I've followed one of the pages on line specifically for installing fail2ban on Centos 7 and all looks fine.
I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on another page:
[<HOST>]: 535 Incorrect authentication data
which appears to be successfully matchnig lines in /var/log/exim/mail.log such as
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
/var/log/fail2ban.log, and the generarted emails all say that the regex is working and the IP addresses are getting banned.
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
However, once an IP address is banned, it continues to appear in /var/log/exim/main.log which would imply that the ban action is not working.
(Also, I don't understand why it's matching against dovecont ewhen the regex is in exim.conf)
I've found lots of pages relating to regex errors which this obviously isn't but I can't seem to find pages about why the ban doesn't work. Does anyone have any ideas?
I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on another page:
The standard exim.conf already has a 535 filter. Was that not working for you?
\[<HOST>\]: 535 Incorrect authentication datawhich appears to be successfully matchnig lines in /var/log/exim/mail.log such as
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
Just to check - you are authenticating against dovecot for SMTP within exim (and it's not that dovecot authentication is getting mixed up with the exim logs)?
/var/log/fail2ban.log, and the generarted emails all say that the regex is working and the IP addresses are getting banned.
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
It would be much, much easier to read if you didn't wrap the log lines - I've unwrapped them for you:
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
However, once an IP address is banned, it continues to appear in /var/log/exim/main.log which would imply that the ban action is not working.
Only for one more attempt - I presume your ban action is to modify the firewall, but the firewall doesn't stop established connections, so as long as the remote host has an open TCP connection it can continue to attempt to login. If your authenticator drops the connection after 3 attempts and Fail2Ban blocks after 2 failed attempts you will see what you've got.
(Also, I don't understand why it's matching against dovecont ewhen the regex is in exim.conf)
Because the log line says dovecot - the actual name of the .conf file is irrelevant and nowhere in the filter config files does it mention [exim] explicitly (or any other section). The section is determined from the log line using the filters.
P.
On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on another page:
The standard exim.conf already has a 535 filter. Was that not working for you?
I was following the instructions as shown on the page. I did find after sending my post that there was already a regex in the standard file, so should be able to remove the one I added. However, the regex part doesn't seem to be the problem as the actions are being correctly triggered.
\[<HOST>\]: 535 Incorrect authentication datawhich appears to be successfully matchnig lines in /var/log/exim/mail.log such as
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
Just to check - you are authenticating against dovecot for SMTP within exim (and it's not that dovecot authentication is getting mixed up with the exim logs)?
This is correct. I am using Dovecot to authenticate the SMTP users. The errors are being logged in /var/log/exim/main.log and not in /var/log/dovecot.log or /var/log/maillog
/var/log/fail2ban.log, and the generarted emails all say that the regex is working and the IP addresses are getting banned.
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
It would be much, much easier to read if you didn't wrap the log lines
- I've unwrapped them for you:
(I didn't wrap them, my mail client did. Sorry)
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
However, once an IP address is banned, it continues to appear in /var/log/exim/main.log which would imply that the ban action is not working.
Only for one more attempt - I presume your ban action is to modify the firewall, but the firewall doesn't stop established connections, so as long as the remote host has an open TCP connection it can continue to attempt to login. If your authenticator drops the connection after 3 attempts and Fail2Ban blocks after 2 failed attempts you will see what you've got.
The event that triggers the ban does complete as normal, which is what I would expect as the ban is triggered by the log entry which is *after* the failed attempt.
However, after the /var/log/fail2ban.log showed the IP as banned, I continue to see entries in /var/log/exim/main.log
(Also, I don't understand why it's matching against dovecont ewhen the
regex is in exim.conf)
Because the log line says dovecot - the actual name of the .conf file is irrelevant and nowhere in the filter config files does it mention [exim] explicitly (or any other section). The section is determined from the log line using the filters.
I did wonder that, but had initially assumed that the it took it from the module / target.
The event that triggers the ban does complete as normal, which is what I would expect as the ban is triggered by the log entry which is *after* the failed attempt.
However, after the /var/log/fail2ban.log showed the IP as banned, I continue to see entries in /var/log/exim/main.log
What ban action do you use? If it's something like iptables-multiport, then I wonder if the fact that it's detecting the failures as '[dovecot]' means that it's using the dovecot ports, not the exim ports, when applying the iptable rule.
