Notice the time in the log - at 12:19, an entry for 5.101.40.66 was found
in the log at "09:19". It's banned from 09:19 for 60 minutes, meaning it
was due to be unbanned at 10:19.

But it wasn't discovered until 12:19, which is past 10:19 so it unbans it.

Either the time that it is writing the logs is wrong or the time it's
reading the logs is wrong.

I'm not sure I've explained that very well, but it's related to the
conflict of several hours in your log file.

On Mon, 4 Jun 2018 at 12:54, Henri Reinikainen <[email protected]> wrote:

> Hi!
>
> My postfix-sasl jail is ignoring the bantime which is set to 3600
> seconds and unbans the host after two seconds instead ...all other jails
> are working properly.
>
> # fail2ban-client -d | grep postfix-sasl | grep bantime
> ['set', 'postfix-sasl', 'bantime', '3600']
>
> # tail -n 40 /var/log/fail2ban.log | grep postfix-sasl
> 2018-06-04 11:36:33,577 fail2ban.server [5005]: INFO Jail 'postfix-sasl'
> reloaded
> 2018-06-04 11:44:24,026 fail2ban.filter [5005]: INFO [postfix-sasl]
> Found 5.101.40.66 - 2018-06-04 08:44:24
> 2018-06-04 12:01:51,528 fail2ban.filter [5005]: INFO [postfix-sasl]
> Found 5.101.40.66 - 2018-06-04 09:01:51
> 2018-06-04 12:19:12,618 fail2ban.filter [5005]: INFO [postfix-sasl]
> Found 5.101.40.66 - 2018-06-04 09:19:12
> 2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Ban 5.101.40.66
> 2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Unban 5.101.40.66
>
> Why is it that the host is unbanned after only two seconds?
> Any and all help is appreciated.
>
> # fail2ban-client -V
> Fail2Ban v0.10.2
>
> # cat fail2ban.log | grep postfix-sasl | egrep '(Ban|Unban)'
> 2018-06-04 07:13:29,916 fail2ban.actions [26028]: NOTICE
> [postfix-sasl]Ban 5.101.40.66
> 2018-06-04 07:13:31,934 fail2ban.actions [26028]: NOTICE
> [postfix-sasl]Unban 5.101.40.66
> 2018-06-04 09:23:59,671 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Ban 5.101.40.66
> 2018-06-04 09:24:01,696 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Unban 5.101.40.66
> 2018-06-04 10:51:39,299 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Ban 5.101.40.66
> 2018-06-04 10:51:41,314 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Unban 5.101.40.66
> 2018-06-04 12:19:12,832 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Ban 5.101.40.66
> 2018-06-04 12:19:14,847 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Unban 5.101.40.66
> 2018-06-04 13:46:11,616 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Ban 5.101.40.66
> 2018-06-04 13:46:13,633 fail2ban.actions [5005]: NOTICE [postfix-sasl]
> Unban 5.101.40.66
>
> # fail2ban-client -d | grep postfix-sasl
> ['add', 'postfix-sasl', 'auto']
> ['set', 'postfix-sasl', 'prefregex',
> '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[
> *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID
>
> \\d+ \\S+\\]\\s+)?warning: <F-CONTENT>.+</F-CONTENT>$']
> ['set', 'postfix-sasl', 'addfailregex', '^[^[]*\\[<HOST>\\](?::\\d+)?:
> SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?!
> Connection lost to authentication server| Invalid authentication
> mechanism)']
> ['set', 'postfix-sasl', 'datepattern', '{^LN-BEG}']
> ['set', 'postfix-sasl', 'addjournalmatch',
> '_SYSTEMD_UNIT=postfix.service']
> ['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.log', 'head']
> ['set', 'postfix-sasl', 'logencoding', 'auto']
> ['set', 'postfix-sasl', 'maxretry', 5]
> ['set', 'postfix-sasl', 'findtime', '604800']
> ['set', 'postfix-sasl', 'bantime', '3600']
> ['set', 'postfix-sasl', 'usedns', 'warn']
> ['set', 'postfix-sasl', 'ignorecommand', '']
> ['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
> ['multi-set', 'postfix-sasl', 'action', 'iptables-multiport',
> [['actionstart', '<iptables> -N f2b-postfix-sasl\n<iptables> -A
> f2b-postfix-sasl -j RETURN\n<iptables> -I INPUT -p tcp -m multiport
> --dports smtp,465,submission,imap,imaps,pop3,pop3s -j
> f2b-postfix-sasl'], ['actionstop', '<iptables> -D INPUT -p tcp -m
> multiport --dports smtp,465,submission,imap,imaps,pop3,pop3s -j
> f2b-postfix-sasl\n<iptables> -F f2b-postfix-sasl\n<iptables> -X
> f2b-postfix-sasl'], ['actionflush', '<iptables> -F f2b-postfix-sasl'],
> ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-postfix-sasl[
> \\t]'"], ['actionban', '<iptables> -I f2b-postfix-sasl 1 -s <ip> -j
> <blocktype>'], ['actionunban', '<iptables> -D f2b-postfix-sasl -s <ip>
> -j <blocktype>'], ['name', 'postfix-sasl'], ['bantime', '3600'],
> ['port', 'smtp,465,submission,imap,imaps,pop3,pop3s'], ['protocol',
> 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'],
> ['blocktype', 'REJECT --reject-with icmp-port-unreachable'],
> ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables
> <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with
> icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables
> <lockingopt>']]]
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
-- 
-- Tony Collins
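
The check described in the reply above, as an added example that is not part of the original thread or of Fail2Ban's own code: it compares the time fail2ban logged each "Found" entry with the timestamp it parsed from the mail log, and reports whether a ban counted from the parsed timestamp would already be over. It assumes, as the reply does, that the ban period starts at the parsed timestamp; `check_found_skew` is a hypothetical helper name, and the sample lines are the "Found" entries quoted in the thread, re-joined onto one line each.

```python
import re
from datetime import datetime, timedelta

# "Found" lines from the quoted fail2ban.log, re-joined onto one line each.
SAMPLE_LOG = """\
2018-06-04 11:44:24,026 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 08:44:24
2018-06-04 12:01:51,528 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:01:51
2018-06-04 12:19:12,618 fail2ban.filter [5005]: INFO [postfix-sasl] Found 5.101.40.66 - 2018-06-04 09:19:12
"""

FOUND_RE = re.compile(
    r"^(?P<seen>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s*Found (?P<ip>\S+) - "
    r"(?P<event>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)
FMT = "%Y-%m-%d %H:%M:%S"


def check_found_skew(log_text, bantime_s):
    """Return one dict per 'Found' line with the clock skew and ban verdict."""
    results = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue
        seen = datetime.strptime(m["seen"], FMT)    # when fail2ban read the line
        event = datetime.strptime(m["event"], FMT)  # timestamp parsed from mail.log
        # Assumption taken from the reply: the ban runs from the parsed timestamp.
        expiry = event + timedelta(seconds=bantime_s)
        results.append({
            "jail": m["jail"],
            "ip": m["ip"],
            "skew_s": int((seen - event).total_seconds()),
            "ban_expires": expiry.strftime(FMT),
            "already_expired": seen >= expiry,
        })
    return results


if __name__ == "__main__":
    for row in check_found_skew(SAMPLE_LOG, bantime_s=3600):
        print(row)
```

A constant skew of a whole number of hours, as here, points at a timezone mismatch between the process writing the mail log and fail2ban rather than at the jail settings.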