Did you mean to set the timeout on f2b-postfix-sasl to ten minutes (600)? These
will count down and fall off the list without fail2ban knowing. You should see
the countdown with:
watch ipset -L f2b-postfix-sasl
Bill
On 7/27/2020 9:06 PM, [email protected] wrote:
Hello List, thanks in advance for any help you can provide….
I hope you can help me with this…
Fresh CentOS 8 installed with fail2ban + firewalld/system
Everything installed from rpm
I have installed and configured 2 jails, sshd and postfix-sasl. Firewalld is running and getting the list of banned IPs from fail2ban
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 1:65535 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
Both jails are detecting and banning IPs, as you can see in the output: 64 and 787 IPs banned respectively
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 15
| |- Total failed: 2979
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 64
|- Total banned: 64
`- Banned IP list: 46.38.150.37 185.143.73.134 185.143.73.203 46.38.145.253
46.38.145.252 ….. [output cut]
[root@vps01 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 68
| |- Total failed: 787
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 359
|- Total banned: 380
`- Banned IP list: 128.199.142.0 119.29.56.139 210.126.5.91 190.143.39.211 107.159.22.18 181.166.87.8 85.172.11.101
….[output cut]
However, the problem is that firewalld after a couple of minutes loses the list of IPs from fail2ban and it stops blocking,
and actually no longer blocks any new IP added to the jail
As you can see here from command output postfix-sasl has 0 entries, If I
[root@vps01 ~]# ipset list
Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 6168
References: 1
Number of entries: 0
Members:
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Size in memory: 29688
References: 1
Number of entries: 362
Members:
188.166.164.10 timeout 161635
41.111.135.199 timeout 161638
…. [output cut]
62.94.206.57 timeout 161639
49.232.162.53 timeout 172712
If fail2ban is restarted, postfix-sasl gets its members and effectively blocks connections, but after a couple of minutes it goes back to 0 entries and stops protecting…
[root@vps01 ~]# ipset list|grep -v timeout
Name: f2b-sshd
Type: hash:ip
Revision: 4
Size in memory: 29208
References: 1
Number of entries: 361
Members:
Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Size in memory: 6264
References: 1
Number of entries: 64
Members:
-- running versions –
cyrus-sasl-2.1.26-23.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
cyrus-sasl-lib-2.1.26-23.el7.x86_64
cyrus-sasl-md5-2.1.26-23.el7.x86_64
cyrus-sasl-plain-2.1.26-23.el7.x86_64
fail2ban-0.10.5-2.el7.noarch
fail2ban-firewalld-0.10.5-2.el7.noarch
fail2ban-sendmail-0.10.5-2.el7.noarch
fail2ban-server-0.10.5-2.el7.noarch
fail2ban-systemd-0.10.5-2.el7.noarch
postfix-2.10.1-9.el7.x86_64
--
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
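
A check for the situation discussed in this thread, as an added example that is not part of the original messages: it compares each f2b-* set's entry count from `ipset list` with fail2ban's "Currently banned" figure and reports the set's timeout. The sample data is constructed from the values quoted above, and the function names are hypothetical.

```bash
# Constructed sample of `ipset list` output, using values quoted in the thread.
SAMPLE_IPSET='Name: f2b-postfix-sasl
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Number of entries: 0
Members:
Name: f2b-sshd
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Number of entries: 362
Members:
188.166.164.10 timeout 161635'

# Constructed stand-in for fail2ban's "Currently banned" count per jail.
sample_banned() {
  case "$1" in
    postfix-sasl) echo 64 ;;
    sshd)         echo 359 ;;
  esac
}

# `ipset list` text on stdin -> "set-name timeout entries", one line per set.
parse_ipset() {
  awk '
    /^Name: /   { name = $2 }
    /^Header: / { t = "none"
                  for (i = 2; i < NF; i++) if ($i == "timeout") t = $(i + 1) }
    /^Number of entries: / { print name, t, $4 }'
}

# Reads parse_ipset output on stdin. $1 names a command that prints the
# "Currently banned" count for a jail. Returns 1 if any set holds fewer
# entries than fail2ban believes are banned.
audit_sets() {
  local banned_cmd=$1 name timeout entries banned rc=0
  while read -r name timeout entries; do
    banned=$("$banned_cmd" "${name#f2b-}")
    [ -n "$banned" ] || continue          # no matching jail: skip the set
    if [ "$entries" -lt "$banned" ]; then
      echo "DRIFT $name: ipset=$entries fail2ban=$banned set-timeout=$timeout"
      rc=1
    else
      echo "OK $name: ipset=$entries fail2ban=$banned set-timeout=$timeout"
    fi
  done
  return "$rc"
}

# On a live host (as root), replace the sample inputs with:
#   live_banned() { fail2ban-client status "$1" | awk '/Currently banned:/ {print $NF}'; }
#   ipset list | parse_ipset | audit_sets live_banned
printf '%s\n' "$SAMPLE_IPSET" | parse_ipset | audit_sets sample_banned || true
```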