When a host has been banned, can you look at the iptables rules to see what is actually being applied.
P.
On Saturday 20 April 2019 00:32:43 Pete Biggs wrote:
What ban action do you use? If it's something like iptables-multiport, then I wonder if the fact that it's detecting the failures as '[dovecot]' means that it's using the dovecot ports, not the exim ports, when applying the iptable rule.
When a host has been banned, can you look at the iptables rules to see what is actually being applied.
Hi Pete,
I did wonder that myself. I have now amended to Dovecot definition in jail.conf to:
[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587 logpath = %(dovecot_log)s backend = %(dovecot_backend)s
I then unbanned and banned each IP address manually with
for F in 46.232.112.21 106.226.231.159 [snip] 52.38.234.254 ; do fail2ban-client set dovecot unbanip $F fail2ban-client set dovecot banip $F done
which worked. However, having done this, the connections are still getting through to EXIM.
[root@ollie2 ~]# fail2ban-client status dovecot Status for the jail: dovecot |- Filter | |- Currently failed: 6 | |- Total failed: 199 | `- Journal matches: _SYSTEMD_UNIT=dovecot.service `- Actions |- Currently banned: 41 |- Total banned: 82 `- Banned IP list: 46.232.112.21 106.226.231.159 113.120.142.149 113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 49.87.109.233 52.38.234.254 [root@ollie2 ~]# ipset list Name: fail2ban-sshd Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 3600000 Size in memory: 120 References: 0 Number of entries: 0 Members:
Name: fail2ban-dovecot Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 3600000 Size in memory: 3768 References: 0 Number of entries: 41 Members: 185.211.245.198 timeout 4294522 [snip] 45.227.253.99 timeout 4294532 117.60.247.84 timeout 4294514
Name: fail2ban-exim Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 3600000 Size in memory: 408 References: 0 Number of entries: 3 Members: 185.234.217.160 timeout 4294290 85.222.209.56 timeout 4294291 185.222.209.71 timeout 4294289 [root@ollie2 ~]#
I did wonder that myself. I have now amended to Dovecot definition in jail.conf to:
[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587 logpath = %(dovecot_log)s backend = %(dovecot_backend)s
I then unbanned and banned each IP address manually with
Did you reload the configuration? ("fail2ban-client reload")
What action are you using - you mention ipset, are you using iptables- ipset-proto4? I don't know anything about ipset, but can you see what ports are being blocked in the fail2ban-dovecot set (just to make sure it is doing the correct thing).
If you manually add an IP address to the *exim* jail, does it get blocked?
P.
On Friday 26 April 2019 14:54:43 Pete Biggs wrote:
I did wonder that myself. I have now amended to Dovecot definition in jail.conf to:
[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587 logpath = %(dovecot_log)s backend = %(dovecot_backend)s
I then unbanned and banned each IP address manually with
Did you reload the configuration? ("fail2ban-client reload")
What action are you using - you mention ipset, are you using iptables- ipset-proto4? I don't know anything about ipset, but can you see what ports are being blocked in the fail2ban-dovecot set (just to make sure it is doing the correct thing).
If you manually add an IP address to the *exim* jail, does it get blocked?
