[CentOS] faI2ban detecting and banning but nothing happens

Fri Apr 19 15:07:53 UTC 2019
Miguel Gonzalez <miguel_3_gonzalez at yahoo.es>

I find csf/lfd much easier to configure and can be used in combination with fail2ban.

Gary Stainburn <gary.stainburn at ringways.co.uk> wrote:

>I've followed one of the pages on line specifically for installing fail2ban on 
>Centos 7 and all looks fine.
>
>I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
>another page:
>
>       \[<HOST>\]: 535 Incorrect authentication data
>
>which appears to be successfully matching lines in /var/log/exim/mail.log such 
>as
>
>2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
>/var/log/fail2ban.log, and the generated emails all say that the regex is 
>working and the IP addresses are getting banned.
>
>2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
>2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99
>2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
>2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.222.209.71
>2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198
>2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.234.217.221
>2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
>2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.162
>2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162
>2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
>2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.221
>2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
>2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
>2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198
>2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
>
>However, once an IP address is banned, it continues to appear 
>in /var/log/exim/main.log which would imply that the ban action is not 
>working.
>
>(Also, I don't understand why it's matching against dovecot when the regex 
>is in exim.conf)
>
>I've found lots of pages relating to regex errors which this obviously isn't 
>but I can't seem to find pages about why the ban doesn't work. Does anyone 
>have any ideas?
>_______________________________________________
>CentOS mailing list
>CentOS at centos.org
>https://lists.centos.org/mailman/listinfo/centos
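The following is an added worked example, not code from this thread, from fail2ban or from csf/lfd. It does two things offline: it applies the quoted failregex to the quoted exim log line the way fail2ban would (with an assumed, simplified IPv4-only stand-in for the `<HOST>` tag; on a real host `fail2ban-regex` is the authoritative check), and it replays the quoted fail2ban.log entries to flag the symptom Gary describes, a jail reporting `Found` for an address it has already banned. The sample lines are constructed from the ones quoted above; the extra non-matching exim line, the grace period and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# The failregex quoted in the thread. fail2ban substitutes its own host-matching
# group for <HOST>; the IPv4-only pattern below is an assumption so that the
# check runs without fail2ban installed.
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample input: the exim line quoted in the thread plus one
# unrelated line (TEST-NET address) that the regex must not match.
EXIM_LINES = [
    "2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) "
    "[185.222.209.71]: 535 Incorrect authentication data",
    "2019-04-19 13:06:11 H=(host.example) [192.0.2.10] rejected RCPT: relay not permitted",
]

# Constructed sample input: the fail2ban.log entries quoted in the thread.
F2B_LINES = [
    "2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99",
    "2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99",
    "2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99",
    "2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.222.209.71",
    "2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198",
    "2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.234.217.221",
    "2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32",
    "2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.162",
    "2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162",
    "2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32",
    "2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.221",
    "2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198",
    "2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198",
    "2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198",
    "2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198",
]

# Shape of a fail2ban.log Found/Ban/Unban entry: timestamp, component, pid,
# level, [jail], event, address.
F2B_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)$"
)


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex (simplified <HOST>)."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(failregex, lines):
    """Return the <HOST> capture of every line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def parse_fail2ban_log(lines):
    """Parse Found/Ban/Unban entries into (timestamp, jail, event, ip) tuples."""
    events = []
    for line in lines:
        m = F2B_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group("jail"), m.group("event"), m.group("ip")))
    return events


def found_while_banned(events, grace):
    """Report (jail, ip, timestamp) for each Found that occurs after a Ban of the
    same address in the same jail and before any Unban. A Found within `grace`
    of the Ban is ignored: the filter may still be draining log lines that were
    written before the firewall rule took effect."""
    banned = {}
    leaks = []
    for ts, jail, event, ip in sorted(events, key=lambda e: e[0]):
        key = (jail, ip)
        if event == "Ban":
            banned[key] = ts
        elif event == "Unban":
            banned.pop(key, None)
        elif event == "Found" and key in banned and ts - banned[key] > grace:
            leaks.append((jail, ip, ts))
    return leaks


def audit_fail2ban_log(lines, grace_seconds=5):
    """Convenience wrapper: parse the log and list hits that a ban should have stopped."""
    return found_while_banned(parse_fail2ban_log(lines), timedelta(seconds=grace_seconds))


if __name__ == "__main__":
    print("failregex matched hosts:", matched_hosts(FAILREGEX, EXIM_LINES))
    for jail, ip, ts in audit_fail2ban_log(F2B_LINES):
        print(f"{ts} jail={jail} still seeing {ip} after its ban")
```

With the thread's own entries the audit flags 185.211.245.198, seen again 78 seconds after its Ban, which is the pattern that points at the ban action (the jail's `banaction` and the firewall chain it manages) rather than at the regex; the repeat of 45.227.253.99 a third of a second after its Ban is absorbed by the grace period. On the real host the equivalent checks are `fail2ban-regex <logfile> <filter>` for the filter and `fail2ban-client status <jail>` for the currently banned list. The bracketed `[dovecot]` in each entry is the jail name, so these hits come from the dovecot jail and its own filter, not from the regex added to exim.conf.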