fail2ban something unusual

Discussion in 'Installation/Configuration' started by pawan, Jul 22, 2012.

  1. pawan

    pawan New Member

    While everything looks Ok. Fail2ban status shows running.
    Yet it appears like something is wrong there.

    Reason being my mail.warn log files were getting flooded with unwanted traffic and failed attempts.

    Now after proper activation of fail2ban, the mail.warn log appears to be almost dead slow.

    It looks very strange that just by correcting fail2ban all the bots have gone away.
    There is no ban or unban of ips in the fail2ban log.

    it appears that the events are not getting logged properly.

    How I can make sure that everything is OK.

    Thanks.
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Take a look at the fail2ban.log file, you will see all ban / unban actions there.
     
  3. pawan

    pawan New Member

    Yes you are right. actions do now show for fail2ban in ISPCONFIG logs and fail2ban logs as well.
    But now there is a new problem.
    The mail.warn log shows
    Whereas fail2ban is not banning this IP, which has a repeated failue. Below is the copy of the fail2ban log

    Any clue, why this IP with multiple failures is not getting banned?
     
  4. pawan

    pawan New Member

    Hi Till
    I have observed that is only the SASL authentication failure, where fail2ban is not banning the IP
    Please help, where I should look for?
     
  5. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you post your saslauthd filter rule from fail2ban?
     
  6. pawan

    pawan New Member

    Thanks Falko. I am giving below the contents of sasl.conf in filter.d folder.

    Is there any other file called saslauthd filter file?

    Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 728 $
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    
    
    Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    #ignoreregex = 
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you try
    Code:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    instead?
     
  8. pawan

    pawan New Member

    Thanks
    Your suggestion has resolved the Problem.
     
  9. baskin

    baskin New Member

    I'm getting the following on fail2ban log:

    Code:
    2012-12-18 16:33:49,518 fail2ban.actions: WARNING [courierpop3] Ban 122.225.36.98
    2012-12-18 16:33:49,528 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
    2012-12-18 16:33:49,529 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2012-12-18 16:33:49,543 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
    iptables -F fail2ban-courierpop3
    iptables -X fail2ban-courierpop3 returned 100
    2012-12-18 16:43:50,298 fail2ban.actions: WARNING [courierpop3] Unban 122.225.36.98
    Are the errors something to worry about?

    Thanks in advance.
     
: fail2ban

Share This Page