The "action_" entry in the jail.conf file heavily relies on the "banaction" value:
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
As an example, nginx with banaction iptables-multiport:
/etc/fail2ban/jail.conf:
# default banaction value
banaction = iptables
# Specify chain where jumps would need to be added in iptables-* actions
chain = FORWARD
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
#NGINX section
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx.log
# section overrides banaction
banaction = iptables-multiport
/etc/fail2ban/filter.d/nginx-http-auth.conf
[Definition]
failregex = \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"\s*
/etc/fail2ban/action.d/iptables-multiport.conf
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]
name = default
port = ssh
protocol = tcp
chain = INPUT
To my understanding the logic is:
fail2ban monitors /var/log/nginx.log file with failregex.
if it matches, then
the IP is somehow extracted from logs (suspect that <HOST> has something to do with that)
banaction is set to iptables-multiport
action_ turns to the banaction module (/etc/fail2ban/action.d/iptables-multiport.conf) with the following variables:
<ip> x.x.x.x
<port> http, https / 80,443
<protocol> tcp
<chain> FORWARD
<name> nginx-http-auth (section name)
module bans the IP (actionban)
In blockip_custom.conf you basically should have the commands that must be run if fail2ban notices something suspicious, with some additional data extracted by the regex and some data from the service's jail.conf section.
If I understand correctly, the "exim" jail is not working as it should.
So jail config is :
[exim]
enabled = true
filter = exim
port = smtp,465,submission
bantime = 86400
findtime = 600
maxretry = 5
#banaction = blockip-custom
#action = %(action_)s
action = blockip-custom
logpath = /var/log/maillog
backend = auto
#journalmatch =
If you define "action" directly as "blockip_custom" (which is defined in /etc/fail2ban/action.d as blockip_custom.conf) then it will just turn to it without any additional parameters (such as port, protocol, chain, bantime etc.).
But in order to block an IP you need some input values.
——————
Bregs, Roman
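To make the substitution chain described above concrete (failregex and <HOST> giving the <ip> tag, the jail's action line giving name/port/protocol/chain, the action file's [Init] block filling whatever the jail did not pass), here is an added Python model of it. It is not fail2ban's code: the templates and [Init] defaults are copied from the iptables-multiport.conf quoted above, the <HOST> expansion is the one fail2ban 0.9 uses, the nginx log line is constructed, and the blocktype value is assumed.

```python
import re

# fail2ban 0.9's expansion of <HOST> (assumed here; the daemon does this internally)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex from the nginx-http-auth.conf quoted above
NGINX_FAILREGEX = (r'\[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not '
                   r'found in ".*"), client: <HOST>, server: \S+, request: '
                   r'"\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"\s*')

# [Init] defaults and two command templates of iptables-multiport.conf (from the page)
INIT_DEFAULTS = {"name": "default", "port": "ssh", "protocol": "tcp", "chain": "INPUT"}
TEMPLATES = {
    "actionstart": "iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>",
    "actionban": "iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>",
}

# Constructed nginx error line in the shape the failregex expects (not from the thread)
SAMPLE_LINE = ('2018/01/17 11:38:52 [error] 1234#0: *5 user "admin": password mismatch, '
               'client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", '
               'host: "example.com"')

def extract_host(failregex, line):
    """Return the <HOST> captured by failregex from one log line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None

def parse_action(spec):
    """'name[key=val, key2="a,b"]' -> ('name', {key: val, ...}); a bare name gives {}."""
    m = re.fullmatch(r"\s*([\w-]+)\s*(?:\[(.*)\])?\s*", spec)
    if not m:
        raise ValueError("unparseable action: %r" % spec)
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\]]+)', m.group(2) or "")
    return m.group(1), {k: v.strip('"') for k, v in pairs}

def ban_commands(action_spec, ip, blocktype="REJECT --reject-with icmp-port-unreachable"):
    """Render the action templates for action_spec against ip (blocktype is an assumed default)."""
    _, jail_tags = parse_action(action_spec)
    # Jail-supplied tags override the action file's [Init] defaults; <ip> comes from the filter
    tags = {**INIT_DEFAULTS, **jail_tags, "ip": ip, "blocktype": blocktype}
    rendered = {}
    for key, template in TEMPLATES.items():
        for tag, value in tags.items():
            template = template.replace("<%s>" % tag, value)
        rendered[key] = template
    return rendered

if __name__ == "__main__":
    ip = extract_host(NGINX_FAILREGEX, SAMPLE_LINE)
    full = 'iptables-multiport[name=nginx-http-auth, port="http,https", protocol="tcp", chain="FORWARD"]'
    print(ban_commands(full, ip))                  # chain FORWARD, ports http,https
    print(ban_commands("iptables-multiport", ip))  # bare name: only the [Init] defaults apply
```

The bare-name call is the case discussed above: with no `[...]` tags the action runs with name "default", port "ssh" and chain "INPUT" from [Init] rather than the jail's values.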
> On 17 Jan 2018, at 16:46, Emanuel Gonzalez <[email protected]>
> wrote:
>
> Yes, the file blockip-custom.conf exists in /etc/fail2ban/action.d but not
> block IPs
>
> example:
>
> Jan 17 11:38:54 linux.backend exim[14840]: 2018-01-17 11:38:52 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:55 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:55 linux.backend exim[14840]: 2018-01-17 11:38:56 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:56 linux.backend exim[21770]: 2018-01-17 11:38:56 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:56 linux.backend exim[14840]: 2018-01-17 11:38:56 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:56 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:58 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:58 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
> Jan 17 11:38:59 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login
> authenticator failed for (User) [190.98.45.180]: 535 Incorrect authentication
> data ([email protected])
>
> In the file maillog-custom.conf
>
> failregex = \[<HOST>\]:\d+: 535 Incorrect authentication data
> [rsyslog-maillog]
> enabled = true
> filter = maillog-custom
> bantime = 86400
> findtime = 600
> maxretry = 5
> port = smtp,465,submission,imap3,imaps,pop3,pop3s
> # tail: start at the end of the log
> # so that it does not start processing it from the beginning or from where it left off
> logpath = /var/log/maillog
>
> any ideas?
>
> Regards,
>
> From: Roman Pikalo <[email protected]>
> Sent: Wednesday, 17 January 2018 9:04:49
> To: Emanuel Gonzalez
> Cc: [email protected]
> Subject: Re: [Fail2ban-users] Enable multiple jails
>
> Do you have blockip-custom banaction defined in /etc/fail2ban/jail.conf /file
> ?
>
> Bregs, Roman
>
> Emanuel Gonzalez <[email protected]
> <mailto:[email protected]>>:
>
>> Hello, I have read all the documentation but I cannot solve my problem.
>>
>> I created the file jail-custom.conf in /etc/fail2ban/jail.d with this config:
>>
>> [rsyslog-maillog]
>> enabled = true
>> filter = maillog-custom
>> bantime = 86400
>> findtime = 600
>> maxretry = 5
>> #port = smtp,465,submission,imap3,imaps,pop3,pop3s
>> port = imap3,imaps,pop3,pop3s
>> # tail: start at the end of the log
>> # so that it does not start processing it from the beginning or from where it left off
>> logpath = /var/log/maillog tail
>>
>>
>> [exim]
>> enabled = true
>> filter = exim
>> port = smtp,465,submission
>> bantime = 86400
>> findtime = 600
>> maxretry = 5
>> #banaction = blockip-custom
>> #action = %(action_)s
>> action = blockip-custom
>> logpath = /var/log/maillog
>> backend = auto
>> #journalmatch =
>>
>>
>> The jail "rsyslog-maillog" works, but the exim jail does not.
>>
>> tail -f /var/log/fail2ban.log
>> 2018-01-16 15:20:58,599 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 111.75.167.157
>> 2018-01-16 15:21:05,610 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 111.89.179.159
>> 2018-01-16 15:21:06,830 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.112.193.39
>> 2018-01-16 15:21:13,871 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.112.25.39
>> 2018-01-16 15:21:14,643 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.113.241.17
>> 2018-01-16 15:21:15,435 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.113.60.146
>> 2018-01-16 15:21:17,246 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.113.60.247
>> 2018-01-16 15:21:24,439 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.113.60.38
>> 2018-01-16 15:21:25,222 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.113.61.121
>> 2018-01-16 15:21:26,009 fail2ban.actions [13905]: NOTICE
>> [rsyslog-maillog] Ban 112.113.61.183
>>
>> Any ideas? Regards
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org <http://slashdot.org/>!
>> http://sdm.link/slashdot
>> <http://sdm.link/slashdot>_______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> <mailto:[email protected]>
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>> <https://lists.sourceforge.net/lists/listinfo/fail2ban-users>