Philippe23 Tux's lil' helper
Joined: 20 Dec 2006 Posts: 130 Location: Central NY
Posted: Sat Mar 01, 2014 6:32 pm Post subject: fail2ban + iptables "already banned"

Hey, I'm looking for suggestions of what I might have misconfigured. I get a fair amount of these from fail2ban:

Quote:
Feb 28 12:15:01 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 49.48.2.132 already banned
Feb 28 12:50:50 localhost fail2ban.actions[4327]: INFO [sasl-iptables] 113.193.130.89 already banned
Feb 28 18:46:56 localhost fail2ban.actions[4327]: INFO [courier-iptables] 95.163.107.210 already banned

I get them for pretty much all of my jail rules. Here's my jail.local, minus the comments:

Quote:
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 28800
findtime = 600
maxretry = 10
backend = auto

[postfix-iptables]
enabled = true
filter = postfix
action = iptables[name=POSTFIX,port=smtp]
         iptables[name=POSTFIX,port=submission]
         iptables[name=POSTFIX,port=smtps]
         sendmail-geoip[name=POSTFIX,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

[sasl-iptables]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL,port=smtp]
         iptables[name=POSTFIX-SASL,port=submission]
         iptables[name=POSTFIX-SASL,port=smtps]
         sendmail-geoip[name=POSTFIX-SASL,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

[courier-iptables]
enabled = true
filter = courierlogin
action = iptables[name=COURIER,port=imap]
         iptables[name=COURIER,port=imaps]
         iptables[name=COURIER,port=pop3]
         iptables[name=COURIER,port=pop3s]
         sendmail-geoip[name=COURIER,dest=fail2ban@XXX.com]
logpath = /var/log/messages
maxretry = 9

And my iptables INPUT chain:

Quote:
Chain INPUT (policy DROP)
target                 prot opt source          destination
fail2ban-COURIER       tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:995
fail2ban-POSTFIX       tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:465
fail2ban-POSTFIX-SASL  tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:465
fail2ban-COURIER       tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:995
fail2ban-POSTFIX       tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:465
fail2ban-POSTFIX-SASL  tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:465
dolts                  all  --  0.0.0.0/0       0.0.0.0/0
REJECT                 all  --  169.254.0.0/16  0.0.0.0/0    reject-with icmp-port-unreachable
REJECT                 all  --  172.16.0.0/12   0.0.0.0/0    reject-with icmp-port-unreachable
...

Anybody see what I'm missing?

666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Sat Mar 01, 2014 6:55 pm

Your perception is what is off... The IP is already banned, and they are attacking more, and fail2ban is trying to ban them again, but they are already banned.

Philippe23 Tux's lil' helper
Joined: 20 Dec 2006 Posts: 130 Location: Central NY
Posted: Sat Mar 01, 2014 7:19 pm

That sure makes it sound like something is wrong, since they shouldn't be able to try again ... they're banned. It appears the ban is not being very effective for some reason in my setup.

666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Sat Mar 01, 2014 7:45 pm

Mmmm, this brings up the point that our fail2ban wiki article needs sites to provide test attacks... You fix it, I'm sick of fixing that thing...

Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sat Mar 01, 2014 8:40 pm

If you suspect something is wrong with your filter rules, then please show them. Use iptables-save -c.

Philippe23 Tux's lil' helper
Joined: 20 Dec 2006 Posts: 130 Location: Central NY
Posted: Sun Mar 02, 2014 12:46 am

I think I figured it out. I had multiple iptables actions for each rule, and they all had the same name but different ports. I think that was causing only the first (or last) to be created. I switched to iptables-multiport instead. I'm going to see how that goes.

Philippe23 Tux's lil' helper
Joined: 20 Dec 2006 Posts: 130 Location: Central NY
Posted: Fri Mar 21, 2014 12:14 pm

Yeah, that seems to have fixed it. I haven't had an "already banned" message since I made the change 20+ days ago.

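A small linter for the configuration pattern this thread settled on as the cause, added here as an example and not code from any poster or from fail2ban: it flags jails in which several single-port iptables actions reuse one name= and builds the equivalent iptables-multiport line. The function names and the sample jail.local are constructed for illustration.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample, shaped like the jail.local in the first post.
SAMPLE_JAIL_LOCAL = """\
[sasl-iptables]
action = iptables[name=POSTFIX-SASL,port=smtp]
         iptables[name=POSTFIX-SASL,port=submission]
         iptables[name=POSTFIX-SASL,port=smtps]
logpath = /var/log/messages

[courier-multiport]
action = iptables-multiport[name=COURIER,port="imap,imaps,pop3,pop3s"]
"""

# One action entry: action file name, then its [key=value,...] arguments.
ACTION_RE = re.compile(r'^([\w-]+)\[(.*)\]$')

def find_shared_chain_names(text):
    """Return {jail: {name: [ports]}} for every jail in which several
    single-port iptables actions reuse the same name= value."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cp.read_string(text)
    findings = {}
    for jail in cp.sections():
        ports_by_name = defaultdict(list)
        for entry in cp.get(jail, "action", fallback="").splitlines():
            m = ACTION_RE.match(entry.strip())
            if not m or m.group(1) != "iptables":
                continue  # only the single-port action is checked here
            args = dict(kv.strip().split("=", 1)
                        for kv in m.group(2).split(",") if "=" in kv)
            ports_by_name[args.get("name", "(unset)")].append(args.get("port", "?"))
        shared = {n: p for n, p in ports_by_name.items() if len(p) > 1}
        if shared:
            findings[jail] = shared
    return findings

def suggest_multiport(findings):
    """Build one iptables-multiport action line per shared name."""
    return {jail: ['iptables-multiport[name=%s,port="%s"]' % (n, ",".join(p))
                   for n, p in names.items()]
            for jail, names in findings.items()}

if __name__ == "__main__":
    found = find_shared_chain_names(SAMPLE_JAIL_LOCAL)
    for jail, lines in suggest_multiport(found).items():
        print(jail, "->", "; ".join(lines))
```

After changing a jail, `iptables-save -c` (as suggested earlier in the thread) shows whether the jump rule for each port exists and whether its packet counters move.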