Hi Bill, thanks a lot for the hint.
I didn't mean to, but indeed it is 600 for postfix-sasl, as opposed to sshd, which is 172800.

For sshd it matches the 2d bantime configured:

[sshd]
enabled = true
port = ssh
bantime = 2d
findtime = 8h
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5

But for postfix I have set a bantime of 4w:

==> 02-sasl.conf <==
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 4w
findtime = 1d
action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5

But the 600 secs is coming from action.d/firewallcmd-ipset.conf.

Tested it out configuring it directly in action.d/firewallcmd-ipset.conf, and it works properly, but it is ignoring anything I put in the file /etc/fail2ban/jail.d/02-sasl.conf

Every 2.0s: ipset -L f2b-postfix-sasl    Tue Jul 28 14:46:11 2020

Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Size in memory: 1752
References: 1
Number of entries: 18
Members:
185.234.219.14 timeout 172789
185.234.218.83 timeout 172789
185.234.219.13 timeout 172789
185.234.216.66 timeout 172789
185.234.219.228 timeout 172789
185.234.216.64 timeout 172789
185.234.218.82 timeout 172789
175.139.194.125 timeout 172789
185.234.219.226 timeout 172789
185.234.219.11 timeout 172789
103.133.105.65 timeout 172788
212.70.149.35 timeout 172789
185.234.218.84 timeout 172789
185.234.219.229 timeout 172789

From: Bill Shirley <bshir...@openmri-scottsboro.com>
Sent: Tuesday, July 28, 2020 7:10 AM
To: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] postfix-sasl lossing banned ips Centos 8 / firewalld / systemd

Did you mean to set the timeout on f2b-postfix-sasl to ten minutes (600)? These will count down and fall off the list without fail2ban knowing.

You should see the countdown with:

watch ipset -L f2b-postfix-sasl

Bill

On 7/27/2020 9:06 PM, registrati...@itconqueror.com wrote:

Hello List, thanks in advance for any help you can provide.
I hope you can help me with this.

Fresh CentOS 8 installed with fail2ban + firewalld/system. Everything installed from rpm.

I have installed and configured 2 jails, sshd and postfix-sasl. Firewalld is running and getting the list of banned IPs from fail2ban:

ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 1:65535 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable

Both jails are detecting and banning IPs, as you can see in the output: 64 and 787 IPs banned respectively.

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 15
|  |- Total failed: 2979
|  `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 64
   |- Total banned: 64
   `- Banned IP list: 46.38.150.37 185.143.73.134 185.143.73.203 46.38.145.253 46.38.145.252 ... [output cut]

[root@vps01 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 68
|  |- Total failed: 787
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 359
   |- Total banned: 380
   `- Banned IP list: 128.199.142.0 119.29.56.139 210.126.5.91 190.143.39.211 107.159.22.18 181.166.87.8 85.172.11.101 ..[output cut]

However, the problem is that firewalld after a couple of minutes loses the list of IPs from fail2ban and it stops blocking, and actually no longer blocks any new IP added to the jail.

As you can see here from the command output, postfix-sasl has 0 entries. If I

[root@vps01 ~]# ipset list
Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 6168
References: 1
Number of entries: 0
Members:

Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Size in memory: 29688
References: 1
Number of entries: 362
Members:
188.166.164.10 timeout 161635
41.111.135.199 timeout 161638
.. [output cut]
62.94.206.57 timeout 161639
49.232.162.53 timeout 172712

If fail2ban is restarted, postfix-sasl gets its members and effectively blocks connections, but after a couple of minutes it goes back to 0 entries and stops protecting.

[root@vps01 ~]# ipset list|grep -v timeout
Name: f2b-sshd
Type: hash:ip
Revision: 4
Size in memory: 29208
References: 1
Number of entries: 361
Members:
Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Size in memory: 6264
References: 1
Number of entries: 64
Members:

-- running versions -
cyrus-sasl-2.1.26-23.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
cyrus-sasl-lib-2.1.26-23.el7.x86_64
cyrus-sasl-md5-2.1.26-23.el7.x86_64
cyrus-sasl-plain-2.1.26-23.el7.x86_64
fail2ban-0.10.5-2.el7.noarch
fail2ban-firewalld-0.10.5-2.el7.noarch
fail2ban-sendmail-0.10.5-2.el7.noarch
fail2ban-server-0.10.5-2.el7.noarch
fail2ban-systemd-0.10.5-2.el7.noarch
postfix-2.10.1-9.el7.x86_64
--
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
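Added example, not part of the original thread and not fail2ban code: a Python check that parses `ipset list` output like that shown in the thread and flags any f2b-<jail> set whose header timeout differs from the jail's configured bantime, the mismatch that lets entries expire from the set without fail2ban knowing. The function names, the jail-to-bantime mapping and the sample text are constructed for illustration, and the time converter handles only the s/m/h/d/w suffixes.

```python
import re
# Seconds per fail2ban time suffix (subset handled here: s, m, h, d, w).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
IPSET_MAX_TIMEOUT = 2147483  # largest timeout ipset accepts, per ipset(8)

def to_seconds(value):
    """Convert a bantime such as '600', '2d' or '4w' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported bantime: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_ipset_list(text):
    """Return {set_name: header timeout in seconds, or None} from `ipset list` output."""
    sets, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = None
        elif line.startswith("Header:") and current:
            m = re.search(r"\btimeout (\d+)", line)
            sets[current] = int(m.group(1)) if m else None
    return sets

def check(ipset_text, jail_bantimes):
    """Compare each jail's bantime with the default timeout of its f2b-<jail> set."""
    sets = parse_ipset_list(ipset_text)
    findings = []
    for jail, bantime in jail_bantimes.items():
        want, have = to_seconds(bantime), sets.get(f"f2b-{jail}")
        if have is None:
            findings.append((jail, "set missing or has no timeout"))
            continue
        if want > IPSET_MAX_TIMEOUT:
            findings.append((jail, f"bantime {want}s exceeds ipset maximum"))
        if have != want:
            findings.append((jail, f"set timeout {have}s != bantime {want}s"))
    return findings

# Constructed sample, shaped like the `ipset list` headers quoted in the thread.
SAMPLE = """\
Name: f2b-postfix-sasl
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Name: f2b-sshd
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
"""

if __name__ == "__main__":
    print(check(SAMPLE, {"sshd": "2d", "postfix-sasl": "4w"}))
```

On a live host the text would come from `ipset list` and the mapping from the jail files under /etc/fail2ban/jail.d/.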