Fail2ban not finding IP on which to act

by Greta   Last Updated April 15, 2019 11:00 AM - source

I have two jails running. apache-test is a test one I made because postfix-auth wasn't working. apache-test works with no issue.

Fail2Ban v0.9.6

Raspbian GNU/Linux 9 (stretch)

/var/log/fail2ban.log

2019-04-15 19:11:19,577 fail2ban.jail           [21238]: INFO    Creating new jail 'postfix-auth'
2019-04-15 19:11:19,762 fail2ban.jail           [21238]: INFO    Jail 'postfix-auth' uses pyinotify {}
2019-04-15 19:11:20,238 fail2ban.jail           [21238]: INFO    Initiated 'pyinotify' backend
2019-04-15 19:11:20,260 fail2ban.filter         [21238]: INFO    Added logfile = /var/log/mail.log
2019-04-15 19:11:20,281 fail2ban.actions        [21238]: INFO    Set banTime = 4800
2019-04-15 19:11:20,288 fail2ban.filter         [21238]: INFO    Set jail log file encoding to UTF-8
2019-04-15 19:11:20,294 fail2ban.filter         [21238]: INFO    Set findtime = 1200
2019-04-15 19:11:20,301 fail2ban.filter         [21238]: INFO    Set maxRetry = 3
2019-04-15 19:11:20,498 fail2ban.jail           [21238]: INFO    Creating new jail 'apache-test'
2019-04-15 19:11:20,501 fail2ban.jail           [21238]: INFO    Jail 'apache-test' uses pyinotify {}
2019-04-15 19:11:20,562 fail2ban.jail           [21238]: INFO    Initiated 'pyinotify' backend
2019-04-15 19:11:20,581 fail2ban.filter         [21238]: INFO    Added logfile = /var/log/apache2/<redacted>.port443.access.log
2019-04-15 19:11:20,602 fail2ban.actions        [21238]: INFO    Set banTime = 60
2019-04-15 19:11:20,608 fail2ban.filter         [21238]: INFO    Set jail log file encoding to UTF-8
2019-04-15 19:11:20,615 fail2ban.filter         [21238]: INFO    Set findtime = 20
2019-04-15 19:11:20,621 fail2ban.filter         [21238]: INFO    Set maxRetry = 5
2019-04-15 19:11:20,830 fail2ban.jail           [21238]: INFO    Jail 'postfix-auth' started
2019-04-15 19:11:20,889 fail2ban.jail           [21238]: INFO    Jail 'apache-test' started
2019-04-15 19:23:50,329 fail2ban.filter         [21238]: INFO    [apache-test] Found <IP REDACTED>

Here, IP REDACTED is my VPN IP, with which I was accessing my website to test [apache-test].

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-auth.conf

Running tests
=============

Use   failregex filter file : postfix-auth, basedir: /etc/fail2ban
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 129 total
|-  #) [# of hits] regular expression
|   1) [129] lost connection after AUTH from (.*)\[<HOST>\]$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1038] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 1038 lines, 0 ignored, 129 matched, 909 missed
[processed in 2.47 sec]

/etc/fail2ban/filter.d/postfix-auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]$
ignoreregex =

/etc/fail2ban/jail.local

[postfix-auth]
# Ban for 80 minutes if it fails 3 times within 20 minutes
enabled = true
port = 143,587,25
filter = postfix-auth
logpath = /var/log/mail.log
maxretry = 3
bantime = 4800
findtime = 1200
action = %(action_mw)s

[apache-test]
enabled = true
port = 443
filter = apache-test
logpath = /var/log/apache2/<redacted>.port443.access.log
maxretry = 5
bantime = 60
findtime = 20
action = %(action_mw)s

/var/log/mail.log

Apr 15 11:20:06 <hostname> postfix/smtpd[22886]: connect from unknown[<IP redacted>]
Apr 15 11:20:07 <hostname> postfix/smtpd[22886]: lost connection after AUTH from unknown[<IP redacted>]
Apr 15 11:20:08 <hostname> postfix/smtpd[22886]: disconnect from unknown[<IP redacted>] ehlo=1 auth=0/1 commands=1/2

Here, IP redacted is the spammer who is trying to AUTH.

Of the [postfix-auth] would-be hits in the mail.log file, none are being recognised by fail2ban.

At first I thought it was a port issue, so I added ALL open ports to the [postfix-auth] config, but still had the same issue.
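One difference between fail2ban-regex and a running jail is that the jail also discards a matched line whose timestamp is older than findtime relative to the current clock (logged only at DEBUG level as "Ignore line since time ..."), while fail2ban-regex counts every match. The following is an added example, not fail2ban's own code and not part of the question: it replays the postfix-auth failregex and the jail's findtime/maxretry accounting over constructed mail.log lines so you can see which hits a jail would act on and which it would silently drop as stale.

```python
"""Replay the postfix-auth jail logic over constructed mail.log lines.
Added example; not fail2ban's code. Sample lines and addresses are constructed."""
import re
from datetime import datetime

# The question's failregex with <HOST> expanded to a capturing group
# (fail2ban's real <HOST> pattern is broader; this is a simplification).
FAILREGEX = re.compile(r"lost connection after AUTH from (.*)\[(?P<host>[\w\-.:]+)\]$")
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

def parse_line(line, year):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    t = SYSLOG_TS.match(line)
    ts = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def simulate_jail(lines, now, year, findtime=1200, maxretry=3):
    """Apply the jail's rules: drop matches older than findtime (relative to
    `now`), then ban a host once it has maxretry hits inside one findtime
    window. Returns (banned_hosts, number_of_stale_matches)."""
    hits, banned, stale = {}, [], 0
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host = parsed
        if (now - ts).total_seconds() > findtime:
            stale += 1          # a jail ignores this line; fail2ban-regex would count it
            continue
        window = [t for t in hits.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned, stale

# Constructed lines in the shape of the question's mail.log excerpt (RFC 5737 addresses).
SAMPLE = [
    "Apr 15 19:01:00 mail postfix/smtpd[22886]: connect from unknown[192.0.2.10]",
    "Apr 15 19:01:07 mail postfix/smtpd[22886]: lost connection after AUTH from unknown[192.0.2.10]",
    "Apr 15 19:03:07 mail postfix/smtpd[22887]: lost connection after AUTH from unknown[192.0.2.10]",
    "Apr 15 19:05:07 mail postfix/smtpd[22888]: lost connection after AUTH from unknown[192.0.2.10]",
    "Apr 15 11:20:07 mail postfix/smtpd[22886]: lost connection after AUTH from unknown[198.51.100.7]",
]
NOW = datetime(2019, 4, 15, 19, 11, 20)   # the jail start time shown in the question's fail2ban.log

if __name__ == "__main__":
    print(simulate_jail(SAMPLE, NOW, 2019))   # (['192.0.2.10'], 1)
```

With the jail's own settings (findtime = 1200, maxretry = 3) the 19:0x hits from 192.0.2.10 lead to a ban, while the 11:20 line, although it matches the regex, is more than findtime old at 19:11 and is never acted on.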
