Miguel Gonzalez
2019-Apr-19 15:07 UTC
[CentOS] fail2ban detecting and banning but nothing happens
I find csf/lfd much easier to configure and it can be used in combination with fail2ban.

Gary Stainburn <gary.stainburn at ringways.co.uk> wrote:
>I've followed one of the pages on line specifically for installing fail2ban on
>Centos 7 and all looks fine.
>
>I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on
>another page:
>
>    \[<HOST>\]: 535 Incorrect authentication data
>
>which appears to be successfully matching lines in /var/log/exim/mail.log such
>as
>
>2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71])
>[185.222.209.71]: 535 Incorrect authentication data
>
>/var/log/fail2ban.log, and the generated emails all say that the regex is
>working and the IP addresses are getting banned.
>
>2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot]
>Found 45.227.253.99
>2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban
>45.227.253.99
>2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot]
>Found 45.227.253.99
>2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot]
>Found 185.222.209.71
>2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot]
>Unban 185.211.245.198
>2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot]
>Unban 185.234.217.221
>2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot]
>Found 141.98.80.32
>2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot]
>Found 185.234.217.162
>2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban
>185.234.217.162
>2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot]
>Found 141.98.80.32
>2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot]
>Found 185.234.217.221
>2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot]
>Found 185.211.245.198
>2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot]
>Found 185.211.245.198
>2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban
>185.211.245.198
>2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot]
>Found 185.211.245.198
>
>
>
>However, once an IP address is banned, it continues to appear
>in /var/log/exim/main.log which would imply that the ban action is not
>working.
>
>(Also, I don't understand why it's matching against dovecot when the regex
>is in exim.conf)
>
>I've found lots of pages relating to regex errors which this obviously isn't
>but I can't seem to find pages about why the ban doesn't work. Does anyone
>have any ideas?
>_______________________________________________
>CentOS mailing list
>CentOS at centos.org
>https://lists.centos.org/mailman/listinfo/centos
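
One way to confirm the symptom described in the quoted message (addresses that fail2ban reports as banned still producing exim authentication failures), as an added example that is not part of the original thread: it correlates Ban/Unban events in fail2ban.log with "535 Incorrect authentication data" lines in the exim log. The log contents, the RFC 5737 addresses, the function names and the 5-second grace period for lines logged right around the ban are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs in the formats quoted in the thread (RFC 5737 addresses).
F2B_LOG = """\
2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 192.0.2.10
2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 198.51.100.7
2019-04-19 13:16:32,700 fail2ban.actions [21954]: NOTICE [dovecot] Unban 192.0.2.10
"""
FAIL = "dovecot_plain authenticator failed for ([{0}]) [{0}]: 535 Incorrect authentication data"
EXIM_LOG = "\n".join(f"2019-04-19 {t} " + FAIL.format(ip) for t, ip in [
    ("13:06:10", "192.0.2.10"),    # before the ban
    ("13:06:34", "192.0.2.10"),    # 2 s after the ban: inside the grace period
    ("13:07:50", "198.51.100.7"),  # before the ban
    ("13:09:41", "192.0.2.10"),    # 3 min into the ban: should not be possible
    ("13:20:03", "192.0.2.10"),    # after the unban
    ("13:30:00", "198.51.100.7"),  # ban never lifted: should not be possible
])

STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
F2B_RE = re.compile(STAMP + r",\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[\S+\] (Ban|Unban) (\S+)")
EXIM_RE = re.compile(STAMP + r" .*\[([0-9A-Fa-f.:]+)\]: 535 Incorrect authentication data")

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def ban_windows(f2b_log):
    """Map each IP to its [ban_time, unban_time or None] spans from fail2ban.log."""
    windows = {}
    for m in filter(None, map(F2B_RE.match, f2b_log.splitlines())):
        when, action, spans = parse_time(m[1]), m[2], windows.setdefault(m[3], [])
        if action == "Ban":
            spans.append([when, None])
        elif spans and spans[-1][1] is None:
            spans[-1][1] = when  # close the open ban
    return windows

def failures_during_ban(f2b_log, exim_log, grace=timedelta(seconds=5)):
    """Return (ip, timestamp) for auth failures exim logged while the IP was banned."""
    windows, hits = ban_windows(f2b_log), []
    for m in filter(None, map(EXIM_RE.match, exim_log.splitlines())):
        when = parse_time(m[1])
        if any(start + grace < when and (end is None or when < end)
               for start, end in windows.get(m[2], [])):
            hits.append((m[2], m[1]))
    return hits

if __name__ == "__main__":
    for ip, stamp in failures_during_ban(F2B_LOG, EXIM_LOG):
        print(f"{stamp} {ip} still reached exim while fail2ban reports it banned")
```

Any hit means the jail's ban action is not actually blocking the service the attacker is connecting to, so the next thing to inspect is which action and ports that jail applies.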