I saved all config files and restarted the fail2ban service. I even rebooted the box. My jail.conf definition for exim is now:
[exim]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587 logpath = %(exim_main_log)s
I have also added a REGEX into /etc/fail2ban/filter.d/exim.conf
^%(pid)s.* [<HOST>] rejected EHLO or HELO
to match entries like:
2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: Your server with the IP 102.165.49.64 is with helo name (User) configured incorrectly. Email has been blocked. (HELO Error)
The HELO message seem to have stopped appearing in the logs, so it looks like that is working. However, the original Dovecot authentication errors are still appearing in exim/main.log
[root@ollie2 ~]# fail2ban-client status dovecot Status for the jail: dovecot |- Filter | |- Currently failed: 2 | |- Total failed: 180 | `- Journal matches: _SYSTEMD_UNIT=dovecot.service `- Actions |- Currently banned: 41 |- Total banned: 41 `- Banned IP list: 106.226.231.159 113.120.142.149 113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 46.232.112.21 49.87.109.233 52.38.234.254 [root@ollie2 ~]# fail2ban-client status exim Status for the jail: exim |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- Journal matches: `- Actions |- Currently banned: 4 |- Total banned: 4 `- Banned IP list: 103.114.104.149 185.222.209.71 185.234.217.160 85.222.209.56 [root@ollie2 ~]# ipset list Name: fail2ban-sshd Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 3600000 Size in memory: 120 References: 0 Number of entries: 0 Members:
Name: fail2ban-dovecot Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 3600000 Size in memory: 3864 References: 0 Number of entries: 41 Members: 185.222.209.56 timeout 4291085 185.234.217.162 timeout 4291086 114.106.134.228 timeout 4291075 45.227.253.100 timeout 4291094 188.165.238.157 timeout 4291088 203.2.118.130 timeout 4291088 140.224.60.165 timeout 4291082 141.98.80.32 timeout 4291083 183.135.168.89 timeout 4291084 27.156.176.146 timeout 4291092 46.232.112.21 timeout 4291096 113.120.143.41 timeout 4291074 113.120.142.149 timeout 4291073 117.29.90.228 timeout 4291077 185.222.209.71 timeout 4291085 185.234.217.221 timeout 4291087 117.31.46.4 timeout 4291078 49.87.109.233 timeout 4291097 41.164.192.74 timeout 4291092 121.237.56.154 timeout 4291080 14.29.161.224 timeout 4291081 117.24.39.199 timeout 4291077 120.43.54.45 timeout 4291079 185.36.81.165 timeout 4291087 140.224.61.88 timeout 4291083 210.6.94.23 timeout 4291090 114.238.30.180 timeout 4291076 116.91.166.50 timeout 4291076 106.226.231.159 timeout 4291067 27.156.139.95 timeout 4291091 52.38.234.254 timeout 4291098 122.7.227.53 timeout 4291081 117.60.247.84 timeout 4291078 209.166.164.71 timeout 4291089 185.211.245.198 timeout 4291085 180.146.128.112 timeout 4291084 185.234.217.160 timeout 4291086 211.72.92.124 timeout 4291090 121.233.206.62 timeout 4291080 45.227.253.99 timeout 4291095 119.127.17.82 timeout 4291079
Name: fail2ban-exim Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 3600000 Size in memory: 504 References: 0 Number of entries: 4 Members: 185.234.217.160 timeout 4291074 185.222.209.71 timeout 4291073 85.222.209.56 timeout 4291075 103.114.104.149 timeout 4291067 [root@ollie2 ~]#
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
On 4/19/2019 5:30 AM, Gary Stainburn wrote:
I've followed one of the pages on line specifically for installing fail2ban on Centos 7 and all looks fine.
Which page? It would help to see what they advised. On Friday 19 April 2019 16:15:32 Kenneth Porter wrote: On 4/19/2019 5:30 AM, Gary Stainburn wrote:
I've followed one of the pages on line specifically for installing fail2ban on Centos 7 and all looks fine.
Which page? It would help to see what they advised.
I think I worked from two pages. One I believe was
https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/
I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.
/var/log/fail2ban.log is showing that it's working:
2019-04-26 11:41:08,850 fail2ban.filter [7853]: INFO [dovecot] Found 155.133.4.195 2019-04-26 11:41:09,651 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56 2019-04-26 11:41:11,397 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56 2019-04-26 11:41:11,909 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56 2019-04-26 11:41:12,873 fail2ban.actions [7853]: NOTICE [dovecot] 185.222.209.56 already banned 2019-04-26 11:41:24,306 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56 2019-04-26 11:41:25,010 fail2ban.filter [7853]: INFO [dovecot] Found 46.232.112.21 2019-04-26 11:41:36,035 fail2ban.filter [7853]: INFO [dovecot] Found 46.232.112.21 2019-04-26 11:41:40,564 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100 2019-04-26 11:41:50,779 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100 2019-04-26 11:41:50,915 fail2ban.actions [7853]: NOTICE [dovecot] 45.227.253.100 already banned 2019-04-26 11:43:23,603 fail2ban.filter [7853]: INFO [dovecot] Found 185.36.81.165 2019-04-26 11:43:24,016 fail2ban.actions [7853]: NOTICE [dovecot] 185.36.81.165 already banned 2019-04-26 11:44:09,734 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100 2019-04-26 11:44:19,887 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
