While everything looks OK and the Fail2ban status shows running, it appears that something is wrong there. The reason is that my mail.warn log files were getting flooded with unwanted traffic and failed attempts. Now, after proper activation of fail2ban, the mail.warn log appears to be almost dead slow. It looks very strange that just by correcting fail2ban all the bots have gone away. There is no ban or unban of IPs in the fail2ban log. It appears that the events are not getting logged properly. How can I make sure that everything is OK? Thanks.
Yes, you are right. Actions do now show for fail2ban in the ISPConfig logs and the fail2ban logs as well. But now there is a new problem. The mail.warn log shows Whereas fail2ban is not banning this IP, which has a repeated failure. Below is a copy of the fail2ban log Any clue why this IP with multiple failures is not getting banned?
Hi Till, I have observed that it is only the SASL authentication failure where fail2ban is not banning the IP. Please help; where should I look?
Thanks Falko. I am giving below the contents of sasl.conf in the filter.d folder. Is there any other file called the saslauthd filter file?
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
#ignoreregex =
Can you try
Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
instead?
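To see why the anchored tail in the posted failregex can leave SASL failures uncounted, here is a small Python check. It is added here as an illustration; it is not code from the thread, from ISPConfig or from fail2ban itself. It expands <HOST> exactly as the comment in the posted sasl.conf describes, applies both the posted regex and the relaxed one suggested above to a few constructed mail.warn lines (the 192.0.2.x addresses, the process IDs and the text after "authentication failed" are made up for the example), and counts failures per host the way a jail does before comparing with maxretry. It goes slightly beyond the thread by also feeding in the IPv6-mapped form that the <HOST> alias accepts.

```python
import re

# Expansion of the <HOST> tag as quoted in the posted sasl.conf (fail2ban 0.8.x).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex as posted from filter.d/sasl.conf: anchored to end of line, with an
# optional base64-looking tail after "authentication failed".
ORIGINAL = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(: [A-Za-z0-9+/]*={0,2})?$"
)

# The relaxed variant suggested in the thread: same prefix, no anchored tail.
RELAXED = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed"
)

# Constructed mail.warn lines for the example (not taken from the thread).
# Only the first line of 192.0.2.10 has the base64-style tail the posted regex expects;
# the other two carry free text after "authentication failed", which the "$" anchor rejects.
SAMPLE_LINES = [
    "Dec 18 16:33:49 mx postfix/smtpd[2231]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Dec 18 16:33:50 mx postfix/smtpd[2231]: warning: unknown[192.0.2.10]: "
    "SASL PLAIN authentication failed: generic failure",
    "Dec 18 16:33:51 mx postfix/smtpd[2231]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: generic failure",
    "Dec 18 16:33:52 mx postfix/smtpd[2240]: warning: unknown[::ffff:192.0.2.11]: "
    "SASL LOGIN authentication failed",
    "Dec 18 16:33:53 mx postfix/smtpd[2240]: warning: unknown[192.0.2.12]: "
    "SASL CRAM-MD5 authentication failed: authentication failure",
    "Dec 18 16:33:54 mx postfix/smtpd[2231]: disconnect from unknown[192.0.2.10]",
]


def compile_failregex(pattern):
    """Substitute the <HOST> alias the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(pattern, line):
    """Return the host captured by the failregex, or None when the line does not match."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def failures_per_host(pattern, lines):
    """Count matching lines per host; this is the tally a jail compares with maxretry."""
    rx = compile_failregex(pattern)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def hosts_to_ban(pattern, lines, maxretry=3):
    """Hosts reaching maxretry failures. findtime is ignored here because all
    sample lines fall within a few seconds of each other."""
    return sorted(h for h, n in failures_per_host(pattern, lines).items() if n >= maxretry)


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("relaxed", RELAXED)):
        print(name, failures_per_host(pattern, SAMPLE_LINES),
              "ban:", hosts_to_ban(pattern, SAMPLE_LINES))
```

With these lines the posted regex credits 192.0.2.10 with a single failure, so it never reaches maxretry, while the relaxed regex counts all three and bans it. On the server itself the equivalent check is `fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/sasl.conf`, which reports how many lines in the real log each failregex matched, so you can confirm against your own log which tail Postfix is actually writing.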
I'm getting the following in the fail2ban log:
Code:
2012-12-18 16:33:49,518 fail2ban.actions: WARNING [courierpop3] Ban 122.225.36.98
2012-12-18 16:33:49,528 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2012-12-18 16:33:49,529 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-12-18 16:33:49,543 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2012-12-18 16:43:50,298 fail2ban.actions: WARNING [courierpop3] Unban 122.225.36.98
Are the errors something to worry about? Thanks in advance.