[CentOS] fail2ban detecting and banning but nothing happens

Gary Stainburn gary.stainburn at ringways.co.uk
Fri Apr 26 14:57:09 UTC 2019


On Friday 26 April 2019 14:54:43 Pete Biggs wrote:
> 
> > 
> > I did wonder that myself.  I have now amended the Dovecot definition in jail.conf to:
> > 
> > [dovecot]
> > 
> > port    = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
> > logpath = %(dovecot_log)s
> > backend = %(dovecot_backend)s
> > 
> > I then unbanned and banned each IP address manually with 
> 
> Did you reload the configuration? ("fail2ban-client reload")
> 
> What action are you using - you mention ipset, are you using iptables-
> ipset-proto4? I don't know anything about ipset, but can you see what
> ports are being blocked in the fail2ban-dovecot set (just to make sure
> it is doing the correct thing).
> 
> If you manually add an IP address to the *exim* jail, does it get
> blocked?

I saved all config files and restarted the fail2ban service.  I even rebooted the box.  My jail.conf definition for exim is now:

[exim]

port   = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(exim_main_log)s

I have also added a regex to /etc/fail2ban/filter.d/exim.conf:

^%(pid)s.* \[<HOST>\] rejected EHLO or HELO

to match entries like:

2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: Your server with the IP 102.165.49.64 is with helo name (User) configured incorrectly. Email has been blocked. (HELO Error)

The HELO messages seem to have stopped appearing in the logs, so it looks like that is working. However, the original Dovecot authentication errors are still appearing in exim/main.log.


[root@ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     180
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned:     41
   `- Banned IP list:   106.226.231.159 113.120.142.149 113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 46.232.112.21 49.87.109.233 52.38.234.254
[root@ollie2 ~]# fail2ban-client status exim
Status for the jail: exim
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   103.114.104.149 185.222.209.71 185.234.217.160 85.222.209.56
[root@ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3864
References: 0
Number of entries: 41
Members:
185.222.209.56 timeout 4291085
185.234.217.162 timeout 4291086
114.106.134.228 timeout 4291075
45.227.253.100 timeout 4291094
188.165.238.157 timeout 4291088
203.2.118.130 timeout 4291088
140.224.60.165 timeout 4291082
141.98.80.32 timeout 4291083
183.135.168.89 timeout 4291084
27.156.176.146 timeout 4291092
46.232.112.21 timeout 4291096
113.120.143.41 timeout 4291074
113.120.142.149 timeout 4291073
117.29.90.228 timeout 4291077
185.222.209.71 timeout 4291085
185.234.217.221 timeout 4291087
117.31.46.4 timeout 4291078
49.87.109.233 timeout 4291097
41.164.192.74 timeout 4291092
121.237.56.154 timeout 4291080
14.29.161.224 timeout 4291081
117.24.39.199 timeout 4291077
120.43.54.45 timeout 4291079
185.36.81.165 timeout 4291087
140.224.61.88 timeout 4291083
210.6.94.23 timeout 4291090
114.238.30.180 timeout 4291076
116.91.166.50 timeout 4291076
106.226.231.159 timeout 4291067
27.156.139.95 timeout 4291091
52.38.234.254 timeout 4291098
122.7.227.53 timeout 4291081
117.60.247.84 timeout 4291078
209.166.164.71 timeout 4291089
185.211.245.198 timeout 4291085
180.146.128.112 timeout 4291084
185.234.217.160 timeout 4291086
211.72.92.124 timeout 4291090
121.233.206.62 timeout 4291080
45.227.253.99 timeout 4291095
119.127.17.82 timeout 4291079

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 504
References: 0
Number of entries: 4
Members:
185.234.217.160 timeout 4291074
185.222.209.71 timeout 4291073
85.222.209.56 timeout 4291075
103.114.104.149 timeout 4291067
[root@ollie2 ~]#
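An offline check of the exim failregex posted in the message, as an added example that is not code from the thread or from fail2ban. It emulates what fail2ban does before matching (it removes the timestamp it recognised at the start of the line and expands the placeholders in the regex) so the pattern can be exercised without fail2ban installed. The `%(pid)s` definition is the one from fail2ban's exim-common.conf; the `<HOST>` expansion is the classic fail2ban 0.9 form and is an assumption (newer releases use a longer pattern). The first sample line is the one quoted above; the other three are constructed.

```python
"""Offline test of the exim failregex posted in the message.

Added example, not from the thread or from fail2ban. The %(pid)s definition
is the one from fail2ban's exim-common.conf; the <HOST> expansion is the
classic fail2ban 0.9 form (assumption). Sample lines other than the first
are constructed.
"""
import re

PID = r"( \[\d+\])?"                                    # exim-common.conf: pid
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"          # assumed <HOST> expansion

# The regex added to /etc/fail2ban/filter.d/exim.conf in the message
FAILREGEX = r"^%(pid)s.* \[<HOST>\] rejected EHLO or HELO"

# Exim main.log lines start with "YYYY-MM-DD HH:MM:SS"; fail2ban cuts the
# recognised timestamp out and matches failregex against the remainder,
# which therefore still begins with the space that followed the timestamp.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def compile_failregex(pattern=FAILREGEX):
    """Expand the fail2ban placeholders and compile the result."""
    return re.compile(pattern.replace("%(pid)s", PID).replace("<HOST>", HOST))


def matching_hosts(lines, regex=None):
    """Return the <host> captured from every line the failregex matches."""
    regex = regex or compile_failregex()
    hosts = []
    for line in lines:
        rest = TIMESTAMP.sub("", line, count=1)
        m = regex.search(rest)
        if m:
            hosts.append(m.group("host"))
    return hosts


SAMPLE_LINES = [
    # quoted in the message
    "2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: "
    "Your server with the IP 102.165.49.64 is with helo name (User) configured "
    "incorrectly. Email has been blocked. (HELO Error)",
    # constructed: the same rejection, with exim logging the pid (+pid)
    "2019-04-26 15:44:20 [12345] H=(mail) [198.51.100.7] rejected EHLO or HELO mail: "
    "(HELO Error)",
    # constructed: an ordinary message arrival, must not match
    "2019-04-26 15:45:01 1hJx1b-0003Vq-7Q <= user@example.com H=mail.example.com "
    "[203.0.113.5] P=esmtps S=1234",
    # constructed: a dovecot authenticator failure as exim logs it; the HELO
    # regex is not written to catch this, so it must not match either
    "2019-04-26 15:46:00 dovecot_login authenticator failed for (User) [192.0.2.9]: "
    "535 Incorrect authentication data (set_id=test)",
]

if __name__ == "__main__":
    for host in matching_hosts(SAMPLE_LINES):
        print("would ban", host)
```

On the box itself the same check can be run with the real expansions: `fail2ban-regex /var/log/exim/main.log /etc/fail2ban/filter.d/exim.conf` reports which lines each failregex matched and which hosts it extracted.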


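The `ipset list` output above shows `References: 0` for every fail2ban set. ipset's References counter is the number of rules (or other sets) that consult the set, so a set that nothing references blocks no traffic, however many members fail2ban adds to it. The script below is an added example, not code from the thread or from fail2ban: it parses `fail2ban-client status <jail>` and `ipset list` output, flags unreferenced sets, and cross-checks the jail's banned list against the set members. The embedded `ipset list` text is an abridged copy of the one in the message, with a constructed `fail2ban-postfix` set (References: 1) added for contrast; the exim status text is the one quoted above.

```python
"""Audit whether fail2ban bans held in an ipset are actually enforced.

Added example, not from the thread or from fail2ban. Sample data: the exim
jail status and an abridged ipset list from the message, plus a constructed
fail2ban-postfix set with References: 1 for contrast.
"""
import re

EXIM_STATUS = """\
Status for the jail: exim
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   103.114.104.149 185.222.209.71 185.234.217.160 85.222.209.56
"""

# Constructed status for the constructed fail2ban-postfix set below.
POSTFIX_STATUS = "   `- Banned IP list:   198.51.100.23\n"

IPSET_OUTPUT = """\
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 504
References: 0
Number of entries: 4
Members:
185.234.217.160 timeout 4291074
185.222.209.71 timeout 4291073
85.222.209.56 timeout 4291075
103.114.104.149 timeout 4291067

Name: fail2ban-postfix
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 216
References: 1
Number of entries: 1
Members:
198.51.100.23 timeout 3599
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into {name: {"references": int, "members": set}}."""
    sets, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = {"references": 0, "members": set()}
            in_members = False
        elif current is None:
            continue
        elif line.startswith("References:"):
            sets[current]["references"] = int(line.split(":", 1)[1])
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and line:
            # member lines look like "1.2.3.4 timeout 4291085"; keep the address
            sets[current]["members"].add(line.split()[0])
        elif not line:
            in_members = False          # blank line ends the member list
    return sets


def parse_jail_status(text):
    """Extract the 'Banned IP list' from `fail2ban-client status <jail>` output."""
    m = re.search(r"Banned IP list:\s*(.*)", text)
    return set(m.group(1).split()) if m else set()


def unreferenced_sets(ipset_text):
    """Names of sets no rule consults: bans added to them block nothing."""
    return [n for n, s in parse_ipset_list(ipset_text).items() if s["references"] == 0]


def audit(ipset_text, status_text, set_name):
    """Compare a jail's banned list with its ipset and report enforcement."""
    s = parse_ipset_list(ipset_text).get(set_name)
    banned = parse_jail_status(status_text)
    if s is None:
        return {"exists": False, "enforced": False,
                "missing_from_set": banned, "stale_in_set": set()}
    return {
        "exists": True,
        "enforced": s["references"] > 0,          # referenced by at least one rule
        "missing_from_set": banned - s["members"],
        "stale_in_set": s["members"] - banned,
    }


if __name__ == "__main__":
    print("unreferenced sets:", unreferenced_sets(IPSET_OUTPUT))
    print("exim:", audit(IPSET_OUTPUT, EXIM_STATUS, "fail2ban-exim"))
```

For the exim jail the report says the set exists and its members match the jail's banned list exactly, but `enforced` is false: the filter and ban bookkeeping are fine, the missing piece is a rule that uses the set. fail2ban's `iptables-ipset-proto6` action inserts one of the form `iptables -I INPUT -p tcp -m multiport --dports <ports> -m set --match-set fail2ban-exim src -j REJECT`, so `iptables -S INPUT | grep match-set` shows directly whether such a rule is present.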