Fail2ban jail not firing


I've used fail2ban in a few different ways, and have now tried to get it to block hack attempts via SMTP aimed at sending spam through the server.

Regex matches ok when testing:

|- Regular expressions:
|  [1] \[<HOST>\]: 535 Incorrect authentication data
`- Number of matches:
   [1] 147 match(es)

Jail loads ok:

2014-03-04 21:16:46,162 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-03-04 21:16:46,163 fail2ban.jail   : INFO   Creating new jail 'exim-auth'
2014-03-04 21:16:46,165 fail2ban.jail   : INFO   Jail 'exim-auth' uses Gamin
2014-03-04 21:16:46,187 fail2ban.filter : INFO   Added logfile = /var/log/exim/main.log
2014-03-04 21:16:46,188 fail2ban.filter : INFO   Set maxRetry = 3
2014-03-04 21:16:46,190 fail2ban.filter : INFO   Set findtime = 3600
2014-03-04 21:16:46,191 fail2ban.actions: INFO   Set banTime = 3600
2014-03-04 21:16:46,205 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2014-03-04 21:16:46,206 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2014-03-04 21:16:46,207 fail2ban.filter : INFO   Added logfile = /var/log/secure
2014-03-04 21:16:46,208 fail2ban.filter : INFO   Set maxRetry = 5
2014-03-04 21:16:46,210 fail2ban.filter : INFO   Set findtime = 3600
2014-03-04 21:16:46,211 fail2ban.actions: INFO   Set banTime = 3600
2014-03-04 21:16:46,410 fail2ban.jail   : INFO   Jail 'exim-auth' started
2014-03-04 21:16:46,439 fail2ban.jail   : INFO   Jail 'ssh-iptables' started

And ssh bans are still working ok. Even when errors go through the log, nothing happens. All times are in sync; syslog, fail2ban and exim have all been restarted.

Exim mainlog:

2014-03-04 21:16:24 no host name found for IP address
2014-03-04 21:16:24 auth_plain authenticator failed for ([]) []: 535 Incorrect authentication data (set_id=jamie@****
2014-03-04 21:16:30 no host name found for IP address
2014-03-04 21:16:30 auth_plain authenticator failed for ([]) []: 535 Incorrect authentication data (set_id=jamie@****
2014-03-04 21:16:38 no host name found for IP address
2014-03-04 21:16:38 auth_plain authenticator failed for ([]) []: 535 Incorrect authentication data (set_id=jamie@****

(obviously the xxx and **** are now edited in).

Config for section of jail.conf:


enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5


enabled = true
filter = exim_auth
action = iptables[name=SMTP, port=25, protocol=tcp]
         mail[name=EximAuth, dest=jamie@****]
logpath = /var/log/exim/main.log
maxretry = 3

File parses ok, and I get an email successfully saying when the jail has stopped and started.


# Fail2Ban configuration file
# $Revision$


# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
failregex = \[<HOST>\]: 535 Incorrect authentication data

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =

If anyone can figure out why it is not triggering, and also for a bonus point where I can run two iptables actions to block both ports 25 and 465, I'd really appreciate it.

Best Answer

OK, I have resolved my own problem. Patience, and lack of debugging, as usual.

Everyone was perfect. The one factor is that the abnormally large logfile caused by the compromised account meant fail2ban had a 1.2GB file to process, and that was taking a LONG time.

Setting debug to 4 showed all of the lines being skipped; a quick verification of the timestamp on each showed they were old.

Forcing a logrotate gave a nice fresh file to use, and it triggers everything fine.
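As an added illustration of the accepted answer (not code from the question or from fail2ban itself), this Python script replays exim mainlog lines through the filter's failregex with the jail's findtime=3600 and maxretry=3, and shows why a backlog of old lines is skipped rather than banned. The IP address (192.0.2.10) and mailbox in the sample lines are constructed stand-ins for the redacted values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# <HOST> expands to this group, per the comment in the filter file above.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(r"\[" + HOST + r"\]: 535 Incorrect authentication data")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample lines in exim mainlog format; 192.0.2.10 (a documentation
# address) and user@example.com stand in for the redacted values in the question.
SAMPLE_LOG = [
    "2014-03-04 21:16:24 no host name found for IP address 192.0.2.10",
    "2014-03-04 21:16:24 auth_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)",
    "2014-03-04 21:16:30 auth_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)",
    "2014-03-04 21:16:38 auth_plain authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)",
]
NOW_LIVE = datetime(2014, 3, 4, 21, 16, 46)   # clock when the jail started
NOW_STALE = datetime(2014, 3, 5, 9, 0, 0)      # a day later: every line is old

def parse_line(line):
    """Return (timestamp, host) when the line matches failregex, else None."""
    ts, m = TS_RE.match(line), FAILREGEX.search(line)
    if not ts or not m:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")

def find_bans(lines, now, findtime=3600, maxretry=3):
    """Replay lines the way the jail does: a match older than findtime
    (relative to `now`) is skipped, and a host with maxretry matches inside
    a findtime window is banned. Returns (banned_hosts, skipped_matches)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned, skipped = [], 0
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        if now - ts > window:
            skipped += 1          # what the 1.2GB backlog of old lines produced
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned, skipped
```

Run against NOW_LIVE the three failures ban the host; against NOW_STALE all three matches are counted as skipped and nothing is banned, which is exactly what debug level 4 showed on the stale 1.2GB file.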
