Gary Stainburn
2019-Apr-26 10:50 UTC
[CentOS] fail2ban detecting and banning but nothing happens
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > I've followed one of the pages on line specifically for installing fail2ban on
> > Centos 7 and all looks fine.
>
> Which page? It would help to see what they advised.

On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > I've followed one of the pages on line specifically for installing
> > fail2ban on Centos 7 and all looks fine.
>
> Which page? It would help to see what they advised.

I think I worked from two pages. One I believe was

https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/

I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.

/var/log/fail2ban.log is showing that it's working:

2019-04-26 11:41:08,850 fail2ban.filter [7853]: INFO [dovecot] Found 155.133.4.195
2019-04-26 11:41:09,651 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56
2019-04-26 11:41:11,397 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56
2019-04-26 11:41:11,909 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56
2019-04-26 11:41:12,873 fail2ban.actions [7853]: NOTICE [dovecot] 185.222.209.56 already banned
2019-04-26 11:41:24,306 fail2ban.filter [7853]: INFO [dovecot] Found 185.222.209.56
2019-04-26 11:41:25,010 fail2ban.filter [7853]: INFO [dovecot] Found 46.232.112.21
2019-04-26 11:41:36,035 fail2ban.filter [7853]: INFO [dovecot] Found 46.232.112.21
2019-04-26 11:41:40,564 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
2019-04-26 11:41:50,779 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
2019-04-26 11:41:50,915 fail2ban.actions [7853]: NOTICE [dovecot] 45.227.253.100 already banned
2019-04-26 11:43:23,603 fail2ban.filter [7853]: INFO [dovecot] Found 185.36.81.165
2019-04-26 11:43:24,016 fail2ban.actions [7853]: NOTICE [dovecot] 185.36.81.165 already banned
2019-04-26 11:44:09,734 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
2019-04-26 11:44:19,887 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100

and yet the IP is still getting through to exim:

2019-04-26 11:41:39 dovecot_plain authenticator failed for ([46.232.112.21]) [46.232.112.21]: 535 Incorrect authentication data (set_id=aa26fa5)
2019-04-26 11:41:44 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=*********)
2019-04-26 11:41:55 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=********)
2019-04-26 11:43:27 dovecot_login authenticator failed for (88.211.105.31) [185.36.81.165]: 535 Incorrect authentication data (set_id=**********)
2019-04-26 11:44:13 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=****************)
2019-04-26 11:44:23 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=****************)
2019-04-26 11:45:19 dovecot_plain authenticator failed for ([185.222.209.56]) [185.222.209.56]: 535 Incorrect authentication data (set_id=****************)
2019-04-26 11:45:35 dovecot_plain authenticator failed for ([185.222.209.56]) [185.222.209.56]: 535 Incorrect authentication data (set_id=****************)
2019-04-26 11:46:36 dovecot_plain authenticator failed for ([185.222.209.56]) [185.222.209.56]: 535 Incorrect authentication data (set_id=****************)
2019-04-26 11:46:37 dovecot_plain authenticator failed for ([45.227.253.100]) [45.227.253.100]: 535 Incorrect authentication data (set_id=****************)
Pete Biggs
2019-Apr-26 11:18 UTC
[CentOS] fail2ban detecting and banning but nothing happens
>
> 2019-04-26 11:43:23,603 fail2ban.filter [7853]: INFO [dovecot] Found 185.36.81.165
> 2019-04-26 11:43:24,016 fail2ban.actions [7853]: NOTICE [dovecot] 185.36.81.165 already banned
> 2019-04-26 11:44:09,734 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
> 2019-04-26 11:44:19,887 fail2ban.filter [7853]: INFO [dovecot] Found 45.227.253.100
>
> and yet the IP is still getting through to exim:

Yes, as I said before, Fail2Ban is detecting it as a dovecot failure, so it is probably blocking the dovecot ports, not the exim/smtp ports. The "already banned" is a giveaway. You can verify that by looking at the blocked iptables ports when a host has been banned.

You can either sort out why it's detecting it as dovecot and not exim, or you can modify the fail2ban dovecot config in jail.local by adding the smtp port to the list of ports.

P.
Fri, 26 Apr 2019 11:50:47 +0100 Gary Stainburn <gary.stainburn@ringways.co.uk> wrote:
> On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> > On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > > I've followed one of the pages on line specifically for
> > > installing fail2ban on Centos 7 and all looks fine.
> >
> > Which page? It would help to see what they advised.
> > On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> > On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > > I've followed one of the pages on line specifically for installing
> > > fail2ban on Centos 7 and all looks fine.
> >
> > Which page? It would help to see what they advised.
>
> I think I worked from two pages. One I believe was
>
> https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/
>
> I can't remember the other one. I have removed all of the manual
> amendments so am now basically set up as initially installed.
>
> /var/log/fail2ban.log is showing that it's working:

I have seen similar odd behaviour with f2b with other filters.
Try to uninstall the package
fail2ban-systemd
and stop and start fail2ban again.
This might change its behavior for the better.

Allan.
Pete Biggs
2019-Apr-28 11:59 UTC
[CentOS] fail2ban detecting and banning but nothing happens
> > > > /var/log/fail2ban.log is showing that it's working:
>
> I have seen similar odd behaviour with f2b with other filters.
> Try to uninstall the package
> fail2ban-systemd
> and stop and start fail2ban again.
> This might change its behavior for the better.
>

The fail2ban-systemd package configures fail2ban to use the systemd journal for log input. The OP can see that it is detecting the transgressions, so the input side of things is not the issue. What they appear to be having problems with is the banning process.

Personally, I don't use 'firewallcmd-ipset' for banaction, I use 'iptables-multiport'. But the OP needs to look at what exactly is happening to the firewall configuration when an IP is banned.

P.
Gordon Messmer
2019-Apr-29 01:21 UTC
[CentOS] fail2ban detecting and banning but nothing happens
On 4/26/19 3:50 AM, Gary Stainburn wrote:
> I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.

This is my process for fail2ban:

1: "yum install fail2ban". This installs fail2ban and fail2ban-firewalld.

2: install /etc/fail2ban/jail.local. This file enables the matching rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures.

    [sshd]
    enabled = true
    maxretry = 10

3: install /etc/fail2ban/action.d/firewallcmd-ipset.local. This file overrides the default action defined in /etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in /etc/fail2ban/jail.d/00-firewalld.conf. The new definition blocks the source address from *all* TCP ports rather than just the ports defined for the jail (in /etc/fail2ban/jail.conf). You might also choose to remove the "-p <protocol>" spec to block all access instead of just TCP access.

    [Definition]
    actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
                  firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
    actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
                 ipset flush fail2ban-<name>
                 ipset destroy fail2ban-<name>

4: systemctl enable fail2ban

That's one approach. I believe that you could modify fewer files by setting "port = 0:65535" in your definition in "jail.local" and not install firewallcmd-ipset.local.
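Pete's suggestion above (look at which ports the firewall actually closes once a host is banned) and Gordon's all-ports ipset action both come down to the same check: does the rule set that fail2ban installed reject this source address on the port the attacker is using? The following is an added example written for this thread, not code from fail2ban or from any poster. It is a small evaluator that walks `iptables -S` output the way the kernel walks the filter table for a TCP packet, resolving per-jail chains with `--dports` (the iptables-multiport action) and `-m set --match-set` rules (the firewallcmd-ipset action, whose members come from `ipset list`). The sample output embedded below is constructed: it models a dovecot jail that covers only the IMAP/POP/submission ports and an sshd jail using an ipset rule with no port list, which is exactly the difference the thread is about. It assumes TCP traffic, host (/32) source matches and the `f2b-<jail>` / `fail2ban-<jail>` naming seen in fail2ban's bundled actions; on a real CentOS 7 host (firewalld with the iptables backend) you would feed it the output of `iptables -S` and `ipset list` run as root.

```python
"""Check whether a fail2ban ban really closes a given port for a given source."""

# Constructed sample of `iptables -S`: dovecot jail via iptables-multiport
# (only mail ports), sshd jail via an ipset rule with no --dports (all ports).
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-N f2b-dovecot
-A INPUT -p tcp -m multiport --dports 110,995,143,993,587,4190 -j f2b-dovecot
-A INPUT -p tcp -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -s 185.222.209.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -s 45.227.253.100/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -j RETURN
"""

# Constructed sample of `ipset list` for the set referenced above.
SAMPLE_IPSET = """\
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 256
References: 1
Members:
46.232.112.21 timeout 512
"""

TERMINAL_BLOCK = {"REJECT", "DROP"}


def parse_ipset_list(text):
    """Map ipset name -> set of member addresses (timeout suffixes dropped)."""
    sets, name, in_members = {}, None, False
    for line in text.splitlines():
        if line.startswith("Name: "):
            name, in_members = line[6:].strip(), False
            sets[name] = set()
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip():
            sets[name].add(line.split()[0])
        elif not line.strip():
            in_members = False
    return sets


def parse_rule(line):
    """Reduce one `-A <chain> ...` line to the matchers this evaluator understands."""
    tokens = line.split()
    rule = {"chain": tokens[1], "src": None, "ports": None, "set": None, "target": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-s":                       # host match only; the /32 mask is dropped
            rule["src"] = tokens[i + 1].split("/")[0]
            i += 2
        elif tok in ("--dports", "--dport"):  # "25,465" or "0:65535" style specs
            rule["ports"] = tokens[i + 1].split(",")
            i += 2
        elif tok == "--match-set":            # name followed by src/dst flag
            rule["set"] = tokens[i + 1]
            i += 3
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1                            # -p tcp, -m multiport, --reject-with ...
    return rule


def parse_iptables(text):
    """Group `-A` rules by chain in listing order; order decides the verdict."""
    chains = {}
    for line in text.splitlines():
        if line.startswith("-N "):
            chains.setdefault(line.split()[1], [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return chains


def port_matches(port, specs):
    """True if `port` falls in any spec; a rule without --dports matches every port."""
    if specs is None:
        return True
    for spec in specs:
        lo, _, hi = spec.partition(":")
        if (hi and int(lo) <= port <= int(hi)) or (not hi and int(lo) == port):
            return True
    return False


def _verdict(ip, port, chains, ipsets, chain, depth=0):
    """True = blocked, False = accepted, None = chain finished without a verdict."""
    if depth > 16:
        raise ValueError("chain recursion too deep")
    for rule in chains.get(chain, []):
        if rule["src"] is not None and rule["src"] != ip:
            continue
        if not port_matches(port, rule["ports"]):
            continue
        if rule["set"] is not None and ip not in ipsets.get(rule["set"], set()):
            continue
        target = rule["target"]
        if target in TERMINAL_BLOCK:
            return True
        if target == "ACCEPT":
            return False
        if target == "RETURN":
            return None                       # back to the calling chain
        if target in chains:                  # user chain such as f2b-dovecot
            verdict = _verdict(ip, port, chains, ipsets, target, depth + 1)
            if verdict is not None:
                return verdict
    return None


def is_blocked(ip, port, chains, ipsets):
    """Would a TCP packet from `ip` to local `port` be rejected or dropped?"""
    return _verdict(ip, port, chains, ipsets, "INPUT") is True


def ban_report(ip, ports, chains, ipsets):
    """Per-port view of what a ban really closes, e.g. {25: False, 143: True}."""
    return {p: is_blocked(ip, p, chains, ipsets) for p in ports}


if __name__ == "__main__":
    chains, ipsets = parse_iptables(SAMPLE_IPTABLES), parse_ipset_list(SAMPLE_IPSET)
    for ip in ("185.222.209.56", "46.232.112.21", "203.0.113.9"):
        print(ip, ban_report(ip, [25, 143, 465, 587], chains, ipsets))
```

Run against the sample, the dovecot-banned addresses come back blocked on 143 and 587 but open on 25 and 465, while the address held in the ipset is closed on every port; a source that appears in neither is open everywhere. Substituting the live listings for the two sample strings gives the same table for a real host, which is the quickest way to tell "banned in the log" apart from "banned on the port that matters".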
Gary Stainburn
2019-Apr-29 08:44 UTC
[CentOS] fail2ban detecting and banning but nothing happens
On Monday 29 April 2019 02:21:05 Gordon Messmer wrote:
> That's one approach. I believe that you could modify fewer files by
> setting "port = 0:65535" in your definition in "jail.local" and not
> install firewallcmd-ipset.local.

I have just tried this, and re-started fail2ban. It does not seem to have worked.

I have looked at /var/log/exim/main.log and found lots of lines like

2019-04-29 09:39:15 dovecot_plain authenticator failed for (hosting-by.directwebhost.org.) [45.227.253.100]: 535 Incorrect authentication data

which are still not being stopped. I have run the commands

[root@ollie2 ~]# fail2ban-client set exim banip 45.227.253.100
45.227.253.100
[root@ollie2 ~]# fail2ban-client set exim banip 46.232.112.21
46.232.112.21
[root@ollie2 ~]#

and the lines are still appearing.

Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).

[DEFAULT]
# set a higher bantime and findtime
bantime=3600000
findtime=1200

# set the IP's to ignore / not ban
ignoreip = 127.0.0.1/8 10.0.0.0/8

# set max number of attempts
maxretry = 3

# set mail receiver
destemail = fail2ban@ringways.co.uk
sender = fail2ban@ringways.co.uk

# enable sending mails, whois and logfile sections by choosing the "action_mwl" template,
# see jail.conf for details
action = %(action_mwl)s

[exim]
port = 0:65535

[dovecot]
port = 0:65535