fail2ban not working?

Discussion in 'Installation/Configuration' started by dynamind, Jul 16, 2013.

  1. dynamind

    dynamind Member

    I've been monitoring the mail.log and curiously just in this moment
    I found

    fail2ban doesn't respond? I had to stop that with iptables drop.

    Last edited: Jul 16, 2013
  2. alexa6moon

    alexa6moon New Member

    I also have some trouble when following the instructions to install ISPConfig 3 in Debian
    18 Install fail2ban
    /etc/init.d/fail2ban restart
    [ ok ] Restarting authentication failure monitor: fail2ban.
    I changed
    nano /etc/fail2ban/jail.local
    filter = pureftpd
    filter = pure-ftpd
    but it still appears
    [ ok ] Restarting authentication failure monitor: fail2ban.

    Please, I need help!
    Last edited: Sep 14, 2013
  3. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Multiple problems here.

    1. -- the regex doesn't match
    2. banaction = route -> is this wanted? Don't know what route does, but it's not IPTables (at least not the default)
    3. The restart is fine... nothing wrong there..

    you could try:

    ^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
  4. scarleo

    scarleo New Member

    I'd say go with CSF instead, it is much more powerful than Fail2ban and really easy to set up:

    It's almost out of the box, very little configuration needed.
  5. concept21

    concept21 Member

    fail2ban sasl filter works for my Ubuntu 10.04. :)

    I have read from other posts here. The procedure is simple.

    Edit the failregex line in /etc/fail2ban/filter.d/sasl.conf as:

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

    Edit /etc/fail2ban/jail.local:

    logpath = /var/log/mail.warn

    This picture shows how fail2ban blocks hackers attacking from 3 different mail protocols.

    Last edited: Sep 17, 2013
  6. SamTzu

    SamTzu Member HowtoForge Supporter

    According to their home page CSF may require rewriting some regex rules on Debian. I don't like that at all.