[CentOS] fail2ban detecting and banning but nothing happens
Gary Stainburn
gary.stainburn at ringways.co.uk
Fri Apr 19 14:35:59 UTC 2019
On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
> > I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested
> > on another page:
>
> The standard exim.conf already has a 535 filter. Was that not working
> for you?
I was following the instructions as shown on the page. I did find after
sending my post that there was already a regex in the standard file, so
I should be able to remove the one I added. However, the regex part doesn't
seem to be the problem as the actions are being correctly triggered.
> > \[<HOST>\]: 535 Incorrect authentication data
> >
> > which appears to be successfully matching lines in /var/log/exim/mail.log
> > such as
> >
> > 2019-04-19 13:06:10 dovecot_plain authenticator failed for
> > ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
> Just to check - you are authenticating against dovecot for SMTP within
> exim (and it's not that dovecot authentication is getting mixed up with
> the exim logs)?
This is correct. I am using Dovecot to authenticate the SMTP users. The
errors are being logged in /var/log/exim/main.log and not
in /var/log/dovecot.log or /var/log/maillog.
>
> > /var/log/fail2ban.log, and the generated emails all say that the regex
> > is working and the IP addresses are getting banned.
> >
> > 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
> > 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71
> > 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198
> > 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221
> > 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162
> > 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
> > 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221
> > 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198
> > 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
>
> It would be much, much easier to read if you didn't wrap the log lines
> - I've unwrapped them for you:
(I didn't wrap them, my mail client did. Sorry)
>
> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
>
> > However, once an IP address is banned, it continues to appear
> > in /var/log/exim/main.log which would imply that the ban action is not
> > working.
>
> Only for one more attempt - I presume your ban action is to modify the
> firewall, but the firewall doesn't stop established connections, so as
> long as the remote host has an open TCP connection it can continue to
> attempt to login. If your authenticator drops the connection after 3
> attempts and Fail2Ban blocks after 2 failed attempts you will see what
> you've got.
The event that triggers the ban does complete as normal, which is what I would
expect as the ban is triggered by the log entry which is *after* the failed
attempt.
However, after the /var/log/fail2ban.log showed the IP as banned, I continue
to see entries in /var/log/exim/main.log.
>
>
> > (Also, I don't understand why it's matching against dovecot when the
> > regex is in exim.conf)
>
> Because the log line says dovecot - the actual name of the .conf file
> is irrelevant and nowhere in the filter config files does it mention
> [exim] explicitly (or any other section). The section is determined
> from the log line using the filters.
I did wonder that, but had initially assumed that it took it from the
module / target.
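As an added example (not code from the thread), a small Python check that correlates the Ban notices in fail2ban.log with later 535 failures in exim main.log, separating a failure that lands shortly after the ban (consistent with a connection that was already open when the firewall rule was inserted) from failures that keep arriving long afterwards (the ban never took effect). It assumes the two log formats quoted above and uses constructed TEST-NET addresses.

```python
import re
from datetime import datetime, timedelta

# Log line shapes as they appear in the thread (fail2ban.log and exim main.log).
F2B_RE = re.compile(r"^(\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[\S+\] (Ban|Unban) (\S+)")
EXIM_RE = re.compile(r"^(\S+ \S+) \S+ authenticator failed for .*\[([\d.]+)\]: 535 ")

def parse_f2b_actions(lines):
    """Yield (time, action, ip) for each Ban/Unban notice in fail2ban.log."""
    for line in lines:
        m = F2B_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2), m.group(3)

def parse_exim_failures(lines):
    """Yield (time, ip) for each 535 authentication failure in exim main.log."""
    for line in lines:
        m = EXIM_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def post_ban_failures(f2b_lines, exim_lines, grace=timedelta(seconds=30)):
    """For every Ban, count later 535 failures from that IP. Failures inside
    `grace` fit an already-open TCP connection finishing its attempt; failures
    beyond it mean the firewall rule is not actually blocking the host."""
    failures = list(parse_exim_failures(exim_lines))
    report = {}
    for when, action, ip in parse_f2b_actions(f2b_lines):
        if action != "Ban":
            continue
        later = [t for t, fip in failures if fip == ip and t > when]
        within = sum(1 for t in later if t - when <= grace)
        report[ip] = {"banned_at": when, "within_grace": within, "beyond_grace": len(later) - within}
    return report

# Constructed sample logs (TEST-NET addresses, not taken from the thread).
F2B_LOG = """\
2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 192.0.2.10
2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 198.51.100.7
2019-04-19 13:09:00,000 fail2ban.actions [21954]: NOTICE [dovecot] Unban 192.0.2.10
""".splitlines()
EXIM_LOG = """\
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data
2019-04-19 13:06:35 dovecot_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data
2019-04-19 13:08:13 dovecot_plain authenticator failed for ([198.51.100.7]) [198.51.100.7]: 535 Incorrect authentication data
2019-04-19 13:15:40 dovecot_plain authenticator failed for ([198.51.100.7]) [198.51.100.7]: 535 Incorrect authentication data
2019-04-19 13:22:05 dovecot_plain authenticator failed for ([198.51.100.7]) [198.51.100.7]: 535 Incorrect authentication data
""".splitlines()

if __name__ == "__main__":
    for ip, r in post_ban_failures(F2B_LOG, EXIM_LOG).items():
        print(ip, r)
```

An IP with a non-zero `beyond_grace` count is the case to chase in the firewall (the fail2ban chain or rule for that jail), not in the filter regex.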