Hello everyone, I'm pretty new at Linux administration and I wanted to protect my mail server. Only I use this server, for mail and studying. Hopefully someone can point out where I made a mistake, thank you. I left fail2ban for a couple of days to work and I got this result:

Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 35 ( but none of these were banned? )
|  `- Journal matches: _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 212.200.247.126 ( I tested it via phone )

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 34 ( none of these banned? )
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

but fail2ban.log said:

2020-04-13 18:25:13,118 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 18:25:12
2020-04-13 18:25:17,276 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 18:25:17
2020-04-13 19:32:43,735 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 19:32:43
2020-04-13 19:32:47,035 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 19:32:47
2020-04-14 21:31:32,546 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:31:32
2020-04-14 21:52:02,538 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 21:52:02
2020-04-14 21:52:06,285 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:52:06
2020-04-14 22:19:29,131 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:19:29
2020-04-14 22:19:33,318 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:19:33
2020-04-14 22:40:20,186 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:40:19
2020-04-14 22:40:24,111 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:40:24
2020-04-14 22:58:34,316 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:58:34
2020-04-14 22:58:38,260 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:58:38
2020-04-14 23:16:25,082 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 23:16:25
2020-04-14 23:16:28,227 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 23:16:28

Postfix didn't find anything...

My jail.local conf:

[longterm]
port = ssh
logpath = %(sshd_log)s
banaction = iptables-multiport
maxretry = 6
findtime = 259200
bantime = 31536000
enabled = true
filter = sshd

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/maillog
#findtime = 3600
#bantime = 7200
maxretry = 2

[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables
logpath = /var/log/audit/audit.log
#findtime = 14400
#bantime = 7200
maxretry = 3

[postfix]
enabled = true
port = smtp
filter = postfix
action = iptables[name=postfix, port=smtp, protocol=tcp]
logpath = /var/log/maillog
#findtime = 3600
#bantime = 7200
maxretry = 2

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
action = iptables[name=postfix, port=smtp, protocol=tcp]
logpath = /var/log/maillog
#findtime = 3600
#bantime = 7200
maxretry = 2
What is not working as you expect? Have you read the documentation: https://www.fail2ban.org/wiki/index.php/Manual https://www.fail2ban.org/wiki/index.php/Main_Page
Why are you expecting any of those in that bit of log to be banned? You have maxretry of 2 for postfix, postfix-sasl, and dovecot, and findtime is disabled in those local jails, so we have to assume they're using the default findtime in /etc/fail2ban/jail.conf, which is 10 minutes. None of those IPs are making more than 2 attempts at the same jail in any 10 minute period, so there is no reason for the system to ban them. In fact, it's only in the first 4 entries in that bit of logging that any attempts on the same jail occur within any 10 minute period: 2 to dovecot, and 2 to postfix-sasl.
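To make the findtime/maxretry arithmetic in the reply above concrete, here is an added example (not code from the thread or from the fail2ban project) that replays the poster's own "Found" lines through a simplified model of fail2ban's ban decision. It reports the closest pair of failures per (jail, IP) and then runs the replay twice: with the default findtime of 600 seconds that the poster's jails inherit, and with the 3600 seconds the poster has commented out. The log lines are embedded as a constructed string copied from the post; the sliding-window rule and the "stop counting after the first ban" behaviour are this example's simplifications, noted in the docstring.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed input: the "Found" lines quoted from the poster's fail2ban.log.
FAIL2BAN_LOG = """\
2020-04-13 18:25:13,118 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 18:25:12
2020-04-13 18:25:17,276 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 18:25:17
2020-04-13 19:32:43,735 fail2ban.filter [1589]: INFO [dovecot] Found 193.169.255.130 - 2020-04-13 19:32:43
2020-04-13 19:32:47,035 fail2ban.filter [1589]: INFO [postfix-sasl] Found 193.169.255.130 - 2020-04-13 19:32:47
2020-04-14 21:31:32,546 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:31:32
2020-04-14 21:52:02,538 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 21:52:02
2020-04-14 21:52:06,285 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 21:52:06
2020-04-14 22:19:29,131 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:19:29
2020-04-14 22:19:33,318 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:19:33
2020-04-14 22:40:20,186 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:40:19
2020-04-14 22:40:24,111 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:40:24
2020-04-14 22:58:34,316 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 22:58:34
2020-04-14 22:58:38,260 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 22:58:38
2020-04-14 23:16:25,082 fail2ban.filter [1589]: INFO [dovecot] Found 185.234.218.246 - 2020-04-14 23:16:25
2020-04-14 23:16:28,227 fail2ban.filter [1589]: INFO [postfix-sasl] Found 185.234.218.246 - 2020-04-14 23:16:28
"""

# fail2ban's "Found <ip> - <time>" line: the trailing time is the failure's own
# timestamp taken from the monitored log, which is what the findtime window uses.
FOUND_RE = re.compile(
    r"INFO\s+\[(?P<jail>[\w-]+)\]\s+Found\s+(?P<ip>\S+)\s+-\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_found(log_text):
    """Return [(failure_time, jail, ip), ...] in log order."""
    events = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["jail"], m["ip"]))
    return events


def min_gap_seconds(log_text):
    """Smallest gap (seconds) between consecutive failures for each (jail, ip)."""
    last, gaps = {}, {}
    for ts, jail, ip in parse_found(log_text):
        key = (jail, ip)
        if key in last:
            gap = int((ts - last[key]).total_seconds())
            gaps[key] = min(gaps.get(key, gap), gap)
        last[key] = ts
    return gaps


def simulate_bans(log_text, findtime, maxretry):
    """
    Replay the failures through a simplified fail2ban decision: an address is
    banned in a jail once `maxretry` failures fall within `findtime` seconds.
    Returns {(jail, ip): "first ban time"}; failures after a ban are ignored,
    since the firewall rule would have dropped those connections.
    Simplification: fail2ban itself resets the retry counter when consecutive
    failures are more than findtime apart rather than keeping a strict sliding
    window; for these timestamps both rules give the same answer.
    """
    window = timedelta(seconds=findtime)
    recent, bans = defaultdict(deque), {}
    for ts, jail, ip in parse_found(log_text):
        key = (jail, ip)
        if key in bans:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[key] = ts.strftime(TS_FMT)
    return bans


if __name__ == "__main__":
    for key, gap in sorted(min_gap_seconds(FAIL2BAN_LOG).items()):
        print(f"{key[0]:13} {key[1]:16} closest two failures: {gap} s apart")
    for findtime in (600, 3600):
        result = simulate_bans(FAIL2BAN_LOG, findtime, 2) or "no bans"
        print(f"findtime={findtime}, maxretry=2 -> {result}")
```

Run as-is, the closest two failures for any single jail and address are over 1000 seconds apart, so with the inherited 600-second findtime the replay produces no bans at all, which is exactly what the poster's jail status shows. With findtime raised to 3600 the same log produces a ban for 185.234.218.246 in both the postfix-sasl and the dovecot jail. Whether a slow, spread-out pattern like this should be banned is a tuning decision: a long findtime catches low-rate guessing, at the cost of a larger chance of locking out a legitimate user who mistypes a password a few times over an hour.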
Your [postfix] jail didn't match anything; check the regexes in the postfix filter.d file against the log entries they should match, it could be they need adjusting. More likely there were simply no such log entries during that time. As @nhybgtvfr indicates, there is probably nothing wrong, the behaviour matches the logs.