linux
Ras, 2015-04-16 15:50:21

Fail2ban detects access attempts but doesn't ban, why?

I configured fail2ban on the server (for the first time); the program detects the login attempts but does not ban the brute-forcer. What is missing from my settings?
Part of the log:
2015-04-16 11:22:32,812 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 11:30:42,402 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 11:55:16,093 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:00:52,503 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:04:33,780 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:36:57,682 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:46:07,291 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 13:19:29,574 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 13:58:12,995 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 14:07:15,640 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 14:34:20,526 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 14:40:29,958 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
Settings file in jail.d:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 60000
findtime = 1800
maxretry = 3
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s

2 answer(s)
Dmitry, 2015-04-24
@yoda_star

Where is action?
fail2ban probably just doesn't know what to do, it should be something like:
action = iptables[name=postfix, port=smtp, protocol=tcp]

Alexander Slyzhuk, 2015-04-24
@SLYzhuk

bantime = 60000 - how many seconds to ban (here 1000 minutes, or 16 h 40 min; in my opinion that is too much, won't you run into your own ban?)
findtime = 1800 - number of connections (here 30 minutes)
maxretry = 3 - number of errors
In my config:
bantime = 14400
findtime = 600
maxretry = 3

In principle, all the default settings are correct; just edit these parameters and restart the service.
To check how it is working: sudo fail2ban-client status ssh
For me it looks like this right now (the Chinese are attacking):
Status for the jail: ssh
|- filter
|  |- File list: /var/log/auth.log
|  |- Currently failed: 2
|  `- Total failed: 14628
`- action
   |- Currently banned: 7
   |  `- IP list: 222.186.56.101 59.29.245.226 221.229.166.27 62.193.242.207 61.160.212.27 87.106.129.233 62.210.6.254
   `- Total banned: 3791
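As an added example (not from the question or either answer, and not fail2ban's own code), the following Python models fail2ban's findtime/maxretry counter as a simple sliding window and runs it over the twelve "Found" lines quoted in the question. It shows that 80.82.70.167 reaches maxretry = 3 at 12:04:33 under both the asker's findtime = 1800 and the second answer's findtime = 600, so those thresholds alone do not explain the missing ban, which is consistent with the first answer's advice to look at the jail's action.

```python
import re
from datetime import datetime

# fail2ban's own log format for a matched failure (one "Found" line per match).
FOUND_RE = re.compile(r"^(\S+ \d\d:\d\d:\d\d),\d+ fail2ban\.filter\s*\[\d+\]\s*: INFO\s*\[(\S+)\] Found (\S+)")

# The twelve hits quoted in the question, re-typed without the line-wrap damage.
SAMPLE_LOG = """\
2015-04-16 11:22:32,812 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 11:30:42,402 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 11:55:16,093 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:00:52,503 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:04:33,780 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:36:57,682 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 12:46:07,291 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 13:19:29,574 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 13:58:12,995 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 14:07:15,640 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 14:34:20,526 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
2015-04-16 14:40:29,958 fail2ban.filter [3474]: INFO [postfix-sasl] Found 80.82.70.167
"""

def parse_found(log_text):
    """Group the timestamps of every 'Found' line by (jail, ip)."""
    hits = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            hits.setdefault((m.group(2), m.group(3)), []).append(ts)
    return hits

def first_ban(times, findtime, maxretry):
    """Simplified model of fail2ban's counter (not its real FailManager): the first
    hit at which at least `maxretry` hits fall within the trailing `findtime` seconds."""
    times = sorted(times)
    for i, t in enumerate(times):
        recent = [u for u in times[:i + 1] if (t - u).total_seconds() <= findtime]
        if len(recent) >= maxretry:
            return t
    return None  # threshold never reached with these settings

def min_findtime(times, maxretry):
    """Smallest findtime (seconds) at which this data would still reach maxretry."""
    times = sorted(times)
    spans = [(times[i + maxretry - 1] - times[i]).total_seconds()
             for i in range(len(times) - maxretry + 1)]
    return min(spans) if spans else None
```

Running first_ban on the parsed hits with maxretry = 3 gives 12:04:33 for both findtime = 1800 and findtime = 600; min_findtime shows that anything from 557 seconds upwards would have reached the threshold.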
