From: <rog...@pr...> - 2015-01-19 20:35:52
I'm setting up a fail2ban jail for my Zimbra mail server.

I have:

    cat /etc/fail2ban/jail.local
    ...
    [zimbra-recipient]
    enabled = true
    filter = zimbra
    action = iptables-ipset-proto6-allports[name=zimbra-recipient]
             sendmail[name=zimbra-recipient, des...@MY...]
    logpath = /var/log/zimbra.log
    loglevel = 2
    findtime = 604800
    bantime = 604800
    maxretry = 3
    ...

When I test it, it looks like it works OK:

    fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf

    Running tests
    =============

    Use failregex file : /etc/fail2ban/filter.d/zimbra.conf
    Use log file : /var/log/zimbra.log

    Results
    =======

    Failregex: 153 total
    |- #) [# of hits] regular expression
    | 8) [17] NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:.*$
    | 9) [17] NOQUEUE: reject: RCPT from .*\[<HOST>\]: 450 4.1.8 .*: Sender address rejected: Domain not found;.*$
    | 12) [119] NOQUEUE: reject: RCPT from .*\[<HOST>\]: .*TLD not accepted.*$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [21334] MONTH Day Hour:Minute:Second
    `-

    Lines: 21334 lines, 0 ignored, 153 matched, 21181 missed
    Missed line(s):: too many to print. Use --print-all-missed to print all 21181 lines

And I get the results added in the ipset:

    ipset -L fail2ban-zimbra-recipient
    Name: fail2ban-zimbra-recipient
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 17944
    References: 1
    Members:
    104.140.56.134 timeout 371
    104.140.56.136 timeout 372
    104.140.56.132 timeout 371
    104.140.56.119 timeout 374
    104.140.56.142 timeout 375
    107.158.235.5 timeout 373
    104.194.243.124 timeout 372
    107.158.247.150 timeout 372
    104.140.56.117 timeout 374
    107.158.235.6 timeout 374
    104.140.56.115 timeout 374
    95.211.141.219 timeout 374
    104.194.243.123 timeout 373
    104.140.56.130 timeout 371
    107.158.235.4 timeout 373
    88.198.107.34 timeout 375
    107.158.247.148 timeout 376
    104.194.243.126 timeout 373

But if I just restart fail2ban, it wipes all those out, and doesn't rescan them:

    service fail2ban restart
     * Restarting authentication failure monitor fail2ban
    WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
       ...done.

    ipset -L fail2ban-zimbra-recipient
    Name: fail2ban-zimbra-recipient
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 16504
    References: 1
    Members:

If I redo the

    fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf

the addresses all get re-added to the ipset -- until the next fail2ban restart.

I thought on restart fail2ban was supposed to rescan the logs it uses, and re-add results.

Did I misconfigure something? I'm not really sure what to look for the problem even -- I thought I followed the docs.

I'd appreciate a suggestion!

Roger
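
Added example, not part of the original message: a small shell check that can be run before and after a restart to record what the set actually holds, comparing the timeout in the `ipset -L` header with the jail's bantime. The jail.local and ipset text are constructed samples that reuse the settings shown in the post with documentation-range addresses, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarise an ipset and compare it with the jail settings.

# Constructed sample of jail.local (the [DEFAULT] section is an assumption).
SAMPLE_JAIL='[DEFAULT]
bantime = 3600
[zimbra-recipient]
enabled = true
findtime = 604800
bantime = 604800
maxretry = 3'

# Constructed sample of `ipset -L` output; addresses are from 192.0.2.0/24.
SAMPLE_IPSET='Name: fail2ban-zimbra-recipient
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Members:
192.0.2.10 timeout 371
192.0.2.11 timeout 372'

# Print the bantime set inside one jail section; jail.local text on stdin.
jail_bantime() {
    awk -v jail="[$1]" -F'[ \t]*=[ \t]*' '
        /^\[/ { cur = $1 }                      # track the current section
        cur == jail && $1 == "bantime" { print $2 }
    '
}

# Print "<header timeout> <member count>"; `ipset -L` text on stdin.
ipset_summary() {
    awk '
        /^Header:/ { for (i = 2; i < NF; i++) if ($i == "timeout") t = $(i + 1) }
        in_members && NF { n++ }                # count lines after "Members:"
        /^Members:/ { in_members = 1 }
        END { printf "%s %d\n", (t == "" ? "none" : t), n }
    '
}

# $1 = jail name, $2 = jail.local text, $3 = `ipset -L` text
report() {
    bt=$(printf '%s\n' "$2" | jail_bantime "$1")
    summary=$(printf '%s\n' "$3" | ipset_summary)
    to=${summary% *}; n=${summary#* }
    if [ "$bt" = "$to" ]; then verdict=match; else verdict=mismatch; fi
    echo "jail=$1 bantime=$bt ipset_timeout=$to members=$n $verdict"
}

report zimbra-recipient "$SAMPLE_JAIL" "$SAMPLE_IPSET"
```

On a live host the same call would be `report zimbra-recipient "$(cat /etc/fail2ban/jail.local)" "$(ipset -L fail2ban-zimbra-recipient)"`.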