
List:       fail2ban-users
Subject:    [Fail2ban-users] issues running fail2ban on freebsd 10.0
From:       comercial () dsgx ! com ! br
Date:       2015-04-15 20:31:52
Message-ID: 6f8f2ba01237c4dd0b8e399d1240065f () dsgx ! com ! br



Heya,

Recently my fail2ban stopped working for some reason. It's not adding any IP to the firewall (ipfw).

When I test the regex with the log file it gives me the failed attempts.

-----------------------

# ipfw show

And it is executing ipfw correctly, I guess, because every time I init it, it creates this entry:

00001 0 0 unreach port ip from table(1) to me

I also checked the regex against my maillog:

fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban/filter.d/postfix-sasl.conf


Running tests
=============

Use   failregex file : /usr/local/etc/fail2ban/filter.d/postfix-sasl.conf
Use         log file : /var/log/maillog
Use         encoding : US-ASCII

Results
=======

Failregex: 178 total
|-  #) [# of hits] regular expression
|   1) [178] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [186018] MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-

Lines: 186018 lines, 0 ignored, 178 matched, 185840 missed [processed in 22.96 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 185840 lines
-------------------------

fail2ban-client -d

['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'loglevel', 'INFO']
['set', 'dbpurgeage', 86400]
['set', 'dbfile', '/var/db/fail2ban/fail2ban.sqlite3']
['add', 'sasl-auth-failures', 'auto']
['set', 'sasl-auth-failures', 'usedns', 'warn']
['set', 'sasl-auth-failures', 'addlogpath', '/var/log/maillog', 'head']
['set', 'sasl-auth-failures', 'maxretry', 5]
['set', 'sasl-auth-failures', 'addignoreip', '127.0.0.1/8']
['set', 'sasl-auth-failures', 'logencoding', 'utf-8']
['set', 'sasl-auth-failures', 'bantime', 3600]
['set', 'sasl-auth-failures', 'ignorecommand', '']
['set', 'sasl-auth-failures', 'findtime', 600]
['set', 'sasl-auth-failures', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$']
['set', 'sasl-auth-failures', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'sasl-auth-failures', 'addaction', 'bsd-ipfw']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionban', 'ipfw table  add ']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f  ] || ( read num < ""
ipfw -q delete $num
rm "" )']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q \'table()\' || ( ipfw show | awk \'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }\'; num=$?; ipfw -q add $num from table() to me ; echo $num > "" )']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actionunban', 'ipfw table  delete ']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'actioncheck', '']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'table', '1']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'port', '']
['set', 'sasl-auth-failures', 'action', 'bsd-ipfw', 'block', 'ip']
['add', 'postfix-rejected', 'auto']
['set', 'postfix-rejected', 'usedns', 'warn']
['set', 'postfix-rejected', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix-rejected', 'maxretry', 8]
['set', 'postfix-rejected', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-rejected', 'logencoding', 'utf-8']
['set', 'postfix-rejected', 'bantime', 3600]
['set', 'postfix-rejected', 'ignorecommand', '']
['set', 'postfix-rejected', 'findtime', 600]
['set', 'postfix-rejected', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*NOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$']
['set', 'postfix-rejected', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*NOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$']
['set', 'postfix-rejected', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*NOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$']
['set', 'postfix-rejected', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*improper command pipelining after \S+ from [^[]*\[\]:?$']
['set', 'postfix-rejected', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'postfix-rejected', 'addaction', 'bsd-ipfw']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionban', 'ipfw table  add ']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionstop', '[ ! -f  ] || ( read num < ""
ipfw -q delete $num
rm "" )']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionstart', 'ipfw show | fgrep -q \'table()\' || ( ipfw show | awk \'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }\'; num=$?; ipfw -q add $num from table() to me ; echo $num > "" )']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actionunban', 'ipfw table  delete ']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'actioncheck', '']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'table', '1']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'blocktype', 'unreach port']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'startstatefile', '/var/run/fail2ban/ipfw-started-table_']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'port', '']
['set', 'postfix-rejected', 'action', 'bsd-ipfw', 'block', 'ip']
['start', 'sasl-auth-failures']
['start', 'postfix-rejected']

Any help will be appreciated,
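A diagnostic added here, not part of the original post or of fail2ban itself, for the situation the post describes: the filter matches 178 lines, but with maxretry 5 and findtime 600 a host is only banned when five of its failures fall inside one 600-second window, so a regex that "works" can still never trigger actionban. The script replays log lines through a simplified form of the post's SASL failregex (the IP capture stands in for fail2ban's <HOST> tag, which the archive stripped; the syslog prefix is reduced to host and smtpd pid) and reports which hosts would actually reach the threshold; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified form of the post's postfix-sasl failregex. The archive stripped
# fail2ban's <HOST> tag, so the "host" group is my assumption about where it
# sat: inside the brackets after the client name.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9.]+)\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?:: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

def would_ban(lines, findtime=600, maxretry=5, year=2015):
    """Return ({host: matched lines}, {hosts with maxretry failures inside one
    findtime window}). Only hosts in the second set ever trigger actionban."""
    hits = defaultdict(int)
    window = defaultdict(deque)
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fail2ban assumes one, so do we
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        hits[host] += 1
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop stale failures
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return dict(hits), banned

# Constructed sample: 10.0.0.5 bursts five failures in 32 seconds, 10.0.0.9
# fails five times but an hour apart, plus one line the filter must ignore.
SAMPLE = [
    "Apr 15 10:00:%02d mx postfix/smtpd[1234]: warning: unknown[10.0.0.5]: "
    "SASL LOGIN authentication failed" % s for s in (1, 9, 17, 25, 33)
] + [
    "Apr 15 %02d:00:00 mx postfix/smtpd[1235]: warning: unknown[10.0.0.9]: "
    "SASL PLAIN authentication failed: UGFzc3dvcmQ6" % h for h in range(11, 16)
] + ["Apr 15 12:30:00 mx postfix/smtpd[1236]: connect from unknown[10.0.0.7]"]

if __name__ == "__main__":
    hits, banned = would_ban(SAMPLE)
    print(hits, banned)  # {'10.0.0.5': 5, '10.0.0.9': 5} {'10.0.0.5'}
```

Both hosts count five matches, which is what fail2ban-regex reports, yet only the bursting host crosses the jail's threshold; run it over the real maillog to see whether any client ever does.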
 






_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

