[CentOS] fail2ban detecting and banning but nothing happens

Gary Stainburn gary.stainburn at ringways.co.uk
Fri Apr 19 14:35:59 UTC 2019


On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
> > I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested
> > on another page:
>
> The standard exim.conf already has a 535 filter. Was that not working
> for you?

I was following the instructions as shown on the page.  I did find after 
sending my post that there was already a regex in the standard file, so I 
should be able to remove the one I added. However, the regex part doesn't 
seem to be the problem as the actions are being correctly triggered.

> >        \[<HOST>\]: 535 Incorrect authentication data
> >
> > which appears to be successfully matching lines in /var/log/exim/mail.log
> > such as
> >
> > 2019-04-19 13:06:10 dovecot_plain authenticator failed for
> > ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
> Just to check - you are authenticating against dovecot for SMTP within
> exim (and it's not that dovecot authentication is getting mixed up with
> the exim logs)?

This is correct.  I am using Dovecot to authenticate the SMTP users.  The 
errors are being logged in /var/log/exim/main.log and not 
in /var/log/dovecot.log or /var/log/maillog.

>
> > /var/log/fail2ban.log, and the generated emails all say that the regex
> > is working and the IP addresses are getting banned.
> >
> > 2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE 
> > [dovecot] Ban 45.227.253.99
> > 2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 185.222.209.71
> > 2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE 
> > [dovecot] Unban 185.211.245.198
> > 2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE 
> > [dovecot] Unban 185.234.217.221
> > 2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 185.234.217.162
> > 2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE 
> > [dovecot] Ban 185.234.217.162
> > 2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 185.234.217.221
> > 2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE 
> > [dovecot] Ban 185.211.245.198
> > 2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO   
> > [dovecot] Found 185.211.245.198
>
> It would be much, much easier to read if you didn't wrap the log lines
> - I've unwrapped them for you:
(I didn't wrap them, my mail client did. Sorry)

>
> 2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
>
> > However, once an IP address is banned, it continues to appear
> > in /var/log/exim/main.log which would imply that the ban action is not
> > working.
>
> Only for one more attempt - I presume your ban action is to modify the
> firewall, but the firewall doesn't stop established connections, so as
> long as the remote host has an open TCP connection it can continue to
> attempt to login. If your authenticator drops the connection after 3
> attempts and Fail2Ban blocks after 2 failed attempts you will see what
> you've got.

The event that triggers the ban does complete as normal, which is what I would 
expect as the ban is triggered by the log entry which is *after* the failed 
attempt.

However, after the /var/log/fail2ban.log showed the IP as banned, I continue 
to see entries in /var/log/exim/main.log.

>
>
> > (Also, I don't understand why it's matching against dovecot when the
> > regex is in exim.conf)
>
> Because the log line says dovecot - the actual name of the .conf file
> is irrelevant and nowhere in the filter config files does it mention
> [exim] explicitly (or any other section). The section is determined
> from the log line using the filters.

I did wonder that, but had initially assumed that it took it from the 
module / target.
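A small diagnostic in the spirit of Pete's explanation, added here and not part of the thread: it applies the failregex quoted above to a main.log line, then scans fail2ban.log for "Found" events logged after a "Ban", separating hits inside a short grace window (the already-open TCP connection finishing its attempts, which the firewall rule does not cut) from later hits, which would mean the ban action is not taking effect. The sample log lines, the 60-second grace window and the IPv4-only stand-in for fail2ban's <HOST> pattern are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# failregex from the thread; fail2ban substitutes <HOST> with its own host pattern,
# an IPv4-only stand-in is assumed here (real fail2ban also matches hostnames/IPv6).
EXIM_FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines (RFC 5737 documentation addresses, not the thread's IPs).
MAIN_LOG = [
    "2019-04-19 13:06:10 dovecot_plain authenticator failed for "
    "([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data",
    "2019-04-19 13:06:11 <= sender@example.test H=(mx) [192.0.2.11] P=esmtps",
]
FAIL2BAN_LOG = [
    "2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 192.0.2.10",
    "2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 192.0.2.10",
    "2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 192.0.2.10",
    "2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 198.51.100.7",
    "2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 198.51.100.7",
    "2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 198.51.100.7",
    "2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 198.51.100.7",
]
F2B_RE = re.compile(r"^(?P<ts>\S+ \S+) fail2ban\.\w+\s+\[\d+\]: \w+\s+"
                    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)$")

def exim_hosts(lines):
    """Hosts the exim failregex extracts from main.log lines (what the filter 'Found')."""
    pat = re.compile(EXIM_FAILREGEX.replace("<HOST>", HOST_RE))
    return [m.group("host") for m in map(pat.search, lines) if m]

def post_ban_hits(lines, grace=timedelta(seconds=60)):
    """Per banned IP, count 'Found' events logged after its 'Ban': inside the grace
    window it is the already-open TCP connection finishing its attempts (expected);
    after it, the ban never took effect at the firewall and needs investigating."""
    banned_at, hits = {}, {}
    for line in lines:
        m = F2B_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        ip, event = m["ip"], m["event"]
        if event == "Ban":
            banned_at[ip] = ts
            hits.setdefault(ip, {"in_grace": 0, "after_grace": 0})
        elif event == "Unban":
            banned_at.pop(ip, None)
        elif event == "Found" and ip in banned_at:
            key = "in_grace" if ts - banned_at[ip] <= grace else "after_grace"
            hits[ip][key] += 1
    return hits
```

An IP with a non-zero "after_grace" count is the case worth checking in the firewall (for example, that the fail2ban action's chain is actually hit by incoming SMTP traffic).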
