LinuxQuestions.org
Old 06-23-2016, 11:19 AM   #1
rs232
Member
 
Registered: Oct 2005
Posts: 51

Rep: Reputation: 0
fail2ban - why is it not blocking? Troubleshooting help needed


Hi all

I have been playing with fail2ban as I have a couple of attacks running pretty much constantly. The services I would like to protect are smtp and smtps.

So my Jail.conf looks like this:

Code:
# ASSP SMTP Proxy Jail
[assp]

enabled  = true
port     = smtp,465,submission
filter   = assp
logpath  = /usr/local/assp/logs/maillog.txt
maxretry = 3
findtime = 3600
bantime  = 10080
and the assp.conf under fail2ban.d is as follows:
Code:
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
#
#    Homepage:    http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
#

[Definition]

__assp_actions = (?:dropping|refusing)

failregex = ^(?: \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
                        ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
                        ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
                        <HOST> .*?authentication failed

ignoreregex =

# DEV Notes:
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
When I check the regular expression it looks ok to me:

Code:
fail2ban-regex /usr/local/assp/logs/maillog.txt /etc/fail2ban/fail2ban.d/assp.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/fail2ban.d/assp.conf
Use         log file : /usr/local/assp/logs/maillog.txt
Use         encoding : UTF-8


Results
=======

Failregex: 313 total
|-  #) [# of hits] regular expression
|   4) [313] <HOST> .*?authentication failed
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1608] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 1609 lines, 0 ignored, 313 matched, 1296 missed [processed in 1.01 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 1296 lines
But I see no IP jailed:

Code:
fail2ban-client status assp
Status for the jail: assp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /usr/local/assp/logs/maillog.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
I can't figure out what's broken :-/

Does anybody have any input on where to look next?

Thanks!
rs232
 
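The following is an added example, not code from the thread or from fail2ban itself: a short Python script that re-implements the two steps fail2ban performs on every log line (strip the timestamp the date template matched, then try each failregex in order with <HOST> expanded) and runs the four failregex lines from the posted assp.conf over sample log lines. The first three sample lines are the DEV Notes examples from the filter file; the other sample lines, the HOST_RE expansion (an approximation of fail2ban's own <HOST> pattern) and the hand-written date regex are assumptions made for this demonstration. Besides reproducing the per-regex hit counts that fail2ban-regex prints, it shows something that count does not: the unanchored catch-all `<HOST> .*?authentication failed` captures whichever host-like token comes first on the line, which is not always the client address.

```python
"""Offline check of the assp failregex lines, in the order fail2ban tries them.

Added example, not code from fail2ban or from the thread. Only two steps of
fail2ban's pipeline are re-implemented: the timestamp the date template
matched is stripped, then each failregex (with <HOST> expanded) is tried in
turn against the remainder of the line.

Assumptions: HOST_RE approximates fail2ban's <HOST> expansion; DATE_RE is
hand-written from the "MON-Day-Year2 24hour:Minute:Second" template named in
the fail2ban-regex output; sample lines marked "constructed" are made up.
"""
import re

# Approximation of fail2ban's <HOST> expansion (assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# "MON-Day-Year2 24hour:Minute:Second", e.g. "Apr-27-13 02:33:09" (assumption).
DATE_RE = re.compile(r"^[A-Z][a-z]{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

ASSP_ACTIONS = r"(?:dropping|refusing)"   # %(__assp_actions)s from the filter

# The four failregex lines of the posted assp.conf, with %(__assp_actions)s
# substituted and the "(:?" typo in the first one corrected to "(?:".
FAILREGEX = [
    r"^(?: \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- "
    + ASSP_ACTIONS
    + r" connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$",
    r"^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: "
    r"SSL accept attempt failed with unknown error.*:unknown protocol;$",
    r"^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$",
    r"<HOST> .*?authentication failed",   # catch-all the original poster added
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]


def strip_date(line):
    """Drop the timestamp as fail2ban does once the date template matched.
    The space after the timestamp survives, which is why the filter's
    regexes start with "^ ". Returns None when no timestamp is found."""
    m = DATE_RE.match(line)
    return line[m.end():] if m else None


def match_failregex(line):
    """Return (1-based failregex index, captured host) for the first regex
    that matches, using the numbering fail2ban-regex prints, or None."""
    rest = strip_date(line)
    if rest is None:
        return None
    for idx, rx in enumerate(COMPILED, start=1):
        m = rx.search(rest)
        if m:
            return idx, m.group("host")
    return None


def summarize(lines):
    """Per-regex hit counts plus the number of missed lines, like the
    "[# of hits]" column and the "missed" figure of fail2ban-regex."""
    hits = {i: 0 for i in range(1, len(FAILREGEX) + 1)}
    missed = 0
    for line in lines:
        found = match_failregex(line)
        if found is None:
            missed += 1
        else:
            hits[found[0]] += 1
    return hits, missed


# First three lines: the DEV Notes examples from the filter file itself.
# The rest are constructed for this demonstration.
SAMPLE_LINES = [
    "Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);",
    "Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: "
    "SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:"
    "SSL23_GET_CLIENT_HELLO:unknown protocol;",
    "Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded",
    # constructed: the same event with the tail that failregex 1 expects
    "Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) "
    "exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: generic;",
    # constructed: only the catch-all matches this shape
    "Jun-23-16 10:05:12 203.0.113.7 SMTP AUTH failed: authentication failed for user test",
    # constructed: a hostname precedes the address; the unanchored catch-all grabs it instead
    "Jun-23-16 10:05:13 mail.example.net 203.0.113.7 authentication failed for user test",
    # constructed: no timestamp, so fail2ban never hands it to failregex
    "garbage line 203.0.113.7 authentication failed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_failregex(line), "<-", line[:60])
    print(summarize(SAMPLE_LINES))
```

Two checks worth making before reading the regexes any further. First, `filter = assp` in a jail is resolved as `/etc/fail2ban/filter.d/assp.conf`; `/etc/fail2ban/fail2ban.d/` holds overrides for fail2ban.conf, so a filter kept under fail2ban.d is used by an explicit fail2ban-regex invocation but not by the running jail. Second, fail2ban-regex counts every match in the file regardless of age, whereas the jail only counts failures whose timestamp falls within findtime of now, so an old log can show hundreds of hits and still leave "Total failed: 0" (and with findtime and bantime both in seconds, bantime = 10080 is under three hours). The sixth sample line is the one to watch: it is reported as a hit, but the host that would be banned is mail.example.net rather than 203.0.113.7.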
Old 06-23-2016, 11:33 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I suggest a default value of
Code:
findtime = 600
Did you restart f2b after making edits?
Possible to change /etc/fail2ban/fail2ban.conf (or even in your jail.conf?)
Code:
loglevel = 4
Restart and keep an eye on /var/log/fail2ban.log
for outstanding entries.

When was the last time this worked?
Is /etc/fail2ban/fail2ban.d/assp.conf the one that came installed?

If the manual run of
Code:
fail2ban-regex /usr/local/assp/logs/maillog.txt /etc/fail2ban/fail2ban.d/assp.conf
finds hits (but makes you run switches to see them all?), then when you restart fail2ban it should ban
everything it found within the last 600 seconds.

I don't see a banaction statement?
Using [DEFAULT] then? What is it?

I'd copy jail.conf to jail.local else during an upgrade, all your precious work gets over-written.
Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Same goes for custom filters and actions.

Let us know...

Last edited by Habitual; 06-23-2016 at 11:42 AM.