On 08/25/2018 12:09 PM, Tony Collins wrote:

> Could you perhaps run this command and paste in the output:
> 
> grep 200.29.108.214 /usr/local/bin/assp2/logs/maillog.txt
> 
> This will search your mail log just for the entries from that specific
> IP address, so we can see what it's doing to you.
> 
$ grep 200.29.108.214 2018-08-24.maillog.txt
2018-08-24_03:58:54 [Worker_1] Connected: session:7F9012DE59F8
200.29.108.214:45121 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_03:58:54 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_03:58:57 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_03:58:57 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_03:58:57 [Worker_1] 200.29.108.214 disconnected:
session:7F9012DE59F8 200.29.108.214 - processing time 3 seconds
2018-08-24_04:10:39 [Worker_1] Connected: session:7F901300AB10
200.29.108.214:13922 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_04:10:40 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_04:10:42 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_04:10:42 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_04:10:42 [Worker_1] 200.29.108.214 disconnected:
session:7F901300AB10 200.29.108.214 - processing time 3 seconds
2018-08-24_05:16:16 [Worker_1] Connected: session:7F90125823E0
200.29.108.214:17473 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_05:16:17 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_05:16:19 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_05:16:19 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_05:16:20 [Worker_1] 200.29.108.214 disconnected:
session:7F90125823E0 200.29.108.214 - processing time 4 seconds
2018-08-24_07:28:15 [Worker_1] Connected: session:7F9011902CC0
200.29.108.214:4577 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_07:28:15 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_07:28:18 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_07:28:18 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_07:28:18 [Worker_1] 200.29.108.214 disconnected:
session:7F9011902CC0 200.29.108.214 - processing time 3 seconds
2018-08-24_09:29:22 [Worker_1] Connected: session:7F901146C2F0
200.29.108.214:12673 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_09:29:22 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_09:29:25 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_09:29:25 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_09:29:25 [Worker_1] 200.29.108.214 disconnected:
session:7F901146C2F0 200.29.108.214 - processing time 3 seconds
2018-08-24_11:08:28 [Worker_1] Connected: session:7F90112BD400
200.29.108.214:2306 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_11:08:28 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_11:08:30 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_11:08:30 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_11:08:31 [Worker_1] 200.29.108.214 disconnected:
session:7F90112BD400 200.29.108.214 - processing time 3 seconds
2018-08-24_15:21:43 [Worker_1] Connected: session:7F8FFC6FC958
200.29.108.214:49601 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_15:21:44 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_15:21:46 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_15:21:46 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_15:21:47 [Worker_1] 200.29.108.214 disconnected:
session:7F8FFC6FC958 200.29.108.214 - processing time 4 seconds
2018-08-24_18:07:37 [Worker_1] Connected: session:7F8FFD3EBBA8
200.29.108.214:30145 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_18:07:37 [Worker_1] 200.29.108.214 info: authentication -
login is used
2018-08-24_18:07:40 [Worker_1] 200.29.108.214 warning: SMTP
authentication failed on 192.168.69.246
2018-08-24_18:07:40 [Worker_1] 200.29.108.214 [SMTP Error] 535 (515)
incorrect password or account name
2018-08-24_18:07:40 [Worker_1] 200.29.108.214 disconnected:
session:7F8FFD3EBBA8 200.29.108.214 - processing time 3 seconds

  All of these were started on server port 25.

> 
> Also, could you do a command to search your fail2ban logs so we can see
> exactly how many times that IP address has been found?
> 
> Here's the command:
> 
> grep 200.29.108.214 /var/log/fail2ban.log
> 
2018-08-19 22:10:33,580 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-19 22:10:33
2018-08-19 23:10:49,643 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-19 23:10:49
2018-08-19 23:10:49,806 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-20 19:55:01,907 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-20 19:55:00
2018-08-21 02:27:38,700 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-21 02:27:38
2018-08-21 02:27:38,764 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-21 06:12:36,405 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-21 06:12:35
2018-08-21 06:45:41,038 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-21 06:45:40
2018-08-21 06:45:41,695 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-21 10:38:51,837 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-21 10:38:50
2018-08-22 03:02:25,786 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-22 03:02:25
2018-08-22 03:43:59,819 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-22 03:43:59
2018-08-22 03:44:00,347 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-23 13:58:28,665 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-23 13:58:28
2018-08-23 14:15:36,239 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-23 14:15:35
2018-08-23 14:15:36,320 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-23 17:02:32,937 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-23 17:02:32
2018-08-24 03:58:57,293 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 03:58:57
2018-08-24 04:10:42,830 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 04:10:42
2018-08-24 04:10:42,918 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-24 05:16:19,847 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 05:16:19
2018-08-24 07:28:18,454 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 07:28:18
2018-08-24 07:28:18,460 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-24 09:29:25,226 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 09:29:25
2018-08-24 11:08:31,129 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 11:08:30
2018-08-24 11:08:31,430 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-24 15:21:47,010 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 15:21:46
2018-08-24 18:07:40,294 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-24 18:07:40
2018-08-24 18:07:40,425 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-25 06:55:06,223 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-25 06:55:06
2018-08-25 08:49:38,008 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-25 08:49:37
2018-08-25 08:49:38,639 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-25 13:59:22,480 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-25 13:59:22
2018-08-26 01:13:34,694 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-26 01:13:34
2018-08-26 07:40:24,589 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-26 07:40:24
2018-08-26 07:40:24,650 fail2ban.actions        [25601]: WARNING [assp]
200.29.108.214 already banned
2018-08-26 11:40:47,031 fail2ban.filter         [25601]: INFO    [assp]
Found 200.29.108.214 - 2018-08-26 11:40:46
2018-08-26 14:39:45,487 fail2ban.actions        [25601]: NOTICE  [assp]
Unban 200.29.108.214


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
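An added example (not part of the original message, and not fail2ban or ASSP code) that cross-checks the two logs above: it builds the periods during which fail2ban considered an address banned and lists ASSP sessions opened inside them, which is the pattern visible in this post. It assumes both logs share one clock and treats an "already banned" line as proof a ban is in force; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample lines copied from the logs in this post, unwrapped onto single lines.
FAIL2BAN_LOG = """\
2018-08-23 14:15:36,320 fail2ban.actions        [25601]: WARNING [assp] 200.29.108.214 already banned
2018-08-24 03:58:57,293 fail2ban.filter         [25601]: INFO    [assp] Found 200.29.108.214 - 2018-08-24 03:58:57
2018-08-26 14:39:45,487 fail2ban.actions        [25601]: NOTICE  [assp] Unban 200.29.108.214
"""
ASSP_LOG = """\
2018-08-24_03:58:54 [Worker_1] Connected: session:7F9012DE59F8 200.29.108.214:45121 > 192.168.69.246:25 > 192.168.69.246:125
2018-08-24_18:07:37 [Worker_1] Connected: session:7F8FFD3EBBA8 200.29.108.214:30145 > 192.168.69.246:25 > 192.168.69.246:125
"""
F2B_ACTION = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: \w+\s+\[\S+\] "
    r"(?:(Ban|Unban) (\S+)|(\S+) already banned)$")
ASSP_CONN = re.compile(
    r"^(\d{4}-\d\d-\d\d_\d\d:\d\d:\d\d) \[\S+\] Connected: session:(\S+) "
    r"([\d.]+):\d+ > [\d.]+:(\d+)")

def ban_windows(f2b_text):
    """Return {ip: [(start, end_or_None), ...]}: periods fail2ban held a ban."""
    windows, open_since = {}, {}
    for line in f2b_text.splitlines():
        m = F2B_ACTION.match(line)
        if not m:
            continue  # filter "Found" lines and anything else are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "Unban":
            if m.group(3) in open_since:
                windows.setdefault(m.group(3), []).append((open_since.pop(m.group(3)), ts))
        else:  # "Ban" or "already banned": assume the ban is in force by now
            open_since.setdefault(m.group(3) or m.group(4), ts)
    for ip, start in open_since.items():  # bans never lifted in this log
        windows.setdefault(ip, []).append((start, None))
    return windows

def connections_during_ban(assp_text, windows):
    """Return (time, ip, port, session) for ASSP sessions opened while banned."""
    hits = []
    for line in assp_text.splitlines():
        m = ASSP_CONN.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d_%H:%M:%S")
        for start, end in windows.get(m.group(3), []):
            if start <= ts and (end is None or ts <= end):
                hits.append((ts, m.group(3), int(m.group(4)), m.group(2)))
    return hits
```

Calling `connections_during_ban(ASSP_LOG, ban_windows(FAIL2BAN_LOG))` on the sample returns both sessions on port 25; any hit is a reason to compare the jail's ban action and port settings with the port the mail proxy listens on.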
