[Fail2ban-users] FYI: timing problem on my Centos 6.10 64bit SMP

2020-06-06 Thread Peter Heirich
Hi, for a long time I've used a patched 0.10.0 because of IPv6. However, I've just updated to current 0.11.2_dev from git on a CentOS 6.10 (final), also current. Like the old 0.10.0 one it doesn't work well because of a timing problem, I think. Does a quick and dirty patch, I've appended. See p

Re: [Fail2ban-users] recidive jail set, but IP still gets in

2020-07-01 Thread Peter Heirich
Try the command sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "SELECT * FROM bans WHERE jail='recidive';" to see if the IP is in the database. [root@genf132:4 log]0# sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "SELECT * FROM bans WHERE jail='recidive';" should give an answer like recidive|103.125.191.52|1593474438

Re: [Fail2ban-users] recidive jail set, but IP still gets in

2020-07-01 Thread Peter Heirich
On 01.07.2020 at 16:53, Yassine Chaouche wrote: > > From: Peter Heirich - 2020-07-01 14:22:19 > >> try command >> >> sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "SELECT * FROM bans WHERE >> jail='recidive';" > > I don't have that fi

Re: [Fail2ban-users] recidive jail set, but IP still gets in

2020-07-07 Thread Peter Heirich
On 07.07.2020 at 13:32, Yassine Chaouche wrote: > > Let us examine what f2b logs for 185.143.72.27 say : > > 1. It is banned/unbanned by *postfix-sasl* 4 times > > 2. on the fifth occurrence, it is first banned by the *postfix-sasl* > jail then by the *recidive* jail. Curiously, the *recidive* jai

Re: [Fail2ban-users] recidive jail set, but IP still gets in

2020-07-07 Thread Peter Heirich
c6:9a:67:d6:81:08:00:45:00:00:64:e7:d6:40:00:f8:29:da:74:d8:42:54:2a:d9: # TUNNEL=216.66.84.42->217.172.186.11 SRC=2001:0470:702b::f741:3955:6972:6290 DST=2001:0470:1f13:107e:::1001:1001 LEN=80 # TC=0 HOPLIMIT=249 FLOWLBL=672608 PROTO=TCP SPT=39018 DPT=23 WINDOW=28240 RES=0x00 SYN U

Re: [Fail2ban-users] Actual ban duration?

2020-07-30 Thread Peter Heirich
On 30.07.2020 at 21:08, Peter Heirich wrote: > > > On 30.07.2020 at 19:01, david wrote: >> >> Second, I'm trying to build a report for my own use, which would show >> the current bans.  Ideally, each line of the report contains: >>  - IP address tha

Re: [Fail2ban-users] Actual ban duration?

2020-07-30 Thread Peter Heirich
On 30.07.2020 at 21:22, Gary Gapinski via Fail2ban-users wrote: > > I am uncertain whether such table entries are removed when a ban expires. No, they don't. > Why is journalctl scanning necessary? > He probably tries to find out which ones are valid. Better way for me was to ask fail2ban-cl

[Fail2ban-users] list works wrong - DKIM signatures are failing

2021-04-14 Thread Peter Heirich
Hi, because of fighting spam I modified the DMARC policy to report failing mails. It is not only my system which claims wrong DKIM signatures; I got reports about the same errors from 3 other systems because of the DMARC report policy. Authentication-Results: austria136.server4you.de (amavisd-new);

Re: [Fail2ban-users] possible to create jails from HHTP statuscodes

2021-04-17 Thread Peter Heirich
Of course, could be possible, but is a bad idea, I think. Let's take a look at an access line. [17/Apr/2021:16:50:41 +0200] [myserver.server4you.de:80] [client 40.121.52.49] - - "GET /.env HTTP/1.1" 404 463 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0

Re: [Fail2ban-users] possible to create jails from HHTP statuscodes

2021-04-17 Thread Peter Heirich
Hi Peter, thanks for your E-Mail. OK. A typo also may cause an error code. But what if I make a jail for someone who causes 5 or ten error codes in let's say a minute or two? Fail2ban should be able to do this. 5 or ten error codes with a typo ... not so likely. Bernd Try it. However

Re: [Fail2ban-users] Drop Established Connection on Ban

2021-05-03 Thread Peter Heirich
On 03.05.2021 at 16:47, Kenneth Porter wrote:  I haven't found anything on rate-limiting it except as an anti-spam measure. However, sendmail runs milter. They made for sendmail native. There is milter-greylist, which has "rcptcount". You can cause an abort after a number of RCPT TO: from

Re: [Fail2ban-users] Help needed with regex

2023-10-19 Thread Peter Heirich
I think you are not aware what 192.168.10.y means. This is the IP address seen inside the docker container. This IP is created by NAT on your host. If you block them, you are not blocking access from outside to your host, but blocking the way back from docker container to your host interna

Re: [Fail2ban-users] Help needed with regex

2023-10-19 Thread Peter Heirich
On 19.10.2023 at 18:52, Marcel Blenkers wrote: Hi Peter, thanks for the reply. Unfortunately I forgot something: I changed the IP for data protection. The IP 192.168.10.10 is actually the IP which is accessing the webserver. So it shows the correct IP, just not in my