From: Davide P. <per...@dp...> - 2013-10-08 12:19:45
It could be, but the problem is that fail2ban bans the roundcube users correctly but not the squirrelmail one. And this is strange.

Thanks for the answer.

Best Regards,
Davide

On 07/10/2013 23:42, Daniel Black wrote:
> On 07/10/13 19:44, Davide Perini wrote:
>> Hi,
>> I am using fail2ban with SSLH, a multiplexer that listens on port 443 for
>> SSH and HTTPS connections and redirects connections to the correct port.
>>
>> fail2ban works ok but I have this warning with the squirrelmail rules.
>> <28>fail2ban.filter : WARNING Unable to find a corresponding IP address
>> for ::1
>>
>> the strange thing is that the IP address in the log that fail2ban is
>> analyzing is written correctly, I find the real IP of the person who is
>> connecting and not ::1...
>>
>> Any idea?
>>
> Could it be the case that some connections are going to squirrelmail
> directly and others are going through SSLH?
>
> What lines does ::1 appear at in the log?
>
>> fail2ban works with all rules now but not with the squirrelmail one:
>> squirrelmail.conf
>> *Code:*
>> [Definition]
>>
>> failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
>> ignoreregex =
>>
>>
>> jail.conf
>> *Code:*
>> [squirrelmail-iptables]
>> enabled = true
>> filter = squirrelmail
>> action = iptables-multiport[name=squirrelmail, port="http,https,socks"]
>> action = iptables-multiport[name=squirrelmail, port="http,https,socks"]
>>          sendmail-whois[name=SquirrelMail, dest=myemail, sender=myemail]
>> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
>>
>>
>> the /var/lib/squirrelmail/prefs/squirrelmail_access_log
>> *Code:*
>> 10/06/2013 15:50:41 [LOGIN_ERROR] dadas (mydomain.org) from
>> 151.64.44.xx: Unknown user or password incorrect.
> Does this log line definitely end in a '.'?
>
> I'd like to make squirrelmail a default filter based off this.
>
>> the command:
>> fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log
>> /etc/fail2ban/filter.d/squirrelmail.conf
>> *Code:*
>> Running tests
>> =============
>>
>> Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
>> Use log file : /var/lib/squirrelmail/prefs/squirrelmail_access_log
>>
>> Matched time template Day/Month/Year Hour:Minute:Second
>> Got time using template Day/Month/Year Hour:Minute:Second
>> Matched time template Day/Month/Year Hour:Minute:Second
>> Got time using template Day/Month/Year Hour:Minute:Second
>> Matched time template Day/Month/Year Hour:Minute:Second
>> Got time using template Day/Month/Year Hour:Minute:Second
>> Matched time template Day/Month/Year Hour:Minute:Second
>> Got time using template Day/Month/Year Hour:Minute:Second
>> Matched time template Day/Month/Year Hour:Minute:Second
>> Got time using template Day/Month/Year Hour:Minute:Second
>>
>> Results
>> =======
>>
>> Failregex: 5 total
>> |- #) [# of hits] regular expression
>> | 1) [5] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Summary
>> =======
>>
>> Addresses found:
>> [1]
>> 151.64.44.xx (Mon Jun 10 15:49:43 2013)
>> 151.64.44.xx (Mon Jun 10 15:50:14 2013)
>> 151.64.44.xx (Mon Jun 10 15:50:26 2013)
>> 151.64.44.xx (Mon Jun 10 15:50:41 2013)
>> 151.64.44.xx (Mon Jun 10 16:05:23 2013)
>>
>> Date template hits:
>> 10 hit(s): Day/Month/Year Hour:Minute:Second
>>
>> Success, the total number of match is 5
>>
>> However, look at the above section 'Running tests' which could contain
>> important
>> information.
>>
>>
>> Any idea on why I get that warning and why it does not ban the squirrelmail
>> errors?
>
> Does it definitely not ban? What does the fail2ban log say?
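One way to answer the question of which log lines carry `::1`, as an added example that is not part of the original thread or of fail2ban: it applies the thread's failregex to a log and separates hits with a usable remote address from hits logged with a loopback address. `HOST_STANDIN`, `classify` and the sample log are assumptions made for illustration; fail2ban's own `<HOST>` expansion is different.

```python
import ipaddress
import re

# failregex from the thread; <HOST> is swapped for a simplified stand-in
# (assumption: fail2ban's own expansion differs between versions).
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
HOST_STANDIN = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_STANDIN))

# Constructed sample in the log format quoted in the thread (not real data).
SAMPLE_LOG = """\
10/06/2013 15:49:43 [LOGIN_ERROR] dadas (mydomain.org) from 203.0.113.7: Unknown user or password incorrect.
10/06/2013 15:50:14 [LOGIN_ERROR] dadas (mydomain.org) from ::1: Unknown user or password incorrect.
10/06/2013 15:50:26 [OTHER_EVENT] constructed line that must not match
10/06/2013 15:50:41 [LOGIN_ERROR] dadas (mydomain.org) from 127.0.0.1: Unknown user or password incorrect.
10/06/2013 16:05:23 [LOGIN_ERROR] dadas (mydomain.org) from ::ffff:127.0.0.1: Unknown user or password incorrect.
"""


def classify(log_text):
    """Split failregex hits into (remote, loopback) lists of (line_no, host)."""
    remote, loopback = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = PATTERN.search(line)
        if not match:
            continue
        host = match.group("host")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # captured text is not a valid IP literal
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        (loopback if addr.is_loopback else remote).append((line_no, host))
    return remote, loopback


if __name__ == "__main__":
    remote, loopback = classify(SAMPLE_LOG)
    print("hits with a remote address:", remote)
    print("hits with a loopback address:", loopback)
```

Passing the contents of the real access log to `classify()` gives the line numbers to compare against the times of the fail2ban warning.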