Hi,

On Mon, Oct 3, 2016 at 11:15 PM, Orion Poplawski <[email protected]> wrote:
> On 10/02/2016 06:46 PM, Alex wrote:
>>
>> Hi,
>> I'm using fail2ban-0.9.3 on fedora22 and have configured it with
>> firewalld and ipset. I'm more familiar with iptables, not this new
>> firewalld layout, so I'm really not sure how to tell if it's working
>> properly.
>>
>> I have a postfix-sasl jail configured as such:
>>
>> [postfix-sasl]
>> #port     = smtp,465,submission
>> port     = smtp,587,submission
>> logpath  = %(postfix_log)s
>> enabled  = true
>> logencoding=utf-8
>>
>> /var/log/fail2ban.log shows these entries:
>>
>> fail2ban.filter         [19398]: INFO    [postfix-sasl] Found 12.234.0.173
>> fail2ban.actions        [19398]: NOTICE  [postfix-sasl] Ban 12.234.0.173
>>
>> ipset list shows me:
>>
>> Name: fail2ban-postfix-sasl
>> Type: hash:ip
>> Revision: 4
>> Header: family inet hashsize 1024 maxelem 65536 timeout 5200
>> Size in memory: 1856
>> References: 1
>> Members:
>> 12.234.0.173 timeout 4068
>> 179.189.205.12 timeout 152
>> 184.2.47.206 timeout 390
>> 113.69.178.121 timeout 1522
>>
>> Does this say that 12.234.0.173 is indeed currently blocked on port
>> 589 for the next 4068 seconds?
>>
>> firewalld is running, but I don't know how to produce a list of all
>> IPs that are currently being blocked. "iptables -nL", as I usually
>> would run, shows there are no entries for any of the chains that are
>> listed (except for 192.168.122.0/24 as part of virbr0). Does that mean
>> the rules aren't being added properly by fail2ban?
>
>
> I suspect something isn't setting up the ipset rule properly in the first
> place.  Check /var/log/fail2ban.log around the time of fail2ban startup.

There isn't anything relating to firewalld or ipset, but I suspect
this is the problem.

Is ipset what actually adds the netfilter rules, instead of iptables these days?

> Also, are you sure you're using a firewalld action?  What does
> 'fail2ban-client get postfix-sasl action' show?

Is it even possible to operate fail2ban without firewalld anymore? It
was my understanding that it requires firewalld. If not, I'd like to
configure it without, because I don't like the abstraction and lack of
ability to configure source access easily.

# fail2ban-client get postfix-sasl action
WARNING 'pidfile' not defined in 'Definition'. Using default one:
'/var/run/fail2ban/fail2ban.pid'
ERROR  NOK: ('list index out of range',)
Sorry but the command is invalid

# ls -l /var/run/fail2ban/fail2ban.pid
-rw------- 1 root root 6 Oct  4 09:42 /var/run/fail2ban/fail2ban.pid

# cat /etc/fail2ban/jail.d/00-firewalld.conf |grep -v ^#
[DEFAULT]
banaction = firewallcmd-ipset

# rpm -qva|egrep 'ipset|firewall|fail2ban'
ipset-6.27-1.fc22.x86_64
firewalld-filesystem-0.3.14.2-4.fc22.noarch
fail2ban-firewalld-0.9.3-1.fc22.noarch
fail2ban-0.9.3-1.fc22.noarch
python-firewall-0.3.14.2-4.fc22.noarch
firewalld-0.3.14.2-4.fc22.noarch
fail2ban-server-0.9.3-1.fc22.noarch
fail2ban-sendmail-0.9.3-1.fc22.noarch
ipset-libs-6.27-1.fc22.x86_64

> Finally, Fedora 22 is EOL and you really should upgrade.

Yes, we're hoping to do that soon.
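A small diagnostic for the question raised above (is the address in the set, and is the set actually wired into netfilter?), added here as an example; it is not from the thread or the fail2ban project. It parses the `ipset list` output quoted above and scans `iptables -S` style rules for a `--match-set` reference to the set; the rule sample is constructed and its exact form is an assumption.

```python
import re

# Constructed sample: the `ipset list` output quoted in the thread.
IPSET_LIST = """\
Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 1856
References: 1
Members:
12.234.0.173 timeout 4068
179.189.205.12 timeout 152
184.2.47.206 timeout 390
113.69.178.121 timeout 1522
"""

# Constructed sample of `iptables -S INPUT` output (assumed shape of a
# firewallcmd-ipset rule; on firewalld hosts `firewall-cmd --direct
# --get-all-rules` shows the direct rules fail2ban inserted).
IPTABLES_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,587 -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
"""

def parse_ipset_list(text):
    """Parse `ipset list` output: set name, kernel reference count, members -> remaining timeout."""
    info = {"name": None, "references": 0, "members": {}}
    in_members = False
    for line in text.splitlines():
        if in_members:
            m = re.match(r"(\S+)(?:\s+timeout\s+(\d+))?", line)
            if m:
                info["members"][m.group(1)] = int(m.group(2)) if m.group(2) else None
        elif line.startswith("Name:"):
            info["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("References:"):   # 0 here means no rule uses the set at all
            info["references"] = int(line.split(":", 1)[1])
        elif line.startswith("Members:"):
            in_members = True
    return info

def rules_referencing_set(rules_text, set_name):
    """Return the `iptables -S` rules that match on the given ipset name."""
    pat = re.compile(r"--match-set\s+%s\s" % re.escape(set_name))
    return [r for r in rules_text.splitlines() if pat.search(r)]

def ban_status(ip, ipset_text, rules_text):
    """Return (in_set, enforced, remaining_timeout): a member is only blocked if a rule references the set."""
    info = parse_ipset_list(ipset_text)
    in_set = ip in info["members"]
    enforced = in_set and bool(rules_referencing_set(rules_text, info["name"]))
    return in_set, enforced, info["members"].get(ip)
```

Feed it the real output of `ipset list` and `iptables -S` on the host; a set whose members are present but with no referencing rule (and `References: 0`) is exactly the "ban logged but nothing blocked" symptom.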

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users