23rd July 2012, 20:39
pawan

Yes, you are right. Actions do now show for fail2ban in the ISPCONFIG logs and the fail2ban logs as well.
But now there is a new problem.
The mail.warn log shows
Quote:
Jul 23 23:22:06 server1 postfix/smtpd[18714]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:07 server1 postfix/smtpd[20007]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:08 server1 postfix/smtpd[18714]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:09 server1 postfix/smtpd[20007]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:40 server1 postfix/smtpd[20007]: last message repeated 25 times
Jul 23 23:23:03 server1 postfix/smtpd[20007]: last message repeated 18 times
Jul 23 23:23:03 server1 postfix/smtpd[20123]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:24:12 server1 postfix/smtpd[20123]: last message repeated 8 times
However, fail2ban is not banning this IP, which has repeated failures. Below is a copy of the fail2ban log.

Quote:
2012-07-22 21:49:29,626 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-07-22 21:49:29,727 fail2ban.jail : INFO Creating new jail 'courierpop3'
2012-07-22 21:49:29,727 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2012-07-22 21:49:29,843 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:29,944 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:30,246 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:30,347 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:31,454 fail2ban.jail : INFO Creating new jail 'courierimap'
2012-07-22 21:49:31,454 fail2ban.jail : INFO Jail 'courierimap' uses poller
2012-07-22 21:49:31,555 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:31,656 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:31,957 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:32,058 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:33,165 fail2ban.jail : INFO Creating new jail 'ssh'
2012-07-22 21:49:33,165 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-07-22 21:49:33,266 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-07-22 21:49:33,367 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:33,670 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:33,770 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:35,883 fail2ban.jail : INFO Creating new jail 'postfix'
2012-07-22 21:49:35,883 fail2ban.jail : INFO Jail 'postfix' uses poller
2012-07-22 21:49:35,984 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:36,084 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:36,386 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:36,487 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:37,594 fail2ban.jail : INFO Creating new jail 'sasl'
2012-07-22 21:49:37,594 fail2ban.jail : INFO Jail 'sasl' uses poller
2012-07-22 21:49:37,695 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:37,997 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:38,097 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:39,205 fail2ban.jail : INFO Creating new jail 'apache'
2012-07-22 21:49:39,205 fail2ban.jail : INFO Jail 'apache' uses poller
2012-07-22 21:49:39,306 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2012-07-22 21:49:39,407 fail2ban.filter : INFO Set maxRetry = 5
2012-07-22 21:49:39,708 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:39,809 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:41,120 fail2ban.jail : INFO Creating new jail 'proftpd'
2012-07-22 21:49:41,120 fail2ban.jail : INFO Jail 'proftpd' uses poller
2012-07-22 21:49:41,221 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-07-22 21:49:41,322 fail2ban.filter : INFO Set maxRetry = 5
2012-07-22 21:49:41,624 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:41,725 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:43,138 fail2ban.jail : INFO Jail 'courierpop3' started
2012-07-22 21:49:43,240 fail2ban.jail : INFO Jail 'courierimap' started
2012-07-22 21:49:43,343 fail2ban.jail : INFO Jail 'ssh' started
2012-07-22 21:49:43,445 fail2ban.jail : INFO Jail 'postfix' started
2012-07-22 21:49:43,548 fail2ban.jail : INFO Jail 'sasl' started
2012-07-22 21:49:43,651 fail2ban.jail : INFO Jail 'apache' started
2012-07-22 21:49:43,753 fail2ban.jail : INFO Jail 'proftpd' started
2012-07-22 23:03:21,732 fail2ban.actions: WARNING [courierpop3] Ban 223.231.22.77
2012-07-22 23:03:21,799 fail2ban.actions: WARNING [courierimap] Ban 223.231.22.77
2012-07-22 23:13:22,370 fail2ban.actions: WARNING [courierpop3] Unban 223.231.22.77
2012-07-22 23:13:22,442 fail2ban.actions: WARNING [courierimap] Unban 223.231.22.77
2012-07-22 23:54:33,954 fail2ban.actions: WARNING [courierpop3] Ban 223.231.22.77
2012-07-22 23:54:34,984 fail2ban.actions: WARNING [courierimap] Ban 223.231.22.77
2012-07-23 00:04:34,605 fail2ban.actions: WARNING [courierpop3] Unban 223.231.22.77
2012-07-23 00:04:35,617 fail2ban.actions: WARNING [courierimap] Unban 223.231.22.77
2012-07-23 15:10:56,859 fail2ban.actions: WARNING [postfix] Ban 117.205.72.170
2012-07-23 15:11:37,014 fail2ban.actions: WARNING [postfix] Ban 89.137.58.53
2012-07-23 15:12:45,096 fail2ban.actions: WARNING [postfix] Ban 115.242.66.0
2012-07-23 15:13:32,158 fail2ban.actions: WARNING [postfix] Ban 14.98.154.163
2012-07-23 15:20:57,637 fail2ban.actions: WARNING [postfix] Unban 117.205.72.170
2012-07-23 15:21:37,692 fail2ban.actions: WARNING [postfix] Unban 89.137.58.53
2012-07-23 15:22:45,776 fail2ban.actions: WARNING [postfix] Unban 115.242.66.0
2012-07-23 15:23:32,837 fail2ban.actions: WARNING [postfix] Unban 14.98.154.163
2012-07-23 16:30:32,974 fail2ban.actions: WARNING [courierimap] Ban 223.231.22.77
2012-07-23 16:30:32,976 fail2ban.actions: WARNING [courierpop3] Ban 223.231.22.77
2012-07-23 16:30:32,989 fail2ban.actions.action: ERROR iptables -I fail2ban-courierpop3 1 -s 223.231.22.77 -j DROP returned 400
2012-07-23 16:40:33,600 fail2ban.actions: WARNING [courierimap] Unban 223.231.22.77
2012-07-23 16:40:33,611 fail2ban.actions: WARNING [courierpop3] Unban 223.231.22.77
2012-07-23 16:40:33,622 fail2ban.actions.action: ERROR iptables -D fail2ban-courierpop3 -s 223.231.22.77 -j DROP returned 100
Any clue why this IP with multiple failures is not getting banned?
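A check for the situation in the post above, as an added example that is not part of the original post: it reads fail2ban startup output in the format quoted there and lists jails that were created without an "Added logfile" line, which is the case for the 'sasl' jail in the pasted log. The sample log is constructed from that format, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the fail2ban.log quoted in the post.
SAMPLE_LOG = """\
2012-07-22 21:49:35,883 fail2ban.jail : INFO Creating new jail 'postfix'
2012-07-22 21:49:35,883 fail2ban.jail : INFO Jail 'postfix' uses poller
2012-07-22 21:49:35,984 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:36,084 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:37,594 fail2ban.jail : INFO Creating new jail 'sasl'
2012-07-22 21:49:37,594 fail2ban.jail : INFO Jail 'sasl' uses poller
2012-07-22 21:49:37,695 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:39,205 fail2ban.jail : INFO Creating new jail 'apache'
2012-07-22 21:49:39,306 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
"""

JAIL_RE = re.compile(r"INFO\s+Creating new jail '([^']+)'")
LOGFILE_RE = re.compile(r"INFO\s+Added logfile = (\S+)")


def jail_logfiles(log_text):
    """Map each jail name to the log files fail2ban reported attaching to it."""
    jails, current = {}, None
    for line in log_text.splitlines():
        m = JAIL_RE.search(line)
        if m:
            current = m.group(1)
            jails[current] = []  # a restart re-creates the jail; keep the latest view
            continue
        m = LOGFILE_RE.search(line)
        if m and current is not None:
            jails[current].append(m.group(1))
    return jails


def jails_without_logfile(log_text):
    """Jails created with no log file attached: their filter has nothing to read."""
    return sorted(name for name, files in jail_logfiles(log_text).items() if not files)


if __name__ == "__main__":
    for name, files in jail_logfiles(SAMPLE_LOG).items():
        print(f"{name:10s} {', '.join(files) or 'NO LOGFILE ATTACHED'}")
```
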