If it is anything like what I found on ClearOS 7.x (similar to CentOS 7.x), I had problems with the iptables-ipset-proto6-allports action but not the iptables-ipset-proto6 action, and the only way to specify the bantime, overriding the default one in the action, was to use a jail with:
action = iptables-ipset-proto6-allports[name=sshd,bantime=86400]

Your symptoms are slightly different but the solution may be the same.

Nick

On 28/07/2020 19:54, registrati...@itconqueror.com wrote:

Hi Bill, thanks a lot for the hint…

I didn’t mean to, but indeed it is 600 for postfix-sasl, as opposed to sshd, which is 172800

For sshd it matches the 2d bantime configured…

[sshd]
enabled = true
port = ssh
bantime = 2d
findtime = 8h
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5

but for postfix I have set a bantime of 4w

==> 02-sasl.conf <==
[postfix-sasl]
enabled = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 4w
findtime = 1d
action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5

But the 600 secs is coming from action.d/firewallcmd-ipset.conf.

Tested it out by configuring it directly in action.d/firewallcmd-ipset.conf, and it works properly, but it is ignoring anything I put in the file /etc/fail2ban/jail.d/02-sasl.conf

Every 2.0s: ipset -L f2b-postfix-sasl Tue Jul 28 14:46:11 2020

Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Size in memory: 1752
References: 1
Number of entries: 18
Members:
185.234.219.14 timeout 172789
185.234.218.83 timeout 172789
185.234.219.13 timeout 172789
185.234.216.66 timeout 172789
185.234.219.228 timeout 172789
185.234.216.64 timeout 172789
185.234.218.82 timeout 172789
175.139.194.125 timeout 172789
185.234.219.226 timeout 172789
185.234.219.11 timeout 172789
103.133.105.65 timeout 172788
212.70.149.35 timeout 172789
185.234.218.84 timeout 172789
185.234.219.229 timeout 172789

From: Bill Shirley <bshir...@openmri-scottsboro.com>
Sent: Tuesday, July 28, 2020 7:10 AM
To: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] postfix-sasl lossing banned ips Centos 8 / firewalld / systemd

Did you mean to set the timeout on f2b-postfix-sasl to ten minutes (600)? These will count down and fall off the list without fail2ban knowing. You should see the countdown with:
watch ipset -L f2b-postfix-sasl

Bill

On 7/27/2020 9:06 PM, registrati...@itconqueror.com wrote:

    Hello List, thanks in advance for any help you can provide….

    I hope you can help me with this…

    Fresh CentOS 8 installed with fail2ban + firewalld/system

    Everything installed from rpm

    I have installed and configured 2 jails, sshd and postfix-sasl,
    Firewalld is running and getting the list of ban ips from fail2ban

    ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 1:65535 -m
    set --match-set f2b-postfix-sasl src -j REJECT --reject-with
    icmp-port-unreachable

    ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set
    --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable

    Both jails are detecting and banning IPs, as you can see in the
    output: 64 and 787 IPs banned respectively

    Status for the jail: postfix-sasl
    |- Filter
    |  |- Currently failed: 15
    |  |- Total failed:     2979
    |  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
    `- Actions
       |- Currently banned: 64
       |- Total banned:     64
       `- Banned IP list:   46.38.150.37 185.143.73.134 185.143.73.203 46.38.145.253 46.38.145.252 ….. [output cut]

    [root@vps01 ~]# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 68
    |  |- Total failed:     787
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 359
       |- Total banned:     380
       `- Banned IP list:   128.199.142.0 119.29.56.139 210.126.5.91 190.143.39.211 107.159.22.18 181.166.87.8 85.172.11.101 ….[output cut]

    However, the problem is that firewalld after a couple of minutes
    loses the list of IPs from fail2ban and it stops blocking and
    actually no longer blocks any new IP added to the jail

    As you can see here from command output postfix-sasl has 0
    entries, If I

    [root@vps01 ~]# ipset list
    Name: f2b-postfix-sasl
    Type: hash:ip
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 6168
    References: 1
    Number of entries: 0
    Members:

    Name: f2b-sshd
    Type: hash:ip
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536 timeout 172800
    Size in memory: 29688
    References: 1
    Number of entries: 362
    Members:
    188.166.164.10 timeout 161635
    41.111.135.199 timeout 161638
    …. [output cut]
    62.94.206.57 timeout 161639
    49.232.162.53 timeout 172712

    If fail2ban is restarted, postfix-sasl gets its members and
    effectively blocks connections, but after a couple of minutes it
    goes back to 0 entries and stops protecting…

    [root@vps01 ~]# ipset list|grep -v timeout
    Name: f2b-sshd
    Type: hash:ip
    Revision: 4
    Size in memory: 29208
    References: 1
    Number of entries: 361
    Members:

    Name: f2b-postfix-sasl
    Type: hash:ip
    Revision: 4
    Size in memory: 6264
    References: 1
    Number of entries: 64
    Members:

    -- running versions –
    cyrus-sasl-2.1.26-23.el7.x86_64
    cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
    cyrus-sasl-lib-2.1.26-23.el7.x86_64
    cyrus-sasl-md5-2.1.26-23.el7.x86_64
    cyrus-sasl-plain-2.1.26-23.el7.x86_64
    fail2ban-0.10.5-2.el7.noarch
    fail2ban-firewalld-0.10.5-2.el7.noarch
    fail2ban-sendmail-0.10.5-2.el7.noarch
    fail2ban-server-0.10.5-2.el7.noarch
    fail2ban-systemd-0.10.5-2.el7.noarch
    postfix-2.10.1-9.el7.x86_64
    --




    _______________________________________________

    Fail2ban-users mailing list

    Fail2ban-users@lists.sourceforge.net  
<mailto:Fail2ban-users@lists.sourceforge.net>

    https://lists.sourceforge.net/lists/listinfo/fail2ban-users
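
Added example (not part of the original thread, and not fail2ban project code): a small check for the condition Bill describes, where ipset entries count down and fall off without fail2ban knowing. It compares each jail's configured bantime and "Currently banned" count with the timeout and entry count of its f2b-<jail> set. The function names and the sample data are constructed for illustration, using the values shown in the thread.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}  # fail2ban suffixes
# Constructed samples: trimmed `ipset list` text, and jail -> (bantime, "Currently banned")
SAMPLE_IPSET = """\
Name: f2b-postfix-sasl
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Number of entries: 0
Name: f2b-sshd
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Number of entries: 362
"""
SAMPLE_JAILS = {"postfix-sasl": ("4w", 64), "sshd": ("2d", 359)}

def to_seconds(value):
    """Convert a jail time value such as '2d', '4w' or '600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_ipset_list(text):
    """Map each set name to its header timeout (or None) and entry count."""
    sets, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key == "Name":
            cur = sets.setdefault(val.strip(), {"timeout": None, "entries": 0})
        elif cur is not None and key == "Header":
            m = re.search(r"\btimeout (\d+)", val)
            cur["timeout"] = int(m.group(1)) if m else None
        elif cur is not None and key == "Number of entries":
            cur["entries"] = int(val)
    return sets

def audit(jails, ipset_text):
    """Return (jail, finding) pairs where the ipset disagrees with the jail."""
    sets, findings = parse_ipset_list(ipset_text), []
    for jail, (bantime, banned) in jails.items():
        want = to_seconds(bantime)
        s = sets.get(f"f2b-{jail}", {"timeout": None, "entries": 0})
        if s["timeout"] not in (None, want):
            findings.append((jail, f"set timeout {s['timeout']}s, bantime {want}s"))
        if s["entries"] < banned:
            findings.append((jail, f"{banned - s['entries']} banned IPs not in set"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_JAILS, SAMPLE_IPSET), sep="\n")
```

On a live host the two inputs would come from `ipset list` and `fail2ban-client status <jail>`; a jail that reports a timeout mismatch is the one whose bans will expire from the firewall before fail2ban unbans them.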


