Hi,

On Tue, Oct 4, 2016 at 10:55 AM, Orion Poplawski <[email protected]> wrote:
> On 10/04/2016 07:53 AM, Alex wrote:
>> Hi,
>>
>> On Mon, Oct 3, 2016 at 11:15 PM, Orion Poplawski <[email protected]> wrote:
>>> On 10/02/2016 06:46 PM, Alex wrote:
>>>>
>>>> Hi,
>>>> I'm using fail2ban-0.9.3 on fedora22 and have configured it with
>>>> firewalld and ipset. I'm more familiar with iptables, not this new
>>>> firewalld layout, so I'm really not sure how to tell if it's working
>>>> properly.
>>>>
>>>> I have a postfix-sasl jail configured as such:
>>>>
>>>> [postfix-sasl]
>>>> #port = smtp,465,submission
>>>> port = smtp,587,submission
>>>> logpath = %(postfix_log)s
>>>> enabled = true
>>>> logencoding=utf-8
>>>>
>>>> /var/log/fail2ban.log shows these entries:
>>>>
>>>> fail2ban.filter [19398]: INFO [postfix-sasl] Found 12.234.0.173
>>>> fail2ban.actions [19398]: NOTICE [postfix-sasl] Ban 12.234.0.173
>>>>
>>>> ipset list shows me:
>>>>
>>>> Name: fail2ban-postfix-sasl
>>>> Type: hash:ip
>>>> Revision: 4
>>>> Header: family inet hashsize 1024 maxelem 65536 timeout 5200
>>>> Size in memory: 1856
>>>> References: 1
>>>> Members:
>>>> 12.234.0.173 timeout 4068
>>>> 179.189.205.12 timeout 152
>>>> 184.2.47.206 timeout 390
>>>> 113.69.178.121 timeout 1522
>>>>
>>>> Does this say that 12.234.0.173 is indeed currently blocked on port
>>>> 589 for the next 4068 seconds?
>>>>
>>>> firewalld is running, but I don't know how to produce a list of all
>>>> IPs that are currently being blocked. "iptables -nL", as I usually
>>>> would run, shows there are no entries for any of the chains that are
>>>> listed (except for 192.168.122.0/24 as part of virbr0). Does that mean
>>>> the rules aren't being added properly by fail2ban?
>>>
>>>
>>> I suspect something isn't setting up the ipset rule properly in the first
>>> place. Check /var/log/fail2ban.log around the time of fail2ban startup.
>>
>> There isn't anything relating to firewalld or ipset, but I suspect
>> this is the problem.
>>
>> Is ipset what actually adds the netfilter rules, instead of iptables these
>> days?
>>
>>> Also, are you sure you're using a firewalld action? What does
>>> 'fail2ban-client get postfix-sasl action' show?
>>
>> Is it even possible to operate fail2ban without firewalld anymore? It
>> was my understanding that it requires firewalld. If not, I'd like to
>> configure it without, because I don't like the abstraction and lack of
>> ability to configure source access easily.
>>
>> # fail2ban-client get postfix-sasl action
>> WARNING 'pidfile' not defined in 'Definition'. Using default one:
>> '/var/run/fail2ban/fail2ban.pid'
>> ERROR NOK: ('list index out of range',)
>> Sorry but the command is invalid
>
> oops, I guess it's 'fail2ban-client get postfix-sasl actions'
# fail2ban-client get postfix actions
WARNING 'pidfile' not defined in 'Definition'. Using default one:
'/var/run/fail2ban/fail2ban.pid'
The jail postfix has the following actions: firewallcmd-ipset

I'm still unsure why it doesn't create any actual firewall entries,
despite no errors in fail2ban.log and entries showing otherwise:

2016-10-04 18:16:20,822 fail2ban.actions [12460]: NOTICE [postfix-sasl] Ban 113.69.178.13

# fail2ban-client status postfix-sasl
WARNING 'pidfile' not defined in 'Definition'. Using default one:
'/var/run/fail2ban/fail2ban.pid'
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     154
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 3
   |- Total banned:     26
   `- Banned IP list:   195.24.206.78 183.158.98.195 113.69.178.13

# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports submission,587,smtp -m set --match-set fail2ban-sendmail-auth src -j REJECT --reject-with icmp-port-unreachable

iptables also shows no entries for the IPs listed above.

Thanks,
Alex

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
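The thread stops short of the check that would settle the question, so here is one, as an added example that is not from the thread, from fail2ban or from firewalld. With an ipset-backed action such as firewallcmd-ipset, the packet filter carries exactly one rule per jail (the `-m set --match-set fail2ban-<jail> src -j REJECT` lines in the firewall-cmd output above); the banned addresses live only in the set, which is why `iptables -nL` never shows a per-IP entry. A ban is in force only when both halves are present: the address is a member of the set, and a REJECT or DROP rule consumes that set as a source match. The POSIX sh functions below verify both from the text of `ipset list <set>` and `firewall-cmd --direct --get-all-rules`. The sample outputs are constructed to mirror the ones posted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not fail2ban's or firewalld's code): confirm that a fail2ban
# ban is actually enforced by checking ipset membership AND the firewall rule
# that references the set. The two SAMPLE_* strings are constructed copies of
# the command output shown in the thread; on a live host feed in the real
# output of `ipset list <set>` and `firewall-cmd --direct --get-all-rules`.

# Constructed sample of `ipset list fail2ban-postfix-sasl`.
SAMPLE_IPSET='Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 1856
References: 1
Members:
12.234.0.173 timeout 4068
179.189.205.12 timeout 152'

# Constructed sample of `firewall-cmd --direct --get-all-rules`.
SAMPLE_RULES='ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable'

# ipset_member_timeout IPSET_OUTPUT IP
# Prints the remaining timeout (seconds) of IP in the set, or "none" when the
# set has no timeout. Returns 1 when IP is not a member.
ipset_member_timeout() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^Members:/ { inmembers = 1; next }
        inmembers && $1 == ip { print ($3 != "" ? $3 : "none"); found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# rule_ports_for_set RULES_OUTPUT SETNAME
# Prints the --dports list of the first REJECT/DROP rule whose source match is
# SETNAME. Returns 1 when no such rule exists (the set is then decorative).
rule_ports_for_set() {
    printf '%s\n' "$1" | awk -v set="$2" '
        {
            ports = ""; hit = 0; verdict = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dports") ports = $(i + 1)
                if ($i == "--match-set" && $(i + 1) == set && $(i + 2) == "src") hit = 1
                if ($i == "-j") verdict = $(i + 1)
            }
            if (hit && (verdict == "REJECT" || verdict == "DROP")) {
                print ports; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# ban_effective IPSET_OUTPUT RULES_OUTPUT SETNAME IP
# Prints one verdict line. Returns 0 only when IP is in SETNAME and a
# REJECT/DROP rule references SETNAME; 1 if IP is not in the set; 2 if the
# set exists but nothing in the firewall consumes it.
ban_effective() {
    t=$(ipset_member_timeout "$1" "$4") || { echo "$4: not in set $3"; return 1; }
    p=$(rule_ports_for_set "$2" "$3") || { echo "$4: in set $3 but no REJECT/DROP rule references it"; return 2; }
    echo "$4: blocked on ports $p for ${t}s more"
}

# Demonstration against the constructed samples.
ban_effective "$SAMPLE_IPSET" "$SAMPLE_RULES" fail2ban-postfix-sasl 12.234.0.173
ban_effective "$SAMPLE_IPSET" "$SAMPLE_RULES" fail2ban-postfix-sasl 113.69.178.121 || :
```

On a real host the call becomes `ban_effective "$(ipset list "$set")" "$(firewall-cmd --direct --get-all-rules)" "$set" "$ip"` (both commands need root). Note that the port list printed is the one the rule actually carries, which in the thread's output for fail2ban-postfix-sasl is the firewalld action's default set, not the `port = smtp,587,submission` line from the jail; comparing the two is the quickest way to notice that a jail's port override did not reach the rule. For a raw view without firewalld's abstraction, `iptables -S | grep match-set` lists the same per-jail rules.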
