoo.org/wiki/Fail2ban#Configuration
From: Stroller <str...@st...> - 2017-09-20 16:46:29

Hello,

I'm new to Fail2Ban, and still getting to grips with it.

As I understand it, all matches to a filter are treated the same - using the default sshd filter a bot trying to logon as a nonexistent user is treated the same as a genuine user who has misspelled their password.

I would prefer to ban an IP the second time it attempts to log on as a nonexistent user, and allow multiple password attempts if the user exists on the system.

I have read some documents and HOWTOs, but seem to be struggling a bit with fail2ban's configuration concepts.

I've found /etc/fail2ban/filter.d/sshd.conf and enabled it by creating a corresponding /etc/fail2ban/jail.d/sshd.conf, as per Gentoo's wiki. [1]

I would have thought that the logical way to make my own filters would be to take the existing /etc/fail2ban/filter.d/sshd.conf and make two copies of it - /etc/fail2ban/filter.d/sshd-badusername.local and /etc/fail2ban/filter.d/sshd-wrongpassword.local, removing from each the unwanted regular expressions.

I expected to be able to create /etc/fail2ban/jail.d/sshd-badusername.conf and /etc/fail2ban/jail.d/sshd-wrongpassword.conf with the following contents:

[sshd-badusername]
enabled = true
logpath = /var/log/messages

[sshd-wrongpassword]
enabled = true
logpath = /var/log/messages

This doesn't work - when I reload fail2ban I get the messages:

ERROR No file(s) found for glob /var/log/auth.log
ERROR Failed during configuration: Have not found any log file for sshd jail

I don't understand - I didn't think I had any jail called "sshd" anymore - I thought I had two jails, "sshd-badusername" and "sshd-wrongpassword".

Fail2Ban seems highly modular and configurable, and I feel like I'm missing something important because there are too many pieces for me to visualise correctly.

Stroller.

[1] https://wiki.gentoo.org/wiki/Fail2ban#Configuration
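What Stroller is after in this thread (one jail for nonexistent usernames with a low maxretry, a second jail for wrong passwords with a higher one) and the point Nick makes in the later sshd/pam_succeed_if thread at the top of the page (a log line that carries no client address can never be banned on) can both be shown with a small reimplementation of fail2ban's failregex/<HOST> matching and its findtime/maxretry window. This is an added example and not fail2ban's own code: the two regexes are trimmed-down versions of lines in filter.d/sshd.conf, the <HOST> expansion is simplified to IPv4-or-hostname, the thresholds are illustrative, and the sample log is constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not fail2ban's own code: a deliberately small reimplementation
# of failregex/<HOST> matching plus the findtime/maxretry window, enough to show
# two sshd jails with different thresholds. fail2ban's real <HOST> expansion,
# sshd.conf regexes and date detector are considerably richer than this.

# <HOST> as fail2ban would expand it, simplified here to IPv4-or-hostname.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9.-]*)"

# The two jails Stroller described. The regexes are trimmed-down versions of
# lines in filter.d/sshd.conf; the thresholds are illustrative assumptions.
# (?!invalid user ) keeps a nonexistent-user failure out of the password jail,
# so each attempt is counted by exactly one jail.
JAILS = {
    "sshd-badusername": {
        "failregex": re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + HOST),
        "maxretry": 2,      # ban on the second unknown username
        "findtime": 600,
    },
    "sshd-wrongpassword": {
        "failregex": re.compile(
            r"sshd\[\d+\]: Failed password for (?!invalid user )\S+ from "
            + HOST + r" port \d+ ssh2"),
        "maxretry": 5,      # a real user is allowed a few typos
        "findtime": 600,
    },
}

# Syslog timestamp prefix; the year is absent, as in a real /var/log/messages.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log. Addresses are RFC 5737 documentation ranges. The
# first line is the pam_succeed_if message shape from Robert's post: it names
# the user but not the client address, so no <HOST> regex can ever match it.
SAMPLE_LOG = """\
Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from 192.0.2.10 port 43862 ssh2
Sep 24 05:55:09 ourserver sshd[22772]: Failed password for root from 192.0.2.10 port 43862 ssh2
Sep 24 05:55:12 ourserver sshd[22772]: Failed password for root from 192.0.2.10 port 43862 ssh2
Sep 24 05:55:15 ourserver sshd[22772]: Failed password for root from 192.0.2.10 port 43862 ssh2
Sep 24 05:55:18 ourserver sshd[22772]: Failed password for root from 192.0.2.10 port 43862 ssh2
Sep 24 06:01:30 ourserver sshd[22801]: Invalid user test3 from 198.51.100.7
Sep 24 06:01:31 ourserver sshd[22801]: Failed password for invalid user test3 from 198.51.100.7 port 60987 ssh2
Sep 24 06:01:40 ourserver sshd[22803]: Invalid user admin from 198.51.100.7
Sep 24 06:20:00 ourserver sshd[22900]: Invalid user oracle from 203.0.113.5
Sep 24 06:45:00 ourserver sshd[22950]: Invalid user oracle from 203.0.113.5
"""


def classify(line):
    """Return [(jail, host)] for every jail whose failregex matches the line."""
    hits = []
    for name, jail in JAILS.items():
        m = jail["failregex"].search(line)
        if m:
            hits.append((name, m.group("host")))
    return hits


def run_jails(log_text, year=2017):
    """Replay the log through the jails and return bans as (jail, host, time).

    Each (jail, host) keeps the times of its recent failures; entries older
    than findtime are dropped on every new failure, and once maxretry failures
    remain inside the window the host is banned and its counter reset."""
    recent = defaultdict(deque)
    bans = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # syslog has no year, so one is supplied (fail2ban assumes the current one)
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        for name, host in classify(line):
            jail = JAILS[name]
            window = recent[(name, host)]
            window.append(when)
            while (when - window[0]).total_seconds() > jail["findtime"]:
                window.popleft()
            if len(window) >= jail["maxretry"]:
                bans.append((name, host, when))
                window.clear()
    return bans


if __name__ == "__main__":
    for jail, host, when in run_jails(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} [{jail}] Ban {host}")
```

Run stand-alone it reports two bans: 192.0.2.10 from sshd-wrongpassword after its fifth failure, and 198.51.100.7 from sshd-badusername after its second unknown username. The pam_succeed_if line is matched by neither jail, the "Failed password for invalid user" line is counted only once (by the username jail, via the preceding "Invalid user" line, not again by the password jail), and 203.0.113.5 is never banned because its two attempts are 25 minutes apart, outside the 600-second findtime.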
From: Bill S. <bsh...@op...> - 2017-09-18 21:25:22

You do realize if you run shorewall commands (restart|stop|clear|etc) it will wipe out the iptables entries that fail2ban adds? Shorewall reloads the entire iptables.

You should use an ipset instead. Define the ipsets in /etc/shorewall/init:

ipset -exist create fail2ban-IPv4-port hash:ip,port timeout 3600
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

add this after the ?SECTION NEW in /etc/shorewall/rules

?COMMENT flagged by fail2ban
DROP inet:+fail2ban-IPv4-port[src,dst] fw
DROP inet:+fail2ban-IPv4-ip[src] fw

Create a /etc/fail2ban/action.d/iptables-ipset-proto4.local (a copy of iptables-ipset-proto4.conf) and blank out:

actioncheck =
actionstart =
actionstop =

(Don't need these because the ipsets are defined in shorewall init.)

Modify jails to use iptables-ipset-proto4.

Note in the boot order: Shorewall should start before fail2ban.

Bill

On 9/17/2017 6:34 AM, chaouche yacine via Fail2ban-users wrote:
> Hello Dominic,
>
> There was only 1 IP that was banned out of 4. The banned one has been unbanned after bantime (1 day) so I can't find it in
> iptables :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep 201.236.111.84
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
> The other 3 weren't banned by fail2ban
>
> NB : I am using shorewall, which uses iptables under the hood IIRC.
From: Darac M. <mai...@da...> - 2017-09-18 09:55:23

On Sun, Sep 17, 2017 at 08:00:22PM +0100, Stroller wrote:
>
>> Date template hits:
>> |- [# of hits] date format
>> |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>
> What does this mean, please?
>
> The number of hits in square brackets makes sense, I guess, but I can't relate the date part to the dates in the logs, which are in the format "Sep 17 15:28:03 hostname sshd[4768]: Invalid user test3 from 92.222.84.103 port 60987"

The "date format" looks like it uses regex-like syntax. The blocks wrapped in (?:....)? are optional non-capturing groups (the second question-mark means "zero or one instances of the previous block", while the question-mark-colon at the start of the block says "this is a group, but don't save the contents to a variable").

So the date format can be read as "Optional (day-name and space), month, space, day-of-the-month, space, 24-hour-format-hours, colon, minutes, colon, seconds, optional (decimal-point and microseconds), optional (space and year)".

This matches the first part of your log line. The optional leading day-name is not there, then everything matches up to the seconds. There are no microseconds and, while there is a trailing space, the "year" matcher is probably numbers-only so won't match " hostname".

> Thanks in advance for any help,
>
> Stroller.

--
For more information, please reread.
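Darac's reading of the template can be checked by writing it out as a real regex and running it over a few log lines, including the two cases the explanation predicts: a line where the optional year group is offered " hostname" and declines it, and a line that does carry a day name, fractional seconds and a year. This is an added example, not fail2ban's own datedetector code; the group names, the assumption that Year is exactly four digits, and the sample lines (placeholder hostnames and RFC 5737 addresses) are mine.

```python
import re
from datetime import datetime

# Added example (not fail2ban's own datedetector code): the template
#   (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
# written out as a concrete regex. Group names, the assumption that Year is
# exactly four digits, and the sample lines below are mine.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

DATE_RE = re.compile(
    r"(?:(?P<dayname>Mon|Tue|Wed|Thu|Fri|Sat|Sun) )?"   # (?:DAY )?  optional
    r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r"\s+(?P<mday>\d{1,2}) "                            # "Sep  7" has two spaces
    r"(?P<hour>[01]\d|2[0-3]):(?P<minute>[0-5]\d):(?P<second>[0-5]\d)"
    r"(?:\.(?P<usec>\d{1,6}))?"                         # (?:\.Microseconds)? optional
    r"(?: (?P<year>\d{4}))?"                            # (?: Year)? optional, digits only
)


def parse_syslog_date(line, default_year=2017):
    """Return (datetime, remainder_of_line), or None if the template does not match.

    Syslog lines carry no year, so the caller supplies one (fail2ban assumes
    the current year); a year that is present in the line wins over the default.
    Because the year group is digits-only, " hostname" after the seconds is
    left in the remainder rather than swallowed, exactly as Darac describes."""
    m = DATE_RE.match(line)
    if not m:
        return None
    usec = int(m.group("usec").ljust(6, "0")) if m.group("usec") else 0
    year = int(m.group("year")) if m.group("year") else default_year
    when = datetime(year, MONTHS[m.group("mon")], int(m.group("mday")),
                    int(m.group("hour")), int(m.group("minute")),
                    int(m.group("second")), usec)
    return when, line[m.end():].lstrip()


# Constructed sample lines (hostnames and addresses are placeholders).
SAMPLE_LINES = [
    "Sep 17 15:28:03 hostname sshd[4768]: Invalid user test3 from 192.0.2.3 port 60987",
    "Sun Sep 17 15:28:03.250 2016 host2 sshd[1]: Accepted publickey for alice from 192.0.2.4 port 1 ssh2",
    "Sep  7 01:02:03 host3 sshd[2]: Connection closed by 192.0.2.5 port 3 [preauth]",
    "2017-09-17 15:28:03 host4 sshd[3]: ISO-style timestamp, a different template",
]


def date_template_hits(lines):
    """Count how many lines this template matches, like the 'Date template hits'
    line of fail2ban-regex; returns (hits, [(datetime, remainder) or None, ...])."""
    parsed = [parse_syslog_date(line) for line in lines]
    return sum(p is not None for p in parsed), parsed


if __name__ == "__main__":
    hits, parsed = date_template_hits(SAMPLE_LINES)
    print(f"[{hits}] of {len(SAMPLE_LINES)} lines matched")
    for line, p in zip(SAMPLE_LINES, parsed):
        print(p[0].isoformat() if p else "no match", "<-", line)
```

The first sample line parses to 15:28:03 on 17 September with "hostname sshd[4768]: ..." left over, the second shows all three optional pieces in use (and its own year overriding the default), the third shows why the template must tolerate the double space syslog puts before a single-digit day, and the ISO-style fourth line is not a hit for this template at all, which is what fail2ban-regex would report as a different template (or no template) matching it.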
From: Nick H. <ni...@ho...> - 2017-09-17 20:33:03

Myself and another person are seeing a race condition in the start up of fail2ban on boot in ClearOS (a Centos derivative). There is a thread on it at https://www.clearos.com/clearfoundation/social/community/attack-detector-fail2ban-sshd-iptables-rule-missing-at-boot-time.

The set up is fail2ban running with 5 jails enabled through files dropped into /etc/fail2ban/jail.d. All files are configured to use ipset for blocking. In ClearOS, ip_set is not loaded by default at boot time so it appears that f2b must be loading it, but it is not waiting long enough for the module to load before applying its first ipset rule. Logs show:

2017-09-14 21:10:39,450 fail2ban.jail [3589]: INFO Jail 'sshd' started
2017-09-14 21:10:39,459 fail2ban.jail [3589]: INFO Jail 'sshd-ddos' started
2017-09-14 21:10:39,462 fail2ban.filtersystemd [3589]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-09-14 21:10:39,468 fail2ban.jail [3589]: INFO Jail 'proftpd' started
2017-09-14 21:10:39,487 fail2ban.jail [3589]: INFO Jail 'postfix-sasl' started
2017-09-14 21:10:39,498 fail2ban.filtersystemd [3589]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-09-14 21:10:39,508 fail2ban.jail [3589]: INFO Jail 'cyrus-imap' started
2017-09-14 21:10:39,557 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-09-14 21:10:39,558 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: "ipset v6.19: Cannot open session to kernel.\niptables v1.4.21: Set f2b-sshd doesn't exist.\n\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-09-14 21:10:39,563 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 2
2017-09-14 21:10:39,564 fail2ban.actions [3589]: ERROR Failed to start jail 'sshd' action 'iptables-ipset-proto6-allports': Error starting action

For both me and the o/p, it is only the first rule which fails. The error can be avoided by loading ip_set through a file in /etc/sysconfig/modules, forcing ip_set to load much earlier in the boot sequence. This indicates a race condition to me. Restarting f2b also works as ip_set will have loaded by then.

The distro is going down a different route which fixes it, by loading ip_set during the firewall load and adding a "Before=fail2ban.service" to the firewall systemd configuration, but this is really distro specific as they have their own firewall script.

Regards,

Nick
From: Stroller <str...@st...> - 2017-09-17 19:00:33

> Date template hits:
> |- [# of hits] date format
> |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-

What does this mean, please?

The number of hits in square brackets makes sense, I guess, but I can't relate the date part to the dates in the logs, which are in the format "Sep 17 15:28:03 hostname sshd[4768]: Invalid user test3 from 92.222.84.103 port 60987"

Thanks in advance for any help,

Stroller.
From: chaouche y. <yac...@ya...> - 2017-09-17 14:58:01

Dominic,

Thank you so much for your troubleshooting tips. Apparently, I shouldn't have trusted the output of fail2ban -d :

root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix-sasl-long
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'postfix-sasl-long', 'auto']
['set', 'postfix-sasl-long', 'usedns', 'warn']
['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl-long', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl-long', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl-long', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl-long', 'ignorecommand', '']
['set', 'postfix-sasl-long', 'findtime', 86400]
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']
['set', 'postfix-sasl-long', 'addaction', 'shorewall']
['set', 'postfix-sasl-long', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix-sasl-long', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl-long', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl-long', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['start', 'postfix-sasl-long']
root@messagerie[10.10.10.19] ~ #

Here it seems that the jail postfix-sasl-long exists, but when I issue the command you have given

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long addaction
ERROR  NOK: ('postfix-sasl-long',)
Sorry but the jail 'postfix-sasl-long' does not exist
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

The jail doesn't exist! Are there two configurations for fail2ban? (one for the "client" and one for the "server"?)

After restarting (the server I guess), the jail is found and the action too

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # service fail2ban restart
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long addaction
shorewall
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

I'll leave it like this for a day and see what I get tomorrow.

Thanks again !
From: Dominic R. <do...@ti...> - 2017-09-17 10:46:47

On 17 September 2017 at 11:34, chaouche yacine <yac...@ya...> wrote:
> Hello Dominic,
>
> There was only 1 IP that was banned out of 4. The banned one has been
> unbanned after bantime (1 day) so I can't find it in iptables :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep 201.236.111.84
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
> The other 3 weren't banned by fail2ban
>
> NB : I am using shorewall, which uses iptables under the hood IIRC.

Too bad. It might be worth monitoring for the next time there is a fail2ban-postfix-sasl ban and having a look in iptables then.

I suspect that fail2ban is failing to implement the ban in iptables. Try:

$ fail2ban-client get postfix-sasl actions
iptables-multiport

Then you can find the actual ban action (your action may differ from the above, in which case substitute appropriately):

$ fail2ban-client get postfix-sasl action iptables-multiport actionban
<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

This tells you what fail2ban is doing to execute the ban.
From: chaouche y. <yac...@ya...> - 2017-09-17 10:34:56

Hello Dominic,

There was only 1 IP that was banned out of 4. The banned one has been unbanned after bantime (1 day) so I can't find it in iptables :

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep 201.236.111.84
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

The other 3 weren't banned by fail2ban

NB : I am using shorewall, which uses iptables under the hood IIRC.
From: Dominic R. <do...@ti...> - 2017-09-17 10:27:27

On 17 September 2017 at 11:12, chaouche yacine via Fail2ban-users <fai...@li...> wrote:
> Hello list,
>
> I have two problems to discuss here
> ...

Assuming your machine is using iptables you can check if a given ip is actually banned there (during the period of fail2ban's supposed ban) - this may help isolate where the problem is:

iptables -nL|grep -F ip.value.to.check

example from my server (I use syslog for f2b logging):

$ sudo grep -a "fail2ban" /var/log/syslog | tail -n1
2017-09-17 11:18:01 myserver fail2ban.actions[1594]: NOTICE [postfix] Ban 14.165.80.98
$ sudo iptables -nL | grep -F 14.165.80.98
REJECT     all  --  14.165.80.98         0.0.0.0/0            reject-with icmp-port-unreachable
From: chaouche y. <yac...@ya...> - 2017-09-17 10:23:12

Same for this IP. It hasn't been banned

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 201.236.111.84.*LOGIN /var/log/mail.warn.1
Sep 13 04:58:50 messagerie postfix/smtpd[50954]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 07:57:41 messagerie postfix/smtpd[60178]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 08:10:48 messagerie postfix/smtpd[60178]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 12:58:10 messagerie postfix/smtpd[17692]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 13 14:59:40 messagerie postfix/smtpd[33562]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 18:31:29 messagerie postfix/smtpd[1112]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 18:58:07 messagerie postfix/smtpd[1634]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 23:22:50 messagerie postfix/smtpd[8482]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 01:22:36 messagerie postfix/smtpd[14389]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:13:51 messagerie postfix/smtpd[30107]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:21:09 messagerie postfix/smtpd[30107]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:28:26 messagerie postfix/smtpd[30107]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:42:51 messagerie postfix/smtpd[30107]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 12:28:30 messagerie postfix/smtpd[32211]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 18:28:46 messagerie postfix/smtpd[41918]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 20:43:53 messagerie postfix/smtpd[46565]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 20:57:47 messagerie postfix/smtpd[46565]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 02:12:56 messagerie postfix/smtpd[57109]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 03:01:22 messagerie postfix/smtpd[58271]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 05:59:24 messagerie postfix/smtpd[61984]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 13:07:18 messagerie postfix/smtpd[7479]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 02:04:44 messagerie postfix/smtpd[30694]: warning: unknown[201.236.111.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 201.236.111.84 /var/log/fail2ban.log*
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

And this other one :

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 195.22.127.253 /var/log/mail.warn.1
Sep 15 16:25:10 messagerie postfix/smtpd[38747]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 19:20:21 messagerie postfix/smtpd[45045]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 22:19:38 messagerie postfix/smtpd[48966]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 22:19:53 messagerie postfix/smtpd[48966]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 01:14:19 messagerie postfix/smtpd[55682]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 01:14:27 messagerie postfix/smtpd[55682]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 04:10:28 messagerie postfix/smtpd[59243]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 04:10:43 messagerie postfix/smtpd[59906]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 07:08:35 messagerie postfix/smtpd[62787]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 07:08:44 messagerie postfix/smtpd[65157]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 10:11:03 messagerie postfix/smtpd[3019]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 10:11:12 messagerie postfix/smtpd[3019]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 13:15:58 messagerie postfix/smtpd[7479]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 13:16:06 messagerie postfix/smtpd[7479]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 16:20:12 messagerie postfix/smtpd[12907]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 16:20:20 messagerie postfix/smtpd[12907]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 19:27:28 messagerie postfix/smtpd[18386]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 22:33:10 messagerie postfix/smtpd[23180]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 01:36:27 messagerie postfix/smtpd[30694]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 01:36:36 messagerie postfix/smtpd[30694]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 04:42:00 messagerie postfix/smtpd[35500]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 04:42:09 messagerie postfix/smtpd[35500]: warning: unknown[195.22.127.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 195.22.127.253 /var/log/fail2ban.log*

On Sunday, September 17, 2017 11:14 AM, chaouche yacine via Fail2ban-users <fai...@li...> wrote:

Hello list,

I have two problems to discuss here

163.172.20.242 : a banned IP continued to make login requests to my postfix server
2.139.229.39 : another IP that should have been banned by my postfix-sasl-long jail (10 failures in 24 hours) but hasn't.

It is divided in three parts :

First part is for the first IP
Second part is for the second IP
Last part is the full config for my postfix jails.

FIRST IP : 163.172.20.242
=========================

1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------

Here's the config

['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'findtime', 600] <<<<<< 5 minutes
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

Here are the logged failures :

root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1
Sep 15 00:44:00 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed:
UGFzc3dvcmQ6 Sep 15 00:44:00 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:00 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:01 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning: 
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server root@messagerie[10.10.10.19] ~ # That's 20 lines in only 27 seconds. root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1 | wc -l 20 root@messagerie[10.10.10.19] ~ # 2) Proof that is has been banned after the maxretry --------------------------------------------------- That IP has been first banned at 00:44:01, after 5 attempts, although it is configured to ban after 3 attempts in 5 minutes. 
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 163.172.20.242 /var/log/fail2ban.log* /var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING [postfix-sasl] Ban 163.172.20.242 /var/log/fail2ban.log:2017-09-15 00:44:06,477 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned /var/log/fail2ban.log:2017-09-15 00:44:16,489 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned /var/log/fail2ban.log:2017-09-15 00:44:26,500 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned /var/log/fail2ban.log:2017-09-16 00:44:02,005 fail2ban.actions[10631]: WARNING [postfix-sasl] Unban 163.172.20.242 root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # 3) Proof that it continued to try to login after it has been banned ------------------------------------------------------------------- The IP has been banned at 00:44:01 /var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING [postfix-sasl] Ban 163.172.20.242 But it continued to try to login after that, starting at 00:44:06 Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication 
failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server SECOND IP : 2.139.229.39 ======================== 1) Proof that it has reached its maxretry in the specified findtime ------------------------------------------------------------------- Here's the config that should have banned it : ['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl-long', 'maxretry', 10] ['set', 'postfix-sasl-long', 'findtime', 86400] <<<<<<< 1 day ['set', 
'postfix-sasl-long', 'bantime', 432000] ['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] It had 19 attempts in the first 24 hours, far more than the 10 maxretry configured (nearly by a factor of two), and 11 in the following 24 hours, plus 3 others, for a total of 36 attempts root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39 /var/log/mail.warn.1 Sep 14 11:56:11 messagerie postfix/smtpd[34392]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 12:23:30 messagerie postfix/smtpd[38425]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 14:53:44 messagerie postfix/smtpd[55061]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 15:24:51 messagerie postfix/smtpd[51822]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 16:09:21 messagerie postfix/smtpd[58682]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 17:23:55 messagerie postfix/smtpd[63313]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 17:30:39 messagerie postfix/smtpd[63313]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 18:51:09 messagerie postfix/smtpd[1634]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication 
failed: UGFzc3dvcmQ6 Sep 14 19:04:43 messagerie postfix/smtpd[2202]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 20:46:44 messagerie postfix/smtpd[4874]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 21:27:24 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 21:40:56 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 22:04:41 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:27:32 messagerie postfix/smtpd[9260]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 02:22:29 messagerie postfix/smtpd[15942]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 04:05:28 messagerie postfix/smtpd[18713]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 08:51:57 messagerie postfix/smtpd[26630]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 09:28:31 messagerie postfix/smtpd[27272]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 10:25:28 messagerie postfix/smtpd[27943]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 --- less than 24 hours , 19 attempts ---- Sep 15 12:10:52 messagerie postfix/smtpd[31898]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 14:47:49 messagerie 
postfix/smtpd[36892]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 19:34:48 messagerie postfix/smtpd[45045]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 21:29:18 messagerie postfix/smtpd[47890]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 21:57:39 messagerie postfix/smtpd[48234]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 22:11:43 messagerie postfix/smtpd[48234]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 01:43:17 messagerie postfix/smtpd[56386]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 04:08:04 messagerie postfix/smtpd[59243]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 06:06:34 messagerie postfix/smtpd[61984]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 10:07:22 messagerie postfix/smtpd[3019]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 11:48:31 messagerie postfix/smtpd[5676]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 --- less than 24 hours, 11 attempts --- Sep 16 15:57:47 messagerie postfix/smtpd[12907]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 16:49:52 messagerie postfix/smtpd[14043]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 17:56:26 messagerie postfix/smtpd[15798]: warning: 
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 23:18:18 messagerie postfix/smtpd[23541]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 17 00:55:30 messagerie postfix/smtpd[29593]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 17 04:03:45 messagerie postfix/smtpd[33811]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39 /var/log/mail.warn.1 | wc -l 36 root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # 2) Proof that it hasn't been banned ----------------------------------- root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 2.139.229.39 /var/log/fail2ban.log* root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # FULL CONFIGURATION ================== Here's my configuration for the postfix jails : I have postix, postfix-sasl and postfix-sasl-long. The postfix jail is for rejected mail The postfix-sasl jail is for login failures (3 in 5 minutes) The postfix-sasl-long jail is for login failures in a longer period of time (10 in 24 hours) root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix WARNING 'ignoreregex' not defined in 'Definition'. Using default one: '' WARNING 'ignoreregex' not defined in 'Definition'. 
Using default one: '' ['add', 'postfix', 'auto'] ['set', 'postfix', 'usedns', 'warn'] ['set', 'postfix', 'addlogpath', '/var/log/mail.log'] ['set', 'postfix', 'maxretry', 3] ['set', 'postfix', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix', 'addignoreip', '10.10.10.0/24'] ['set', 'postfix', 'addignoreip', '172.16.0.0/16'] ['set', 'postfix', 'addignoreip', '192.168.0.0/16'] ['set', 'postfix', 'ignorecommand', ''] ['set', 'postfix', 'findtime', 600] ['set', 'postfix', 'bantime', 86400] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 554 5\\.7\\.1 .*$'] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$'] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: VRFY from \\S+\\[<HOST>\\]: 550 5\\.1\\.1 .*$'] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*improper command pipelining after \\S+ from [^[]*\\[<HOST>\\]:?$'] 
['set', 'postfix', 'addaction', 'shorewall'] ['set', 'postfix', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>'] ['set', 'postfix', 'actionstop', 'shorewall', ''] ['set', 'postfix', 'actionstart', 'shorewall', ''] ['set', 'postfix', 'actionunban', 'shorewall', 'shorewall allow <ip>'] ['set', 'postfix', 'actioncheck', 'shorewall', ''] ['set', 'postfix', 'setcinfo', 'shorewall', 'blocktype', 'reject'] ['add', 'postfix-sasl', 'auto'] ['set', 'postfix-sasl', 'usedns', 'warn'] ['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl', 'maxretry', 3] ['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-sasl', 'addignoreip', '10.10.10.0/24'] ['set', 'postfix-sasl', 'addignoreip', '172.16.0.0/16'] ['set', 'postfix-sasl', 'addignoreip', '192.168.0.0/16'] ['set', 'postfix-sasl', 'ignorecommand', ''] ['set', 'postfix-sasl', 'findtime', 600] ['set', 'postfix-sasl', 'bantime', 86400] ['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] ['set', 'postfix-sasl', 'addaction', 'shorewall'] ['set', 'postfix-sasl', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>'] ['set', 'postfix-sasl', 'actionstop', 'shorewall', ''] ['set', 'postfix-sasl', 'actionstart', 'shorewall', ''] ['set', 'postfix-sasl', 'actionunban', 'shorewall', 'shorewall allow <ip>'] ['set', 'postfix-sasl', 'actioncheck', 'shorewall', ''] ['set', 'postfix-sasl', 'setcinfo', 'shorewall', 'blocktype', 'reject'] ['add', 'postfix-sasl-long', 'auto'] ['set', 'postfix-sasl-long', 'usedns', 'warn'] ['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl-long', 'maxretry', 10] 
['set', 'postfix-sasl-long', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-sasl-long', 'addignoreip', '10.10.10.0/24'] ['set', 'postfix-sasl-long', 'addignoreip', '172.16.0.0/16'] ['set', 'postfix-sasl-long', 'addignoreip', '192.168.0.0/16'] ['set', 'postfix-sasl-long', 'ignorecommand', ''] ['set', 'postfix-sasl-long', 'findtime', 86400] ['set', 'postfix-sasl-long', 'bantime', 432000] ['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] ['set', 'postfix-sasl-long', 'addaction', 'shorewall'] ['set', 'postfix-sasl-long', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>'] ['set', 'postfix-sasl-long', 'actionstop', 'shorewall', ''] ['set', 'postfix-sasl-long', 'actionstart', 'shorewall', ''] ['set', 'postfix-sasl-long', 'actionunban', 'shorewall', 'shorewall allow <ip>'] ['set', 'postfix-sasl-long', 'actioncheck', 'shorewall', ''] ['set', 'postfix-sasl-long', 'setcinfo', 'shorewall', 'blocktype', 'reject'] ['start', 'postfix'] ['start', 'postfix-sasl'] ['start', 'postfix-sasl-long'] In particular, we have the following configuration for the postfix-sasl jail that should have banned fhe first IP 163.172.20.242 ['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl', 'maxretry', 3] ['set', 'postfix-sasl', 'findtime', 600] ['set', 'postfix-sasl', 'bantime', 86400] ['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: 
[-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] And this config for postfix-sasl-long that should have banned the second IP 2.139.229.39 ['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl-long', 'maxretry', 10] ['set', 'postfix-sasl-long', 'findtime', 86400] ['set', 'postfix-sasl-long', 'bantime', 432000] ['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] Any hints appreciated. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Fail2ban-users mailing list Fai...@li... https://lists.sourceforge.net/lists/listinfo/fail2ban-users |
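The counting rule the two jails are expected to apply, replayed over log lines in the same format as the ones above. This is an added example for this thread, not fail2ban's or the poster's code: the window logic is my reading of fail2ban 0.9's FailManager, and the sample hosts, PIDs and times are constructed.

```python
"""Replay Postfix SASL failures through a fail2ban-style counter.

Added example, not fail2ban's code.  The counting rule is my reading of
fail2ban 0.9's FailManager: an IP's counter is reset only when a failure
arrives more than findtime seconds after the first failure of its current
window (anchored on that first failure, not a sliding window).
"""
import re
from datetime import datetime, timedelta

# Trimmed form of the postfix-sasl failregex quoted in the thread; it keeps
# the timestamp, the smtpd PID and the client IP.  The optional tail accepts
# both the base64 challenge and "Connection lost to authentication server".
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"warning: [-._\w]+\[(?P<ip>[0-9.]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?:: [ A-Za-z0-9+/]*={0,2})?\s*$"
)


def parse_failures(lines, year=2017):
    """Return (time, pid, ip) for every matching line, sorted by time."""
    found = []
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["pid"], m["ip"]))
    found.sort(key=lambda f: f[0])
    return found


def simulate_jail(failures, maxretry, findtime):
    """Return {ip: time of first ban} for the IPs this jail would ban.

    bantime is ignored: once an IP is banned its later lines are skipped,
    just as fail2ban only logs "already banned" for them.
    """
    window = {}  # ip -> (time of first failure in the window, count)
    bans = {}
    for ts, _pid, ip in failures:
        if ip in bans:
            continue
        start, count = window.get(ip, (ts, 0))
        if (ts - start).total_seconds() > findtime:  # window expired
            start, count = ts, 0
        count += 1
        window[ip] = (start, count)
        if count >= maxretry:
            bans[ip] = ts
            del window[ip]
    return bans


def pids_after(failures, ip, ban_time):
    """smtpd PIDs that still logged failures for ip after it was banned."""
    return sorted({pid for ts, pid, host in failures
                   if host == ip and ts > ban_time})


# Constructed sample log, patterned on the thread's lines.
def sasl_line(when, pid, host, ip, reason="UGFzc3dvcmQ6"):
    return (f"{when:%b %d %H:%M:%S} messagerie postfix/smtpd[{pid}]: warning: "
            f"{host}[{ip}]: SASL LOGIN authentication failed: {reason}")


FAST = ("163-172-20-242.rev.poneytelecom.eu", "163.172.20.242")
SLOW = ("39.red-2-139-229.staticip.rima-tde.net", "2.139.229.39")
PIDS = ["14051", "14389", "14391", "14392", "14393"]
T0 = datetime(2017, 9, 15, 0, 44, 0)
LOST = "Connection lost to authentication server"

SAMPLE_LOG = (
    # five parallel sessions: a burst at 00:44:00, again at :06, then the
    # authentication server drops all five at :26
    [sasl_line(T0, p, *FAST) for p in PIDS]
    + [sasl_line(T0 + timedelta(seconds=6), p, *FAST) for p in PIDS]
    + [sasl_line(T0 + timedelta(seconds=26), p, *FAST, LOST) for p in PIDS]
    # a slow client: one failure every two hours from Sep 14 11:30 onwards
    + [sasl_line(datetime(2017, 9, 14, 11, 30) + timedelta(hours=h),
                 str(40000 + h), *SLOW) for h in range(0, 26, 2)]
)

JAILS = (("postfix-sasl", 3, 600), ("postfix-sasl-long", 10, 86400))


def report(lines=SAMPLE_LOG):
    """{(jail, ip): (ban time, PIDs still failing after the ban)}."""
    failures = parse_failures(lines)
    result = {}
    for name, maxretry, findtime in JAILS:
        for ip, when in simulate_jail(failures, maxretry, findtime).items():
            result[(name, ip)] = (when, pids_after(failures, ip, when))
    return result


if __name__ == "__main__":
    for (name, ip), (when, pids) in report().items():
        print(f"[{name}] ban {ip} at {when:%b %d %H:%M:%S}; "
              f"smtpd PIDs still failing afterwards: {', '.join(pids) or 'none'}")
```

Fed the thread's own lines, the replay puts the first ban for 163.172.20.242 at the third line (Sep 15 00:44:00), about a second before fail2ban's 00:44:01,429 entry, and every attempt logged after the ban comes from the same five smtpd PIDs that were failing before it. That points at checking whether the shorewall ban action also cuts connections that were already open when the ban was applied, not only new ones.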
From: chaouche y. <yac...@ya...> - 2017-09-17 10:13:04
Hello list,

I have two problems to discuss here

163.172.20.242 : a banned IP continued to make login requests to my postfix server
2.139.229.39 : another IP that should have been banned by my postfix-sasl-long jail (10 failures in 24 hours) but hasn't.

It is divided in three parts :
First part is for the first IP
Second part is for the second IP
Last part is the full config for my postfix jails.

FIRST IP : 163.172.20.242
=========================

1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------

Here's the config

['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'findtime', 600] <<<<<< 5 minutes
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

Here are the logged failures :

root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1
Sep 15 00:44:00 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:01 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
root@messagerie[10.10.10.19] ~ #

That's 20 lines in only 27 seconds.

root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1 | wc -l
20
root@messagerie[10.10.10.19] ~ #

2) Proof that it has been banned after the maxretry
---------------------------------------------------

That IP has been first banned at 00:44:01, after 5 attempts, although it is configured to ban after 3 attempts in 5 minutes.

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 163.172.20.242 /var/log/fail2ban.log*
/var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING [postfix-sasl] Ban 163.172.20.242
/var/log/fail2ban.log:2017-09-15 00:44:06,477 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-15 00:44:16,489 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-15 00:44:26,500 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-16 00:44:02,005 fail2ban.actions[10631]: WARNING [postfix-sasl] Unban 163.172.20.242
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

3) Proof that it continued to try to login after it has been banned
-------------------------------------------------------------------

The IP has been banned at 00:44:01

/var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING [postfix-sasl] Ban 163.172.20.242

But it continued to try to login after that, starting at 00:44:06

Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server

SECOND IP : 2.139.229.39
========================

1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------

Here's the config that should have banned it :

['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'findtime', 86400] <<<<<<< 1 day
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

It had 19 attempts in the first 24 hours, far more than the 10 maxretry configured (nearly by a factor of two), and 11 in the following 24 hours, plus 3 others, for a total of 36 attempts

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39 /var/log/mail.warn.1
Sep 14 11:56:11 messagerie postfix/smtpd[34392]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 12:23:30 messagerie postfix/smtpd[38425]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 14:53:44 messagerie postfix/smtpd[55061]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 15:24:51 messagerie postfix/smtpd[51822]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 16:09:21 messagerie postfix/smtpd[58682]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 17:23:55 messagerie postfix/smtpd[63313]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 17:30:39 messagerie postfix/smtpd[63313]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 18:51:09 messagerie postfix/smtpd[1634]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6 Sep 14 19:04:43 messagerie postfix/smtpd[2202]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 20:46:44 messagerie postfix/smtpd[4874]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 21:27:24 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 21:40:56 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 14 22:04:41 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 00:27:32 messagerie postfix/smtpd[9260]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 02:22:29 messagerie postfix/smtpd[15942]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 04:05:28 messagerie postfix/smtpd[18713]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 08:51:57 messagerie postfix/smtpd[26630]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 09:28:31 messagerie postfix/smtpd[27272]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 10:25:28 messagerie postfix/smtpd[27943]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 --- less than 24 hours , 19 attempts ---- Sep 15 12:10:52 messagerie postfix/smtpd[31898]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 14:47:49 messagerie 
postfix/smtpd[36892]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 19:34:48 messagerie postfix/smtpd[45045]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 21:29:18 messagerie postfix/smtpd[47890]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 21:57:39 messagerie postfix/smtpd[48234]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 15 22:11:43 messagerie postfix/smtpd[48234]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 01:43:17 messagerie postfix/smtpd[56386]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 04:08:04 messagerie postfix/smtpd[59243]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 06:06:34 messagerie postfix/smtpd[61984]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 10:07:22 messagerie postfix/smtpd[3019]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 11:48:31 messagerie postfix/smtpd[5676]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 --- less than 24 hours, 11 attempts --- Sep 16 15:57:47 messagerie postfix/smtpd[12907]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 16:49:52 messagerie postfix/smtpd[14043]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 17:56:26 messagerie postfix/smtpd[15798]: warning: 
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 16 23:18:18 messagerie postfix/smtpd[23541]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 17 00:55:30 messagerie postfix/smtpd[29593]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Sep 17 04:03:45 messagerie postfix/smtpd[33811]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39 /var/log/mail.warn.1 | wc -l 36 root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # 2) Proof that it hasn't been banned ----------------------------------- root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 2.139.229.39 /var/log/fail2ban.log* root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # FULL CONFIGURATION ================== Here's my configuration for the postfix jails : I have postix, postfix-sasl and postfix-sasl-long. The postfix jail is for rejected mail The postfix-sasl jail is for login failures (3 in 5 minutes) The postfix-sasl-long jail is for login failures in a longer period of time (10 in 24 hours) root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix WARNING 'ignoreregex' not defined in 'Definition'. Using default one: '' WARNING 'ignoreregex' not defined in 'Definition'. 
Using default one: '' ['add', 'postfix', 'auto'] ['set', 'postfix', 'usedns', 'warn'] ['set', 'postfix', 'addlogpath', '/var/log/mail.log'] ['set', 'postfix', 'maxretry', 3] ['set', 'postfix', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix', 'addignoreip', '10.10.10.0/24'] ['set', 'postfix', 'addignoreip', '172.16.0.0/16'] ['set', 'postfix', 'addignoreip', '192.168.0.0/16'] ['set', 'postfix', 'ignorecommand', ''] ['set', 'postfix', 'findtime', 600] ['set', 'postfix', 'bantime', 86400] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 554 5\\.7\\.1 .*$'] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$'] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: VRFY from \\S+\\[<HOST>\\]: 550 5\\.1\\.1 .*$'] ['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*improper command pipelining after \\S+ from [^[]*\\[<HOST>\\]:?$'] 
['set', 'postfix', 'addaction', 'shorewall'] ['set', 'postfix', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>'] ['set', 'postfix', 'actionstop', 'shorewall', ''] ['set', 'postfix', 'actionstart', 'shorewall', ''] ['set', 'postfix', 'actionunban', 'shorewall', 'shorewall allow <ip>'] ['set', 'postfix', 'actioncheck', 'shorewall', ''] ['set', 'postfix', 'setcinfo', 'shorewall', 'blocktype', 'reject'] ['add', 'postfix-sasl', 'auto'] ['set', 'postfix-sasl', 'usedns', 'warn'] ['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl', 'maxretry', 3] ['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-sasl', 'addignoreip', '10.10.10.0/24'] ['set', 'postfix-sasl', 'addignoreip', '172.16.0.0/16'] ['set', 'postfix-sasl', 'addignoreip', '192.168.0.0/16'] ['set', 'postfix-sasl', 'ignorecommand', ''] ['set', 'postfix-sasl', 'findtime', 600] ['set', 'postfix-sasl', 'bantime', 86400] ['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] ['set', 'postfix-sasl', 'addaction', 'shorewall'] ['set', 'postfix-sasl', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>'] ['set', 'postfix-sasl', 'actionstop', 'shorewall', ''] ['set', 'postfix-sasl', 'actionstart', 'shorewall', ''] ['set', 'postfix-sasl', 'actionunban', 'shorewall', 'shorewall allow <ip>'] ['set', 'postfix-sasl', 'actioncheck', 'shorewall', ''] ['set', 'postfix-sasl', 'setcinfo', 'shorewall', 'blocktype', 'reject'] ['add', 'postfix-sasl-long', 'auto'] ['set', 'postfix-sasl-long', 'usedns', 'warn'] ['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl-long', 'maxretry', 10] 
['set', 'postfix-sasl-long', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-sasl-long', 'addignoreip', '10.10.10.0/24'] ['set', 'postfix-sasl-long', 'addignoreip', '172.16.0.0/16'] ['set', 'postfix-sasl-long', 'addignoreip', '192.168.0.0/16'] ['set', 'postfix-sasl-long', 'ignorecommand', ''] ['set', 'postfix-sasl-long', 'findtime', 86400] ['set', 'postfix-sasl-long', 'bantime', 432000] ['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] ['set', 'postfix-sasl-long', 'addaction', 'shorewall'] ['set', 'postfix-sasl-long', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>'] ['set', 'postfix-sasl-long', 'actionstop', 'shorewall', ''] ['set', 'postfix-sasl-long', 'actionstart', 'shorewall', ''] ['set', 'postfix-sasl-long', 'actionunban', 'shorewall', 'shorewall allow <ip>'] ['set', 'postfix-sasl-long', 'actioncheck', 'shorewall', ''] ['set', 'postfix-sasl-long', 'setcinfo', 'shorewall', 'blocktype', 'reject'] ['start', 'postfix'] ['start', 'postfix-sasl'] ['start', 'postfix-sasl-long'] In particular, we have the following configuration for the postfix-sasl jail that should have banned fhe first IP 163.172.20.242 ['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl', 'maxretry', 3] ['set', 'postfix-sasl', 'findtime', 600] ['set', 'postfix-sasl', 'bantime', 86400] ['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: 
[-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] And this config for postfix-sasl-long that should have banned the second IP 2.139.229.39 ['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn'] ['set', 'postfix-sasl-long', 'maxretry', 10] ['set', 'postfix-sasl-long', 'findtime', 86400] ['set', 'postfix-sasl-long', 'bantime', 432000] ['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'] Any hints appreciated. |
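The check the poster did by hand above (count an IP's SASL failures inside findtime and see whether maxretry is reached) can be replayed over a log with a few lines of Python. This is an added example, not code from the thread or from fail2ban itself: it uses a simplified form of the thread's postfix-sasl failregex and constructed sample lines with documentation IPs, and it models the window only; fail2ban's own poll interval, ticket handling and unban timing differ in detail.

```python
"""Replay a fail2ban jail's maxretry/findtime window over postfix SASL failure lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified form of the postfix-sasl failregex quoted in the thread: only the
# postfix/smtpd warning part, with <HOST> replaced by a capturing group.
# Constructed for this example, not fail2ban's own filter.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[^\]]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)
# Syslog timestamp prefix ("Sep 15 00:44:26"); the year is not in the line.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample lines in the format the thread shows (documentation IPs, not real hosts):
# five quick failures from one IP, three slow ones from another, and one non-failure line.
SAMPLE_LINES = [
    "Sep 15 00:43:50 messagerie postfix/smtpd[14051]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 00:43:55 messagerie postfix/smtpd[14389]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 00:44:01 messagerie postfix/smtpd[14391]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: Connection lost to authentication server",
    "Sep 15 00:44:16 messagerie postfix/smtpd[14393]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 10:00:00 messagerie postfix/smtpd[20001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 10:08:00 messagerie postfix/smtpd[20002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 10:12:00 messagerie postfix/smtpd[20003]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 15 10:13:00 messagerie postfix/smtpd[20004]: connect from unknown[198.51.100.7]",
]


def parse_failure(line, year=2017):
    """Return (timestamp, ip) when the line is a SASL authentication failure, else None."""
    m_ts = SYSLOG_TS.match(line)
    m_fail = FAILREGEX.search(line)
    if not (m_ts and m_fail):
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m_fail.group("host")


def expected_bans(lines, maxretry, findtime, bantime):
    """Simulate one jail over the lines in order.

    An IP is banned when maxretry of its failures fall within findtime seconds.
    Returns (bans, during_ban): bans is a list of (ban_time, ip, failures_in_window),
    during_ban counts failures seen from an IP while it was still banned.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> time the ban expires
    bans = []
    during_ban = defaultdict(int)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            during_ban[ip] += 1   # still banned: count it but do not restart the window
            continue
        recent = window[ip]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()      # drop failures older than the findtime window
        if len(recent) >= maxretry:
            bans.append((ts, ip, len(recent)))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            recent.clear()
    return bans, dict(during_ban)


if __name__ == "__main__":
    # The two jails from the thread: 3 in 10 minutes, and 10 in 24 hours.
    jails = {"postfix-sasl": (3, 600, 86400), "postfix-sasl-long": (10, 86400, 432000)}
    for name, (maxretry, findtime, bantime) in jails.items():
        bans, during_ban = expected_bans(SAMPLE_LINES, maxretry, findtime, bantime)
        print(name, "bans:", bans, "failures while banned:", during_ban)
```

With the sample input the short jail bans 192.0.2.10 on its third failure at 00:44:01 and sees two more failures during the ban, while 198.51.100.7 never has three failures inside 600 seconds; the long jail bans nobody. Pointing the same loop at a real /var/log/mail.warn shows which IPs should have crossed the threshold and when.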
From: Frank R. <fra...@hr...> - 2017-09-14 10:15:50
Hello,

I installed fail2ban-0.10.0 on Scientific Linux 7.3 aka CentOS 7.3 with iptables v1.4.21, Python 2.7.5, configured with paths-fedora.conf.
I'm unable to get actions iptables or iptables-multiport to work. There is no iptables chain f2b-... I suspect that no actionstart commands will be executed. I added a simple /bin/date >> /tmp/... command to actionstart - with no effect.
See below the debug output when starting the jail.
Any hints are welcome! (The epel-RPM 0.9.6 is working).

Thanks, Frank

+ 141 7F29DF244740 fail2ban.jail INFO Creating new jail 'horde'
+ 141 7F29DF244740 fail2ban.jail DEBUG Backend 'pyinotify' failed to initialize due to No module named pyinotify
+ 142 7F29DF244740 fail2ban.jail DEBUG Backend 'gamin' failed to initialize due to No module named gamin
+ 142 7F29DF244740 fail2ban.jail INFO Jail 'horde' uses poller {}
+ 142 7F29DF244740 fail2ban.filter DEBUG Setting usedns = warn for FilterPoll(Jail('horde'))
+ 142 7F29DF244740 fail2ban.filter DEBUG Created FilterPoll(Jail('horde'))
+ 142 7F29DF244740 fail2ban.filterpoll DEBUG Created FilterPoll
+ 143 7F29DF244740 fail2ban.jail INFO Initiated 'polling' backend
+ 143 7F29DF244740 fail2ban.server DEBUG failregex: '^ ERR: HORDE \\[horde\\] FAILED LOGIN for \\S+ to horde \\(<HOST>\\)(\\(forwarded for \\[\\S+\\]\\))? \\[pid \\d+ on line \\d+ of \\S+\\]$'
+ 145 7F29DF244740 fail2ban.filter DEBUG Setting usedns = warn for FilterPoll(Jail('horde'))
+ 146 7F29DF244740 fail2ban.filter INFO Added logfile: '/var/log/horde.log' (pos = 0, hash = d41d8cd98f00b204e9800998ecf8427e)
+ 147 7F29DF244740 fail2ban.filter INFO maxRetry: 6
+ 147 7F29DF244740 fail2ban.filter DEBUG Add 127.0.0.0/8 to ignore list ('127.0.0.1/8')
+ 148 7F29DF244740 fail2ban.filter INFO encoding: UTF-8
+ 149 7F29DF244740 fail2ban.actions INFO banTime: 600
+ 150 7F29DF244740 fail2ban.filter INFO findtime: 600
+ 150 7F29DF244740 fail2ban.CommandAction DEBUG Created <class 'fail2ban.server.action.CommandAction'>
+ 151 7F29DF244740 fail2ban.CommandAction DEBUG Set actionunban = '<iptables> -D f2b-HTTP -s <ip> -j <blocktype>'
+ 151 7F29DF244740 fail2ban.CommandAction DEBUG Set actionflush = '<iptables> -F f2b-HTTP'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set actionstop = '<iptables> -D INPUT -p tcp --dport https -j f2b-HTTP\n<iptables> -F f2b-HTTP\n<iptables> -X f2b-HTTP'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set actionstart = '<iptables> -N f2b-HTTP\n<iptables> -A f2b-HTTP -j RETURN\n<iptables> -I INPUT -p tcp --dport https -j f2b-HTTP'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set actionban = '<iptables> -I f2b-HTTP 1 -s <ip> -j <blocktype>'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-HTTP[ \\t]'"
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set iptables = 'iptables <lockingopt>'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set lockingopt = '-w'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set known/lockingopt = '-w'
+ 152 7F29DF244740 fail2ban.CommandAction DEBUG Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set protocol = 'tcp'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set name = 'HTTP'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set chain = 'INPUT'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set known/blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set known/protocol = 'tcp'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set known/port = 'ssh'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set known/returntype = 'RETURN'
+ 153 7F29DF244740 fail2ban.CommandAction DEBUG Set known/iptables = 'iptables <lockingopt>'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set known/chain = 'INPUT'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set returntype = 'RETURN'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set known/name = 'default'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set known/blocktype = 'REJECT --reject-with icmp-port-unreachable'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set known/iptables?family=inet6 = 'ip6tables <lockingopt>'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
+ 154 7F29DF244740 fail2ban.CommandAction DEBUG Set actname = 'iptables'
+ 155 7F29DF244740 fail2ban.CommandAction DEBUG Set port = 'https'
+ 155 7F29DF244740 fail2ban.CommandAction DEBUG Created <class 'fail2ban.server.action.CommandAction'>
+ 156 7F29DF244740 fail2ban.CommandAction DEBUG Set actionban = 'printf %b "Subject: [Fail2Ban] HTTP: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <ro...@hr...>\nTo: fr...@hr...\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against HTTP.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ro...@hr... fr...@hr...'
+ 156 7F29DF244740 fail2ban.CommandAction DEBUG Set actionstop = 'printf %b "Subject: [Fail2Ban] HTTP: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <ro...@hr...>\nTo: fr...@hr...\\n\nHi,\\n\nThe jail HTTP has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ro...@hr... fr...@hr...'
+ 156 7F29DF244740 fail2ban.CommandAction DEBUG Set actioncheck = ''
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set norestored = True
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set actionstart = 'printf %b "Subject: [Fail2Ban] HTTP: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <ro...@hr...>\nTo: fr...@hr...\\n\nHi,\\n\nThe jail HTTP has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ro...@hr... fr...@hr...'
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set actionunban = ''
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set name = 'HTTP'
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set known/sender = 'fail2ban'
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set dest = 'fr...@hr...'
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set known/dest = 'root'
+ 157 7F29DF244740 fail2ban.CommandAction DEBUG Set known/name = 'default'
+ 158 7F29DF244740 fail2ban.CommandAction DEBUG Set known/sendername = 'Fail2Ban'
+ 158 7F29DF244740 fail2ban.CommandAction DEBUG Set actname = 'sendmail'
+ 158 7F29DF244740 fail2ban.CommandAction DEBUG Set sendername = 'Fail2Ban'
+ 158 7F29DF244740 fail2ban.CommandAction DEBUG Set sender = 'ro...@hr...'
+ 158 7F29DF244740 fail2ban.jail DEBUG Starting jail 'sshd'
+ 160 7F29DF244740 fail2ban.jail INFO Jail 'sshd' started
+ 160 7F29DF244740 fail2ban.jail DEBUG Starting jail 'horde'
+ 160 7F29CDA16700 fail2ban.filterpoll DEBUG /var/log/horde.log has been modified
+ 161 7F29CDA16700 fail2ban.filter DEBUG Seek to find time 1505379085.7 (2017-09-14 10:51:25), file size 0
+ 161 7F29CDA16700 fail2ban.filter DEBUG Position -1 from 0, found time None () within 0 seeks
+ 161 7F29DF244740 fail2ban.jail INFO Jail 'horde' started
+ 164 7F29CD215700 fail2ban.action DEBUG printf %b "Subject: [Fail2Ban] HTTP: started on <fq-hostname> Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"` From: Fail2Ban <ro...@hr...> To: fr...@hr...\n Hi,\n The jail HTTP has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f ro...@hr... fr...@hr...
+ 183 7F29CD215700 fail2ban.utils DEBUG 7f29b8001a40 -- returned successfully 0

--
Frank Richter
Computing Services, Chemnitz University of Technology, Germany
From: Bill S. <bsh...@op...> - 2017-09-11 17:28:46
Here's how to add another port:

Tell selinux:
semanage port -a -t ssh_port_t -p tcp 2112

/etc/ssh/sshd_config:
# My changes
Port 22
Port 2112

[0:root@yoda ~]$ netstat -anp | grep ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1677/sshd
tcp        0      0 0.0.0.0:2112            0.0.0.0:*               LISTEN      1677/sshd

Bill

On 9/11/2017 10:51 AM, Eckert, Doug wrote:
> My fault for trusting what I was told instead of looking myself.
>
> I was told the second ssh was listening on 2112, when in fact it was listening on 22. So, fail2ban was banning port 2112, but 22 traffic was uninhibited.
>
> On Mon, Sep 11, 2017 at 10:28 AM, Eckert, Doug <dou...@do...> wrote:
>
> Here's the current date and iptables list
>
> # date
> Mon Sep 11 10:23:19 EDT 2017
> # iptables -nvL --line-numbers
> Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 f2b-sshdext tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 2112
> 2 1891K 113M f2b-vsftpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20,990,989
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain f2b-sshdext (1 references)
> num pkts bytes target prot opt in out source destination
> 1 0 0 REJECT all -- * * 172.26.47.66 0.0.0.0/0 reject-with icmp-port-unreachable
> 2 0 0 REJECT all -- * * 103.89.89.149 0.0.0.0/0 reject-with icmp-port-unreachable
> 3 0 0 REJECT all -- * * 90.150.90.116 0.0.0.0/0 reject-with icmp-port-unreachable
> 4 0 0 REJECT all -- * * 190.218.115.115 0.0.0.0/0 reject-with icmp-port-unreachable
> 5 0 0 REJECT all -- * * 193.201.224.212 0.0.0.0/0 reject-with icmp-port-unreachable
> 6 0 0 REJECT all -- * * 117.239.39.51 0.0.0.0/0 reject-with icmp-port-unreachable
> 7 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain f2b-vsftpd (1 references)
> num pkts bytes target prot opt in out source destination
> 1 1891K 113M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
>
>
> And a snapshot of /var/log/secure (active sessions from that IP still hitting the daemon)
>
> # tail -f secure | grep failure
> Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
>
>
> 'sshdext' is a second sshd running on 2112. Entry made in /etc/services for it, as well as a matching file in filter.d. The regex seems to be doing its job, as iptables entries are there.
>
>
>
> On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bsh...@op...> wrote:
>
> A host can have multiple addresses; multiple PTRs can point to a host. You should use 'iptables -nvL' and compare banned IP addresses instead of hostnames.
>
> Bill
>
>
> On 9/9/2017 6:56 AM, Doug Eckert wrote:
>> the name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
>>
>> The right source ip and dest port is added to iptables, but traffic is still getting through for some reason.
>>
>> On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <do...@ti...> wrote:
>>
>> On 8 September 2017 at 16:22, Eckert, Doug <dou...@do...> wrote:
>>
>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
>>
>> Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but I still see connection attempts and authentication errors on the ssh daemon.
>>
>> Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
>>
>> Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>>
>> 'iptables' shows the IP should be DROPping
>>
>> # iptables --list
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>> f2b-vsftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
>>
>> ...
>>
>> The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.
>>
>>
>> I am not an expert but I am puzzled by line:
>>
>> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>>
>> How does iptables --list know which port is 'sshdext'?
>>
>> 'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fai...@li...
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>> --
>>
>> *Doug Eckert*
>> Technical Architect - Systems Technology Services
>>
>> Dow Jones <http://www.dowjones.com/>
>>
>> P.O. Box 300 | Princeton NJ 08543-0300
>> (W) 609.520.4993 (C) 732.666.3681
>> *Email: **dou...@do...*
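The mismatch Doug ran into (fail2ban's chain guarding port 2112 while sshd actually listened on 22) is cheap to catch by comparing the two outputs quoted in this thread. The script below is an added example, not code from the thread or from fail2ban: it parses constructed `iptables -nvL --line-numbers` and `netstat -anp` text laid out like the captures above and lists the ports a daemon listens on that no f2b-* jump in INPUT covers.

```python
"""Cross-check fail2ban's iptables jump rules against the ports a daemon really listens on."""
import re

# Constructed `iptables -nvL --line-numbers` output in the layout the thread shows (not a real capture).
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target      prot opt in     out     source               destination
1        0     0 f2b-sshdext tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989

Chain f2b-sshdext (1 references)
num   pkts bytes target      prot opt in     out     source               destination
1        0     0 REJECT      all  --  *      *       192.0.2.45           0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 RETURN      all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed `netstat -anp` output in the layout the thread shows (not a real capture).
NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1677/sshd
tcp        0      0 0.0.0.0:2112            0.0.0.0:*               LISTEN      1677/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      900/vsftpd
tcp        0      0 192.0.2.45:55123        198.51.100.9:22         ESTABLISHED 2001/ssh
"""

# A numbered jump rule to an f2b-* chain, restricted to ports via "multiport dports" or "dpt:".
JUMP_RULE = re.compile(
    r"^\s*\d+\s+\S+\s+\S+\s+(?P<target>f2b-\S+)\s+(?P<proto>\S+)\s.*?"
    r"(?:multiport dports (?P<ports>[\d,]+)|dpt:(?P<port>\d+))\s*$"
)
# A listening TCP socket line with its owning process ("pid/program").
LISTEN_RULE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+\d+/(?P<prog>\S+)"
)


def f2b_protected_ports(iptables_output):
    """Return {chain: set(ports)} for every f2b-* jump found in the INPUT chain."""
    protected = {}
    in_input = False
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT ")
            continue
        if not in_input:
            continue
        m = JUMP_RULE.match(line)
        if not m:
            continue  # header line, or a jump with no port match (not handled here)
        if m.group("ports"):
            ports = {int(p) for p in m.group("ports").split(",")}
        else:
            ports = {int(m.group("port"))}
        protected.setdefault(m.group("target"), set()).update(ports)
    return protected


def listening_ports(netstat_output, program):
    """Return the TCP ports on which a process named `program` is listening."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RULE.match(line)
        if m and m.group("prog") == program:
            # Local address is "addr:port" (":::port" for IPv6); the port follows the last colon.
            ports.add(int(m.group("local").rsplit(":", 1)[1]))
    return ports


def uncovered_ports(iptables_output, netstat_output, program):
    """Listening ports of `program` that no f2b-* chain in INPUT guards."""
    covered = set()
    for ports in f2b_protected_ports(iptables_output).values():
        covered |= ports
    return listening_ports(netstat_output, program) - covered


if __name__ == "__main__":
    print("f2b chains:", f2b_protected_ports(IPTABLES_OUTPUT))
    for prog in ("sshd", "vsftpd"):
        gaps = sorted(uncovered_ports(IPTABLES_OUTPUT, NETSTAT_OUTPUT, prog))
        print(f"{prog} listens on ports not guarded by fail2ban: {gaps}")
```

On the sample data sshd comes back with port 22 unguarded, which is exactly the gap in the thread; on a live host, feed in the real command output instead of the constructed strings.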
From: Eckert, D. <dou...@do...> - 2017-09-11 14:51:34
My fault for trusting what I was told instead of looking myself. I was told the second ssh was listening on 2112, when in fact it was listening on 22. So, fail2ban was banning port 2112, but 22 traffic was uninhibited.

On Mon, Sep 11, 2017 at 10:28 AM, Eckert, Doug <dou...@do...> wrote:
> Here's the current date and iptables list
>
> # date
> Mon Sep 11 10:23:19 EDT 2017
> # iptables -nvL --line-numbers
> Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
> num   pkts bytes target      prot opt in  out source           destination
> 1        0     0 f2b-sshdext tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 2112
> 2    1891K  113M f2b-vsftpd  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 21,20,990,989
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target      prot opt in  out source           destination
>
> Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
> num   pkts bytes target      prot opt in  out source           destination
>
> Chain f2b-sshdext (1 references)
> num   pkts bytes target      prot opt in  out source           destination
> 1        0     0 REJECT      all  --  *   *   172.26.47.66     0.0.0.0/0   reject-with icmp-port-unreachable
> 2        0     0 REJECT      all  --  *   *   103.89.89.149    0.0.0.0/0   reject-with icmp-port-unreachable
> 3        0     0 REJECT      all  --  *   *   90.150.90.116    0.0.0.0/0   reject-with icmp-port-unreachable
> 4        0     0 REJECT      all  --  *   *   190.218.115.115  0.0.0.0/0   reject-with icmp-port-unreachable
> 5        0     0 REJECT      all  --  *   *   193.201.224.212  0.0.0.0/0   reject-with icmp-port-unreachable
> 6        0     0 REJECT      all  --  *   *   117.239.39.51    0.0.0.0/0   reject-with icmp-port-unreachable
> 7        0     0 RETURN      all  --  *   *   0.0.0.0/0        0.0.0.0/0
>
> Chain f2b-vsftpd (1 references)
> num   pkts bytes target      prot opt in  out source           destination
> 1    1891K  113M RETURN      all  --  *   *   0.0.0.0/0        0.0.0.0/0
>
> And a snapshot of /var/log/secure (active sessions from that IP still hitting the daemon)
>
> # tail -f secure | grep failure
> Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
> Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
>
> 'sshdext' is a second sshd running on 2112. Entry made in /etc/services for it, as well as a matching file in filter.d. The regex seems to be doing its job, as iptables entries are there.
>
> On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bshirley@openmri-scottsboro.com> wrote:
>> A host can have multiple addresses; multiple PTRs can point to a host. You should use 'iptables -nvL' and compare banned IP addresses instead of hostnames.
>>
>> Bill
>>
>> On 9/9/2017 6:56 AM, Doug Eckert wrote:
>> the name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
>>
>> The right source ip and dest port is added to iptables, but traffic is still getting through for some reason.
>>
>> On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <do...@ti...> wrote:
>>> On 8 September 2017 at 16:22, Eckert, Doug <dou...@do...> wrote:
>>>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
>>>>
>>>> Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but I still see connection attempts and authentication errors on the ssh daemon.
>>>>
>>>> Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
>>>>
>>>> Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>>>>
>>>> 'iptables' shows the IP should be DROPping
>>>>
>>>> # iptables --list
>>>> Chain INPUT (policy ACCEPT)
>>>> target      prot opt source    destination
>>>> f2b-sshdext tcp  --  anywhere  anywhere    multiport dports sshdext
>>>> f2b-vsftpd  tcp  --  anywhere  anywhere    multiport dports ftp,ftp-data,ftps,ftps-data
>>>>
>>> ...
>>>> The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.
>>>
>>> I am not an expert but I am puzzled by line:
>>>
>>> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>>>
>>> How does iptables --list know which port is 'sshdext'?
>>>
>>> 'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fai...@li...
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>> --
>> Doug Eckert
>> Technical Architect - Systems Technology Services
>> Dow Jones <http://www.dowjones.com/>
>> P.O. Box 300 | Princeton NJ 08543-0300
>> (W) 609.520.4993 (C) 732.666.3681
>> Email: dou...@do...
 |
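The root cause Doug found is a mismatch between the port fail2ban was told about (2112, via the /etc/services entry) and the port the second sshd actually bound (22). His own `iptables -nvL` output already showed the symptom: every REJECT rule in f2b-sshdext had matched 0 packets while the same rhost kept failing PAM auth. The following is an added example, not code from the thread or from the fail2ban project: a small Python check that parses the numeric iptables output Dominic asked for, `ss -ltnp`, and /var/log/secure, and reports both conditions. The iptables and log samples are constructed from what Doug posted; the `ss` sample is an assumption, since the thread never shows it and only says the daemon turned out to be on 22.

```python
"""Cross-check a fail2ban jail against the port its daemon really listens on,
and flag bans whose iptables rule has never matched a packet.

Added example, not code from the fail2ban project or anyone in this thread. The
iptables and /var/log/secure samples are constructed from what Doug posted; the
`ss -ltnp` sample is an assumption (the thread only says sshdext was on 22).
"""
import re

# Constructed from the thread (abridged): INPUT jumps to f2b-sshdext for dport
# 2112 only, and every ban in that chain has matched 0 packets.
IPTABLES_OUT = """\
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target      prot opt in  out source           destination
1        0     0 f2b-sshdext tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 21,20,990,989

Chain f2b-sshdext (1 references)
num   pkts bytes target      prot opt in  out source           destination
1        0     0 REJECT      all  --  *   *   172.26.47.66     0.0.0.0/0   reject-with icmp-port-unreachable
2        0     0 REJECT      all  --  *   *   193.201.224.212  0.0.0.0/0   reject-with icmp-port-unreachable
3        0     0 RETURN      all  --  *   *   0.0.0.0/0        0.0.0.0/0
"""

# Assumption: `ss -ltnp` showing the second sshd ("sshdext") bound to 22, not 2112.
SS_OUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*   users:(("sshdext",5570,3))
LISTEN 0      32     *:21               *:*   users:(("vsftpd",1300,4))
"""

# Constructed from the /var/log/secure lines Doug posted.
SECURE_LOG = """\
Sep 11 10:24:53 host sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07 host sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
"""

def parse_chains(text):
    """Map chain name -> list of rules from `iptables -nvL --line-numbers`."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or len(f) < 10 or not f[0].isdigit():
            continue  # blank line or the column header
        # columns: num pkts bytes target prot opt in out source destination [match ...]
        chains[current].append({"pkts": f[1], "target": f[3],
                                "source": f[8], "match": " ".join(f[10:])})
    return chains

def jail_dports(chains, jail_chain):
    """Destination ports on the INPUT rule that jumps into the jail's chain."""
    ports = set()
    for rule in chains.get("INPUT", []):
        if rule["target"] != jail_chain:
            continue
        m = re.search(r"dports? (\S+)", rule["match"])
        for p in m.group(1).split(",") if m else []:
            if not p.isdigit():  # a service name means iptables was run without -n
                raise ValueError("non-numeric port %r: re-run iptables with -n" % p)
            ports.add(int(p))
    return ports

def listening_ports(ss_text, process):
    """Ports on which `process` has a LISTEN socket, from `ss -ltnp`."""
    ports = set()
    for line in ss_text.splitlines():
        if line.startswith("LISTEN") and '"%s"' % process in line:
            local = line.split()[3]  # e.g. *:22, 10.0.0.5:2112 or [::]:22
            ports.add(int(local.rsplit(":", 1)[1]))
    return ports

def failing_hosts(log_text):
    """rhost values from pam_unix 'authentication failure' lines."""
    return set(re.findall(r"authentication failure;.*rhost=(\S+)", log_text))

def audit(iptables_text, ss_text, log_text, jail="sshdext"):
    """Return findings as strings; an empty list means the jail is effective."""
    chains = parse_chains(iptables_text)
    chain = "f2b-" + jail
    findings = []
    covered, actual = jail_dports(chains, chain), listening_ports(ss_text, jail)
    if actual - covered:
        findings.append("%s listens on %s but %s is only applied to dports %s"
                        % (jail, sorted(actual - covered), chain, sorted(covered)))
    still_failing = failing_hosts(log_text)
    for rule in chains.get(chain, []):
        if (rule["target"] in ("REJECT", "DROP") and rule["pkts"] == "0"
                and rule["source"] in still_failing):
            findings.append("ban on %s has matched 0 packets yet that host still fails "
                            "auth: the rule is not on the traffic path" % rule["source"])
    return findings

if __name__ == "__main__":
    for finding in audit(IPTABLES_OUT, SS_OUT, SECURE_LOG):
        print("FINDING:", finding)
```

On a live box, replace the three constants with the real command output; a non-empty findings list means either the jail's INPUT rule is on the wrong port or the ban rule is not on the packet path. The port check insists on numeric output and raises if it sees a service name, because a name in `/etc/services` only tells you what iptables resolved, not what the daemon bound.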
From: Eckert, D. <dou...@do...> - 2017-09-11 14:28:12
|
Here's the current date and iptables list

# date
Mon Sep 11 10:23:19 EDT 2017
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target      prot opt in  out source           destination
1        0     0 f2b-sshdext tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 21,20,990,989

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target      prot opt in  out source           destination

Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
num   pkts bytes target      prot opt in  out source           destination

Chain f2b-sshdext (1 references)
num   pkts bytes target      prot opt in  out source           destination
1        0     0 REJECT      all  --  *   *   172.26.47.66     0.0.0.0/0   reject-with icmp-port-unreachable
2        0     0 REJECT      all  --  *   *   103.89.89.149    0.0.0.0/0   reject-with icmp-port-unreachable
3        0     0 REJECT      all  --  *   *   90.150.90.116    0.0.0.0/0   reject-with icmp-port-unreachable
4        0     0 REJECT      all  --  *   *   190.218.115.115  0.0.0.0/0   reject-with icmp-port-unreachable
5        0     0 REJECT      all  --  *   *   193.201.224.212  0.0.0.0/0   reject-with icmp-port-unreachable
6        0     0 REJECT      all  --  *   *   117.239.39.51    0.0.0.0/0   reject-with icmp-port-unreachable
7        0     0 RETURN      all  --  *   *   0.0.0.0/0        0.0.0.0/0

Chain f2b-vsftpd (1 references)
num   pkts bytes target      prot opt in  out source           destination
1    1891K  113M RETURN      all  --  *   *   0.0.0.0/0        0.0.0.0/0

And a snapshot of /var/log/secure (active sessions from that IP still hitting the daemon)

# tail -f secure | grep failure
Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212

'sshdext' is a second sshd running on 2112. Entry made in /etc/services for it, as well as a matching file in filter.d. The regex seems to be doing its job, as iptables entries are there.

On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bsh...@op...> wrote:
> A host can have multiple addresses; multiple PTRs can point to a host. You should use 'iptables -nvL' and compare banned IP addresses instead of hostnames.
>
> Bill
>
> On 9/9/2017 6:56 AM, Doug Eckert wrote:
> the name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
>
> The right source ip and dest port is added to iptables, but traffic is still getting through for some reason.
>
> On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <do...@ti...> wrote:
>> On 8 September 2017 at 16:22, Eckert, Doug <dou...@do...> wrote:
>>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
>>>
>>> Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but I still see connection attempts and authentication errors on the ssh daemon.
>>>
>>> Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
>>>
>>> Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>>>
>>> 'iptables' shows the IP should be DROPping
>>>
>>> # iptables --list
>>> Chain INPUT (policy ACCEPT)
>>> target      prot opt source    destination
>>> f2b-sshdext tcp  --  anywhere  anywhere    multiport dports sshdext
>>> f2b-vsftpd  tcp  --  anywhere  anywhere    multiport dports ftp,ftp-data,ftps,ftps-data
>>>
>> ...
>>> The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.
>>
>> I am not an expert but I am puzzled by line:
>>
>> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>>
>> How does iptables --list know which port is 'sshdext'?
>>
>> 'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.
 |
From: Bill S. <bsh...@op...> - 2017-09-09 23:30:45
|
A host can have multiple addresses; multiple PTRs can point to a host. You should use 'iptables -nvL' and compare banned IP addresses instead of hostnames.

Bill

On 9/9/2017 6:56 AM, Doug Eckert wrote:
> the name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
>
> The right source ip and dest port is added to iptables, but traffic is still getting through for some reason.
>
> On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <do...@ti...> wrote:
>
> On 8 September 2017 at 16:22, Eckert, Doug <dou...@do...> wrote:
>
> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
>
> Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but I still see connection attempts and authentication errors on the ssh daemon.
>
> Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
>
> Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>
> 'iptables' shows the IP should be DROPping
>
> # iptables --list
> Chain INPUT (policy ACCEPT)
> target      prot opt source    destination
> f2b-sshdext tcp  --  anywhere  anywhere    multiport dports sshdext
> f2b-vsftpd  tcp  --  anywhere  anywhere    multiport dports ftp,ftp-data,ftps,ftps-data
>
> ...
>
> The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.
>
> I am not an expert but I am puzzled by line:
>
> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>
> How does iptables --list know which port is 'sshdext'?
>
> 'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.
 |
From: Doug E. <Dou...@do...> - 2017-09-09 10:57:18
|
the name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.

The right source ip and dest port is added to iptables, but traffic is still getting through for some reason.

On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <do...@ti...> wrote:
> On 8 September 2017 at 16:22, Eckert, Doug <dou...@do...> wrote:
>> CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
>>
>> Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but I still see connection attempts and authentication errors on the ssh daemon.
>>
>> Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs
>>
>> Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
>>
>> 'iptables' shows the IP should be DROPping
>>
>> # iptables --list
>> Chain INPUT (policy ACCEPT)
>> target      prot opt source    destination
>> f2b-sshdext tcp  --  anywhere  anywhere    multiport dports sshdext
>> f2b-vsftpd  tcp  --  anywhere  anywhere    multiport dports ftp,ftp-data,ftps,ftps-data
>>
> ...
>> The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.
>
> I am not an expert but I am puzzled by line:
>
> f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
>
> How does iptables --list know which port is 'sshdext'?
>
> 'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.
 |