Hello everyone, I have a problem with UFW and fail2ban working together. Probably I've messed up something in the configuration because of a lack of understanding. Ok so my problem is that when fail2ban detects a bruteforce on my mail server it "bans" the IP, but after checking the logs I can see that some IP's are still trying to log. My aim is when I see a bot trying to bruteforce me after 1 attemp to be banned for X time on all ports. Here is my jail.local configuration file for fail2ban: Code: [DEFAULT] bantime = 604800 port=0:65535 [dovecot] banaction = ufw enabled = true filter = dovecot logpath = /var/log/mail.log maxretry = 1 findtime = 7200 [postfix-sasl] banaction = ufw enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = postfix-sasl logpath = /var/log/mail.log maxretry = 1 findtime = 7200 [sshd] banaction = ufw enabled = true port = 7080 filter = sshd logpath = /var/log/auth.log maxretry = 2 findtime = 7200 This is my action configuration file for UFW located at /etc/fail2ban/action/ufw.conf : Code: [Definition] actionstart = actionstop = actioncheck = actionban = ufw deny from <ip> to any actionunban = ufw delete deny from <ip> to any This is how my postfix-sasl filter looks like: Code: [INCLUDES] before = common.conf [Definition] _daemon = postfix/smtpd # failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$ # Author: Yaroslav Halchenko ignoreregex = Dovecot filter configuration file: Code: [INCLUDES] before = common.conf [Definition] _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowe$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=dovecot.service When I enter ufw status (removed IP addresses I don't wanna name and shame): Code: root@mail-1:/etc/fail2ban# ufw status Status: active To Action From -- ------ ---- 25/tcp ALLOW Anywhere 110/tcp ALLOW Anywhere 143/tcp ALLOW Anywhere 587/tcp ALLOW Anywhere 993/tcp ALLOW Anywhere 995/tcp ALLOW Anywhere 7080/tcp ALLOW Anywhere 224.0.0.1 ALLOW 192.168.1.1 Anywhere DENY xxx.xx.xxx.xx Anywhere DENY xxx.xxx.xx.xxx Anywhere DENY xxx.xxx.xxx.xx Anywhere DENY xxx.xxx.xxx.xx Anywhere DENY xxx.xxx.xxx.xx Anywhere DENY xxx.xxx.xxx.xx [...] In ISPConfig monitor when I click on Mail Warnings I see things like this all the time (removed IPs/Hostnames): Code: Sep 7 12:53:50 mail-1 postfix/smtpd[31719]: warning: unknown[xx.xxx.xxx.xxx]: SASL Login authentication failed: UGFzc3dvcmQ6 Sep 7 12:55:50 mail-1 postfix/smtpd[31719]: warning: hostname example.com does not resolve to address xxx.xx.xxx.xxx In fail2ban log I see this: Code: 2017-09-07 13:14:02,006 fail2ban.filter [960]: INFO [postfix-sasl] Found xxx.xx.xxx.xx 2017-09-07 13:14:02,278 fail2ban.actions [960]: NOTICE [postfix-sasl] xxx.xx.xxx.xx already banned Well if guys/gals need more information, please ask and I will try to deliver. Thanks in advance for the help!
just wondering, have you adjusted the bantime aswell? b/c debian set default bantime to uhm 600 seconds, after that the ban gets removed
