  #5  
Old 20th November 2008, 08:02
cat
Member
 
Join Date: Sep 2008
Location: Australia
Posts: 40
Thanks: 9
Thanked 3 Times in 3 Posts
Default I am unsure that fail2ban is working

fail2ban was updated a day or two ago when I ran update manager. This usually does not cause any problems.
After the update I noticed some new information when I ran iptables -L

From iptables -L
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-named-refused-tcp tcp -- anywhere anywhere multiport dports domain,953
fail2ban-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-courierauth tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-apache tcp -- anywhere anywhere multiport dports www
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-couriersmtp tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports www,https
fail2ban-apache-multiport tcp -- anywhere anywhere multiport dports www,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-named-refused-udp udp -- anywhere anywhere multiport dports domain,953
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports www
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Is this correct, or is there a problem with fail2ban?

I also noticed in the fail2ban.log

From fail2ban.log
Quote:
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:49 myserv1 last message repeated 5 times
Nov 20 09:45:53 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 4 times
Nov 20 09:47:42 myserv1 last message repeated 3 times
There does not seem to be anything banning these attempts. When fail2ban used to ban things it would put "ban" on the end of the line; I don't see that any more. I created a jail.local and added the jails from falko's how-to on setting up fail2ban on Debian. However, I had to make most of them "enabled = false" because I got the following error messages.

From fail2ban.log
Quote:
2008-11-19 14:42:08,616 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 09:55:44,518 fail2ban.actions.action: ERROR iptables -N fail2ban-couriersmtp
iptables -A fail2ban-couriersmtp -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-couriersmtp returned 200
2008-11-20 09:55:44,718 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2008-11-20 10:23:24,921 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2008-11-20 11:03:28,170 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j
2008-11-20 11:47:11,684 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j
2008-11-20 11:47:19,780 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:12:56,511 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'pop3: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:16:15,491 fail2ban.comm : WARNING Invalid command: ['set', 'courierimap', 'failregex', 'imapd: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:18:49,953 fail2ban.comm : WARNING Invalid command: ['set', 'sasl', 'failregex', 'warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed']
2008-11-20 12:20:22,177 fail2ban.comm : WARNING Invalid command: ['set', 'proftpd', 'failregex', 'proftpd: \\(pam_unix\\) authentication failure; .* rhost=<HOST>']
2008-11-20 13:08:47,448 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
I have read everything I can, but I can't find anything that seems to make a difference. Does anyone have any ideas?

From mail.log
Quote:
Nov 20 09:37:58 myserv1 postfix/smtpd[25042]: connect from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:37:59 myserv1 postfix/smtpd[25042]: NOQUEUE: reject: RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]: 554 5.7.1 <dcu846eg@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<dcu846eg@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>
Nov 20 09:38:00 myserv1 postfix/smtpd[25042]: lost connection after RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:38:00 myserv1 postfix/smtpd[25042]: disconnect from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:38:03 myserv1 postfix/smtpd[25042]: connect from localhost[127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:38:03 myserv1 postfix/smtpd[25042]: disconnect from localhost[127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:38:03 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:41:10 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 postfix/smtpd[25469]: connect from localhost[127.0.0.1]
Nov 20 09:41:10 myserv1 postfix/smtpd[25469]: disconnect from localhost[127.0.0.1]
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max connection rate 1/60s for (smtp:118.168.101.96) at Nov 20 09:37:58
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max connection count 1 for (smtp:118.168.101.96) at Nov 20 09:37:58
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max cache size 1 at Nov 20 09:37:58
Nov 20 09:42:52 myserv1 postfix/smtpd[25469]: connect from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:12 myserv1 last message repeated 2 times
Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: connect from localhost[127.0.0.1]
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: disconnect from localhost[127.0.0.1]
Nov 20 09:44:32 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:45:03 myserv1 last message repeated 3 times
Nov 20 09:46:07 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 3 times
Nov 20 09:47:11 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:22 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:47:22 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:47:22 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:47:22 myserv1 postfix/smtpd[25961]: connect from localhost[127.0.0.1]
Nov 20 09:47:22 myserv1 postfix/smtpd[25961]: disconnect from localhost[127.0.0.1]
Nov 20 09:47:24 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:42 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: too many errors after AUTH from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: disconnect from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:50:29 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:50:29 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:50:29 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:50:29 myserv1 postfix/smtpd[26364]: connect from localhost[127.0.0.1]
Nov 20 09:50:29 myserv1 postfix/smtpd[26364]: disconnect from localhost[127.0.0.1]
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max connection rate 1/60s for (smtp:124.8.75.8) at Nov 20 09:42:52
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max connection count 1 for (smtp:124.8.75.8) at Nov 20 09:42:52
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max cache size 1 at Nov 20 09:42:52
Also, as a separate issue, I am getting lots of entries like the ones below in my mail.log file. Is there a problem there, and if not, is there a way to stop them from being generated?

From mail.log
Quote:
Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: connect from localhost[127.0.0.1]
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: disconnect from localhost[127.0.0.1]
Thanks for your help
cat
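As an added illustration (not from the post above and not fail2ban's own code), the sasl failregex quoted in the fail2ban.log excerpt is run over the SASL lines from the post, first as written and then with syslog's "last message repeated N times" compression re-expanded, to show how many failures a line-by-line matcher actually sees. The `<HOST>` stand-in pattern and the `maxretry` value are assumptions, not fail2ban's exact internals.

```python
import re

# failregex exactly as it appears in the post's fail2ban.log (WARNING Invalid command line).
SASL_FAILREGEX = r'warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed'
# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption, not fail2ban's real pattern).
HOST_RE = r'(?P<host>[A-Za-z0-9.:-]+)'

# syslog's compression line: "Nov 20 09:44:49 myserv1 last message repeated 5 times"
REPEAT_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) last message repeated (\d+) times$')

# Sample input, copied from the post's fail2ban.log excerpt.
SAMPLE_LOG = """\
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:49 myserv1 last message repeated 5 times
Nov 20 09:45:53 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 4 times
Nov 20 09:47:42 myserv1 last message repeated 3 times
""".splitlines()


def expand_repeats(lines):
    """Replace each 'last message repeated N times' line with N copies of the
    preceding real line, so every failed login is visible to a per-line matcher."""
    out, prev = [], None
    for line in lines:
        m = REPEAT_RE.match(line)
        if m and prev is not None:
            out.extend([prev] * int(m.group(3)))
        else:
            out.append(line)
            prev = line
    return out


def count_failures(lines, expand=True):
    """Count failregex matches per host, optionally after re-expanding syslog repeats."""
    regex = re.compile(SASL_FAILREGEX.replace('<HOST>', HOST_RE))
    counts = {}
    for line in (expand_repeats(lines) if expand else lines):
        m = regex.search(line)
        if m:
            counts[m.group('host')] = counts.get(m.group('host'), 0) + 1
    return counts


def would_ban(lines, maxretry, expand=True):
    """Hosts whose failure count reaches maxretry (maxretry is a caller-supplied assumption)."""
    return sorted(h for h, n in count_failures(lines, expand).items() if n >= maxretry)


if __name__ == '__main__':
    print(count_failures(SAMPLE_LOG, expand=False), count_failures(SAMPLE_LOG))
```

With the repeats left compressed the matcher sees only 2 failures from 124.8.75.8; after expansion it sees 20, which is the difference between a host that stays under a modest maxretry and one that crosses it.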