I’m fairly new to Fail2ban and having trouble with errors in the fail2ban.log (2019-08-03 15:37:11,941 fail2ban.utils [562]: ERROR 75b41390 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports http,https -j f2b-apache-noscript). I have tried to remove some jails but just get the same error about postfix-sasl, apache-auth and so on. I posted some of the log file.

Code: Fail2ban.log
2019-08-03 15:37:11,813 fail2ban.actions [562]: NOTICE [blacklist] Unban 193.16.218.55
2019-08-03 15:37:11,814 fail2ban.actions [562]: NOTICE [blacklist] Unban 202.51.127.153
2019-08-03 15:37:11,941 fail2ban.utils [562]: ERROR 75b41390 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports http,https -j f2b-apache-noscript
iptables -w -F f2b-apache-noscript
iptables -w -X f2b-apache-noscript
2019-08-03 15:37:11,943 fail2ban.utils [562]: ERROR 75b41390 -- stderr: 'iptables: Too many links.'
2019-08-03 15:37:11,943 fail2ban.utils [562]: ERROR 75b41390 -- returned 1
2019-08-03 15:37:11,950 fail2ban.actions [562]: ERROR Failed to stop jail 'apache-noscript' action 'iptables-multiport': Error stopping action Jail('apache-noscript')/iptables-multiport
2019-08-03 15:37:11,956 fail2ban.jail [562]: INFO Jail 'apache-noscript' stopped
2019-08-03 15:37:11,960 fail2ban.jail [562]: INFO Jail 'apache-modsecurity' stopped
2019-08-03 15:37:11,968 fail2ban.jail [562]: INFO Jail 'postfix-auth' stopped
2019-08-03 15:37:11,991 fail2ban.utils [562]: ERROR 7487e4d0 -- exec: iptables -D INPUT -p tcp -j f2b-blacklist
iptables -F f2b-blacklist
iptables -X f2b-blacklist
2019-08-03 15:37:11,993 fail2ban.utils [562]: ERROR 7487e4d0 -- stderr: 'iptables: Too many links.'
2019-08-03 15:37:11,993 fail2ban.utils [562]: ERROR 7487e4d0 -- returned 1
2019-08-03 15:37:11,994 fail2ban.actions [562]: ERROR Failed to stop jail 'blacklist' action 'blacklist': Error stopping action Jail('blacklist')/blacklist
2019-08-03 15:37:12,041 fail2ban.utils [562]: ERROR 75bc8b18 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,465,pop3,pop3s,imap,imaps,sieve -j f2b$
iptables -w -F f2b-postfix-sasl
iptables -w -X f2b-postfix-sasl
2019-08-03 15:37:12,043 fail2ban.utils [562]: ERROR 75bc8b18 -- stderr: 'iptables: Too many links.'
2019-08-03 15:37:12,043 fail2ban.utils [562]: ERROR 75bc8b18 -- returned 1
2019-08-03 15:37:12,044 fail2ban.actions [562]: ERROR Failed to stop jail 'postfix-sasl' action 'iptables-multiport': Error stopping action Jail('postfix-sasl')/iptables-multiport
2019-08-03 15:37:12,046 fail2ban.jail [562]: INFO Jail 'postfix-sasl' stopped
2019-08-03 15:37:12,048 fail2ban.jail [562]: INFO Jail 'apache-badbots' stopped
2019-08-03 15:37:12,050 fail2ban.jail [562]: INFO Jail 'apache-nohome' stopped
2019-08-03 15:37:12,051 fail2ban.jail [562]: INFO Jail 'blacklist' stopped
2019-08-03 15:37:12,053 fail2ban.jail [562]: INFO Jail 'postfix' stopped
2019-08-03 15:37:12,054 fail2ban.jail [562]: INFO Jail 'apache-shellshock' stopped
2019-08-03 15:37:12,056 fail2ban.jail [562]: INFO Jail 'dovecot' stopped
2019-08-03 15:37:12,057 fail2ban.jail [562]: INFO Jail 'apache-overflows' stopped
2019-08-03 15:37:12,058 fail2ban.jail [562]: INFO Jail 'apache-fakegooglebot' stopped
2019-08-03 15:37:12,060 fail2ban.jail [562]: INFO Jail 'postfix-rbl' stopped
2019-08-03 15:37:12,061 fail2ban.jail [562]: INFO Jail 'apache-botsearch' stopped
2019-08-03 15:37:12,063 fail2ban.jail [562]: INFO Jail 'apache-auth' stopped
2019-08-03 15:37:12,065 fail2ban.database [562]: INFO Connection to database closed.
2019-08-03 15:37:12,066 fail2ban.server [562]: INFO Exiting Fail2ban
2019-08-03 15:37:28,305 fail2ban.server [550]: INFO --------------------------------------------------
2019-08-03 15:37:28,309 fail2ban.server [550]: INFO Starting Fail2ban v0.11.0.dev3
2019-08-03 15:37:28,320 fail2ban.observer [550]: INFO Observer start...
2019-08-03 15:37:28,801 fail2ban.database [550]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-08-03 15:37:28,856 fail2ban.jail [550]: INFO Creating new jail 'sshd'
2019-08-03 15:37:28,886 fail2ban.jail [550]: INFO Jail 'sshd' uses poller {}
2019-08-03 15:37:28,888 fail2ban.jail [550]: INFO Initiated 'polling' backend
2019-08-03 15:37:28,892 fail2ban.filter [550]: INFO maxLines: 1
2019-08-03 15:37:29,569 fail2ban.filter [550]: INFO Added logfile: '/var/log/auth.log' (pos = 140088, hash = 327785e3aa9dad1a8b5e2feef6a0d09a)
2019-08-03 15:37:29,571 fail2ban.filter [550]: INFO maxRetry: 2
2019-08-03 15:37:29,573 fail2ban.filter [550]: INFO encoding: utf-8
2019-08-03 15:37:29,575 fail2ban.actions [550]: INFO banTime: 3600
2019-08-03 15:37:29,577 fail2ban.filter [550]: INFO findtime: 3600

The postfix-sasl jail is not banning repeated tries. I have posted some of the log file.

Code: Mail.log
Jul 21 21:11:56 guthes postfix/anvil[26726]: statistics: max connection rate 1/60s for (smtps:81.174.151.90) at Jul 21 21:06:33
Jul 21 21:11:56 guthes postfix/anvil[26726]: statistics: max connection count 1 for (smtps:81.174.151.90) at Jul 21 21:06:33
Jul 21 21:11:56 guthes postfix/anvil[26726]: statistics: max cache size 2 at Jul 21 21:08:35
Jul 21 21:27:49 guthes postfix/smtpd[28889]: connect from unknown[185.234.218.40]
Jul 21 21:27:49 guthes postfix/smtpd[28889]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 21:31:09 guthes postfix/anvil[28891]: statistics: max connection rate 1/60s for (smtp:185.234.218.40) at Jul 21 21:27:49
Jul 21 21:31:09 guthes postfix/anvil[28891]: statistics: max connection count 1 for (smtp:185.234.218.40) at Jul 21 21:27:49
Jul 21 21:31:09 guthes postfix/anvil[28891]: statistics: max cache size 1 at Jul 21 21:27:49
Jul 21 21:47:58 guthes postfix/smtpd[30911]: connect from unknown[185.234.218.40]
Jul 21 21:47:59 guthes postfix/smtpd[30911]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 21:51:19 guthes postfix/anvil[30913]: statistics: max connection rate 1/60s for (smtp:185.234.218.40) at Jul 21 21:47:58
Jul 21 21:51:19 guthes postfix/anvil[30913]: statistics: max connection count 1 for (smtp:185.234.218.40) at Jul 21 21:47:58
Jul 21 21:51:19 guthes postfix/anvil[30913]: statistics: max cache size 1 at Jul 21 21:47:58
Jul 21 21:52:41 guthes postfix/smtpd[31368]: connect from unknown[37.49.227.220]
Jul 21 21:52:41 guthes postfix/smtpd[31368]: NOQUEUE: reject: RCPT from unknown[37.49.227.220]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [37.49.227.220]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<windows-2012-r2-server-rdp>
Jul 21 21:52:41 guthes postfix/smtpd[31368]: disconnect from unknown[37.49.227.220] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
Jul 21 21:56:01 guthes postfix/anvil[31370]: statistics: max connection rate 1/60s for (smtp:37.49.227.220) at Jul 21 21:52:41
Jul 21 21:56:01 guthes postfix/anvil[31370]: statistics: max connection count 1 for (smtp:37.49.227.220) at Jul 21 21:52:41
Jul 21 21:56:01 guthes postfix/anvil[31370]: statistics: max cache size 1 at Jul 21 21:52:41
Jul 21 22:06:39 guthes postfix/smtpd[307]: connect from unknown[185.234.218.40]
Jul 21 22:06:40 guthes postfix/smtpd[307]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 22:10:00 guthes postfix/anvil[309]: statistics: max connection rate 1/60s for (smtp:185.234.218.40) at Jul 21 22:06:39
Jul 21 22:10:00 guthes postfix/anvil[309]: statistics: max connection count 1 for (smtp:185.234.218.40) at Jul 21 22:06:39
Jul 21 22:10:00 guthes postfix/anvil[309]: statistics: max cache size 1 at Jul 21 22:06:39
Jul 21 22:25:08 guthes postfix/smtpd[2302]: connect from unknown[185.234.218.40]
Jul 21 22:25:08 guthes postfix/smtpd[2302]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 22:28:28 guthes postfix/anvil[2304]: statistics: max connection rate 1/60s for (smtp:185.234.218.40) at Jul 21 22:25:08
Jul 21 22:28:28 guthes postfix/anvil[2304]: statistics: max connection count 1 for (smtp:185.234.218.40) at Jul 21 22:25:08
Jul 21 22:28:28 guthes postfix/anvil[2304]: statistics: max cache size 1 at Jul 21 22:25:08
Jul 21 22:43:14 guthes postfix/smtpd[4114]: connect from unknown[185.234.218.40]
Jul 21 22:43:14 guthes postfix/smtpd[4114]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 22:46:35 guthes postfix/anvil[4116]: statistics: max connection rate 1/60s for (smtp:185.234.218.40) at Jul 21 22:43:14
Jul 21 22:46:35 guthes postfix/anvil[4116]: statistics: max connection count 1 for (smtp:185.234.218.40) at Jul 21 22:43:14
Jul 21 22:46:35 guthes postfix/anvil[4116]: statistics: max cache size 1 at Jul 21 22:43:14

I hope someone can help me out with the problems.
I found the problem with the errors in the fail2ban.log. The iptables had somehow changed the file permission to 0444 read only. In the mail.log file I still can not see why the fail2ban jail postfix-sasl is not banning.

Code:
[postfix-sasl]
enabled = true
findtime = 1800
#findtime = 10800
bantime = -1
filter = postfix-sasl
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s
action = iptables-multiport[name=postfix-sasl,
logpath = /var/log/mail.log
backend = %(postfix_backend)s
maxretry = 2
I will also comment that those fail2ban settings are absolutely inappropriate for any normal mail server. If a legitimate user mistypes their email address or their password, or makes various other errors and fails sasl login 2 times (in 30 minutes), they are banned forever. Maybe you have a special case, e.g. a server that doesn't have real/normal users, and/or a limited IP range you ignore in the default config section, but that certainly wouldn't work in most places.
Thanks Jesse. My error when copying. The postfix-sasl below is the jail I'm using, but I still can not get it to work.

Code:
[postfix-sasl]
enabled = true
findtime = 10800
bantime = 7200
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
action = iptables-multiport[name=postfix-sasl, port="http,https,smtp,submission,465,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
##logpath = %(postfix_log)s
logpath = /var/log/mail.log
backend = %(postfix_backend)s
maxretry = 2

Which port is best to use, 587 or 465?
That looks a little better, I don't know right offhand why it's failing. Try restarting fail2ban, then check fail2ban.log and see if it complained about postfix-sasl jail at all, or if it appears to be running OK like your others. If fail2ban.log indicates it's OK, create a couple sasl failures, and see if it shows up in fail2ban.log. If yes, the filter matched, and the problem might be in the iptables-multiport setup. If no, what do you have for your filter.d/postfix-sasl.conf (or .local) file, and what showed up for your sasl failures in mail.log? Maybe your regex doesn't match or something....
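The check Jesse describes (does the filter's regex match what actually lands in mail.log, and would maxretry hits inside findtime then trigger a ban?) can be rehearsed offline before touching the live jail. The script below is an added example, not code from the thread or from the fail2ban project. It assumes a failregex modelled on the shape of the stock postfix-sasl filter (the `FAILREGEX` string is an assumption; your own filter.d/postfix-sasl.conf or .local is what really runs), expands fail2ban's `<HOST>` and `%(__prefix_line)s` placeholders into plain Python regex, and runs it over a constructed mail.log sample that mixes the thread's `disconnect ... auth=0/1` lines with two SASL "authentication failed" warnings. It then applies a findtime/maxretry sliding window per host, so you can see which lines count and which do not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of mail.log lines: the disconnect lines mirror the thread's
# excerpt, the SASL warning lines are invented for the demonstration (addresses
# from documentation ranges).
SAMPLE_LOG = """\
Jul 21 21:27:49 guthes postfix/smtpd[28889]: connect from unknown[185.234.218.40]
Jul 21 21:27:49 guthes postfix/smtpd[28889]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 21:47:59 guthes postfix/smtpd[30911]: disconnect from unknown[185.234.218.40] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 21 22:06:39 guthes postfix/smtpd[307]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 22:06:45 guthes postfix/smtpd[307]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul 21 22:40:00 guthes postfix/smtpd[400]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Failregex written in fail2ban's notation. ASSUMPTION: this mirrors the shape of
# the stock postfix-sasl filter; substitute the failregex from your own
# filter.d/postfix-sasl.conf to test what really runs.
FAILREGEX = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: "
             r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5|GSSAPI|NTLM) "
             r"authentication failed.*$")

# fail2ban strips the timestamp before applying failregex; we do the same.
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# Stand-in for __prefix_line: "<hostname> <program>[<pid>]: ".
PREFIX_LINE = r"\S+ [-\w/]+\[\d+\]: "


def compile_failregex(fail2ban_re):
    """Turn a fail2ban-style failregex into a plain Python regex."""
    py_re = fail2ban_re.replace("%(__prefix_line)s", PREFIX_LINE)
    py_re = py_re.replace("<HOST>", r"(?P<host>[0-9A-Fa-f.:]+)")
    return re.compile(py_re)


def parse_ts(ts_text, year=2019):
    # Syslog timestamps carry no year; the sample assumes 2019.
    return datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")


def find_failures(log_text, failregex=FAILREGEX):
    """Return [(datetime, host)] for every line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        fm = rx.match(m.group("rest"))
        if fm:
            hits.append((parse_ts(m.group("ts")), fm.group("host")))
    return hits


def simulate_bans(hits, findtime, maxretry):
    """Per-host sliding window: a host is banned once maxretry matches fall
    within findtime seconds. Returns {host: time_of_ban}."""
    window = defaultdict(deque)
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def check(log_text=SAMPLE_LOG, findtime=10800, maxretry=2):
    """Summary used both by main() and by callers: how many lines matched and
    which hosts would be banned under the given jail settings."""
    hits = find_failures(log_text)
    return {"matches": len(hits),
            "banned": sorted(simulate_bans(hits, findtime, maxretry))}


if __name__ == "__main__":
    result = check()
    print(f"lines matched by failregex: {result['matches']}")
    print(f"hosts that would be banned (findtime=10800, maxretry=2): {result['banned']}")
```

Running it shows that only the `warning: ... SASL ... authentication failed` lines count: the `disconnect ... auth=0/1` lines from the excerpt never match, so a host that only produces those is never banned no matter what findtime and maxretry say. On a real box the equivalent test is fail2ban's own tool, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf`, which reports how many lines matched and which ones were missed.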