fail2ban detecting and banning but nothing happens




I've followed one of the pages online specifically for installing fail2ban on 
CentOS 7 and all looks fine.

I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
another page:

       \[<HOST>\]: 535 Incorrect authentication data

which appears to be successfully matching lines in /var/log/exim/mail.log such 
as

2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data

/var/log/fail2ban.log, and the generated emails all say that the regex is 
working and the IP addresses are getting banned.

2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198



However, once an IP address is banned, it continues to appear 
in /var/log/exim/main.log which would imply that the ban action is not 
working.

(Also, I don't understand why it's matching against dovecot when the regex 
is in exim.conf)

I've found lots of pages relating to regex errors which this obviously isn't 
but I can't seem to find pages about why the ban doesn't work. Does anyone 
have any ideas?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
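
The symptom described in the post can be confirmed from fail2ban.log alone. The following is an added example, not part of the original post: it replays the Ban/Unban events per jail and reports every "Found" line for an address the jail still holds as banned, which is evidence that the ban action is not blocking that traffic. The function name and the `grace` window (to ignore lines processed just after a ban) are assumptions of this example; the sample input is the log excerpt from the post.

```python
import re
from datetime import datetime, timedelta

# fail2ban.log lines copied from the post above (wrapped lines joined).
SAMPLE_LOG = """\
2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
"""

# Timestamp, component, pid, level, [jail], event, address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)

def found_while_banned(log_text, grace=timedelta(seconds=5)):
    """Return (jail, ip, time_since_ban) for each Found logged during a ban."""
    banned = {}   # (jail, ip) -> time of the ban currently in force
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["event"] == "Ban":
            banned[key] = ts
        elif m["event"] == "Unban":
            banned.pop(key, None)
        elif key in banned and ts - banned[key] > grace:
            hits.append((m["jail"], m["ip"], ts - banned[key]))
    return hits

if __name__ == "__main__":
    for jail, ip, delta in found_while_banned(SAMPLE_LOG):
        print(f"[{jail}] {ip} still matched {delta.total_seconds():.3f}s after Ban")
```
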


