fail2ban v0.10.4
opensuse tumbleweed v
Fail2ban is not detecting live instances of IPs that should be banned. Below
is the result of fail2ban-regex using the same filter and log file as the f2b
server. 73 found. 0 banned.
F2b has not found an instance of jail "cgpro-imap" in days.
What prevents the f2b-server from actually doing its job?
----[ missed instance ]----
instance:
06:18:50.984 3 IMAP-052500([5.62.57.117]:2230) failed to accept a secure connection for DOMAIN(sma-inc.us). Error Code=TLS alert record received
log excerpt. Nothing at 06:18:
2021-05-28 06:17:44,408 fail2ban.actions [12140]: NOTICE [assp-1] Ban 204.44.120.184
2021-05-28 06:20:31,996 fail2ban.filter [12140]: INFO [assp-1] Found 195.133.39.253 - 2021-05-28 06:20:31
----[ end ]----
----[ regex results ]----
$ sudo fail2ban-regex /data01/var/CommuniGate/cgp-current.log /etc/fail2ban/filter.d/cgpro-imap.conf
Running tests
=============
Use failregex filter file : cgpro-imap, basedir: /etc/fail2ban
Use datepattern : 24hour:Minute:Second
Use log file : /data01/var/CommuniGate/cgp-current.log
Use encoding : UTF-8
Results
=======
Failregex: 73 total
|- #) [# of hits] regular expression
| 2) [73] ^.*IMAP.*\(\[<HOST>\]\:.*\) failed to accept a secure connection for DOMAIN.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [16775] 24hour:Minute:Second
`-
Lines: 16775 lines, 0 ignored, 73 matched, 16702 missed
[processed in 1.51 sec]
----[ end ]----
----[ jail and filter config ]----
jail:
[cgpro-imap]
enabled = true
port = 143,993
logpath = /data01/var/CommuniGate/cgp-current.log
datepattern = %%H:%%M:%%S
#
bantime = 12w
maxretry = 2
findtime = 3w
action = iptables-multiport[name=cgp-i, port="143,993", protocol=tcp]
filter:
[Definition]
__cgpro-imap_actions = (?:dropping|refusing)
failregex = ^.*IMAP.*\(\[<HOST>\]\:.*\).*\]\:(143|993)\..*Error Code=account is not available.*$
            ^.*IMAP.*\(\[<HOST>\]\:.*\) failed to accept a secure connection for DOMAIN.*$
----[ end ]----
[Aside] I have never decided exactly what this is telling me...
Status for the jail: cgpro-imap
|- Filter
| |- Currently failed: 14
| |- Total failed: 69
| `- File list: /data01/var/CommuniGate/cgp-current.log
`- Actions
|- Currently banned: 45
|- Total banned: 46
[/aside]
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
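
One way to list the filter matches that never reached the running server, as an added example that is not part of the original post: it applies the post's second failregex to the service log and reports every hit that has no "Found" entry for the jail in fail2ban.log. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the function names and the 192.0.2.10 sample lines are assumptions of this example.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Second failregex of the cgpro-imap filter quoted in the post.
FAILREGEX = re.compile(
    r"^.*IMAP.*\(\[<HOST>\]\:.*\) failed to accept a secure connection for DOMAIN.*$"
    .replace("<HOST>", HOST))
# "Found" entry layout as it appears in the post's fail2ban.log excerpt.
FOUND = re.compile(
    r"fail2ban\.filter\s+\[\d+\]:\s+INFO\s+\[(?P<jail>[^\]]+)\]\s+Found\s+"
    r"(?P<host>\S+) - \d{4}-\d{2}-\d{2} (?P<time>\d{2}:\d{2}:\d{2})")

def service_hits(lines):
    """(HH:MM:SS, host) for every service-log line the failregex matches."""
    return [(ln[:8], m.group("host"))
            for ln in lines if (m := FAILREGEX.match(ln))]

def found_events(lines, jail):
    """Set of (HH:MM:SS, host) the server logged as Found for this jail."""
    return {(m.group("time"), m.group("host"))
            for ln in lines
            if (m := FOUND.search(ln)) and m.group("jail") == jail}

def missed(service_lines, f2b_lines, jail):
    """Filter matches with no corresponding Found entry in fail2ban.log."""
    seen = found_events(f2b_lines, jail)
    return [hit for hit in service_hits(service_lines) if hit not in seen]

# Sample input: the 5.62.57.117, 204.44.120.184 and 195.133.39.253 lines come
# from the post; the 192.0.2.10 lines are constructed for the matched case.
SERVICE_LOG = [
    "06:10:02.120 3 IMAP-052311([192.0.2.10]:4410) failed to accept a secure "
    "connection for DOMAIN(example.org). Error Code=TLS alert record received",
    "06:18:50.984 3 IMAP-052500([5.62.57.117]:2230) failed to accept a secure "
    "connection for DOMAIN(sma-inc.us). Error Code=TLS alert record received",
]
F2B_LOG = [
    "2021-05-28 06:10:02,311 fail2ban.filter [12140]: INFO [cgpro-imap] Found 192.0.2.10 - 2021-05-28 06:10:02",
    "2021-05-28 06:17:44,408 fail2ban.actions [12140]: NOTICE [assp-1] Ban 204.44.120.184",
    "2021-05-28 06:20:31,996 fail2ban.filter [12140]: INFO [assp-1] Found 195.133.39.253 - 2021-05-28 06:20:31",
]

if __name__ == "__main__":
    for when, host in missed(SERVICE_LOG, F2B_LOG, "cgpro-imap"):
        print(f"{when} {host}: matched by failregex, no Found entry")
```
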