Fail2ban not banning everything that I specified

Discussion in 'Installation/Configuration' started by Milos331, Apr 15, 2020.

  1. Milos331

    Milos331 New Member

    Hello everyone, I'm pretty new at Linux administration and I wanted to protect my mail server.
    I only use this server for mail and studying.
    Hopefully someone can point out where I made a mistake, thank you.

    I left fail2ban to work for a couple of days and I got this result:

    Status for the jail: dovecot
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 35 ( but none of these were banned? )
    | `- Journal matches: _SYSTEMD_UNIT=dovecot.service
    `- Actions
    |- Currently banned: 1
    |- Total banned: 1
    `- Banned IP list: 212.200.247.126 ( I tested it via phone )

    Status for the jail: postfix-sasl
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 34 ( none of these banned? )
    | `- Journal matches:
    `- Actions
    |- Currently banned: 0
    |- Total banned: 0
    `- Banned IP list:
    but fail2ban.log said:
    2020-04-13 18:25:13,118 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 18:25:12
    2020-04-13 18:25:17,276 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 18:25:17
    2020-04-13 19:32:43,735 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 19:32:43
    2020-04-13 19:32:47,035 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 19:32:47
    2020-04-14 21:31:32,546 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:31:32
    2020-04-14 21:52:02,538 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 21:52:02
    2020-04-14 21:52:06,285 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:52:06
    2020-04-14 22:19:29,131 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:19:29
    2020-04-14 22:19:33,318 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:19:33
    2020-04-14 22:40:20,186 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:40:19
    2020-04-14 22:40:24,111 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:40:24
    2020-04-14 22:58:34,316 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:58:34
    2020-04-14 22:58:38,260 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:58:38
    2020-04-14 23:16:25,082 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 23:16:25
    2020-04-14 23:16:28,227 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 23:16:28

    Postfix didn't find anything...


    My jail.local conf
    [longterm]
    port = ssh
    logpath = %(sshd_log)s
    banaction = iptables-multiport
    maxretry = 6
    findtime = 259200
    bantime = 31536000
    enabled = true
    filter = sshd

    [dovecot]
    enabled = true
    port = pop3,pop3s,imap,imaps
    filter = dovecot
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/maillog
    #findtime = 3600
    #bantime = 7200
    maxretry = 2

    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    action = iptables
    logpath = /var/log/audit/audit.log
    #findtime = 14400
    #bantime = 7200
    maxretry = 3


    [postfix]
    enabled = true
    port = smtp
    filter = postfix
    action = iptables[name=postfix, port=smtp, protocol=tcp]
    logpath = /var/log/maillog
    #findtime = 3600
    #bantime = 7200
    maxretry = 2

    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    action = iptables[name=postfix, port=smtp, protocol=tcp]
    logpath = /var/log/maillog
    #findtime = 3600
    #bantime = 7200
    maxretry = 2
     


  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. nhybgtvfr

    nhybgtvfr Active Member

    why are you expecting any of those in that bit of log to be banned?
    you have maxretry of 2 for postfix, postfix-sasl, and dovecot, and findtime is disabled in those local jails, so we have to assume they're using the default findtime in /etc/fail2ban/jail.conf, which is 10 minutes.
    none of those IPs are making more than 2 attempts at the same jail in any 10-minute period, so there is no reason for the system to ban them.

    in fact, it's only in the first 4 entries in that bit of logging that any attempt on the same jail occurs within any 10-minute period. 2 to dovecot, and 2 to postfix-sasl.
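    To check this reasoning against the quoted log rather than by eye, here is a small replay of fail2ban's counting rule (an IP is banned in a jail once it has at least maxretry matches whose timestamps fall within findtime seconds) over the exact "Found" lines from the first post. This is an added example, not code from the thread or from the fail2ban project; the "Found" line format is parsed with a hand-written regex, and the 600-second findtime is the jail.conf default named above, not a value read from the poster's system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: the fail2ban.log "Found" lines quoted in the first
# post of this thread, copied verbatim (timestamps and IPs as posted).
FAIL2BAN_LOG = """\
2020-04-13 18:25:13,118 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 18:25:12
2020-04-13 18:25:17,276 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 18:25:17
2020-04-13 19:32:43,735 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 19:32:43
2020-04-13 19:32:47,035 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 19:32:47
2020-04-14 21:31:32,546 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:31:32
2020-04-14 21:52:02,538 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 21:52:02
2020-04-14 21:52:06,285 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:52:06
2020-04-14 22:19:29,131 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:19:29
2020-04-14 22:19:33,318 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:19:33
2020-04-14 22:40:20,186 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:40:19
2020-04-14 22:40:24,111 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:40:24
2020-04-14 22:58:34,316 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:58:34
2020-04-14 22:58:38,260 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:58:38
2020-04-14 23:16:25,082 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 23:16:25
2020-04-14 23:16:28,227 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 23:16:28
"""

# Hand-written pattern for the "Found" lines above (an assumption about the
# format, not taken from fail2ban's own sources).
FOUND_RE = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.filter\s+\[\d+\]: "
    r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+) - "
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_found(log_text):
    """Yield (jail, ip, failure_time) per 'Found' line, using the trailing
    timestamp (the time of the matched mail-log entry), which is the one
    that matters for the findtime window."""
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            yield m["jail"], m["ip"], datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S")


def simulate_bans(events, maxretry, findtime):
    """Sliding-window replay of the ban rule: an (jail, ip) pair is banned
    once it has >= maxretry failures within findtime seconds.
    Returns {jail: [(ip, ban_time), ...]} for pairs that would be banned."""
    window = timedelta(seconds=findtime)
    history = defaultdict(deque)   # (jail, ip) -> timestamps still inside the window
    bans = defaultdict(list)
    banned = set()
    for jail, ip, t in sorted(events, key=lambda e: e[2]):
        key = (jail, ip)
        if key in banned:
            continue               # further attempts would be blocked by the ban
        q = history[key]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()            # drop failures that aged out of findtime
        if len(q) >= maxretry:
            bans[jail].append((ip, t))
            banned.add(key)
            q.clear()
    return dict(bans)


def largest_burst(events, findtime):
    """For each (jail, ip) pair, the most failures seen inside any single
    findtime window; handy for seeing how far each source is from maxretry."""
    window = timedelta(seconds=findtime)
    per_key = defaultdict(list)
    for jail, ip, t in events:
        per_key[(jail, ip)].append(t)
    result = {}
    for key, times in per_key.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[key] = best
    return result


EVENTS = list(parse_found(FAIL2BAN_LOG))

if __name__ == "__main__":
    # maxretry=2 from the poster's jail.local, findtime=600 assumed from jail.conf
    print("bans with findtime=600 :", simulate_bans(EVENTS, maxretry=2, findtime=600))
    print("bans with findtime=3600:", simulate_bans(EVENTS, maxretry=2, findtime=3600))
    for key, n in sorted(largest_burst(EVENTS, 600).items()):
        print(f"{key}: at most {n} failure(s) in any 600 s window")
```

    With the 600-second default the replay produces no bans at all, because every source leaves more than ten minutes between attempts on the same jail; widening findtime to 3600 (the value commented out in the poster's jail.local) would ban 185.234.218.246 in both dovecot and postfix-sasl on its second attempt. For the separate question of whether a filter's regexes match the mail log at all, fail2ban ships fail2ban-regex, run as fail2ban-regex <logfile> <filter>, which reports how many lines each regex matched or missed.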
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Your [postfix] jail didn't match anything; check the regexes in the postfix filter.d file against the log entries they should match, it could be they need adjusting. More likely there were simply no such log entries during that time. As @nhybgtvfr indicates, there is probably nothing wrong, the behaviour matches the logs.
     
