
fail2ban: jail that does not exist


nono67
12/11/2014, 14h39
Nobody able to help me?

nono67
10/11/2014, 09h52
The filter on POP3 works perfectly.

I would like to set up the apache-badbots jail, but the regex in the file /etc/fail2ban/filter.d/apache-badbots.conf does not seem to work. I think it is a regex problem, but I am hopeless at regex and I cannot find anything on Google to help me.

Here is the kind of line I find in my access_log:
Code:
ec2-54-165-90-230.compute-1.amazonaws.com - - [08/Nov/2014:21:57:18 +0100] "GET / HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)"
197.203.187.19 - - [08/Nov/2014:21:57:20 +0100] "GET /favicon.ico HTTP/1.1" 200 507 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
ec2-54-172-10-151.compute-1.amazonaws.com - - [08/Nov/2014:21:58:16 +0100] "GET / HTTP/1.1" 500 - "-" "A6-Indexer/1.0 (http://www.a6corp.com/a6-web-scraping-policy/)"
ec2-54-84-198-40.compute-1.amazonaws.com - - [08/Nov/2014:21:58:36 +0100] "GET /robots.txt HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)"
I would like to ban proximic's IP via my rule in /etc/fail2ban/filter.d/apache-badbots.conf. I tried this, but it does not work:
Code:
# Fail2Ban configuration file
#
# List of bad bots fetched from http://www.user-agents.org
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
#
# Author: Yaroslav Halchenko
#
# $Revision: 668 $
#

[Definition]

badbots = proximic

# Option:  failregex
# Notes.:  Regexp to catch known spambots and software alike. Please verify
#          that it is your intent to block IPs which were driven by
#          abovementioned bots.
# Values:  TEXT
#

failregex = ^.*"(?:%(badbots)s)"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
When I run fail2ban-regex /home/log/mail.log /etc/fail2ban/filter.d/apache-badbots.conf, here is the result:
Code:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-badbots.conf
Use log file   : /home/log/mail.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^.*"(?:proximic)"$
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
It should find the string proximic in my logs, but it does not.

Do you see the error in the regex?
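The fail2ban-regex result above can be reproduced in plain Python, which makes the two visible causes easy to see. This is an added illustration, not code from the thread or from fail2ban. First, the command in the post tests /home/log/mail.log while the sample lines come from access_log. Second, the posted failregex `^.*"(?:proximic)"$` only matches when the quoted field at the end of the line is exactly `proximic`, whereas the real User-Agent is `Mozilla/5.0 (compatible; proximic; ...)`; it also has no `<HOST>` group, so fail2ban would have nothing to ban even on a match. The `FIXED` template below is modeled on the stock apache-badbots filter (`^<HOST> -.*"(GET|POST).*HTTP.*"...`), loosened so the bot name may appear anywhere inside the User-Agent; `HOST` is the expression fail2ban 0.8 substitutes for `<HOST>` (quoted in the qmail filter header later in this thread). The alternation helper shows the `|`-joined list form the stock file uses for several bots.

```python
import re

# The four access_log lines quoted in the post (reverse-resolved client names, as logged).
ACCESS_LOG = """\
ec2-54-165-90-230.compute-1.amazonaws.com - - [08/Nov/2014:21:57:18 +0100] "GET / HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)"
197.203.187.19 - - [08/Nov/2014:21:57:20 +0100] "GET /favicon.ico HTTP/1.1" 200 507 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
ec2-54-172-10-151.compute-1.amazonaws.com - - [08/Nov/2014:21:58:16 +0100] "GET / HTTP/1.1" 500 - "-" "A6-Indexer/1.0 (http://www.a6corp.com/a6-web-scraping-policy/)"
ec2-54-84-198-40.compute-1.amazonaws.com - - [08/Nov/2014:21:58:36 +0100] "GET /robots.txt HTTP/1.1" 500 - "-" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)"
"""

# What fail2ban 0.8 substitutes for the <HOST> tag (IPv4, IPv6-mapped IPv4 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex as posted: the quoted field right before end of line must be exactly the bot name.
POSTED = r'^.*"(?:%(badbots)s)"$'
# Modeled on the stock apache-badbots filter, with the bot name allowed anywhere in the User-Agent.
FIXED = r'^<HOST> -.*"(?:GET|POST).*HTTP.*"[^"]*(?:%(badbots)s)[^"]*"$'


def build_failregex(template, badbots):
    """Mimic filter loading: INI interpolation of %(badbots)s, then <HOST> expansion."""
    return re.compile((template % {"badbots": badbots}).replace("<HOST>", HOST))


def matching_hosts(log_text, regex):
    """Captured host of every matching line (None when the regex has no host group)."""
    hits = []
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            hits.append(m.groupdict().get("host"))
    return hits


def badbots_alternation(names):
    """Join bot names the way the stock filter does: a |-separated alternation."""
    return "|".join(re.escape(n) for n in names)


if __name__ == "__main__":
    print("posted  :", matching_hosts(ACCESS_LOG, build_failregex(POSTED, "proximic")))
    print("fixed   :", matching_hosts(ACCESS_LOG, build_failregex(FIXED, "proximic")))
    two = badbots_alternation(["proximic", "A6-Indexer"])
    print("two bots:", matching_hosts(ACCESS_LOG, build_failregex(FIXED, two)))
```

Note that the captured hosts are reverse-resolved names because Apache is logging with hostname lookups enabled; fail2ban then has to resolve them back to addresses at ban time. Logging the client IP instead (HostnameLookups Off) removes that dependency on DNS.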

nono67
07/11/2014, 17h21
I modified:
Code:
[qmail-vpopmail-pop3-user-notfound]

enabled = true
filter = qmail-vpopmail-pop3-username
action = iptables[name=pop3, port=110, protocol=tcp]
logpath = /home/log/mail.log
maxretry = 5
bantime = 864000
findtime = 3600
by replacing action = iptables[name=pop3, port="110,995,", protocol=tcp] with action = iptables[name=pop3, port=110, protocol=tcp], and when I run iptables -L -v -n --line-numbers here is the result:
Code:
Chain INPUT (policy ACCEPT 86267 packets, 453M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 fail2ban-SMTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
2        0     0 fail2ban-pop3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
3        0     0 fail2ban-ProFTPD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
4        8   528 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
5        0     0 DROP       all  --  *      *       217.69.135.0/24      0.0.0.0/0
6      120  7200 DROP       all  --  *      *       96.47.225.0/24       0.0.0.0/0
7      360 21600 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
8     3796  228K DROP       all  --  *      *       217.69.133.0/24      0.0.0.0/0
9        1   125 DROP       all  --  *      *       217.69.134.0/24      0.0.0.0/0
10       0     0 DROP       all  --  *      *       14.121.5.0/24        0.0.0.0/0
11     756 45360 DROP       all  --  *      *       46.229.164.0/24      0.0.0.0/0
12       0     0 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
13     444 26640 DROP       all  --  *      *       173.44.37.0/24       0.0.0.0/0
14       0     0 DROP       all  --  *      *       5.56.133.86          0.0.0.0/0
15       0     0 DROP       all  --  *      *       77.88.219.242        0.0.0.0/0
16       0     0 DROP       all  --  *      *       96.47.225.162        0.0.0.0/0
17   36754 2205K DROP       all  --  *      *       198.143.158.178      0.0.0.0/0
18       0     0 DROP       all  --  *      *       2.228.124.196        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 86236 packets, 453M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ProFTPD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SMTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8   528 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pop3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
I now have the pop3 rule: 2 0 0 fail2ban-pop3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110

I now hope it will ban the IPs behind the attacks on POP3.

nono67
07/11/2014, 16h58
After stopping fail2ban, here is the result of iptables -L -v -n --line-numbers:
Code:
Chain INPUT (policy ACCEPT 45305 packets, 228M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       217.69.135.0/24      0.0.0.0/0
2      120  7200 DROP       all  --  *      *       96.47.225.0/24       0.0.0.0/0
3      360 21600 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
4     3796  228K DROP       all  --  *      *       217.69.133.0/24      0.0.0.0/0
5        1   125 DROP       all  --  *      *       217.69.134.0/24      0.0.0.0/0
6        0     0 DROP       all  --  *      *       14.121.5.0/24        0.0.0.0/0
7      756 45360 DROP       all  --  *      *       46.229.164.0/24      0.0.0.0/0
8        0     0 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
9      444 26640 DROP       all  --  *      *       173.44.37.0/24       0.0.0.0/0
10       0     0 DROP       all  --  *      *       5.56.133.86          0.0.0.0/0
11       0     0 DROP       all  --  *      *       77.88.219.242        0.0.0.0/0
12       0     0 DROP       all  --  *      *       96.47.225.162        0.0.0.0/0
13   36754 2205K DROP       all  --  *      *       198.143.158.178      0.0.0.0/0
14       0     0 DROP       all  --  *      *       2.228.124.196        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 45213 packets, 228M bytes)
num   pkts bytes target     prot opt in     out     source               destination
Why is the rule xx xx xx fail2ban-pop3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 not present, and how do I add it?

Nowwhat
07/11/2014, 16h44
Quote from nono67:
Why does the line "Chain fail2ban-POP3" show (0 references)? The others show (1 references).
Two answers:
because "Chain fail2ban-POP3" no longer exists; it is "fail2ban-pop3" now.
The rules are inserted into "fail2ban-pop3", perhaps.... but that will be useless.
Because: look at the first rules in "INPUT": this rule is missing:
xx xx xx fail2ban-pop3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
The "pop3" rule will never be taken into account.

When you first stop fail2ban and then run
iptables -L -v -n --line-numbers
what does it give? (inside [CODE] ... [/CODE] please, not [QUOTE] .... [/QUOTE])
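Nowwhat's diagnosis can be applied mechanically to the output of `iptables -L -v -n --line-numbers`. The following is an added example, not code from the thread or from fail2ban: a small parser that flags fail2ban-* chains with (0 references), performs the same test as fail2ban's own action check `iptables -n -L INPUT | grep -q fail2ban-<name>` (the command in the ERROR line quoted in this thread), and lists the addresses currently DROPped in each jail chain. The embedded output is constructed from the table nono67 posted, trimmed to the rows that matter.

```python
import re

# Constructed sample: nono67's `iptables -L -v -n --line-numbers` output after
# naming the action POP3, trimmed to the rows that matter for the check.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 180M packets, 920G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    15355   18M fail2ban-SMTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
2      930 45144 fail2ban-ProFTPD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3      401 28203 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4        0     0 DROP       all  --  *      *       217.69.135.0/24      0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 180M packets, 922G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-POP3 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ProFTPD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       34  1644 DROP       all  --  *      *       177.85.6.102         0.0.0.0/0
2       23  1076 DROP       all  --  *      *       176.31.17.46         0.0.0.0/0
3       38  1720 DROP       all  --  *      *       187.1.147.36         0.0.0.0/0
4      835 40704 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SMTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    15355   18M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       16  1252 DROP       all  --  *      *       112.216.64.162       0.0.0.0/0
2        6   390 DROP       all  --  *      *       111.205.58.66        0.0.0.0/0
3      379 26561 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+) .*|(\d+) references)\)$")


def parse_chains(text):
    """Parse `iptables -L -v -n --line-numbers` output into {chain: {policy, references, rules}}."""
    chains, current = {}, None
    for line in text.splitlines():
        hdr = CHAIN_HEADER.match(line)
        if hdr:
            name, policy, refs = hdr.groups()
            current = chains[name] = {
                "policy": policy,                           # built-in chains only
                "references": int(refs) if refs else None,  # user chains only
                "rules": [],
            }
            continue
        parts = line.split(None, 10)
        if current is None or len(parts) < 10 or parts[0] == "num":
            continue  # blank line or column header
        current["rules"].append({
            "num": int(parts[0]), "pkts": parts[1], "bytes": parts[2],
            "target": parts[3], "prot": parts[4], "source": parts[8],
            "destination": parts[9], "extra": parts[10] if len(parts) > 10 else "",
        })
    return chains


def orphaned_fail2ban_chains(chains):
    """fail2ban-* chains nothing jumps to: they exist, but no packet ever reaches them."""
    return [n for n, c in chains.items() if n.startswith("fail2ban-") and c["references"] == 0]


def input_jump_present(chains, chain_name):
    """Same test as fail2ban's action check: `iptables -n -L INPUT | grep -q fail2ban-<name>`."""
    return any(r["target"] == chain_name for r in chains.get("INPUT", {}).get("rules", []))


def dropped_sources(chains, chain_name):
    """Addresses currently banned in a jail chain (its DROP rules, in order)."""
    return [r["source"] for r in chains.get(chain_name, {}).get("rules", []) if r["target"] == "DROP"]


def jail_report(chains):
    """One line per fail2ban chain: wired into INPUT or not, and how many bans it holds."""
    lines = []
    for name in sorted(n for n in chains if n.startswith("fail2ban-")):
        wired = "ok" if input_jump_present(chains, name) else "NOT referenced from INPUT"
        lines.append(f"{name}: {wired}, {len(dropped_sources(chains, name))} banned")
    return lines


if __name__ == "__main__":
    print("\n".join(jail_report(parse_chains(IPTABLES_OUTPUT))))
```

Run against a live system, feed it `subprocess.check_output(["iptables", "-L", "-v", "-n", "--line-numbers"], text=True)` instead of the constant. A chain that exists with 0 references is exactly the state the ERROR line in the thread describes: the jail's bans land in a chain that INPUT never consults.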

nono67
07/11/2014, 16h20
Thanks for your reply.

Yes, I know Gentoo R2 is dead; I was one of the "victims" of the last wave... sorry, of the October tsunami... that killed R2 and gave birth to R3 (which was in beta at the time) but is "now" in service... I am going to migrate my sites little by little to a new server, but I am still hesitating about which configuration to choose.

Here is the result of iptables -L -v -n --line-numbers:
Code:
Chain INPUT (policy ACCEPT 180M packets, 920G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    15355   18M fail2ban-SMTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
2      930 45144 fail2ban-ProFTPD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3      401 28203 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4        0     0 DROP       all  --  *      *       217.69.135.0/24      0.0.0.0/0
5      120  7200 DROP       all  --  *      *       96.47.225.0/24       0.0.0.0/0
6      360 21600 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
7     3796  228K DROP       all  --  *      *       217.69.133.0/24      0.0.0.0/0
8        1   125 DROP       all  --  *      *       217.69.134.0/24      0.0.0.0/0
9        0     0 DROP       all  --  *      *       14.121.5.0/24        0.0.0.0/0
10     756 45360 DROP       all  --  *      *       46.229.164.0/24      0.0.0.0/0
11       0     0 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
12     444 26640 DROP       all  --  *      *       173.44.37.0/24       0.0.0.0/0
13       0     0 DROP       all  --  *      *       5.56.133.86          0.0.0.0/0
14       0     0 DROP       all  --  *      *       77.88.219.242        0.0.0.0/0
15       0     0 DROP       all  --  *      *       96.47.225.162        0.0.0.0/0
16   36754 2205K DROP       all  --  *      *       198.143.158.178      0.0.0.0/0
17       0     0 DROP       all  --  *      *       2.228.124.196        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 180M packets, 922G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-POP3 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ProFTPD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       34  1644 DROP       all  --  *      *       177.85.6.102         0.0.0.0/0
2       23  1076 DROP       all  --  *      *       176.31.17.46         0.0.0.0/0
3       38  1720 DROP       all  --  *      *       187.1.147.36         0.0.0.0/0
4      835 40704 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SMTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    15355   18M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       16  1252 DROP       all  --  *      *       112.216.64.162       0.0.0.0/0
2        6   390 DROP       all  --  *      *       111.205.58.66        0.0.0.0/0
3      379 26561 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
I changed "POP3" to "pop3" and restarted fail2ban; here is the result of iptables -L -v -n --line-numbers:

Code:
Chain INPUT (policy ACCEPT 2373K packets, 12G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       29 12332 fail2ban-SMTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
2        0     0 fail2ban-ProFTPD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3       19  1136 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4        0     0 DROP       all  --  *      *       217.69.135.0/24      0.0.0.0/0
5      120  7200 DROP       all  --  *      *       96.47.225.0/24       0.0.0.0/0
6      360 21600 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
7     3796  228K DROP       all  --  *      *       217.69.133.0/24      0.0.0.0/0
8        1   125 DROP       all  --  *      *       217.69.134.0/24      0.0.0.0/0
9        0     0 DROP       all  --  *      *       14.121.5.0/24        0.0.0.0/0
10     756 45360 DROP       all  --  *      *       46.229.164.0/24      0.0.0.0/0
11       0     0 DROP       all  --  *      *       96.47.224.0/24       0.0.0.0/0
12     444 26640 DROP       all  --  *      *       173.44.37.0/24       0.0.0.0/0
13       0     0 DROP       all  --  *      *       5.56.133.86          0.0.0.0/0
14       0     0 DROP       all  --  *      *       77.88.219.242        0.0.0.0/0
15       0     0 DROP       all  --  *      *       96.47.225.162        0.0.0.0/0
16   36754 2205K DROP       all  --  *      *       198.143.158.178      0.0.0.0/0
17       0     0 DROP       all  --  *      *       2.228.124.196        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2368K packets, 12G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ProFTPD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SMTP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       29 12332 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       19  1136 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pop3 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Why does the line "Chain fail2ban-pop3" show (0 references)? The others show (1 references).

Nowwhat
07/11/2014, 15h12

However, you still have a major problem to deal with:
Quote from nono67:
I am running Gentoo R2.
Are you aware that this is really risky?


edit:
Quote from nono67:
2014-11-07 03:44:21,082 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-POP3 returned 100
2014-11-07 03:44:21,082 fail2ban.actions.action: CRITICAL Unable to restore environment
2014-11-07 03:44:27,088 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:44:34,095 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
I can't look at that from where I am.... I have no access.

Could you spare a quick
Code:
iptables -L -v -n --line-numbers
by any chance?

second edit:
Quote from nono67:
I added the following jail to my /etc/fail2ban/jail.conf file:
[qmail-vpopmail-pop3-user-notfound]

Code:
enabled = true
filter = qmail-vpopmail-pop3-username
action = iptables[name=POP3, port="110,995" protocol=tcp]
logpath = /home/log/mail.log
maxretry = 5
bantime = 864000
findtime = 3600
Are you sure about "POP3"?
Try "pop3" (lowercase).

nono67
07/11/2014, 13h05
No, this time it is not a mistake but a real problem.

What is wrong? Why are the IPs not being banned?

bbr18
07/11/2014, 08h26
mistake... never mind

nono67
07/11/2014, 07h43
Well, in the end I am reopening my thread, because the [qmail-vpopmail-pop3-user-notfound] jail I set up above does not work: the IP addresses are not banned.

I have this in my mail logs (mail.log):
Nov 7 03:44:14 nsXXXX vpopmail[26932]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov 7 03:44:15 nsXXXX vpopmail[26959]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov 7 03:44:17 nsXXXX vpopmail[26968]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov 7 03:44:18 nsXXXX vpopmail[26978]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov 7 03:44:19 nsXXXX vpopmail[26991]: vchkpw-pop3: vpopmail user not found sales@:211.235.228.43
Nov 7 03:44:21 nsXXXX vpopmail[26999]: vchkpw-pop3: vpopmail user not found sales@:211.235.228.43
Nov 7 03:44:22 nsXXXX vpopmail[27023]: vchkpw-pop3: vpopmail user not found sales@:211.235.228.43
Nov 7 03:44:23 nsXXXX vpopmail[27035]: vchkpw-pop3: vpopmail user not found sales@:211.235.228.43
Nov 7 03:44:24 nsXXXX vpopmail[27045]: vchkpw-pop3: vpopmail user not found recruit@:211.235.228.43
Nov 7 03:44:26 nsXXXX vpopmail[27057]: vchkpw-pop3: vpopmail user not found alias@:211.235.228.43
Nov 7 03:44:27 nsXXXX vpopmail[27065]: vchkpw-pop3: vpopmail user not found office@:211.235.228.43
Nov 7 03:44:28 nsXXXX vpopmail[27079]: vchkpw-pop3: vpopmail user not found office@:211.235.228.43
Nov 7 03:44:29 nsXXXX vpopmail[27091]: vchkpw-pop3: vpopmail user not found office@:211.235.228.43
Nov 7 03:44:31 nsXXXX vpopmail[27109]: vchkpw-pop3: vpopmail user not found office@:211.235.228.43
Nov 7 03:44:33 nsXXXX vpopmail[27125]: vchkpw-pop3: vpopmail user not found office@:211.235.228.43
Nov 7 03:44:34 nsXXXX vpopmail[27135]: vchkpw-pop3: vpopmail user not found office@:211.235.228.43
Nov 7 03:44:35 nsXXXX vpopmail[27144]: vchkpw-pop3: vpopmail user not found info@:211.235.228.43
Nov 7 03:44:36 nsXXXX vpopmail[27154]: vchkpw-pop3: vpopmail user not found test@:211.235.228.43
Nov 7 03:44:38 nsXXXX vpopmail[27164]: vchkpw-pop3: vpopmail user not found admin@:211.235.228.43
Nov 7 03:44:39 nsXXXX vpopmail[27176]: vchkpw-pop3: vpopmail user not found samba@:211.235.228.43
Nov 7 03:44:40 nsXXXX vpopmail[27183]: vchkpw-pop3: vpopmail user not found lisa@:211.235.228.43
Nov 7 03:44:41 nsXXXX vpopmail[27194]: vchkpw-pop3: vpopmail user not found lisa@:211.235.228.43
Nov 7 03:44:43 nsXXXX vpopmail[27204]: vchkpw-pop3: vpopmail user not found ricky@:211.235.228.43
etc.....
This IP should have been banned after the 5th attempt, but that is not the case.

I have this in my fail2ban logs:
2014-11-07 03:44:21,082 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-POP3 returned 100
2014-11-07 03:44:21,082 fail2ban.actions.action: CRITICAL Unable to restore environment
2014-11-07 03:44:27,088 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:44:34,095 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:44:40,101 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:44:47,109 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:44:54,116 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:00,121 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:06,127 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:14,136 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:20,141 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:26,147 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:32,153 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:42,163 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:48,169 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:45:54,176 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:00,181 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:08,189 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:14,196 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:20,201 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:26,207 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:33,214 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:41,222 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:47,229 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:46:53,234 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:01,243 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:07,248 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:13,254 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:19,261 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:27,268 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:33,274 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:39,280 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:45,287 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:52,293 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:47:58,299 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:04,306 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:10,311 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:18,320 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:24,326 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:30,332 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:36,339 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:44,346 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:50,352 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:48:56,359 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:02,364 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:09,372 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:15,378 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:21,383 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:27,389 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:33,395 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:40,402 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:46,412 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:52,418 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:49:58,424 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:06,432 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:13,439 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:19,445 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:27,453 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:33,460 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:41,468 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:47,473 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:53,479 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:50:59,485 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:06,493 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:12,499 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:18,505 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:24,510 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:30,516 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:38,524 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:44,530 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:50,536 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:51:58,545 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:04,551 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:11,559 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:17,564 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:23,571 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:31,578 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:40,588 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:47,595 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:53,600 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:52:59,607 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:06,614 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:17,626 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:23,633 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:29,639 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:35,645 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:42,652 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:48,658 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:53:55,665 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:54:01,671 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
2014-11-07 03:54:07,677 fail2ban.actions: WARNING [qmail-vpopmail-pop3-user-notfound] 211.235.228.43 already banned
Can you help me? What is wrong?

bbr18
05/11/2014, 07h36
Besides, CentOS r2 does not exist, it is CentOS r3, and it uses Postfix, not qmail.

TBC_Ly0n
04/11/2014, 23h05
Glad I could help.

nono67
04/11/2014, 21h38
Well, I need to go to bed now: you just have to type /usr/bin/fail2ban-client status qmail-vpopmail-pop3-user-notfound and not /usr/bin/fail2ban-client status qmail-vpopmail-pop3-username for it to display properly:
Code:
Status for the jail: qmail-vpopmail-pop3-user-notfound
|- filter
|  |- File list:        /home/log/mail.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
So I am closing this thread, ten minutes after opening it.

nono67
04/11/2014, 21h24
Hello everyone,

I am running Gentoo R2.

I added the following jail to my /etc/fail2ban/jail.conf file:
[qmail-vpopmail-pop3-user-notfound]

enabled = true
filter = qmail-vpopmail-pop3-username
action = iptables[name=POP3, port="110,995" protocol=tcp]
logpath = /home/log/mail.log
maxretry = 5
bantime = 864000
findtime = 3600
I created a file qmail-vpopmail-pop3-username.conf, which I put in /etc/fail2ban/filter.d/, with the following content:
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>$
            vchkpw-pop3: vpopmail user not found [^@]*@[^:]*:<HOST>$


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
When I type /usr/bin/fail2ban-client status I get:
Status
|- Number of jail: 5
`- Jail list: proftpd-iptables, qmail-vpopmail-pop3-user-notfound, qmail-vpopmail-smtp-user-notfound, qmail-vpopmail-password-fail, ssh-iptables
When I test my rule with fail2ban-regex /home/log/mail.log /etc/fail2ban/filter.d/qmail-vpopmail-pop3-username.conf I get:
......
61.190.35.124 (Sun Nov 02 14:54:58 2014)
61.190.35.124 (Sun Nov 02 14:55:00 2014)
61.190.35.124 (Sun Nov 02 14:55:02 2014)
61.190.35.124 (Sun Nov 02 14:55:04 2014)
61.190.35.124 (Sun Nov 02 14:55:06 2014)
61.190.35.124 (Sun Nov 02 14:55:08 2014)
61.190.35.124 (Sun Nov 02 14:55:10 2014)
61.190.35.124 (Sun Nov 02 14:55:12 2014)
61.190.35.124 (Sun Nov 02 14:55:17 2014)
61.190.35.124 (Sun Nov 02 14:55:19 2014)
61.190.35.124 (Sun Nov 02 14:55:21 2014)
61.190.35.124 (Sun Nov 02 14:55:23 2014)
61.190.35.124 (Sun Nov 02 14:55:26 2014)
61.190.35.124 (Sun Nov 02 14:55:31 2014)
61.190.35.124 (Sun Nov 02 14:55:33 2014)
61.190.35.124 (Sun Nov 02 14:55:36 2014)
61.190.35.124 (Sun Nov 02 14:55:38 2014)
61.190.35.124 (Sun Nov 02 14:55:40 2014)
61.190.35.124 (Sun Nov 02 14:55:41 2014)
61.190.35.124 (Sun Nov 02 14:55:55 2014)
61.190.35.124 (Sun Nov 02 14:55:57 2014)
61.190.35.124 (Sun Nov 02 14:55:59 2014)
61.190.35.124 (Sun Nov 02 14:56:01 2014)
61.190.35.124 (Sun Nov 02 14:56:16 2014)
61.190.35.124 (Sun Nov 02 14:56:18 2014)
61.190.35.124 (Sun Nov 02 14:56:20 2014)
61.190.35.124 (Sun Nov 02 14:56:31 2014)
61.190.35.124 (Sun Nov 02 14:56:33 2014)
61.190.35.124 (Sun Nov 02 14:56:36 2014)
61.190.35.124 (Sun Nov 02 14:56:47 2014)
151.236.52.44 (Sun Nov 02 15:18:47 2014)
151.236.52.44 (Sun Nov 02 15:18:47 2014)
151.236.52.44 (Sun Nov 02 15:18:47 2014)
151.236.52.44 (Sun Nov 02 16:07:45 2014)
151.236.52.44 (Sun Nov 02 16:07:45 2014)
151.236.52.44 (Sun Nov 02 16:07:45 2014)
94.102.60.180 (Sun Nov 02 16:57:14 2014)
151.236.52.44 (Sun Nov 02 18:39:05 2014)
151.236.52.44 (Sun Nov 02 18:39:25 2014)
151.236.52.44 (Sun Nov 02 21:07:01 2014)
151.236.52.44 (Sun Nov 02 21:55:34 2014)
151.236.52.44 (Sun Nov 02 21:55:53 2014)
151.236.52.44 (Sun Nov 02 21:55:53 2014)
151.236.52.44 (Sun Nov 02 21:55:53 2014)
151.236.52.44 (Sun Nov 02 22:44:24 2014)
151.236.52.44 (Sun Nov 02 22:44:43 2014)
151.236.52.44 (Sun Nov 02 22:44:43 2014)
151.236.52.44 (Sun Nov 02 22:44:43 2014)
151.236.52.44 (Mon Nov 03 00:20:17 2014)
151.236.52.44 (Mon Nov 03 00:20:36 2014)
151.236.52.44 (Mon Nov 03 09:22:07 2014)
151.236.52.44 (Mon Nov 03 14:13:49 2014)
151.236.52.44 (Mon Nov 03 14:13:49 2014)
151.236.52.44 (Mon Nov 03 15:02:36 2014)
151.236.52.44 (Mon Nov 03 15:02:55 2014)
151.236.52.44 (Mon Nov 03 15:02:55 2014)
178.216.52.114 (Tue Nov 04 16:06:40 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:40 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:40 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:41 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:41 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:42 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:42 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:42 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:43 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:43 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:43 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:44 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:44 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:45 2014) (already matched)
178.216.52.114 (Tue Nov 04 16:06:45 2014) (already matched)

Date template hits:
9834 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 1200

However, look at the above section 'Running tests' which could contain important information.
But when I type /usr/bin/fail2ban-client status qmail-vpopmail-pop3-username I get:
Sorry but the jail 'qmail-vpopmail-pop3-username' does not exist
I do not understand why it tells me that the jail qmail-vpopmail-pop3-username does not exist.

Does anyone see an explanation? Did I make a mistake somewhere? How can I be certain that my jail is working?

Thanks for your help.
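Two questions recur in this thread: "how can I be certain my jail is working?" (this post) and "this IP should have been banned after the 5th attempt" (the 07/11 post). The following added example, which is not code from the thread or from fail2ban, addresses both. It reads the jail definition with configparser to show that the name `fail2ban-client status` expects is the section header, not the `filter =` value; it then runs the filter's two failregex lines, with `<HOST>` expanded the way fail2ban 0.8 does, over a constructed mail.log sample built from the lines posted in this thread, and replays the hits through a maxretry/findtime window to show when a ban should fire and which later hits would be reported as "already banned". The second host 198.51.100.7 (documentation range) and the qmail status line are constructed; the window logic is a model of fail2ban's counting, not its code.

```python
import re
import configparser
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The jail as finally posted in the thread. The section header is the jail name that
# `fail2ban-client status <jail>` expects; "filter =" only names a file under filter.d/.
JAIL_CONF = """\
[qmail-vpopmail-pop3-user-notfound]
enabled = true
filter = qmail-vpopmail-pop3-username
action = iptables[name=pop3, port=110, protocol=tcp]
logpath = /home/log/mail.log
maxretry = 5
bantime = 864000
findtime = 3600
"""

# fail2ban 0.8 expands <HOST> to this group; the two failregex lines are the filter's own.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    re.compile(r"vchkpw-pop3: vpopmail user not found .*@:" + HOST + r"$"),
    re.compile(r"vchkpw-pop3: vpopmail user not found [^@]*@[^:]*:" + HOST + r"$"),
]
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")

# Constructed sample: six of the thread's lines for 211.235.228.43, a second host
# (198.51.100.7) that stops after two attempts, and one unrelated qmail line.
SAMPLE_LOG = """\
Nov  7 03:44:14 nsXXXX vpopmail[26932]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov  7 03:44:15 nsXXXX vpopmail[26959]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov  7 03:44:16 nsXXXX vpopmail[26960]: vchkpw-pop3: vpopmail user not found staff@:198.51.100.7
Nov  7 03:44:17 nsXXXX vpopmail[26968]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov  7 03:44:18 nsXXXX vpopmail[26978]: vchkpw-pop3: vpopmail user not found staff@:211.235.228.43
Nov  7 03:44:18 nsXXXX qmail: 1415328258.123456 status: local 0/10 remote 0/20
Nov  7 03:44:19 nsXXXX vpopmail[26991]: vchkpw-pop3: vpopmail user not found sales@:211.235.228.43
Nov  7 03:44:20 nsXXXX vpopmail[26992]: vchkpw-pop3: vpopmail user not found sales@:198.51.100.7
Nov  7 03:44:21 nsXXXX vpopmail[26999]: vchkpw-pop3: vpopmail user not found sales@:211.235.228.43
"""


def jails(conf_text):
    """Return {jail name: filter name} for enabled jails, as fail2ban would load them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: cp[s]["filter"] for s in cp.sections() if cp[s].getboolean("enabled", False)}


def parse_failures(log_text, year=2014):
    """(timestamp, host) for every line a failregex matches, as fail2ban-regex reports them."""
    found = []
    for line in log_text.splitlines():
        ts = SYSLOG_TS.match(line)
        if not ts:
            continue  # no recognisable syslog date: fail2ban skips such lines too
        for rx in FAILREGEX:
            hit = rx.search(line)
            if hit:
                when = datetime.strptime(f"{year} {ts['mon']} {ts['day']} {ts['time']}", "%Y %b %d %H:%M:%S")
                found.append((when, hit["host"]))
                break
    return found


def simulate(log_text, maxretry=5, findtime=3600, year=2014):
    """Replay failures through the maxretry/findtime window.
    Returns ({host: time of ban}, {host: failures seen while already banned})."""
    recent = defaultdict(deque)
    banned, already = {}, defaultdict(int)
    for when, host in parse_failures(log_text, year):
        if host in banned:
            already[host] += 1  # what fail2ban logs as "... already banned"
            continue
        q = recent[host]
        q.append(when)
        while q and when - q[0] > timedelta(seconds=findtime):
            q.popleft()         # forget attempts older than findtime
        if len(q) >= maxretry:
            banned[host] = when
    return banned, dict(already)


if __name__ == "__main__":
    print("jails:", jails(JAIL_CONF))
    bans, repeats = simulate(SAMPLE_LOG)
    for host, when in bans.items():
        print(f"{host} banned at {when:%H:%M:%S}, then seen {repeats.get(host, 0)} more time(s)")
```

If this model says a ban should have fired but no DROP rule appears in the jail's iptables chain, the filter side is fine and the fault is in the action, which is exactly what the `iptables -n -L INPUT | grep -q fail2ban-POP3 returned 100` line in the fail2ban log later in this thread indicates.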