and yet the IP is still getting through to exim:
2019-04-26 11:41:39 dovecot_plain authenticator failed for ([46.232.112.21]) [46.232.112.21]: 535 Incorrect authentication data (set_id=aa26fa5) 2019-04-26 11:41:44 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=*********) 2019-04-26 11:41:55 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=********) 2019-04-26 11:43:27 dovecot_login authenticator failed for (88.211.105.31) [185.36.81.165]: 535 Incorrect authentication data (set_id=**********) 2019-04-26 11:44:13 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=****************) 2019-04-26 11:44:23 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=****************) 2019-04-26 11:45:19 dovecot_plain authenticator failed for ([185.222.209.56]) [185.222.209.56]: 535 Incorrect authentication data (set_id=****************) 2019-04-26 11:45:35 dovecot_plain authenticator failed for ([185.222.209.56]) [185.222.209.56]: 535 Incorrect authentication data (set_id=****************) 2019-04-26 11:46:36 dovecot_plain authenticator failed for ([185.222.209.56]) [185.222.209.56]: 535 Incorrect authentication data (set_id=****************) 2019-04-26 11:46:37 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=****************)
2019-04-26 11:43:23,603 fail2ban.filter [7853]: INFO [dovecot] Found 185.36.81.165 2019-04-26 11:43:24,016 fail2ban.actions [7853]: NOTICE [dovecot] 185.36.81.165 already banned 2019-04-26 11:44:09,734 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100 2019-04-26 11:44:19,887 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
and yet the IP is still getting through to exim:
Yes, as I said before Fail2Ban is detecting it as a dovecot failure, so it is probably blocking the dovecot ports, not the exim/smtp ports. The "already banned" is a give away. You can verify that by looking at the blocked iptable ports when a host has been banned.
You can either sort out why it's detecting it as dovecot and not exim or you can modify the fail2ban dovecot config in jail.local by adding the smtp port to the list of ports.
P.
På Fri, 26 Apr 2019 11:50:47 +0100 Gary Stainburn gary.stainburn@ringways.co.uk skrev:
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
On 4/19/2019 5:30 AM, Gary Stainburn wrote:
I've followed one of the pages on line specifically for installing fail2ban on Centos 7 and all looks fine.
Which page? It would help to see what they advised. On Friday 19 April 2019 16:15:32 Kenneth Porter wrote: On 4/19/2019 5:30 AM, Gary Stainburn wrote:
I've followed one of the pages on line specifically for installing fail2ban on Centos 7 and all looks fine.
Which page? It would help to see what they advised.
I think I worked from two pages. One I believe was
https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/
I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.
/var/log/fail2ban.log is showing that it's working:
I have seem similar odd behaviour with f2b with other filters. Try to uninstall the package fail2ban-systemd and stop and start fail2ban again. This might change its behavior to the better.
Allan.
/var/log/fail2ban.log is showing that it's working:
I have seem similar odd behaviour with f2b with other filters. Try to uninstall the package fail2ban-systemd and stop and start fail2ban again. This might change its behavior to the better.
The fail2ban-systemd package configures fail2ban to use systemd journal for log input. The OP can see that it is detecting the transgressions, so the input side of things is not the issue. What they appear to be having problems with is the banning process.
Personally, I don't use 'firewallcmd-ipset' for banaction, I use 'iptables-multiport'. But the OP needs to look at what exactly is happening to the firewall configuration when an IP is banned.
P.
På Sun, 28 Apr 2019 12:59:59 +0100 Pete Biggs pete@biggs.org.uk skrev:
/var/log/fail2ban.log is showing that it's working:
I have seem similar odd behaviour with f2b with other filters. Try to uninstall the package fail2ban-systemd and stop and start fail2ban again. This might change its behavior to the better.
The fail2ban-systemd package configures fail2ban to use systemd journal for log input. The OP can see that it is detecting the transgressions, so the input side of things is not the issue.
I do not agree. Yes, it is detecting something is bad - but it is the wrong filter, that is doing it, and that should not happen. Yes, both dovecot and exim filters look in some of the same ports; but the filters should know to look into the different logs. However the f2b-systemd 'package' seems to clutter this up. For me, I was trying to setup the recidive filter (for extended banning of ongoing abusers) but it wouldn't ban anything either. Removing the f2b-systemd package fixed it. Do notice, the f2b-systemd package is optional - it is not included with a simple f2b install - but the OP only installed it because of the instructions on that howtoforge website. I've been there, done that, too :-)
Thats why I think, he should try to remove it - as it didn't do any harm to my system, when I removed it - but it fixed recidive filtering.
