когда я бегу:
fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/sasl.conf
вывод:
Date template hits:
8158 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 2571
However, look at the above section 'Running tests' which could contain important
information.
Но в /var/log/fail2ban.log я вижу только:
2016-07-25 15:35:08,114 fail2ban.actions: WARNING [postfix] Ban 128.71.157.134
2016-07-25 15:35:12,121 fail2ban.actions: WARNING [postfix] Ban 200.93.71.213
2016-07-25 15:35:14,127 fail2ban.actions: WARNING [postfix] Ban 191.37.28.19
2016-07-25 15:37:27,266 fail2ban.actions: WARNING [postfix] Ban 23.226.94.47
2016-07-25 15:37:42,285 fail2ban.actions: WARNING [postfix] Ban 82.200.207.18
2016-07-25 15:38:20,328 fail2ban.actions: WARNING [postfix] Ban 218.69.89.244
2016-07-25 15:38:32,344 fail2ban.actions: WARNING [postfix] Ban 93.191.155.58
2016-07-25 15:38:38,353 fail2ban.actions: WARNING [postfix] Ban 62.168.116.34
2016-07-25 15:39:17,397 fail2ban.actions: WARNING [postfix] Ban 50.4.186.102
Вывод iptables:
iptables -L -n -v
Chain INPUT (policy DROP 2 packets, 650 bytes)
pkts bytes target prot opt in out source destination
19420 3199K fail2ban-sasl tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,143,220,993,110,995
19420 3199K fail2ban-courierauth tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,143,220,993,110,995
2677 2064K fail2ban-couriersmtp tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
2677 2064K fail2ban-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
1038 1097K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 DROP all -- * * 69.198.228.98 0.0.0.0/0
61 3088 DROP all -- * * 112.219.123.163 0.0.0.0/0
294 17640 DROP all -- * * 78.129.161.51 0.0.0.0/0
18 892 DROP all -- * * 104.160.176.122 0.0.0.0/0
4892 249K DROP all -- * * 185.125.4.198 0.0.0.0/0
17 972 DROP all -- * * 115.78.161.99 0.0.0.0/0
22 1000 DROP all -- * * 178.216.52.194 0.0.0.0/0
15 900 DROP all -- * * 104.220.22.74 0.0.0.0/0
42 1908 DROP all -- * * 41.21.224.69 0.0.0.0/0
16158 776K DROP all -- * * 63.245.88.182 0.0.0.0/0
16M 747M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
4448K 369M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
13449 1580K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
3012M 460G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,80,110,143,443,465,587,993,995,4780
550M 840G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3367K 202M ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
382K 24M ACCEPT all -- * * 46.29.21.36 0.0.0.0/0
0 0 ACCEPT all -- * * 46.29.19.139 0.0.0.0/0
46 2348 ACCEPT all -- * * 89.72.136.76 0.0.0.0/0
433 24896 ACCEPT all -- * * 79.190.94.10 0.0.0.0/0
477K 28M ACCEPT all -- * * 31.172.189.224/28 0.0.0.0/0
97 5820 ACCEPT all -- * * 212.87.244.201 0.0.0.0/0
147 8820 ACCEPT all -- * * 79.189.159.82 0.0.0.0/0
226K 14M ACCEPT all -- * * 62.121.130.38 0.0.0.0/0
11031 662K ACCEPT all -- * * 188.165.214.141 0.0.0.0/0
996 59760 ACCEPT all -- * * 95.155.74.167 0.0.0.0/0
174 10440 ACCEPT all -- * * 46.29.21.211 0.0.0.0/0
Chain fail2ban-courierauth (1 references)
pkts bytes target prot opt in out source destination
19420 3199K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-couriersmtp (1 references)
pkts bytes target prot opt in out source destination
2677 2064K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-postfix (1 references)
pkts bytes target prot opt in out source destination
4 352 DROP all -- * * 174.140.160.27 0.0.0.0/0
0 0 DROP all -- * * 72.19.61.71 0.0.0.0/0
17 1256 DROP all -- * * 116.212.109.197 0.0.0.0/0
19 1507 DROP all -- * * 76.179.12.38 0.0.0.0/0
20 1454 DROP all -- * * 50.4.186.102 0.0.0.0/0
20 1436 DROP all -- * * 62.168.116.34 0.0.0.0/0
0 0 DROP all -- * * 93.191.155.58 0.0.0.0/0
17 976 DROP all -- * * 218.69.89.244 0.0.0.0/0
0 0 DROP all -- * * 82.200.207.18 0.0.0.0/0
4 232 DROP all -- * * 23.226.94.47 0.0.0.0/0
15 876 DROP all -- * * 191.37.28.19 0.0.0.0/0
/etc/fail2ban/filter.d/sasl.conf
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
/etc/fail2ban/jail.conf
256 [sasl]
257
258 enabled = true
259 port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
260 filter = sasl
261 # You might consider monitoring /var/log/mail.warn instead if you are
262 # running postfix since it would provide the same log lines at the
263 # "warn" level but overall at the smaller filesize.
264 logpath = /var/log/mail.log
Есть идеи, что проверить?