From: Tony C. <to...@ev...> - 2017-09-03 09:31:08
Can you grep/zgrep to get the fail2ban logs that show when fail2ban has actually "found" the specific log entries for the IP that's being banned? Depending on what version you're using, the log file will show the timestamp from the actual log file, so you can troubleshoot exactly what failures it's finding. So, I'm not after the dovecot log but the fail2ban log saying "found [ip address]".

For example, my fail2ban.log shows this for my "crawlers" jail:

2017-09-01 08:45:52,144 fail2ban.filter [2469]: INFO [crawlers] Found XX.XX.XX.XX - 2017-08-31 08:55:10

Because it shows the actual time of the item in the original log file, this will help to clarify exactly what is causing f2b to ban these addresses - whether it's getting duplicate info from somewhere, for example. If you can grep for that IP address in fail2ban.log you'll get a clear picture of exactly what it's "found" to make it ban the address.

Often, when this has happened to me it's related to rotating of log files - if a log file is rotated and renamed, fail2ban might "find" the failure as a new failure. So if you've got it in dovecot.log and then dovecot.log gets rotated to dovecot.log.1, fail2ban can find it as a new failure cos dovecot.log.1 is a "new" file, so fail2ban says "oh look, all these new failures in this log file". But you've only got "dovecot.log" as your logpath in your jail conf, so unless you've got some other program that's doing something with the log file, I guess that can't be the problem. It's worth mentioning in case it sparks an idea.

Tony Collins

On 27 August 2017 at 15:08, chaouche yacine via Fail2ban-users <fai...@li...> wrote:
> Dear list,
>
> THE SETUP
> ---------
> I decided to have two jails to monitor my dovecot log: one for the small
> time frame [dovecot] and one for the large time frame [dovecot-long].
>
> [dovecot]
> enabled = true
> port = all
> filter = dovecot
> logpath = /var/log/dovecot.log
>
> [dovecot-long]
> findtime = 86400
> maxretries = 10
> # 5 days
> bantime = 432000
> enabled = true
> port = all
> filter = dovecot
> logpath = /var/log/dovecot.log
>
> THE EXPECTED RESULTS
> --------------------
> The dovecot-long jail should ban after 10 fails in 1 day.
>
> THE ACTUAL RESULTS
> ------------------
> The dovecot-long jail is banning an IP that hasn't got 10 fails in 1 day. For example:
>
> root@messagerie[10.10.10.19] ~ # zgrep imap-login.*221.228.229.49 /var/log/dovecot.log*
> /var/log/dovecot.log.2.gz:Aug 25 12:40:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.c...@do...d>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<tWMlaZJX9ADd5OUx>
> /var/log/dovecot.log.2.gz:Aug 25 23:15:36 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<adm...@do...d>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<PKyLSJtXXgDd5OUx>
> /var/log/dovecot.log.2.gz:Aug 26 01:49:50 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<co...@do...d>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected, session=<nGftb51X/ADd5OUx>
> /var/log/dovecot.log.4.gz:Jul 30 11:00:38 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<sde>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected, session=<Kv0q/IVVaQDd5OUx>
> /var/log/dovecot.log.4.gz:Aug 05 17:48:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<ch...@do...d>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<lVyQYQRWGgDd5OUx>
> /var/log/dovecot.log.4.gz:Aug 14 00:49:21 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<radioculture>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<J3mfMatWdADd5OUx>
> root@messagerie[10.10.10.19] ~ #
>
> This is 6 fails in nearly 2 months, yet the IP was banned by the dovecot-long jail:
>
> root@messagerie[10.10.10.19] ~ # zgrep 221.228.229.49 /var/log/fail2ban.log.*
> /var/log/fail2ban.log.1:2017-08-26 01:49:50,396 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 221.228.229.49
> root@messagerie[10.10.10.19] ~ #
>
> Does anyone know how I can troubleshoot this?
>
> -- Yassine.
>
> Complete jail.local
> -------------------
>
> root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/jail.local
> [DEFAULT]
> action = shorewall
> ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
>
> # ychaouche
> # the default is 10 minutes,
> # I set it to 1 day.
> bantime = 86400
>
> [postfix-sasl]
> enabled = true
> port = all
> filter = postfix-sasl
> #action = shorewall
> logpath = /var/log/mail.warn
> maxretry = 3
> findtime = 600
>
> [postfix]
> enabled = true
> port = all
> filter = postfix
> logpath = /var/log/mail.log
>
> [dovecot]
> enabled = true
> port = all
> filter = dovecot
> logpath = /var/log/dovecot.log
>
> [dovecot-long]
> findtime = 86400
> maxretries = 10
> # 5 days
> bantime = 432000
> enabled = true
> port = all
> filter = dovecot
> logpath = /var/log/dovecot.log
>
> [ssh]
> port = all
> root@messagerie[10.10.10.19] ~ #
>
> My defaults from jail.conf
> --------------------------
>
> [DEFAULT]
> ignoreip = 127.0.0.1/8
> ignorecommand =
> bantime = 600
> findtime = 600
> maxretry = 3
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: chaouche y. <yac...@ya...> - 2017-09-03 10:07:51
Thanks Tony for your answer and sorry for the late reply.

My original message contained a zgrep command on fail2ban logs with only one entry. Now it has two entries (the ban and the unban):

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 221.228.229.49 /var/log/fail2ban.log*
/var/log/fail2ban.log:2017-08-31 01:49:50,512 fail2ban.actions[10631]: WARNING [dovecot-long] Unban 221.228.229.49
/var/log/fail2ban.log.1:2017-08-26 01:49:50,396 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 221.228.229.49
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

So dovecot-long is the jail that was activated.

> Often, when this has happened to me it's related to rotating of log files

Indeed, I remember I didn't have a logrotate rule for dovecot.log. It got to 200Mb+. I then created a rule for it and rotated it while fail2ban was running (I guess), which could have caused this behaviour. It didn't happen again, so I think this is what could have caused it.

> But you've only got "dovecot.log" as your logpath in your jail conf,

Yes, it gets copied to dovecot.log.1 and the original is truncated. Maybe this is why fail2ban acts strangely.

Yassine.
From: Tony C. <to...@ev...> - 2017-09-04 08:34:08
Hi - ah, I think Fail2Ban isn't logging enough information. You need a bit more information to help work this out. Right now, f2b is logging "actions", but we also need it to log a bit more - so we can sort through the issue of which specific log entries it is "finding".

You can check by running fail2ban-client get loglevel - I suspect it will come back as "Current logging level is 'WARN'".

This is the sort of log file we need:

2017-09-04 07:50:33,473 fail2ban.filter [2469]: INFO [sshd] Found 1.2.3.4 - 2017-09-04 07:50:35
2017-09-04 07:50:49,312 fail2ban.filter [2469]: INFO [sshd] Found 1.2.3.4 - 2017-09-04 07:50:52
2017-09-04 07:50:54,180 fail2ban.filter [2469]: INFO [sshd] Found 1.2.3.4 - 2017-09-04 07:50:57
2017-09-04 07:51:35,674 fail2ban.filter [2469]: INFO [sshd] Found 1.2.3.4 - 2017-09-04 07:51:38
2017-09-04 07:51:39,536 fail2ban.filter [2469]: INFO [sshd] Found 1.2.3.4 - 2017-09-04 07:51:41
2017-09-04 07:51:40,023 fail2ban.actions [2469]: NOTICE [sshd] Ban 1.2.3.4

That is from my fail2ban.log - it is showing me the exact time and date of each log entry that it's found. On the right, the date and time is the actual date and time of the log entries in /var/log/secure. This is useful because it shows us exactly what f2b is seeing - it shows us what is leading up to the bans you're talking about. For your dovecot-long jail, you would expect to see at least 10 'found' entries in fail2ban.log for the IP that gets banned.

Remember, we are not talking about the actual dovecot log file, we are talking about what fail2ban thinks it is seeing in the log file. We need to know what is making fail2ban make the decision to ban the IP address.

What I think will help is for you to run this command:

fail2ban-client set loglevel info

This will make f2b log the sort of detail I showed above. It won't help right now, but what you can do is wait till you see an IP address being banned when it shouldn't be. Then, grep for that IP address and you should see more helpful information. Once you have that information, send it to the group and we will hopefully be able to help you more.

It looks like your configuration is good - you obviously know what you're doing, so I do think it is related to how the log files are monitored/backed up/rotated/saved. Once you've increased the logging level, hopefully we will have a much clearer picture of what's happening.

I'm not sure if I'm sending this to the right address - I got two copies of your reply, so I hope I'm sending it to the right list!

Tony Collins

On 3 September 2017 at 11:07, chaouche yacine <yac...@ya...> wrote:
> [...]
From: chaouche y. <yac...@ya...> - 2017-09-04 09:13:52
On Monday, September 4, 2017 9:34 AM, Tony Collins <to...@ev...> wrote:
> Hi - ah, I think Fail2Ban isn't logging enough information [...]
> You can check by running fail2ban-client get loglevel [...]

root@messagerie[10.10.10.19] ~ # fail2ban-client get loglevel
Current logging level is INFO
root@messagerie[10.10.10.19] ~ # zgrep -i found /var/log/fail2ban.log*
root@messagerie[10.10.10.19] ~ #

Let's see if the setting is overridden somewhere?

root@messagerie[10.10.10.19] ~ # grep loglevel -r /etc/fail2ban/
/etc/fail2ban/fail2ban.conf:# loglevel = 4
/etc/fail2ban/fail2ban.conf:# Option: loglevel
/etc/fail2ban/fail2ban.conf:# loglevel = 3 changé à 4
/etc/fail2ban/fail2ban.conf:# loglevel remis à 4.
/etc/fail2ban/fail2ban.conf:loglevel = 3
/etc/fail2ban/filter.d/freeswitch.conf:# -- this requires a high enough loglevel on your logs to save these messages.
/etc/fail2ban/jail.conf:# Make sure that your loglevel specified in fail2ban.conf/.local
/etc/fail2ban/fail2ban.conf~:# loglevel = 4
/etc/fail2ban/fail2ban.conf~:# Option: loglevel
/etc/fail2ban/fail2ban.conf~:# loglevel = 3 changé à 4
/etc/fail2ban/fail2ban.conf~:loglevel = 4
/etc/fail2ban/jail.conf~:# Make sure that your loglevel specified in fail2ban.conf/.local
root@messagerie[10.10.10.19] ~ #

There's only one entry that isn't commented, and that's loglevel = 3. Besides, changing the loglevel in jail.local seems to get ignored.

Maybe the version of f2b I'm using is too old?

root@messagerie[10.10.10.19] ~ # fail2ban-client --version
Fail2Ban v0.8.13
[...]
root@messagerie[10.10.10.19] ~ #

In any case, I decided to increment the loglevel to 4 and see if that helps, but I don't think this was a good idea:

2017-09-04 10:06:54,887 fail2ban.filter.datedetector[10631]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,887 fail2ban.filter.datedetector[10631]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,888 fail2ban.filter.datedetector[10631]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,888 fail2ban.filter.datedetector[10631]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,889 fail2ban.filter.datedetector[10631]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,889 fail2ban.filter.datedetector[10631]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,889 fail2ban.filter.datedetector[10631]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,890 fail2ban.filter.datedetector[10631]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,890 fail2ban.filter.datedetector[10631]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,890 fail2ban.filter.datedetector[10631]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2017-09-04 10:06:54,891 fail2ban.filter.datedetector[10631]: DEBUG Matched time template MONTH Day Hour:Minute:Second

Look at the timestamps :) I would need 10 billion terabytes of disk space to log every millisecond of activity.

> I'm not sure if I'm sending this to the right address - I got two copies of your reply [...]

I made a reply to all, which sent a mail to your personal address plus a copy to the mailing list.

Yassine.
From: Tony C. <to...@ev...> - 2017-09-04 12:00:27
Oh yeah, definitely reduce the log level back down haha :-) It can be useful sometimes, but yeah, it logs a massive amount. Newer versions of f2b have slightly better options - debug and heavydebug, I think.

This is a bit puzzling. I'm fairly sure 0.8 used to log "found" lines properly. But that might just be my memory being bad as usual. I actually manually installed 0.10 cos it's quite a bit better, but I'm sure I remember 0.8 doing this.

Hmm, can I ask you to grep for "INFO" in fail2ban.log, so we can see if it's actually logging f2b's info messages? If there are no "INFO" messages logged, it might be worth looking at your syslog config files, in case there's a fail2ban.info config line sending info stuff to another log file.

As an aside, fail2ban logging is buggy even in 0.10. Sometimes it completely stops logging but it tells you it's logging just fine - so I have a cron job that sets logging to syslog then back to file, cos that's the ONLY way to restart logging when it stops.

I'm hoping someone can step in and tell both of us whether 0.8 does or doesn't log this detail. I might be completely wrong about f2b somehow finding "duplicate" entries that aren't duplicates, I just know that's what happened to me before. So all this work is about finding out what f2b is "seeing". It might well be that your issue is a true bug in f2b 0.8.

I hate to advise people to do this, but are you the sort of person who enjoys playing around with Linux? F2b 0.10 is much better and more stable, with slightly better options (and the DB purging works better - no one ever spotted it, but in version 0.8 the DB was never ever purged, because there wasn't actually any code written to do it!) - but depending upon what repos you use to install packages, you might have to manually install it. You clearly know exactly what you're doing, which is the reason I'm mentioning this - it's worth upgrading cos it might simply solve this problem and run better. But because it doesn't seem to be included in any packages, you won't be able to update it automatically. It can cause problems, because you'll have to remove every file, cleanly run the install, then put your config files back and debug them.

As well as running a grep for "INFO", you could check the actual live config to see if it did what you expected it to do. I should've mentioned this first - sometimes, odd things happen when it reads the config file but because it's still ok, f2b doesn't tell you:

fail2ban-client -d | grep dovecot-long

This will give you the full failregex, ignoreregex, logpath etc, but it will also give you the full text of your action emails, so you might get a lot of info.

Sorry for making you go through all this. It might be a complete waste of time, but I won't be embarrassed if someone comes along and tells you that all you needed to do was change one "." in a file somewhere :-)

So, we've got:

1) grep for "INFO" in fail2ban.log (and zgrep for the older ones just to see if things have changed),
2) grep the live config for 'dovecot-long' and
3) if there are no "INFO" lines in fail2ban.log, check syslog/rsyslog conf files just in case there's a line there directing fail2ban.filter/fail2ban.info to /var/log/messages or somewhere else.
4) Actually you could always grep --exclude-from=/var/log/fail2ban.log fail2ban.filter /var/log/* and see if there's any sign of the INFO/fail2ban.filter stuff.

Tony Collins

On 4 September 2017 at 10:13, chaouche yacine via Fail2ban-users <fai...@li...> wrote:
> [...]
From: chaouche y. <yac...@ya...> - 2017-09-04 14:30:38
On Monday, September 4, 2017 1:00 PM, Tony Collins <to...@ev...> wrote:
> you could check the actual live config to see if it did what you expected [...]
> fail2ban-client -d | grep dovecot-long

Bingo! I put maxretries instead of maxretry and f2b was completely silent about it. I am not sure why f2b developers chose to be silent about unknown configuration options?

root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep dovecot-long
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'dovecot-long', 'auto']
['set', 'dovecot-long', 'usedns', 'warn']
['set', 'dovecot-long', 'addlogpath', '/var/log/dovecot.log']
['set', 'dovecot-long', 'maxretry', 3]
[...]

After changing it I have the correct value:

root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep dovecot-long
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'dovecot-long', 'auto']
['set', 'dovecot-long', 'usedns', 'warn']
['set', 'dovecot-long', 'addlogpath', '/var/log/dovecot.log']
['set', 'dovecot-long', 'maxretry', 10]
[...]

> Sorry for making you go through all this. It might be a complete waste of time, but I won't be embarrassed if someone comes along and tells you that all you needed to do was change one "." in a file somewhere :-)

Ba-dum Tisssssss :)

> Hmm, can I ask you to grep for "INFO" in fail2ban.log, so we can see if it's actually logging f2b's info messages?

Yes, it does log INFO messages:

root@messagerie[10.10.10.19] ~ # grep INFO /var/log/fail2ban.log
2017-09-04 09:53:24,230 fail2ban.server [10631]: INFO Stopping all jails
2017-09-04 09:53:25,047 fail2ban.jail [10631]: INFO Jail 'postfix' stopped
2017-09-04 09:53:26,027 fail2ban.jail [10631]: INFO Jail 'postfix-sasl' stopped
2017-09-04 09:53:26,756 fail2ban.jail [10631]: INFO Jail 'dovecot-long' stopped
2017-09-04 09:53:27,625 fail2ban.jail [10631]: INFO Jail 'ssh' stopped
2017-09-04 09:53:28,427 fail2ban.jail [10631]: INFO Jail 'dovecot' stopped

> it's worth upgrading cos it might simply solve this problem and run better [...]

I'm also considering giving Wazuh or OSSEC a try. I heard it's faster, consumes fewer resources and is networked.

Thanks a lot for your patience and awesome support!

Yassine.
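The root cause above - a misspelled option (maxretries) silently ignored, so the jail fell back to the maxretry = 3 inherited from jail.conf's [DEFAULT] - is the kind of thing a small pre-reload lint catches before fail2ban-client -d has to. The following is an added example, not code from this thread or from the fail2ban project: it reads jail-style INI text with Python's configparser (which, like fail2ban, lets [DEFAULT] values flow into every jail), reports any option name not in a known list, and shows the effective maxretry/findtime/bantime a jail ends up with after jail.conf and jail.local are layered. The list of known option names is a partial one assumed for this example; the real set depends on the fail2ban version. The sample jail.conf defaults and jail.local sections are taken from the ones quoted earlier in the thread, with Yassine's French comments left out.

```python
import configparser

# Partial list of jail options fail2ban accepts (assumption for this example;
# the real set depends on the fail2ban version and the actions installed).
KNOWN_JAIL_OPTIONS = {
    'enabled', 'filter', 'action', 'banaction', 'logpath', 'backend',
    'maxretry', 'findtime', 'bantime', 'ignoreip', 'ignorecommand',
    'port', 'protocol', 'usedns', 'chain', 'destemail', 'sender', 'mta',
    'logencoding', 'failregex', 'ignoreregex',
}


def _parser(*texts):
    """Layer several INI texts the way jail.conf then jail.local are read:
    later texts override earlier ones, and [DEFAULT] feeds every jail."""
    cfg = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cfg.read_string(text)
    return cfg


def lint_jail_config(text):
    """Return {section: [unknown option names]} for options fail2ban would
    silently ignore. Sections with nothing to report are omitted."""
    cfg = _parser(text)
    default_keys = set(cfg.defaults())
    report = {}
    bad = sorted(default_keys - KNOWN_JAIL_OPTIONS)
    if bad:
        report['DEFAULT'] = bad
    for sec in cfg.sections():
        own = set(cfg.options(sec)) - default_keys   # options set in this jail itself
        bad = sorted(own - KNOWN_JAIL_OPTIONS)
        if bad:
            report[sec] = bad
    return report


def effective_limits(conf_text, local_text, jail):
    """(maxretry, findtime, bantime) the jail actually runs with after
    jail.conf defaults are overridden by jail.local."""
    sec = _parser(conf_text, local_text)[jail]
    return sec.getint('maxretry'), sec.getint('findtime'), sec.getint('bantime')


# Constructed from the thread: the stock jail.conf defaults Yassine listed...
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 600
findtime = 600
maxretry = 3
"""

# ...and the relevant part of his jail.local, typo included.
JAIL_LOCAL_BROKEN = """\
[DEFAULT]
action = shorewall
ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
bantime = 86400

[dovecot]
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log

[dovecot-long]
findtime = 86400
maxretries = 10
# 5 days
bantime = 432000
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
"""

JAIL_LOCAL_FIXED = JAIL_LOCAL_BROKEN.replace('maxretries = 10', 'maxretry = 10')

if __name__ == '__main__':
    print('unknown options:', lint_jail_config(JAIL_LOCAL_BROKEN))
    for label, text in (('broken', JAIL_LOCAL_BROKEN), ('fixed', JAIL_LOCAL_FIXED)):
        print(label, 'dovecot-long (maxretry, findtime, bantime) =',
              effective_limits(JAIL_CONF, text, 'dovecot-long'))
```

Running it reports maxretries as unknown in [dovecot-long] and shows the broken file yielding maxretry 3 with a one-day findtime, which is exactly the combination that banned an address after three failures in the thread; with the option name corrected the same jail resolves to 10.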
From: Tony C. <to...@ev...> - 2017-09-04 21:19:01
Oh, that is so excellent. I'm actually really thrilled that we were able to work this out, even though we did it backwards. Thanks for being so willing to talk through all the various troubleshooting stuff with me - sometimes it's the fact that we go through "wrong" troubleshooting steps that leads to finding out the right thing to do.

I'm gonna look into the other bits of software you mentioned. F2b is pretty heavy on my system.

All the best :-)

-tony

Tony Collins

On 4 September 2017 at 15:30, chaouche yacine via Fail2ban-users <fai...@li...> wrote:
> [...]