#1
22nd July 2012, 19:24
pawan
Senior Member
Join Date: Jul 2010
Posts: 222

fail2ban something unusual

While everything looks OK and the fail2ban status shows it running, it appears that something is wrong there.

Reason being my mail.warn log files were getting flooded with unwanted traffic and failed attempts.

Now after proper activation of fail2ban, the mail.warn log appears to be almost dead slow.

It looks very strange that just by correcting fail2ban all the bots have gone away.
There is no ban or unban of ips in the fail2ban log.

It appears that the events are not getting logged properly.

How can I make sure that everything is OK?

Thanks.
#2
23rd July 2012, 09:00
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,197

Take a look at the fail2ban.log file, you will see all ban / unban actions there.
Till Brehm

#3
23rd July 2012, 20:39
pawan
Senior Member
Join Date: Jul 2010
Posts: 222

Yes, you are right. Actions do now show for fail2ban in the ISPConfig logs and the fail2ban logs as well.
But now there is a new problem.
The mail.warn log shows
Quote:
Jul 23 23:22:06 server1 postfix/smtpd[18714]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:07 server1 postfix/smtpd[20007]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:08 server1 postfix/smtpd[18714]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:09 server1 postfix/smtpd[20007]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:22:40 server1 postfix/smtpd[20007]: last message repeated 25 times
Jul 23 23:23:03 server1 postfix/smtpd[20007]: last message repeated 18 times
Jul 23 23:23:03 server1 postfix/smtpd[20123]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure
Jul 23 23:24:12 server1 postfix/smtpd[20123]: last message repeated 8 times
Whereas fail2ban is not banning this IP, which has repeated failures. Below is a copy of the fail2ban log.

Quote:
2012-07-22 21:49:29,626 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-07-22 21:49:29,727 fail2ban.jail : INFO Creating new jail 'courierpop3'
2012-07-22 21:49:29,727 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2012-07-22 21:49:29,843 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:29,944 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:30,246 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:30,347 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:31,454 fail2ban.jail : INFO Creating new jail 'courierimap'
2012-07-22 21:49:31,454 fail2ban.jail : INFO Jail 'courierimap' uses poller
2012-07-22 21:49:31,555 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:31,656 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:31,957 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:32,058 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:33,165 fail2ban.jail : INFO Creating new jail 'ssh'
2012-07-22 21:49:33,165 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-07-22 21:49:33,266 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-07-22 21:49:33,367 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:33,670 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:33,770 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:35,883 fail2ban.jail : INFO Creating new jail 'postfix'
2012-07-22 21:49:35,883 fail2ban.jail : INFO Jail 'postfix' uses poller
2012-07-22 21:49:35,984 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2012-07-22 21:49:36,084 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:36,386 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:36,487 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:37,594 fail2ban.jail : INFO Creating new jail 'sasl'
2012-07-22 21:49:37,594 fail2ban.jail : INFO Jail 'sasl' uses poller
2012-07-22 21:49:37,695 fail2ban.filter : INFO Set maxRetry = 3
2012-07-22 21:49:37,997 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:38,097 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:39,205 fail2ban.jail : INFO Creating new jail 'apache'
2012-07-22 21:49:39,205 fail2ban.jail : INFO Jail 'apache' uses poller
2012-07-22 21:49:39,306 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2012-07-22 21:49:39,407 fail2ban.filter : INFO Set maxRetry = 5
2012-07-22 21:49:39,708 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:39,809 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:41,120 fail2ban.jail : INFO Creating new jail 'proftpd'
2012-07-22 21:49:41,120 fail2ban.jail : INFO Jail 'proftpd' uses poller
2012-07-22 21:49:41,221 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-07-22 21:49:41,322 fail2ban.filter : INFO Set maxRetry = 5
2012-07-22 21:49:41,624 fail2ban.filter : INFO Set findtime = 600
2012-07-22 21:49:41,725 fail2ban.actions: INFO Set banTime = 600
2012-07-22 21:49:43,138 fail2ban.jail : INFO Jail 'courierpop3' started
2012-07-22 21:49:43,240 fail2ban.jail : INFO Jail 'courierimap' started
2012-07-22 21:49:43,343 fail2ban.jail : INFO Jail 'ssh' started
2012-07-22 21:49:43,445 fail2ban.jail : INFO Jail 'postfix' started
2012-07-22 21:49:43,548 fail2ban.jail : INFO Jail 'sasl' started
2012-07-22 21:49:43,651 fail2ban.jail : INFO Jail 'apache' started
2012-07-22 21:49:43,753 fail2ban.jail : INFO Jail 'proftpd' started
2012-07-22 23:03:21,732 fail2ban.actions: WARNING [courierpop3] Ban 223.231.22.77
2012-07-22 23:03:21,799 fail2ban.actions: WARNING [courierimap] Ban 223.231.22.77
2012-07-22 23:13:22,370 fail2ban.actions: WARNING [courierpop3] Unban 223.231.22.77
2012-07-22 23:13:22,442 fail2ban.actions: WARNING [courierimap] Unban 223.231.22.77
2012-07-22 23:54:33,954 fail2ban.actions: WARNING [courierpop3] Ban 223.231.22.77
2012-07-22 23:54:34,984 fail2ban.actions: WARNING [courierimap] Ban 223.231.22.77
2012-07-23 00:04:34,605 fail2ban.actions: WARNING [courierpop3] Unban 223.231.22.77
2012-07-23 00:04:35,617 fail2ban.actions: WARNING [courierimap] Unban 223.231.22.77
2012-07-23 15:10:56,859 fail2ban.actions: WARNING [postfix] Ban 117.205.72.170
2012-07-23 15:11:37,014 fail2ban.actions: WARNING [postfix] Ban 89.137.58.53
2012-07-23 15:12:45,096 fail2ban.actions: WARNING [postfix] Ban 115.242.66.0
2012-07-23 15:13:32,158 fail2ban.actions: WARNING [postfix] Ban 14.98.154.163
2012-07-23 15:20:57,637 fail2ban.actions: WARNING [postfix] Unban 117.205.72.170
2012-07-23 15:21:37,692 fail2ban.actions: WARNING [postfix] Unban 89.137.58.53
2012-07-23 15:22:45,776 fail2ban.actions: WARNING [postfix] Unban 115.242.66.0
2012-07-23 15:23:32,837 fail2ban.actions: WARNING [postfix] Unban 14.98.154.163
2012-07-23 16:30:32,974 fail2ban.actions: WARNING [courierimap] Ban 223.231.22.77
2012-07-23 16:30:32,976 fail2ban.actions: WARNING [courierpop3] Ban 223.231.22.77
2012-07-23 16:30:32,989 fail2ban.actions.action: ERROR iptables -I fail2ban-courierpop3 1 -s 223.231.22.77 -j DROP returned 400
2012-07-23 16:40:33,600 fail2ban.actions: WARNING [courierimap] Unban 223.231.22.77
2012-07-23 16:40:33,611 fail2ban.actions: WARNING [courierpop3] Unban 223.231.22.77
2012-07-23 16:40:33,622 fail2ban.actions.action: ERROR iptables -D fail2ban-courierpop3 -s 223.231.22.77 -j DROP returned 100
Any clue, why this IP with multiple failures is not getting banned?
#4
25th July 2012, 14:11
pawan
Senior Member
Join Date: Jul 2010
Posts: 222

Hi Till,
I have observed that it is only on SASL authentication failures that fail2ban is not banning the IP:
Quote:
Jul 25 14:56:05 server1 postfix/smtpd[6259]: warning: unknown[110.186.222.242]: SASL LOGIN authentication failed: authentication failure
Jul 25 14:57:05 server1 postfix/smtpd[6259]: last message repeated 13 times
Please help; where should I look?

#5
26th July 2012, 12:12
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Can you post your saslauthd filter rule from fail2ban?
Falko

#6
26th July 2012, 15:23
pawan
Senior Member
Join Date: Jul 2010
Posts: 222

Thanks, Falko. I am giving below the contents of sasl.conf in the filter.d folder.

Is there any other file called the saslauthd filter file?

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
#ignoreregex =
#7
27th July 2012, 12:42
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Can you try
Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
instead?
Falko
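To see why the original failregex never fires on these lines while the shortened one does, here is an added Python check (not code from the thread or from fail2ban itself) that substitutes the <HOST> tag the way fail2ban v0.8 documents it and runs both patterns over the mail.warn lines quoted above; the maxretry of 3 is taken from the sasl jail settings in the fail2ban log.

```python
import re
from collections import Counter

# fail2ban v0.8 expands the <HOST> tag to this alias (quoted in the filter's header comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from the poster's sasl.conf. Its tail allows either end-of-line or a
# ": <base64>" suffix; Postfix logs ": authentication failure", which is neither, so the
# final "$" never matches and the line is silently ignored.
ORIGINAL_FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
                      r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$")
# Falko's version drops the suffix and the anchor, so any trailing reason text is accepted.
FIXED_FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
                   r" authentication failed")

# Lines taken from the mail.warn excerpts quoted earlier in the thread.
MAIL_WARN = [
    "Jul 23 23:22:06 server1 postfix/smtpd[18714]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 23:22:07 server1 postfix/smtpd[20007]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 23:22:08 server1 postfix/smtpd[18714]: warning: 1-168-240-74.dynamic.hinet.net[1.168.240.74]: SASL LOGIN authentication failed: authentication failure",
    # syslog's "repeated" line carries no host, so no failregex can ever count these attempts.
    "Jul 23 23:22:40 server1 postfix/smtpd[20007]: last message repeated 25 times",
    "Jul 25 14:56:05 server1 postfix/smtpd[6259]: warning: unknown[110.186.222.242]: SASL LOGIN authentication failed: authentication failure",
]


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def ban_candidates(failregex, lines, maxretry=3):
    """Hosts reaching the jail's maxretry (the sample all falls inside one findtime window)."""
    counts = Counter(matched_hosts(failregex, lines))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(name, "matches:", matched_hosts(rx, MAIL_WARN),
              "would ban:", sorted(ban_candidates(rx, MAIL_WARN)))
```

The same check can be run against a live log with fail2ban-regex, which uses the jail's real date handling; the point here is that attempts collapsed by syslog into "last message repeated N times" are invisible to either pattern, so the jail sees fewer failures than the log implies.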
#8
30th July 2012, 09:29
pawan
Senior Member
Join Date: Jul 2010
Posts: 222

Thanks. Your suggestion has resolved the problem.

#9
18th December 2012, 19:58
baskin
Senior Member
Join Date: Jan 2008
Location: Syros, Greece
Posts: 118

I'm getting the following in the fail2ban log:

Code:
2012-12-18 16:33:49,518 fail2ban.actions: WARNING [courierpop3] Ban 122.225.36.98
2012-12-18 16:33:49,528 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2012-12-18 16:33:49,529 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-12-18 16:33:49,543 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2012-12-18 16:43:50,298 fail2ban.actions: WARNING [courierpop3] Unban 122.225.36.98
Are the errors something to worry about?

Thanks in advance.