I have fail2ban on my mail server monitoring Dovecot and Exim.

I have noticed that it has stopped banning IP's. I have seen in /var/log/fail2ban.log:

2020-04-07 09:42:05,875 fail2ban.filter [16138]: INFO [dovecot] Found 77.40.61.224 - 2020-04-07 09:42:05
2020-04-07 09:42:06,408 fail2ban.actions [16138]: NOTICE [dovecot] Ban 77.40.61.224
2020-04-07 09:42:06,981 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- exec: ipset create f2b-dovecot hash:ip timeout 3600000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set f2b-dovecot src -j REJECT --reject-with icmp-port-unreachable
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-dovecot doesn't exist."
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: ''
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: 'Error occurred at line: 2'
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: ''
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- returned 13

In /var/log/firewalld I got

2020-04-07 09:42:06 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-dovecot doesn't exist.

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Looking back at my logs, this has been going on some time.

Any advice on fixing this would be appreciated
On 4/7/20 11:54 AM, Gary Stainburn wrote:
> I have fail2ban on my mail server monitoring Dovecot and Exim.
>
> I have noticed that it has stopped banning IP's. I have seen in /var/log/fail2ban.log:
>
> 2020-04-07 09:42:05,875 fail2ban.filter [16138]: INFO [dovecot] Found 77.40.61.224 - 2020-04-07 09:42:05
> 2020-04-07 09:42:06,408 fail2ban.actions [16138]: NOTICE [dovecot] Ban 77.40.61.224
> 2020-04-07 09:42:06,981 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- exec: ipset create f2b-dovecot hash:ip timeout 3600000
> firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set f2b-dovecot src -j REJECT --reject-with icmp-port-unreachable
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-dovecot doesn't exist."
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: ''
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: 'Error occurred at line: 2'
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: ''
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- returned 13
>
> In /var/log/firewalld I got
>
> 2020-04-07 09:42:06 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-dovecot doesn't exist.
>
> Error occurred at line: 2
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>
> Looking back at my logs, this has been going on some time.
>
> Any advice on fixing this would be appreciated

"ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"

This is the problem. You could try to reduce the 'ban' time (for whatever rules you have for dovecot) so that it would be in that interval and restart fail2ban service.

--
Marius
On 07.04.2020 at 10:54, Gary Stainburn wrote:
> 2020-04-07 09:42:06,981 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- exec: ipset create f2b-dovecot hash:ip timeout 3600000
[ ... ]
> 2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"

Set the timeout to a valid value within the named range.

Alexander
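
Added example, not part of any message in this thread and not fail2ban's own code: the log quoted above records a NOTICE "Ban" even though the action command failed, so a jail can stop enforcing bans without anyone noticing. This Python script scans fail2ban.log text for action errors that follow a Ban notice and pulls out the ipset range message; the sample log is constructed from the lines in the thread, and tying an error block to the most recent Ban is an assumption.

```python
import re

# Constructed sample: the first five lines are modelled on the log quoted in the
# thread; the last line (a ban with no error after it) is invented for contrast.
SAMPLE_LOG = """\
2020-04-07 09:42:05,875 fail2ban.filter [16138]: INFO [dovecot] Found 77.40.61.224 - 2020-04-07 09:42:05
2020-04-07 09:42:06,408 fail2ban.actions [16138]: NOTICE [dovecot] Ban 77.40.61.224
2020-04-07 09:42:06,981 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- exec: ipset create f2b-dovecot hash:ip timeout 3600000
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- stderr: "ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"
2020-04-07 09:42:06,982 fail2ban.utils [16138]: ERROR 7ff736d6f930 -- returned 13
2020-04-07 09:50:11,120 fail2ban.actions [16138]: NOTICE [exim] Ban 192.0.2.10
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) fail2ban\.(?P<mod>\w+)\s+\[\d+\]: (?P<lvl>\w+)\s+(?P<msg>.*)$")
BAN = re.compile(r"^\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")
ERR = re.compile(r"^(?P<id>[0-9a-f]+) -- (?P<kind>exec|stderr|returned):? ?(?P<rest>.*)$")
RANGE = re.compile(r"ipset v[\d.]+: Syntax error: '(\d+)' is out of range (\d+)-(\d+)")


def failed_bans(log_text):
    """Return one record per failed action command, tied to the preceding Ban notice."""
    results, last_ban, pending = [], None, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ban = BAN.match(m["msg"]) if m["mod"] == "actions" else None
        if ban:
            last_ban = (m["ts"], ban["jail"], ban["ip"])
            continue
        err = ERR.match(m["msg"]) if m["lvl"] == "ERROR" else None
        if not err or last_ban is None:
            continue
        # Heuristic (assumption): an error block belongs to the most recent Ban.
        rec = pending.setdefault(err["id"], [])
        if err["kind"] == "stderr":
            rec.append(err["rest"])
        elif err["kind"] == "returned":
            hit = RANGE.search(" ".join(pending.pop(err["id"])))
            results.append({
                "time": last_ban[0], "jail": last_ban[1], "ip": last_ban[2],
                "rc": int(err["rest"]),
                # (requested timeout, min, max) when ipset rejected the bantime
                "ipset_range": tuple(map(int, hit.groups())) if hit else None,
            })
    return results


if __name__ == "__main__":
    for rec in failed_bans(SAMPLE_LOG):
        print(rec)
```

Run against a real log by passing the file's contents to failed_bans(); any record returned is a ban that fail2ban announced but the firewall never applied.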
On Tuesday 07 April 2020 10:09:07 Marius ROMAN wrote:
> "ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"
> This is the problem. You could try to reduce the 'ban' time (for whatever rules you have for dovecot) so that it would be in that interval and restart fail2ban service.
>

Thanks to the help from Marius I no longer get the error and fail2ban appears to be working.

I am still having troubles with my firewall. I have a command firewall_ban which is:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$1' reject "

I copied this from a web posting, and it is supposed to do what I need, which is ban specific IP addresses. However, when I tried to ban an IP I grabbed from my EXIM logs I got an error

[root at ollie2 ~]# firewall_ban 46.17.96.82
Warning: ALREADY_ENABLED: rule family='ipv4' source address='46.17.96.82' reject
success
[root at ollie2 ~]#

I was not surprised by this error as I did think that I had already banned this address. However, this does now beg the question, why am I still seeing in my exim/main.log:

2020-04-08 13:34:41 H=(slot0.iso-taem.com) [46.17.96.82] sender verify defer for <administrator at iso-taem.com>: host lookup did not complete
2020-04-08 13:34:41 H=(slot0.iso-taem.com) [46.17.96.82] F=<administrator at iso-taem.com> temporarily rejected RCPT <auser at ringways.co.uk>: Could not complete sender verify

Also, I am trying to add a failregex to match the following lines, but for some reason my attempts don't work.

2020-04-08 13:34:42 H=ip3.ip-144-217-187.net (swNLFAhhb9) [144.217.187.3] rejected EHLO or HELO swnlfahhb9: Your server with the IP 144.217.187.3 is with helo name (swNLFAhhb9) configured incorrectly. Email has been blocked. (HELO Error)

My best attempt is this one, and when I try it with fail2ban-regex it matches every time, but in real life, it doesn't trigger banning anyone

^%(pid)s.* \[<HOST>\] rejected EHLO or HELO

They appear to match if I run fail2ban-regex but in real life, they're not triggering bans.