Package: fail2ban
Version: 0.8.6-3wheezy2
Severity: normal

Hello,

I've configured a "sasl" jail to catch annoying people who abuse SMTP auth. It
uses the sasl filter provided with the package.

However, it doesn't seem to be matching anything. I tested the regexp from the
jail on the configured log file (syslog) and it says that it's matching 3k+
entries, so it should be working fine.

I tried lowering maxretry to make it catch IPs faster, but it didn't help.

Also, weirdly, at some point I made a manual change to jail.local (bumped
maxretry down from 7 to 5 for the sasl jail), then restarted the service, and I
saw it match hosts and ban them. But if I try this experiment again, I don't
get any results anymore.

So I'm at a loss, I don't really know how to debug what's happening.


Here are the config files that don't contain the same thing as what the package
installs. (replaced last 2 parts of ignored IPs)

/etc/fail2ban/jail.conf:

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <deb...@onerussian.com>
#
# $Revision$
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 199.58.xx.yy 199.58.xx.yy 216.46.xx.yy
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s



/etc/fail2ban/jail.local:

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[dovecot]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
maxretry = 7
findtime = 120
ignoreip = 127.0.0.1 199.58.xx.yy 216.46.xx.yy 199.58.xx.yy

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 7
ignoreip = 127.0.0.1 199.58.xx.yy 216.46.xx.yy 199.58.xx.yy

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/syslog
maxretry = 5
ignoreip = 127.0.0.1 199.58.xx.yy 216.46.xx.yy 199.58.xx.yy

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
ignoreip = 127.0.0.1 199.58.xx.yy 216.46.xx.yy 199.58.xx.yy

-- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (500, 'stable'), (500, 'oldstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base        4.1+Debian8+deb7u1
ii  python          2.7.3-4+deb7u1
ii  python-central  0.6.17

Versions of packages fail2ban recommends:
ii  iptables      1.4.14-3.1
pn  python-gamin  <none>
ii  whois         5.1.1~deb7u1

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20111106cvs-1
ii  mailx              1:20071201-3

-- Configuration Files:
/etc/fail2ban/jail.conf changed [not included]

-- no debconf information


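The report above compares two different things: fail2ban-regex counts every line the failregex has ever matched, while the jail only bans a host that accumulates maxretry matches inside one findtime window (fail2ban 0.8 defaults findtime to 600 seconds). The following Python model, added here as an illustration and not part of the bug report or of the fail2ban package, shows how 15 matching lines can produce one ban at maxretry=5 and none at maxretry=7. The failregex is a from-memory approximation of the 0.8 sasl filter with the <HOST> placeholder expanded by hand, the syslog lines are constructed sample data, and the year 2014 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: a from-memory approximation of the sasl filter shipped with
# fail2ban 0.8, with the <HOST> placeholder expanded the way 0.8 does it
# (optional IPv4-mapped prefix, then a named "host" group).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(
    r"(?i): warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [A-Za-z0-9+/]*={0,2})?\s*$"
)


def _line(ts, host):
    """Build a constructed postfix/smtpd syslog line (sample data, not a real log)."""
    return (f"{ts} mail postfix/smtpd[4321]: warning: unknown[{host}]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")


# Constructed sample log, in chronological order: one host fails once an hour
# (10 matches, never 5 inside 600 s), another fails 5 times in 28 s, and the
# last line is unrelated noise that the failregex must ignore.
SAMPLE_LOG = (
    [_line(f"Jun 10 {h:02d}:00:00", "198.51.100.7") for h in range(1, 11)]
    + [_line(f"Jun 10 12:00:{s:02d}", "192.0.2.10") for s in (1, 8, 15, 22, 29)]
    + ["Jun 10 12:00:30 mail postfix/smtpd[4321]: connect from unknown[203.0.113.5]"]
)


def parse_ts(line, year=2014):
    """Syslog timestamps have no year; assume one so they can be compared."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year).timestamp()


def count_matches(lines):
    """What fail2ban-regex reports: every line the failregex matches, regardless of age."""
    return sum(1 for line in lines if FAILREGEX.search(line))


def simulate_bans(lines, maxretry, findtime):
    """Model the jail: a host is banned once it has >= maxretry matching lines
    whose timestamps fall within a sliding window of findtime seconds."""
    recent = defaultdict(deque)   # host -> timestamps of its recent failures
    banned = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("failregex matches:", count_matches(SAMPLE_LOG))
    for retries in (5, 7):
        print(f"maxretry={retries} findtime=600 bans:",
              simulate_bans(SAMPLE_LOG, retries, 600))
```

Run against a real syslog, the same split is worth checking before changing the filter: if the matched lines are spread thinly per client, or are older than findtime relative to the current clock at the time fail2ban scans them, a high match count from fail2ban-regex is consistent with a jail that never bans anyone.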