Heya,

Recently my fail2ban stopped working for some reason. It's not adding any IP to the firewall (ipfw).

When I test the regex against the logfile, it gives me the failed attempts.

----------------------- 

# ipfw show

And it's executing ipfw correctly, I guess, because every time I init it, it creates this entry:

00001 0 0 unreach port ip from table(1) to me

I ALSO CHECKED THE REGEX AGAINST MY MAILLOG

fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban/filter.d/postfix-sasl.conf


RUNNING TESTS

Use failregex file : /usr/local/etc/fail2ban/filter.d/postfix-sasl.conf
Use log file : /var/log/maillog
Use encoding : US-ASCII

RESULTS

Failregex: 178 total
|- #) [# of hits] regular expression
| 1) [178] ^s_(<[^.]+.[^.]+>)?s_(?:S+ )?(?:kernel: [ _d+.d+] )?(?:@vserver_S+ )?(?:(?:[d+])?:s+[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?|[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?(?:[d+])?:?)?s(?:[ID d+ S+])?s_warning: [-._w]+[]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]_={0,2})?s_$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [186018] MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-

Lines: 186018 lines, 0 ignored, 178 matched, 185840 missed [processed in 22.96 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 185840 lines
-------------------------

FAIL2BAN-CLIENT -D

['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'loglevel', 'INFO']
['set', 'dbpurgeage', 86400]
['set', 'dbfile', '/var/db/fail2ban/fail2ban.sqlite3']
['add', 'sasl-auth-failures', 'auto']
['set', 'sasl-auth-failures', 'usedns', 'warn']
['set', 'sasl-auth-failures', 'addlogpath', '/var/log/maillog', 'head']
['set', 'sasl-auth-failures', 'maxretry', 5]
['set', 'sasl-auth-failures', 'addignoreip', '127.0.0.1/8']
['set', 'sasl-auth-failures', 'logencoding', 'utf-8']
['set', 'sasl-auth-failures', 'bantime', 3600]
['set', 'sasl-auth-failures', 'ignorecommand', '']
['set', 'sasl-auth-failures', 'findtime', 600]
['set', 'sasl-auth-failures', 'addfailregex', '^s_(<[^.]+.[^.]+>)?s_(?:S+ )?(?:kernel: [ _d+.d+] )?(?:@vserver_S+ )?(?:(?:[d+])?:s+[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?|[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?(?:[d+])?:?)?s(?:[ID d+ S+])?s_warning: [-._w]+[]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]={0,2})?s_$']
['set', 'sasl-auth-failures', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'sasl-auth-failures', 'addaction', 'bsd-ipfw']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionban', 'ipfw table add ']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" )']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table() to me ; echo $num > "" )']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionunban', 'ipfw tabledelete ']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actioncheck', '']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'table', '1']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'port', '']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'block', 'ip']
['add', 'postfix-rejected', 'auto']
['set', 'postfix-rejected', 'usedns', 'warn']
['set', 'postfix-rejected', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix-rejected', 'maxretry', 8]
['set', 'postfix-rejected', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-rejected', 'logencoding', 'utf-8']
['set', 'postfix-rejected', 'bantime', 3600]
['set', 'postfix-rejected', 'ignorecommand', '']
['set', 'postfix-rejected', 'findtime', 600]
['set', 'postfix-rejected', 'addfailregex', '^s_(<[^.]+.[^.]+>)?s_(?:S+ )?(?:kernel: [ *d+.d+] )?(?:@vserverS+ )?(?:(?:[d+])?:s+[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?|[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?(?:[d+])?:?)?s(?:[ID d+ S+])?s_NOQUEUE: reject: RCPT from S+[]: 554 5.7.1 ._$']
['set', 'postfix-rejected', 'addfailregex', '^s_(<[^.]+.[^.]+>)?s_(?:S+ )?(?:kernel: [ _d+.d+] )?(?:@vserver_S+ )?(?:(?:[d+])?:s+[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?|[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?(?:[d+])?:?)?s(?:[ID d+ S+])?s_NOQUEUE: reject: RCPT from S+[]: 450 4.7.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= $']
['set', 'postfix-rejected', 'addfailregex', '^s(<[^.]+.[^.]+>)?s_(?:S+ )?(?:kernel: [ *d+.d+] )?(?:@vserver_S+ )?(?:(?:[d+])?:s+[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?|[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?(?:[d+])?:?)?s(?:[ID d+ S+])?s_NOQUEUE: reject: VRFY from S+[]: 550 5.1.1 .$']
['set', 'postfix-rejected', 'addfailregex', '^s(<[^.]+.[^.]+>)?s_(?:S+ )?(?:kernel: [ *d+.d+] )?(?:@vserver_S+ )?(?:(?:[d+])?:s+[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?|[[(]?postfix/(submission/)?smtp(d|s)(?:(S+))?[])]?:?(?:[d+])?:?)?s(?:[ID d+ S+])?s_improper command pipelining after S+ from [^[]*[]:?$']
['set', 'postfix-rejected', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'postfix-rejected', 'addaction', 'bsd-ipfw']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionban', 'ipfw tableadd ']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" )']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table() to me ; echo $num > "" )']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionunban', 'ipfw tabledelete ']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actioncheck', '']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'table', '1']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'port', '']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'block', 'ip']
['start', 'sasl-auth-failures']
['start', 'postfix-rejected']

Any help will be appreciated.
 
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
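As an added, offline worked example (not fail2ban's own code and not from the poster), the following Python script simulates the ban decision the sasl-auth-failures jail above makes, using that jail's own settings: findtime=600, maxretry=5 and ignoreip=127.0.0.1/8. It shows something the fail2ban-regex output alone does not: a match count is not a ban count. A ban only fires when a single IP accumulates maxretry matches whose timestamps fall inside one findtime window, and matches from an ignored address never count. Assumptions: the failregex is a simplified stand-in for filter.d/postfix-sasl.conf, the syslog year is fixed because maillog lines carry none, and the log lines are constructed with RFC 5737 documentation addresses.

```python
"""Simulate fail2ban's findtime/maxretry ban decision over maillog lines.

Added example, not fail2ban's code. The regex is a simplified stand-in for
filter.d/postfix-sasl.conf; the sample log is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for the postfix-sasl failregex (assumption: the real
# filter has a much longer __prefix_line; only what the ban decision needs
# is reproduced here).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?:submission/)?smtpd\[\d+\]: warning: [-._\w]+\[(?P<ip>[0-9.]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Jail settings as dumped by fail2ban-client -d for sasl-auth-failures.
FINDTIME = 600
MAXRETRY = 5
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]
YEAR = 2015  # syslog timestamps carry no year; assumed for parsing


def parse_ts(s):
    """Turn 'May  4 10:00:00' into a datetime (format whitespace matches runs)."""
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


def is_ignored(ip):
    """True when the address falls inside an ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return (matched_count, banned_ips) for a sequence of log lines.

    Mirrors fail2ban's rule: an IP is banned once it has maxretry matching
    failures within findtime seconds of each other (sliding window). Matches
    from ignored addresses are counted as matches but never lead to a ban.
    """
    matched = 0
    window = defaultdict(list)  # ip -> timestamps of recent failures
    banned = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        matched += 1
        ip = m.group("ip")
        if is_ignored(ip):
            continue
        t = parse_ts(m.group("ts"))
        hits = window[ip] + [t]
        # keep only failures no older than findtime relative to the newest
        hits = [h for h in hits if (t - h).total_seconds() <= findtime]
        window[ip] = hits
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return matched, banned


def sample_log():
    """Constructed maillog excerpt (not real traffic; RFC 5737 addresses)."""
    tmpl = ("{ts} mail postfix/smtpd[1234]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")
    lines = []
    # burst: 5 failures within 4 minutes -> exceeds maxretry inside findtime
    for i in range(5):
        lines.append(tmpl.format(ts=f"May  4 10:0{i}:00", ip="192.0.2.10"))
    # slow: one failure every 30 minutes -> 5 matches, never 5 within 600 s
    for i in range(5):
        ts = f"May  4 {11 + i // 2:02d}:{30 * (i % 2):02d}:00"
        lines.append(tmpl.format(ts=ts, ip="198.51.100.7"))
    # localhost: matches the regex but is covered by ignoreip
    for i in range(5):
        lines.append(tmpl.format(ts=f"May  4 12:0{i}:00", ip="127.0.0.1"))
    # unrelated line that must not match
    lines.append("May  4 12:10:00 mail postfix/smtpd[1234]: "
                 "connect from unknown[203.0.113.5]")
    return lines


if __name__ == "__main__":
    count, ips = simulate(sample_log())
    print(f"{count} lines matched the failregex; would ban: {ips}")
```

Run it against a real maillog by replacing sample_log() with the file's lines; the gap between "matched" and "would ban" is the first thing to compare with what fail2ban.log reports for the jail.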