
fail2ban ban saslauthd not working

When I run:

fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/sasl.conf

the output is:

Date template hits:
8158 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 2571

However, look at the above section 'Running tests' which could contain important
information.

But in /var/log/fail2ban.log I only see:

2016-07-25 15:35:08,114 fail2ban.actions: WARNING [postfix] Ban 128.71.157.134
2016-07-25 15:35:12,121 fail2ban.actions: WARNING [postfix] Ban 200.93.71.213
2016-07-25 15:35:14,127 fail2ban.actions: WARNING [postfix] Ban 191.37.28.19
2016-07-25 15:37:27,266 fail2ban.actions: WARNING [postfix] Ban 23.226.94.47
2016-07-25 15:37:42,285 fail2ban.actions: WARNING [postfix] Ban 82.200.207.18
2016-07-25 15:38:20,328 fail2ban.actions: WARNING [postfix] Ban 218.69.89.244
2016-07-25 15:38:32,344 fail2ban.actions: WARNING [postfix] Ban 93.191.155.58
2016-07-25 15:38:38,353 fail2ban.actions: WARNING [postfix] Ban 62.168.116.34
2016-07-25 15:39:17,397 fail2ban.actions: WARNING [postfix] Ban 50.4.186.102

iptables output:

iptables -L -n -v

Chain INPUT (policy DROP 2 packets, 650 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19420 3199K fail2ban-sasl  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,143,220,993,110,995
19420 3199K fail2ban-courierauth  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,143,220,993,110,995
 2677 2064K fail2ban-couriersmtp  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
 2677 2064K fail2ban-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
 1038 1097K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 DROP       all  --  *      *       69.198.228.98        0.0.0.0/0           
   61  3088 DROP       all  --  *      *       112.219.123.163      0.0.0.0/0           
  294 17640 DROP       all  --  *      *       78.129.161.51        0.0.0.0/0           
   18   892 DROP       all  --  *      *       104.160.176.122      0.0.0.0/0           
 4892  249K DROP       all  --  *      *       185.125.4.198        0.0.0.0/0           
   17   972 DROP       all  --  *      *       115.78.161.99        0.0.0.0/0           
   22  1000 DROP       all  --  *      *       178.216.52.194       0.0.0.0/0           
   15   900 DROP       all  --  *      *       104.220.22.74        0.0.0.0/0           
   42  1908 DROP       all  --  *      *       41.21.224.69         0.0.0.0/0           
16158  776K DROP       all  --  *      *       63.245.88.182        0.0.0.0/0           
  16M  747M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4448K  369M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
13449 1580K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
3012M  460G ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,80,110,143,443,465,587,993,995,4780
 550M  840G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3367K  202M ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
 382K   24M ACCEPT     all  --  *      *       46.29.21.36          0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       46.29.19.139         0.0.0.0/0           
   46  2348 ACCEPT     all  --  *      *       89.72.136.76         0.0.0.0/0           
  433 24896 ACCEPT     all  --  *      *       79.190.94.10         0.0.0.0/0           
 477K   28M ACCEPT     all  --  *      *       31.172.189.224/28    0.0.0.0/0           
   97  5820 ACCEPT     all  --  *      *       212.87.244.201       0.0.0.0/0           
  147  8820 ACCEPT     all  --  *      *       79.189.159.82        0.0.0.0/0           
 226K   14M ACCEPT     all  --  *      *       62.121.130.38        0.0.0.0/0           
11031  662K ACCEPT     all  --  *      *       188.165.214.141      0.0.0.0/0           
  996 59760 ACCEPT     all  --  *      *       95.155.74.167        0.0.0.0/0           
  174 10440 ACCEPT     all  --  *      *       46.29.21.211         0.0.0.0/0           
Chain fail2ban-courierauth (1 references)
 pkts bytes target     prot opt in     out     source               destination         
19420 3199K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain fail2ban-couriersmtp (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2677 2064K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain fail2ban-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   352 DROP       all  --  *      *       174.140.160.27       0.0.0.0/0           
    0     0 DROP       all  --  *      *       72.19.61.71          0.0.0.0/0           
   17  1256 DROP       all  --  *      *       116.212.109.197      0.0.0.0/0           
   19  1507 DROP       all  --  *      *       76.179.12.38         0.0.0.0/0           
   20  1454 DROP       all  --  *      *       50.4.186.102         0.0.0.0/0           
   20  1436 DROP       all  --  *      *       62.168.116.34        0.0.0.0/0           
    0     0 DROP       all  --  *      *       93.191.155.58        0.0.0.0/0           
   17   976 DROP       all  --  *      *       218.69.89.244        0.0.0.0/0           
    0     0 DROP       all  --  *      *       82.200.207.18        0.0.0.0/0           
    4   232 DROP       all  --  *      *       23.226.94.47         0.0.0.0/0           
   15   876 DROP       all  --  *      *       191.37.28.19         0.0.0.0/0           

/etc/fail2ban/filter.d/sasl.conf

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

/etc/fail2ban/jail.conf

[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

Any ideas what to check?
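As an added example (not part of the original post or of fail2ban itself), the script below replays what the sasl jail does with a log file: it applies the failregex from the post's /etc/fail2ban/filter.d/sasl.conf to constructed Postfix smtpd lines, strips the syslog timestamp first the way fail2ban does before matching, and then counts matches per host against a maxretry/findtime window. The `HOST_RE` pattern is an assumption standing in for what fail2ban substitutes for `<HOST>`, and the sample log lines are constructed, not taken from the post. One thing the post itself shows and that this replay makes concrete: fail2ban-regex was run against /var/log/mail.warn, while the [sasl] jail's `logpath` is /var/log/mail.log, so the file the jail actually reads is the one to test.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as in the post's /etc/fail2ban/filter.d/sasl.conf
FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")

# Assumption: a stand-in for what fail2ban substitutes for <HOST>
# (an IPv4/IPv6 address or hostname, optionally ::ffff:-prefixed).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Syslog prefix as written to mail.log / mail.warn ("Jul 25 15:35:07"),
# the template fail2ban-regex reported as "MONTH Day Hour:Minute:Second".
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample lines in Postfix smtpd format (not from the post).
# Includes two lines that carry no "warning:" and one SASL mechanism
# (NTLM) that the filter's failregex does not list.
SAMPLE_LOG = """\
Jul 25 15:34:59 mail postfix/smtpd[2113]: warning: unknown[128.71.157.134]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 15:35:02 mail postfix/smtpd[2113]: warning: unknown[128.71.157.134]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 15:35:05 mail postfix/smtpd[2113]: warning: unknown[128.71.157.134]: SASL PLAIN authentication failed: authentication failure
Jul 25 15:35:07 mail postfix/smtpd[2140]: warning: host.example.net[203.0.113.9]: SASL CRAM-MD5 authentication failed
Jul 25 15:35:09 mail postfix/smtpd[2140]: connect from unknown[203.0.113.9]
Jul 25 15:36:11 mail postfix/smtpd[2151]: warning: unknown[198.51.100.7]: SASL NTLM authentication failed: authentication failure
Jul 25 15:36:40 mail postfix/smtpd[2151]: disconnect from unknown[198.51.100.7]
"""


def match_failures(log_text, year=2016):
    """Return [(timestamp, host)] for every line the sasl failregex matches.

    fail2ban removes the recognised date before applying failregex, so the
    regex is searched against the remainder of the line. Lines without a
    recognised date are skipped, as fail2ban would skip them.
    """
    hits = []
    for line in log_text.splitlines():
        d = DATE_RE.match(line)
        if not d:
            continue
        ts = datetime.strptime(f"{year} {d.group('ts')}", "%Y %b %d %H:%M:%S")
        m = FAIL_RE.search(line[d.end():])
        if m:
            hits.append((ts, m.group("host")))
    return hits


def bans(hits, maxretry=3, findtime=600):
    """Replay fail2ban's counting rule: a host is banned once it has
    maxretry matches inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for ts, host in sorted(hits):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    hits = match_failures(SAMPLE_LOG)
    print(f"{len(hits)} failregex hit(s)")
    for ts, host in hits:
        print(f"  {ts:%b %d %H:%M:%S}  {host}")
    print("would ban:", bans(hits))
```

On the real box the equivalent comparison is to run `fail2ban-regex` against the file the jail is configured to read, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf`, alongside the mail.warn run already shown: if the jail's own logpath yields no matches, the filter is fine and the jail is simply watching a file that does not carry the lines. `fail2ban-client status sasl` shows what the running jail has actually seen and banned.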