Gary Stainburn
2019-Apr-29 08:44 UTC
[CentOS] faI2ban detecting and banning but nothing happens
On Monday 29 April 2019 02:21:05 Gordon Messmer wrote:
> That's one approach.  I believe that you could modify fewer files by
> setting "port = 0:65535" in your definition in "jail.local" and not
> install firewallcmd-ipset.local.

I have just tried this, and re-started fail2ban. It does not seem to have worked.

I have looked at /var/log/exim/main.log and found lots of lines like

2019-04-29 09:39:15 dovecot_plain authenticator failed for (hosting-by.directwebhost.org.) [45.227.253.100]: 535 Incorrect authentication data

which are still not being stopped. I have run the commands

[root@ollie2 ~]# fail2ban-client set exim banip 45.227.253.100
45.227.253.100
[root@ollie2 ~]# fail2ban-client set exim banip 46.232.112.21
46.232.112.21
[root@ollie2 ~]#

and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).

[DEFAULT]
# set a higher bantime and findtime
bantime=3600000
findtime=1200

# set the IP's to ignore / not ban
ignoreip = 127.0.0.1/8 10.0.0.0/8

# set max number of attempts
maxretry = 3

# set mail receiver
destemail = fail2ban at ringways.co.uk
sender = fail2ban at ringways.co.uk

# enable sending mails, whois and logfile sections by choosing the "action_mwl" template,
# see jail.conf for details
action = %(action_mwl)s

[exim]
port = 0:65535

[dovecot]
port = 0:65535

Gordon Messmer
2019-Apr-29 16:21 UTC
[CentOS] faI2ban detecting and banning but nothing happens
On 4/29/19 1:44 AM, Gary Stainburn wrote:
> and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).
>
>
> [exim]
> port = 0:65535

If that's all that's in jail.local, then the jail shouldn't be enabled.  They're off by default.  I'd suggest that you remove fail2ban completely.  Remove the packages, and then delete /etc/fail2ban, and start again.

When you're done, look at the output of "iptables -n -L INPUT_direct":

# iptables -n -L INPUT_direct
Chain INPUT_direct (1 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            match-set fail2ban-sshd src reject-with icmp-port-unreachable

Gary Stainburn
2019-Apr-30 09:00 UTC
[CentOS] faI2ban detecting and banning but nothing happens
On Monday 29 April 2019 17:21:54 Gordon Messmer wrote:
> On 4/29/19 1:44 AM, Gary Stainburn wrote:
> > and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands).
> >
> >
> > [exim]
> > port = 0:65535
>
>
> If that's all that's in jail.local, then the jail shouldn't be enabled. 
> They're off by default.  I'd suggest that you remove fail2ban
> completely.  Remove the packages, and then delete /etc/fail2ban, and
> start again.
>
> When you're done, look at the output of "iptables -n -L INPUT_direct":
>
> # iptables -n -L INPUT_direct
> Chain INPUT_direct (1 references)
> target     prot opt source               destination
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0 match-set
> fail2ban-sshd src reject-with icmp-port-unreachable
>

My jail.conf contains the following. What I included above was jail.local

[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[exim]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(exim_main_log)s

I was also coming to the conclusion that it was time to start again. I'll let you know how I get on

Gary
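
Added example, not part of any message in this thread and not fail2ban's own code: a small Python check that layers a jail.local over a jail.conf (later file wins) and reports which jails end up enabled, which is the point raised about the posted jail.local. The file contents are constructed from the excerpts in the thread, the `enabled = false` default is an assumption based on the "off by default" reply, and the sketch ignores jail.d/ and `%(...)s` interpolation.

```python
import configparser

# Constructed stand-ins for the two files quoted in the thread. The
# "enabled = false" default is an assumption taken from the reply that
# jails are off by default; the posted excerpts do not show it.
JAIL_CONF = """
[DEFAULT]
enabled = false

[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587

[exim]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
"""

JAIL_LOCAL = """
[DEFAULT]
bantime = 3600000
findtime = 1200
maxretry = 3

[exim]
port = 0:65535

[dovecot]
port = 0:65535
"""

def effective_jails(*layers):
    """Merge config layers in order (later wins); return {jail: (enabled, port)}."""
    cp = configparser.ConfigParser(interpolation=None)  # leave %(...)s untouched
    for text in layers:
        cp.read_string(text)
    jails = {}
    for name in cp.sections():  # sections() never lists [DEFAULT]
        enabled = cp.getboolean(name, "enabled", fallback=False)
        jails[name] = (enabled, cp.get(name, "port", fallback=None))
    return jails

def report(jails):
    """One line per jail, flagging overrides that can never take effect."""
    return [f"{n}: {'enabled' if e else 'DISABLED, port override has no effect'} "
            f"(port = {p})" for n, (e, p) in sorted(jails.items())]

if __name__ == "__main__":
    print("\n".join(report(effective_jails(JAIL_CONF, JAIL_LOCAL))))
```

Passing a third layer such as "[exim]\nenabled = true\n" to effective_jails() shows that jail switching on while dovecot stays disabled.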