[solved] Fail2ban WARNING [sasl] xx.xx.xx.xx already banned

  • Hi,


    I have a problem with fail2ban. I take this howto: http://wiki.i-mscp.net/doku.php?id=start:howto:fail2ban for installing fail2ban.


    The problem is that it does not work with mail servers. Fail2ban recognizes the IPs and passes them on to iptables. But that's about it. If the same IP connects again, I get an "already banned". The requests are still allowed through. It is only like this for mail. FTP, SSH, etc. function properly.


    I don't use dovecot, so I configured sasl. Here are my logs:


    mail.log

    Code
    Mar 25 15:32:09 itcweb02 postfix/smtpd[8095]: warning: unknown[182.183.250.234]: SASL LOGIN authentication failed: authentication failure


    fail2ban.log

    Code
    2015-03-25 15:32:55,615 fail2ban.actions: WARNING [sasl] 182.183.250.234 already banned


    iptables -L

    Code
    Chain fail2ban-sasl (1 references)
    target     prot opt source               destination
    DROP       all  --  182.183.250.234      anywhere


    jail.local

    Code
    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    # provided now under /usr/share/doc/fail2ban/examples/jail.conf
    # for additional examples.
    #
    # Author: Yaroslav O. Halchenko <[email protected]>
    #
    # $Revision$
    #

    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.

    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1/8
    findtime = 600
    bantime = 6000
    maxretry = 3

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    # This issue left ToDo, so polling is default backend for now
    backend = auto

    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost

    #
    # ACTIONS
    #

    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overridden globally or per
    # section within jail.local file
    banaction = iptables-multiport

    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    mta = sendmail

    # Default protocol
    protocol = tcp

    # Specify chain where jumps would need to be added in iptables-* actions
    chain = INPUT

    #
    # Action shortcuts. To be used to define action parameter

    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

    # Choose default action. To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_)s

    #
    # JAILS
    #

    [ssh]

    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 6

    [ssh-ddos]

    enabled = true
    port = ssh
    filter = sshd-ddos
    logpath = /var/log/auth.log
    maxretry = 6

    #
    # HTTP servers i-MSCP customer sites
    #

    [apache]

    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache2/users/*error.log
    maxretry = 6

    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]

    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache2/users/*error.log
    maxretry = 6

    [apache-noscript]

    enabled = true
    port = http,https
    filter = apache-noscript
    logpath = /var/log/apache2/users/*error.log
    maxretry = 6

    [apache-overflows]

    enabled = true
    port = http,https
    filter = apache-overflows
    logpath = /var/log/apache2/users/*error.log
    maxretry = 2

    #
    # HTTP servers i-MSCP Control Panel
    #

    [imscp]

    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache2/*error.log
    maxretry = 6

    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [imscp-multiport]

    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache2/*error.log
    maxretry = 6

    [imscp-noscript]

    enabled = true
    port = http,https
    filter = apache-noscript
    logpath = /var/log/apache2/*error.log
    maxretry = 6

    [imscp-overflows]

    enabled = true
    port = http,https
    filter = apache-overflows
    logpath = /var/log/apache2/*error.log
    maxretry = 2

    #
    # FTP servers
    #

    [proftpd]

    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    filter = proftpd
    logpath = /var/log/auth.log
    maxretry = 6

    #
    # Mail servers
    #

    #
    # Mail servers authenticators: might be used for smtp,pop3,imap servers, so
    # all relevant ports get banned
    #

    [dovecot]

    enabled = false
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = dovecot
    logpath = /var/log/mail.log
    maxretry = 3

    [sasl]

    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    maxretry = 2
    bantime = 36000

    [roundcube]

    enabled = true
    port = http,https
    filter = roundcube
    logpath = /var/www/imscp/gui/public/tools/webmail/logs/errors
    maxretry = 6


    sasl.conf


    Does somebody have an idea? Thanks

  • I found the problem. The service names are different.


    smtp,imap2,imap3,imaps,pop3,pop3s,submission,smtps


    These service names work perfectly.
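The check this fix implies, as an added example that is not code from the thread or from fail2ban: every name in a jail's `port =` list is resolved against an /etc/services-style table before iptables-multiport would build its `--dports` rule, and any name that does not resolve is reported. The services table is a constructed sample, with one name left out on purpose so the check has something to report; the poster did not say which name was missing on his system.

```python
# Added example: check a jail's port list against an /etc/services-style table.

def parse_services(text):
    """Return {(name, proto): port} from /etc/services-style text, aliases included."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:  # canonical name plus aliases
            table[(name, proto)] = int(port)
    return table

def resolve_ports(port_setting, services, proto="tcp"):
    """Resolve each entry of a jail's "port = ..." value to a number.
    Returns (resolved_ports, unknown_names); any unknown name makes the
    iptables-multiport rule fail, so hits are logged but never blocked."""
    resolved, unknown = [], []
    for item in port_setting.split(","):
        item = item.strip()
        if item.isdigit():
            resolved.append(int(item))
        elif (item, proto) in services:
            resolved.append(services[(item, proto)])
        else:
            unknown.append(item)
    return resolved, unknown

def dports_argument(port_setting, services, proto="tcp"):
    """The numeric list iptables-multiport would pass to --dports, or None if unusable."""
    resolved, unknown = resolve_ports(port_setting, services, proto)
    return None if unknown else ",".join(str(p) for p in resolved)

# Constructed sample table (NOT the poster's /etc/services); "ssmtp" is left
# out on purpose so the check has something to report.
SAMPLE_SERVICES = """\
smtp        25/tcp      mail
submission  587/tcp
smtps       465/tcp
imap2       143/tcp     imap
imap3       220/tcp
imaps       993/tcp
pop3        110/tcp     pop-3
pop3s       995/tcp
"""

if __name__ == "__main__":
    print(resolve_ports("smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s", parse_services(SAMPLE_SERVICES)))
```

To run the same check against a live system, read the real `/etc/services` into `parse_services` or replace the table lookup with `socket.getservbyname(name, proto)`.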