It is also interesting to read about the backend in jail.conf Acording to that, backend = auto is default and auto includes 3 choices, where systemd is not even one of them - so installing systemd as default is quite an override, that may not be such a good idea (depending on the filters you choose)
Allan.
On 4/26/19 3:50 AM, Gary Stainburn wrote:
I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.
This is my process for fail2ban:
1: "yum install fail2ban" This installs fail2ban and fail2ban-firewalld.
2: install /etc/fail2ban/jail.local. This file enables the matching rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures.
[sshd] enabled = true maxretry = 10
3: install /etc/fail2ban/action.d/firewallcmd-ipset.local. This file overrides the default action defined in /etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in /etc/fail2ban/jail.d/00-firewalld.conf. The new definition blocks the source address from *all* TCP ports rather than just the ports defined for the jail (in /etc/fail2ban/jail.conf). You might also choose to remove the "-p <protocol>" spec to block all access instead of just TCP access.
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime> firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype> ipset flush fail2ban-<name> ipset destroy fail2ban-<name>
4: systemctl enable fail2ban
That's one approach. I believe that you could modify fewer files by setting "port = 0:65535" in your definition in "jail.local" and not install firewallcmd-ipset.local.
On Monday 29 April 2019 02:21:05 Gordon Messmer wrote:
That's one approach. I believe that you could modify fewer files by setting "port = 0:65535" in your definition in "jail.local" and not install firewallcmd-ipset.local.
I have just tried this, and re-started fail2ban. It does not seem to have worked.
I have looked at /var/log/exim/main.log and found lots of lines like
2019-04-29 09:39:15 dovecot_plain authenticator failed for (hosting-by.directwebhost.org.) [45.227.253.100]: 535 Incorrect authentication data
which are still not being stopped. I have run the commands
[root@ollie2 ~]# fail2ban-client set exim banip 45.227.253.100 45.227.253.100 [root@ollie2 ~]# fail2ban-client set exim banip 46.232.112.21 46.232.112.21 [root@ollie2 ~]#
and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).
[DEFAULT] # set a higher bantime and findtime bantime=3600000 findtime=1200 # set the IP's to ignore / not ban ignoreip = 127.0.0.1/8 10.0.0.0/8 # set max number of attempts maxretry = 3 # set mail receiver destemail = fail2ban@ringways.co.uk sender = fail2ban@ringways.co.uk # enable sending mails, whois and logfile sections by choosing the "action_mwl" template, # see jail.conf for details action = %(action_mwl)s
[exim] port = 0:65535
[dovecot] port = 0:65535
On 4/29/19 1:44 AM, Gary Stainburn wrote:
and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).
[exim] port = 0:65535
If that's all that's in jail.local, then the jail shouldn't be enabled. They're off by default. I'd suggest that you remove fail2ban completely. Remove the packages, and then delete /etc/fail2ban, and start again.
When you're done, look at the output of "iptables -n -L INPUT_direct":
# iptables -n -L INPUT_direct Chain INPUT_direct (1 references) target prot opt source destination REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 match-set fail2ban-sshd src reject-with icmp-port-unreachable
On Monday 29 April 2019 17:21:54 Gordon Messmer wrote:
On 4/29/19 1:44 AM, Gary Stainburn wrote:
and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).
[exim] port = 0:65535
If that's all that's in jail.local, then the jail shouldn't be enabled. They're off by default. I'd suggest that you remove fail2ban completely. Remove the packages, and then delete /etc/fail2ban, and start again.
When you're done, look at the output of "iptables -n -L INPUT_direct":
# iptables -n -L INPUT_direct Chain INPUT_direct (1 references) target prot opt source destination REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 match-set fail2ban-sshd src reject-with icmp-port-unreachable
My jail.conf contains the following. What I included above was jail.local
[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587 logpath = %(dovecot_log)s backend = %(dovecot_backend)s
[exim]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587 logpath = %(exim_main_log)s
I was also coming to the conclusion that it was time to start again. I'll let you know how I get on
Gary
-
Allan -
Gary Stainburn -
Gordon Messmer -
Kenneth Porter -
Pete Biggs