[CentOS] fail2ban detecting and banning but nothing happens

Fri Apr 26 13:29:41 UTC 2019
Gary Stainburn <gary.stainburn at ringways.co.uk>

On Saturday 20 April 2019 00:32:43 Pete Biggs wrote:
> What ban action do you use?  If it's something like iptables-multiport, 
> then I wonder if the fact that it's detecting the failures as
> '[dovecot]' means that it's using the dovecot ports, not the exim
> ports, when applying the iptable rule.
> 
> When a host has been banned, can you look at the iptables rules to see
> what is actually being applied.

Hi Pete,

I did wonder that myself.  I have now amended the Dovecot definition in jail.conf to:

[dovecot]

port    = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

I then unbanned and banned each IP address manually with 

for F in 46.232.112.21 106.226.231.159 [snip] 52.38.234.254 ; do
fail2ban-client set dovecot unbanip $F
fail2ban-client set dovecot banip $F
done

which worked. However, having done this, the connections are still getting through to EXIM.

[root at ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 6
|  |- Total failed:     199
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned:     82
   `- Banned IP list:   46.232.112.21 106.226.231.159 113.120.142.149 113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 49.87.109.233 52.38.234.254
[root at ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3768
References: 0
Number of entries: 41
Members:
185.211.245.198 timeout 4294522
[snip]
45.227.253.99 timeout 4294532
117.60.247.84 timeout 4294514

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 408
References: 0
Number of entries: 3
Members:
185.234.217.160 timeout 4294290
85.222.209.56 timeout 4294291
185.222.209.71 timeout 4294289
[root at ollie2 ~]#
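Added example, not part of the thread or of fail2ban's own code: a small POSIX shell diagnostic for the situation in the `ipset list` output above. Each fail2ban set is populated (fail2ban-dovecot holds 41 addresses) but reports "References: 0", meaning no iptables rule consults the set, so the banned hosts are never blocked and still reach Exim. The script parses `ipset list` text (a constructed, abbreviated sample is embedded so it runs offline), lists every set nothing references, and prints an illustrative `iptables ... -m set --match-set` rule per set for review. The exact chain, ports and reject type are assumptions; on a working install fail2ban's ipset action installs the equivalent rule itself, so a References count stuck at 0 is the thing to investigate rather than something to patch by hand.

```shell
# Constructed sample of `ipset list` output, modelled on the thread (abbreviated):
# three fail2ban sets, all with "References: 0".
SAMPLE_IPSET_LIST='Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3768
References: 0
Number of entries: 41
Members:
185.211.245.198 timeout 4294522
117.60.247.84 timeout 4294514

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 408
References: 0
Number of entries: 3
Members:
185.234.217.160 timeout 4294290'

# unreferenced_sets: read `ipset list` output on stdin and print
# "<set name> <entry count>" for every set that no iptables rule references.
# A populated set with References: 0 is a ban list that nothing enforces.
unreferenced_sets() {
  awk '
    /^Name: /              { name = $2 }
    /^References: /        { refs = $2 }
    /^Number of entries: / { if (refs == 0) print name, $4 }
  '
}

# suggested_rules: for each "<set> <count>" line on stdin, print an
# illustrative iptables rule (assumed chain/target, not copied from a fail2ban
# action) that would reject traffic from the set's members. Printed, not run.
suggested_rules() {
  awk '{ printf "iptables -I INPUT -m set --match-set %s src -j REJECT --reject-with icmp-port-unreachable\n", $1 }'
}

# Stand-alone run against the constructed sample; on a real host use
#   ipset list | unreferenced_sets
printf '%s\n' "$SAMPLE_IPSET_LIST" | unreferenced_sets
printf '%s\n' "$SAMPLE_IPSET_LIST" | unreferenced_sets | suggested_rules
```

Run on the live box as `ipset list | unreferenced_sets`; an empty result means every fail2ban set is wired to a rule, and the next place to look would be the rule's port list rather than the set. If a set shows up, `iptables -S INPUT | grep match-set` on the same box should confirm the matching rule is absent.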