LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 06-23-2016, 12:19 PM   #1
rs232
Member
 
Registered: Oct 2005
Posts: 51

Rep: Reputation: 0
fail2ban - why is it not blocking? Troubleshooting help needed


Hi all

I have been playing with fail2ban as I have a couple of attacks running pretty much constantly. The service I would liek to protect is smtp and smtps

So my Jail.conf looks like this:

Code:
# ASSP SMTP Proxy Jail
[assp]

enabled  = true
port     = smtp,465,submission
filter   = assp
logpath  = /usr/local/assp/logs/maillog.txt
maxretry = 3
findtime = 3600
bantime  = 10080
and the assp.conf under fail2ban.d is as follow:
Code:
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
#
#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
#

[Definition]

__assp_actions = (?:dropping|refusing)

failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
                        ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
                        ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
                        <HOST> .*?authentication failed

ignoreregex =

# DEV Notes:
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de
When I check the regular expression it looks ok to me:

Code:
fail2ban-regex /usr/local/assp/logs/maillog.txt /etc/fail2ban/fail2ban.d/assp.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/fail2ban.d/assp.conf
Use         log file : /usr/local/assp/logs/maillog.txt
Use         encoding : UTF-8


Results
=======

Failregex: 313 total
|-  #) [# of hits] regular expression
|   4) [313] <HOST> .*?authentication failed
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1608] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 1609 lines, 0 ignored, 313 matched, 1296 missed [processed in 1.01 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 1296 lines
But I see no IP jailed:

Code:
fail2ban-client status assp
Status for the jail: assp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /usr/local/assp/logs/maillog.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
I can't figure out what's broken :-/

Anybody has any input on where to look next?

Thanks!
rs232
 
Old 06-23-2016, 12:33 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I suggest a default value of
Code:
findtime = 600
Did you restart f2b after making edits?
Possible to change /etc/fail2ban/fail2ban.conf (or even in your jail.conf?)
Code:
loglevel = 4
Restart and keep any eye on /var/log/fail2ban.log
for outstanding entries.

When was the last time this worked?
Is /etc/fail2ban/fail2ban.d/assp.conf the one that came installed?

If the manual run of
Code:
fail2ban-regex /usr/local/assp/logs/maillog.txt /etc/fail2ban/fail2ban.d/assp.conf
find hits (but makes you run switches to see them all?), when you restart fail2ban it should ban
everything it found within the last 600 seconds when you restart fail2ban.

I don't see a banaction statement?
Using [DEFAULT] then? what is it?

I'd copy jail.conf to jail.local else during an upgrade, all your precious work gets over-written.
Code:
cp /etc/fail2ban/jail.conf cp /etc/fail2ban/jail.local
Same goes for custom filters and actions.

Let us know...

Last edited by Habitual; 06-23-2016 at 12:42 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] fail2ban regex help needed ! papampi Linux - Security 30 06-19-2012 10:29 AM
fail2ban best method of blocking brute force attempts? mrtwice Linux - Security 3 12-09-2008 11:52 AM
help needed troubleshooting slow connection wheeliee Slackware 4 11-13-2008 11:47 PM
fail2ban not blocking vsftp samnjugu Linux - Security 1 04-11-2007 03:35 AM
Server down, troubleshooting help needed longnshortofit Red Hat 4 03-19-2005 07:36 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 12:31 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration