Package: fail2ban
Version: 0.11.2-2
Severity: important

Hacker tries to guess user passwords on SMTP -- Exim4. Then fail2ban stops blocking him, because it thinks there are "Too many errors". This is not the case -- there are errors because hackers are attacking. I restart fail2ban manually and then it runs OK for some time.

[396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 22:00:48
[396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 22:51:58
[396837]: WARNING Too many errors. Remove file '/var/log/exim4/mainlog' from monitoring process

2022-10-23 20:14:34,936 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:14:34
2022-10-23 20:14:34,936 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:14:34
2022-10-23 20:19:51,920 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:19:51
2022-10-23 20:19:51,921 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:19:51
2022-10-23 20:19:52,522 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:19:52
2022-10-23 20:19:52,523 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:19:52
2022-10-23 20:19:52,630 fail2ban.actions [396837]: NOTICE [exim] Ban 12.34.56.78
2022-10-23 22:00:49,402 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 22:00:48
2022-10-23 22:51:59,154 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 22:51:58
2022-10-24 00:04:37,706 fail2ban.filterpoll [396837]: WARNING Too many errors. Remove file '/var/log/exim4/mainlog' from monitoring process
2022-10-24 00:05:40,167 fail2ban.filterpoll [396837]: WARNING Too many errors. Remove file '/var/log/exim4/rejectlog' from monitoring process
2022-10-24 00:07:27,472 fail2ban.filterpoll [396837]: WARNING Too many errors. Remove file '/var/log/exim4/rejectlog' from monitoring process
2022-10-24 00:18:02,171 fail2ban.filter [396837]: INFO Removed logfile: '/var/log/exim4/rejectlog'
2022-10-24 00:18:02,171 fail2ban.filter [396837]: INFO Removed logfile: '/var/log/exim4/mainlog'
2022-10-24 00:18:02,214 fail2ban.actions [396837]: NOTICE [exim] Flush ticket(s) with iptables-multiport
2022-10-24 00:18:02,302 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78
2022-10-24 00:18:02,302 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78
2022-10-24 00:18:02,302 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78
2022-10-24 00:18:02,303 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78
2022-10-24 00:18:02,303 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78
2022-10-24 00:18:02,304 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78

# cat /etc/fail2ban/jail.local | grep -v '^#' | head -n10
[DEFAULT]
findtime = 3days
maxretry = 7
bantime = 36hours

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/8 CPU threads)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fail2ban depends on:
ii  lsb-base  11.1.0
ii  python3   3.9.2-3

Versions of packages fail2ban recommends:
ii  iptables          1.8.7-1
pn  python3-pyinotify  <none>
pn  python3-systemd    <none>
pn  whois              <none>

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-2
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1
pn  sqlite3                      <none>

-- Configuration Files:
/etc/logrotate.d/fail2ban changed [not included]

-- no debconf information
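The log above shows the sequence a practitioner would want to alert on: "Too many errors" warnings from fail2ban.filterpoll, both Exim log files removed from monitoring, an immediate "Flush ticket(s)" and the attacker's address unbanned about four hours into a 36-hour ban. The following is an added audit script written for this page; it is not fail2ban's code and was not part of the report. It parses fail2ban.log lines in the default format seen above (assumed to be `date time,ms fail2ban.module [pid]: LEVEL message`), lists dropped log files with their preceding warning counts, finds unbans that happened before the configured bantime elapsed, and correlates the two. The duration parser is a simplified stand-in for fail2ban's own and only understands the unit spellings it lists. The sample lines are an excerpt of the reporter's log, not constructed data.

```python
"""Audit fail2ban.log for jails that silently dropped their log files.

Added example for the report above; not fail2ban's own code. Reports:
  * files fail2ban stopped watching after "Too many errors" warnings,
  * bans lifted before the configured bantime had elapsed, and
  * which of those early unbans coincide with a dropped log file
    (the "Flush ticket(s)" sequence visible in the report).
"""
import re
from datetime import datetime, timedelta

# Assumed default fail2ban.log line shape, e.g.
# 2022-10-24 00:18:02,171 fail2ban.filter [396837]: INFO Removed logfile: '...'
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"fail2ban\.(?P<module>\w+)\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
DROP_WARN_RE = re.compile(
    r"Too many errors\. Remove file '(?P<path>[^']+)' from monitoring process")
REMOVED_RE = re.compile(r"Removed logfile: '(?P<path>[^']+)'")
BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)")

# Simplified reading of fail2ban-style durations (assumption: these units suffice).
_UNITS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
          "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_duration(text):
    """'36hours' -> 36 h, '3days' -> 3 d, '600' -> 600 s (bare numbers are seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    unit = m[2].lower().rstrip("s") or "s"
    return timedelta(seconds=int(m[1]) * _UNITS[unit])


def parse_line(line):
    """Split one fail2ban.log line into ts/module/level/msg; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def dropped_files(records):
    """Log files fail2ban removed from monitoring, with the warnings that preceded each."""
    warnings, removed = {}, []
    for r in records:
        if r["level"] == "WARNING" and (m := DROP_WARN_RE.search(r["msg"])):
            warnings[m["path"]] = warnings.get(m["path"], 0) + 1
        elif r["level"] == "INFO" and (m := REMOVED_RE.search(r["msg"])):
            removed.append({"path": m["path"], "at": r["ts"],
                            "warnings": warnings.get(m["path"], 0)})
    return removed


def premature_unbans(records, bantime):
    """(jail, ip, banned_at, unbanned_at) for each unban earlier than banned_at + bantime."""
    active, findings = {}, []
    for r in records:
        m = BAN_RE.search(r["msg"]) if r["level"] == "NOTICE" else None
        if not m:
            continue
        key = (m["jail"], m["ip"])
        if m["action"] == "Ban":
            active[key] = r["ts"]
        elif key in active:
            banned_at = active.pop(key)
            if r["ts"] < banned_at + bantime:
                findings.append((m["jail"], m["ip"], banned_at, r["ts"]))
    return findings


def audit(lines, bantime, window=timedelta(seconds=60)):
    """Run both checks; 'flushed_after_drop' = early unbans within `window` of a dropped file."""
    records = [r for r in map(parse_line, lines) if r]
    dropped = dropped_files(records)
    early = premature_unbans(records, bantime)
    flushed = [f for f in early
               if any(d["at"] <= f[3] <= d["at"] + window for d in dropped)]
    return {"records": len(records), "dropped": dropped,
            "premature_unbans": early, "flushed_after_drop": flushed}


# Excerpt of the log lines posted in the report above (reporter's data, not constructed).
SAMPLE_LOG = """\
2022-10-23 20:19:52,523 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 20:19:52
2022-10-23 20:19:52,630 fail2ban.actions [396837]: NOTICE [exim] Ban 12.34.56.78
2022-10-23 22:51:59,154 fail2ban.filter [396837]: INFO [exim] Found 12.34.56.78 - 2022-10-23 22:51:58
2022-10-24 00:04:37,706 fail2ban.filterpoll [396837]: WARNING Too many errors. Remove file '/var/log/exim4/mainlog' from monitoring process
2022-10-24 00:05:40,167 fail2ban.filterpoll [396837]: WARNING Too many errors. Remove file '/var/log/exim4/rejectlog' from monitoring process
2022-10-24 00:07:27,472 fail2ban.filterpoll [396837]: WARNING Too many errors. Remove file '/var/log/exim4/rejectlog' from monitoring process
2022-10-24 00:18:02,171 fail2ban.filter [396837]: INFO Removed logfile: '/var/log/exim4/rejectlog'
2022-10-24 00:18:02,171 fail2ban.filter [396837]: INFO Removed logfile: '/var/log/exim4/mainlog'
2022-10-24 00:18:02,214 fail2ban.actions [396837]: NOTICE [exim] Flush ticket(s) with iptables-multiport
2022-10-24 00:18:02,302 fail2ban.actions [396837]: NOTICE [exim] Unban 12.34.56.78
""".splitlines()

if __name__ == "__main__":
    result = audit(SAMPLE_LOG, parse_duration("36hours"))  # bantime from the reporter's jail.local
    for d in result["dropped"]:
        print(f"{d['at']} dropped {d['path']} after {d['warnings']} warning(s)")
    for jail, ip, banned_at, unbanned_at in result["flushed_after_drop"]:
        print(f"{unbanned_at} [{jail}] {ip} unbanned {unbanned_at - banned_at} "
              f"after ban, right after a log file was dropped")
```

Run against a real /var/log/fail2ban.log (for example `audit(open("/var/log/fail2ban.log").readlines(), parse_duration("36hours"))`), a non-empty `flushed_after_drop` means a jail has lost its input and lifted its bans, so the host is unprotected until fail2ban is restarted, which matches what the reporter observed. Two details of the report are worth noting when reproducing: the warnings come from `fail2ban.filterpoll`, i.e. the polling backend is reading the files, and the package list shows python3-pyinotify and python3-systemd as not installed.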