-------- Original Message --------
Subject: Re: [Fail2ban-users] fail2ban-regex matches, but fail2ban does not
From: James Moe Via Fail2ban-users <fail2ban-users@lists.sourceforge.net>
To: Fail2ban-users <fail2ban-users@lists.sourceforge.net>
Date: 2023-4-20  05:48 PM
On 2023-04-20 06:12, Wayne Sallee via Fail2ban-users wrote:

The fail2ban-regex showed all 8 lines matching, but the regular fail2ban jail [testing] showed no action, not even a "found" response.

   There is no command "fail2ban jail ...".



Here is a test:

Fail2Ban v0.10.2


#*******


[testing]
enabled = true
port     = smtp,submission
logpath = /var/log/fail2ban-jail-testing.log
maxretry = 1
findtime  = 7776000
bantime = 86400
# Used for testing and or running against older logs

#******



#******
cat > /etc/fail2ban/filter.d/testing.conf << "EOF"
# Use this for testing different jail config settings without having to mess up other jail configs.

[Init]
badbots = rejected: not logged in|rejected due to: SPF|rejected: cannot find your hostname


[Definition]
failregex = postfix.+\[<HOST>\]:.+(<badbots>)


ignoreregex =


EOF



#******



echo "" > /var/log/fail2ban-jail-testing.log
fail2ban-client reload


#******

cat >> /var/log/fail2ban-jail-testing.log << "EOF"
Apr 17 00:13:04 server1 postfix/smtpd[5853]: NOQUEUE: reject: RCPT from unknown[112.66.247.192]: 550 5.7.25 Client host rejected: cannot find your hostname, [112.66.247.192]; from=<luyfgy...@jdt.com> to=<i...@waynesallee.com> proto=ESMTP helo=<jdt.com>
Apr 17 08:38:43 server1 postfix/smtpd[16270]: NOQUEUE: reject: RCPT from unknown[201.231.6.140]: 550 5.7.23 <aqainservidormail4...@gmx.net>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail4...@gmx.net;ip=201.231.6.140;r=<UNKNOWN>; from=<aqainservidormail4...@gmx.net> to=<wa...@waynesallee.com> proto=ESMTP helo=<18-6-231-201.fibertel.com.ar>
Apr 16 03:01:25 server1 postfix/smtpd[7517]: NOQUEUE: reject: RCPT from unknown[192.3.195.171]: 550 5.7.25 Client host rejected: cannot find your hostname, [192.3.195.171]; from=<jess...@funguselixirs.life> to=<wa...@waynespets.com> proto=ESMTP helo=<x86aw0.funguselixirs.life>
Apr 16 08:59:23 server1 postfix/smtpd[18038]: NOQUEUE: reject: RCPT from unknown[103.38.102.226]: 550 5.7.23 <sa...@waynesallee.com>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sa...@waynesallee.com;ip=103.38.102.226;r=<UNKNOWN>; from=<sa...@waynesallee.com> to=<sa...@waynesallee.com> proto=ESMTP helo=<ip-103.38.102.226.laxo.net.id>
Apr 16 09:00:34 server1 postfix/smtpd[18038]: NOQUEUE: reject: RCPT from unknown[103.38.102.226]: 550 5.7.23 <sa...@waynesallee.com>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sa...@waynesallee.com;ip=103.38.102.226;r=<UNKNOWN>; from=<sa...@waynesallee.com> to=<sa...@waynesallee.com> proto=ESMTP helo=<ip-103.38.102.226.laxo.net.id>
Apr 16 09:36:52 server1 postfix/smtpd[19475]: NOQUEUE: reject: RCPT from unknown[61.160.195.39]: 550 5.7.25 Client host rejected: cannot find your hostname, [61.160.195.39]; from=<kbml...@gmail.com> to=<wayneacont...@waynesallee.com> proto=ESMTP helo=<mail.lshou.com>
Apr 16 11:00:07 server1 postfix/smtpd[25927]: NOQUEUE: reject: RCPT from unknown[190.232.178.104]: 553 5.7.1 <wa...@waynesallee.com>: Sender address rejected: not logged in; from=<wa...@waynesallee.com> to=<wa...@waynesallee.com> proto=ESMTP helo=<[190.232.178.104]>
Apr 16 12:34:19 server1 postfix/smtpd[27334]: NOQUEUE: reject: RCPT from unknown[50.3.238.76]: 550 5.7.25 Client host rejected: cannot find your hostname, [50.3.238.76]; from=<news@ketolife.click> to=<wa...@waynesallee.com> proto=ESMTP helo=<ketolife.click>
EOF

#******


#******
fail2ban-regex /var/log/fail2ban-jail-testing.log /etc/fail2ban/filter.d/testing.conf

Lines: 8 lines, 0 ignored, 8 matched, 0 missed


#*****
tail -F -n 100 /var/log/fail2ban.log

2023-04-19 11:13:58,417 fail2ban.server         [3824]: INFO Reload finished.

Never any log about [testing].  Fail2ban does not even report a find for [testing].

#*****



Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
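
Added example, not part of the original message and not fail2ban's own code: a Python check of the two conditions a line has to meet to count in a live jail, namely the failregex match that fail2ban-regex reports and a timestamp that falls inside findtime. The <HOST> pattern is a simplified IPv4-only stand-in, the function names are hypothetical, and the sample lines are constructed with documentation addresses.

```python
import re
from datetime import datetime, timedelta

# Values copied from the posted jail and filter.
FINDTIME = 7776000  # seconds (90 days)
BADBOTS = ("rejected: not logged in|rejected due to: SPF|"
           "rejected: cannot find your hostname")
FAILREGEX = r"postfix.+\[<HOST>\]:.+(<badbots>)"
# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
STAMP_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
NOW = datetime(2023, 4, 19, 11, 13, 58)  # "Reload finished" time in the post

def compile_failregex(failregex=FAILREGEX, badbots=BADBOTS):
    """Expand the <badbots> and <HOST> tags into a plain Python regex."""
    return re.compile(failregex.replace("<badbots>", badbots)
                               .replace("<HOST>", HOST_RE))

def parse_stamp(line, now):
    """Parse a year-less syslog timestamp as the latest such date <= now."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{now.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts if ts <= now else ts.replace(year=now.year - 1)

def classify(line, now=NOW, findtime=FINDTIME):
    """Return (host, verdict): 'no-match', 'too-old' or 'counts'."""
    ts = parse_stamp(line, now)
    m = compile_failregex().search(line)
    if m is None or ts is None:
        return (None, "no-match")
    if now - ts > timedelta(seconds=findtime):
        return (m.group("host"), "too-old")  # matched, but outside findtime
    return (m.group("host"), "counts")

SAMPLE = [  # constructed lines in the format of the posted log
    "Apr 17 00:13:04 server1 postfix/smtpd[5853]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 550 5.7.25 Client host rejected: cannot find your "
    "hostname, [192.0.2.10]; from=<a@example.com> to=<b@example.org>",
    "Jan  2 03:04:05 server1 postfix/smtpd[5853]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 553 5.7.1 <b@example.org>: Sender address "
    "rejected: not logged in; from=<b@example.org> to=<b@example.org>",
    "Apr 17 00:14:00 server1 postfix/smtpd[5853]: connect from "
    "unknown[203.0.113.5]",
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(line[:15], classify(line))
```

With the posted findtime of 7776000 seconds, an entry dated Apr 17 is inside the window at the 2023-04-19 reload time, while the constructed Jan 2 line matches the regex but is too old to count.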

