Hello, I have a perfect server as per Debian 9, apache setup. I noticed that fail2ban does not ban any of the hackers for postfix and dovecot, but rather the fail2ban log says it found them, as below:

Code:
    2019-04-28 06:33:57,272 fail2ban.filter [32065]: INFO [dovecot] Found 89.248.171.x
    2019-04-28 06:34:31,031 fail2ban.filter [32065]: INFO [postfix-sasl] Found 45.125.66.y
    2019-04-28 06:37:53,470 fail2ban.filter [32065]: INFO [dovecot] Found 89.248.171.x
    2019-04-28 06:57:10,013 fail2ban.filter [32065]: INFO [postfix-sasl] Found 45.125.66.y
    2019-04-28 07:08:44,144 fail2ban.filter [32065]: INFO [postfix-sasl] Found 190.117.147.z

Why does it say found but not ban after 3 times as per the fail2ban config? Below is a test of the config with fail2ban-regex:

Code:
    root@srv:/var/log# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

    Running tests
    =============

    Use   failregex line : /etc/fail2ban/filter.d/sasl.conf

    Traceback (most recent call last):
      File "/usr/bin/fail2ban-regex", line 34, in <module>
        exec_command_line()
      File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 599, in exec_command_line
        if not fail2banRegex.start(opts, args):
      File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 499, in start
        if not self.readRegex(cmd_regex, 'fail'):
      File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 320, in readRegex
        'add%sRegex' % regextype.title())(regex.getFailRegex())
      File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 113, in addFailRegex
        raise e
      File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 105, in addFailRegex
        regex = FailRegex(value)
      File "/usr/lib/python3/dist-packages/fail2ban/server/failregex.py", line 215, in __init__
        raise RegexException("No 'host' group in '%s'" % self._regex)
    fail2ban.server.failregex.RegexException: No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'

Here is the fail2ban config /etc/fail2ban/jail.local:

Code:
    [pure-ftpd]
    enabled = true
    port = ftp
    filter = pure-ftpd
    logpath = /var/log/syslog
    maxretry = 3

    [dovecot]
    enabled = true
    filter = dovecot
    logpath = /var/log/mail.log
    maxretry = 5

    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 3

What could be done to ban the email hackers? Thanks,
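The two things the question turns on, shown as an added example that is not part of the original post or of the fail2ban project: the "No 'host' group" error comes from a failregex that lacks the `<HOST>` tag (fail2ban expands that tag into a named group called `host`), and an INFO "Found" line is only a regex match; a ban needs `maxretry` matches from the same IP inside one `findtime` window. The failregex below is a simplified rule written for this example, not the distribution's `postfix-sasl` filter; the mail.log lines are constructed, the year 2019 is assumed for the syslog timestamps, and 600 seconds is assumed as the jail's findtime.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a named group "host"; a pattern that ends up
# without that group is rejected (the RegexException seen in the traceback).
HOST_PATTERN = r"(?P<host>[0-9A-Fa-f.:]+)"

# Simplified rule for this example (assumption: not the real postfix-sasl filter).
FAILREGEX = (r"postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: "
             r"SASL (?:LOGIN|PLAIN) authentication failed")

# Constructed mail.log lines in Debian 9 syslog format.
MAIL_LOG = """\
Apr 28 06:33:57 srv postfix/smtpd[2002]: warning: unknown[89.248.171.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 28 06:34:31 srv postfix/smtpd[2001]: warning: unknown[45.125.66.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 28 06:35:02 srv postfix/smtpd[2001]: warning: unknown[45.125.66.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 28 06:35:40 srv postfix/smtpd[2003]: warning: unknown[45.125.66.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Apr 28 06:57:10 srv postfix/smtpd[2004]: warning: unknown[89.248.171.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 28 07:20:44 srv postfix/smtpd[2005]: warning: unknown[89.248.171.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 28 07:21:00 srv postfix/smtpd[2006]: connect from mail.example.net[198.51.100.9]
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and refuse a rule with no 'host' group."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    if "host" not in pattern.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return pattern


def find_failures(log_text, failregex):
    """Return (timestamp, ip) for every matching line.

    Each of these is what the jail logs as 'INFO [jail] Found <ip>'."""
    pattern = compile_failregex(failregex)
    found = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        ts = TS_RE.match(line).group("ts")
        # Syslog lines carry no year; 2019 is assumed here.
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=2019)
        found.append((when, m.group("host")))
    return found


def compute_bans(failures, maxretry, findtime):
    """Mirror the jail's counting: ban an IP once it has maxretry matches
    within a findtime window. Returns a list of (ip, ban_time)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = []
    for when, ip in failures:
        # Drop matches that fell out of the window before counting this one.
        hits = [t for t in recent[ip] if when - t <= window]
        hits.append(when)
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans.append((ip, when))
            recent[ip] = []  # counter starts over after a ban
    return bans


if __name__ == "__main__":
    failures = find_failures(MAIL_LOG, FAILREGEX)
    for when, ip in failures:
        print("%s INFO  Found %s" % (when, ip))
    for ip, when in compute_bans(failures, maxretry=3, findtime=600):
        print("%s NOTICE Ban %s" % (when, ip))
```

With maxretry 3 and findtime 600 only 45.125.66.5 is banned: 89.248.171.7 also produces three "Found" lines, but they are more than ten minutes apart, so its counter never reaches 3. Raising findtime to 3600 bans both, which is the knob to check when the fail2ban log shows repeated "Found" without a "Ban". The same check that fail2ban-regex performs is in `compile_failregex`: a rule without `<HOST>` raises the error from the post.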
That fail2ban-regex command crashes. Is the /etc/fail2ban/filter.d/sasl.conf somehow faulty? It says found every time there is a connection attempt from that IP-address. Are you sure there have been more than 3 failed logins from the same IP-address in the time period and the IP does not get banned? What do these show:

Code:
    fail2ban-client ping
    fail2ban-client status
    fail2ban-client status dovecot
    fail2ban-client status postfix-sasl
Thanks Taleman, here are the results.

Code:
    root@srv:/var/log# fail2ban-client ping
    Server replied: pong

Code:
    root@srv:/var/log# fail2ban-client status
    Status
    |- Number of jail:      4
    `- Jail list:   dovecot, postfix-sasl, pure-ftpd, sshd

Code:
    root@srv:/var/log# fail2ban-client status dovecot
    Status for the jail: dovecot
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     401
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     2
       `- Banned IP list:

Code:
    root@srv:/var/log# fail2ban-client status postfix-sasl
    Status for the jail: postfix-sasl
    |- Filter
    |  |- Currently failed: 2
    |  |- Total failed:     28321
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     7849
       `- Banned IP list: