Re: fail2ban ban not working




On Tuesday 07 April 2020 10:09:07 Marius ROMAN wrote:
> "ipset v7.1: Syntax error: '3600000' is out of range 0-2147483"
> This is the problem. You could try to reduce the 'ban' time (for whatever rules you have for dovecot) so that it would be in that interval and restart fail2ban service.
> 

Thanks to the help from Marius I no longer get the error and fail2ban appears to be working. I am still having troubles with my firewall.

I have a command firewall_ban which is:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$1' reject "


I copied this from a web posting, and it is supposed to do what I need, which is ban specific IP addresses.

However, when I tried to ban an IP I grabbed from my EXIM logs I got an error

[root@ollie2 ~]# firewall_ban 46.17.96.82
Warning: ALREADY_ENABLED: rule family='ipv4' source address='46.17.96.82' reject 
success
[root@ollie2 ~]#

I was not surprised by this error as I did think that I had already banned this address. However, this does now beg the question, why am I still seeing in my exim/main.log:

2020-04-08 13:34:41 H=(slot0.iso-taem.com) [46.17.96.82] sender verify defer for <administrator@xxxxxxxxxxxx>: host lookup did not complete
2020-04-08 13:34:41 H=(slot0.iso-taem.com) [46.17.96.82] F=<administrator@xxxxxxxxxxxx> temporarily rejected RCPT <auser@xxxxxxxxxxxxxx>: Could not complete sender verify


Also, I am trying to add a failregex to match the following lines, but for some reason my attempts don't work.

2020-04-08 13:34:42 H=ip3.ip-144-217-187.net (swNLFAhhb9) [144.217.187.3] rejected EHLO or HELO swnlfahhb9: Your server with the IP 144.217.187.3 is with helo name (swNLFAhhb9) configured incorrectly. Email has been blocked. (HELO Error)

My best attempt is this one, and when I try it with fail2ban-regex it matches every time, but in real life, it doesn't trigger banning anyone

 ^%(pid)s.* \[<HOST>\] rejected EHLO or HELO 

They appear to match if I run fail2ban-regex but in real life, they're not triggering bans.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
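
Added example, not part of the original message or of fail2ban itself: a check for the ipset range error quoted at the top of the post, which flags jails whose effective bantime exceeds the 0-2147483 range when the ban action uses ipset. The jail file contents are constructed, and only single-letter time suffixes (s, m, h, d, w) are handled, which is an assumption about how the values are written.

```python
import configparser
import re

# Upper bound from the ipset error quoted in the post: "out of range 0-2147483".
IPSET_MAX_TIMEOUT = 2147483

# Assumption: only these single-letter time suffixes appear in the config.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample jail configuration (not taken from the poster's system).
SAMPLE = """
[DEFAULT]
bantime = 3600000
banaction = firewallcmd-ipset

[dovecot]
enabled = true

[exim]
enabled = true
bantime = 1h

[sshd]
enabled = true
bantime = 5w
banaction = iptables-multiport
"""

def to_seconds(value):
    """Convert '3600', '1h' or '1d 12h' to a number of seconds."""
    total = 0
    for token in value.strip().lower().split():
        match = re.fullmatch(r"(-?\d+)([smhdw]?)", token)
        if not match:
            raise ValueError(f"unsupported bantime: {value!r}")
        total += int(match.group(1)) * _UNITS[match.group(2) or "s"]
    return total

def oversized_bantimes(config_text):
    """Return {jail: seconds} for ipset-backed jails whose bantime is out of range."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    parser.read_string(config_text)
    flagged = {}
    for jail in parser.sections():  # [DEFAULT] values are inherited by each jail
        options = parser[jail]
        if "ipset" not in options.get("banaction", "") or "bantime" not in options:
            continue
        seconds = to_seconds(options["bantime"])
        if seconds > IPSET_MAX_TIMEOUT:
            flagged[jail] = seconds
    return flagged

if __name__ == "__main__":
    print(oversized_bantimes(SAMPLE))
```
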


