Security

This tag is used for topics related to the safety of computer systems and the confidentiality of data.

Postfix

Postfix is e-mail server software, a type of MTA (a system that delivers mail).

Q&A

Solved

1 answer

3238 views

Some IPs are not picked up by recidive in fail2ban

sarasa_38765

Total score 34


0 upvotes

2 clips

Posted 2020/07/27 02:26

There is an IP (89.248.168.2) that fail2ban detects but that never gets into recidive. More than a day has already passed. recidive itself is working, and it has caught several other IPs.

log

```
2020-07-26 22:37:36,534 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 22:37:36
2020-07-26 22:53:50,664 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 22:53:50
2020-07-26 23:10:01,576 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 23:10:01
2020-07-26 23:26:10,205 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 23:26:10
2020-07-26 23:42:17,519 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 23:42:17
2020-07-26 23:58:29,876 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 23:58:29
2020-07-27 00:14:39,195 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 00:14:39
2020-07-27 00:30:51,633 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 00:30:51
2020-07-27 00:46:59,748 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 00:46:59
2020-07-27 01:03:09,127 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 01:03:08
2020-07-27 01:19:19,628 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 01:19:19
2020-07-27 01:35:31,486 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 01:35:31
2020-07-27 01:51:44,253 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 01:51:44
2020-07-27 02:07:53,171 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 02:07:53
2020-07-27 02:23:59,926 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 02:23:59
2020-07-27 02:40:11,943 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 02:40:11
2020-07-27 02:51:35,750 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:35
2020-07-27 02:51:36,058 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:36
2020-07-27 02:51:36,647 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:36
2020-07-27 02:51:36,956 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:36
2020-07-27 02:51:37,265 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:37
2020-07-27 02:51:37,678 fail2ban.actions [18021]: NOTICE [postfix-sasl] Ban 180.101.145.234
2020-07-27 02:51:37,882 fail2ban.filter [18021]: INFO [recidive] Found 180.101.145.234 - 2020-07-27 02:51:37
2020-07-27 02:56:20,422 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 02:56:20
2020-07-27 03:01:38,423 fail2ban.actions [18021]: NOTICE [postfix-sasl] Unban 180.101.145.234
2020-07-27 03:12:31,647 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 03:12:31
2020-07-27 03:28:53,189 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 03:28:53
2020-07-27 03:45:12,728 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 03:45:12
2020-07-27 04:01:21,904 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 04:01:21
2020-07-27 04:17:30,440 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 04:17:30
2020-07-27 04:33:44,101 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 04:33:43
2020-07-27 04:50:01,513 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 04:50:01
2020-07-27 05:06:12,636 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 05:06:12
2020-07-27 05:22:15,379 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 05:22:15
2020-07-27 05:38:18,363 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 05:38:18
2020-07-27 05:54:26,538 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 05:54:26
2020-07-27 06:10:59,837 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 06:10:59
2020-07-27 06:27:17,753 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 06:27:17
2020-07-27 06:43:30,593 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 06:43:30
2020-07-27 06:59:46,677 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 06:59:46
2020-07-27 07:16:00,730 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 07:16:00
2020-07-27 07:32:15,935 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 07:32:15
2020-07-27 07:48:37,345 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 07:48:37
2020-07-27 08:04:53,272 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 08:04:53
2020-07-27 08:21:06,329 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 08:21:06
2020-07-27 08:37:19,442 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 08:37:19
2020-07-27 08:53:24,176 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 08:53:24
2020-07-27 08:56:46,222 fail2ban.filter [18021]: INFO [sshd] Found 60.32.124.8 - 2020-07-27 08:56:46
2020-07-27 08:56:46,511 fail2ban.filter [18021]: INFO [ssh-iptables] Found 60.32.124.8 - 2020-07-27 08:56:46
2020-07-27 09:09:34,781 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 09:09:34
2020-07-27 09:25:47,932 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 09:25:47
2020-07-27 09:42:06,476 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-27 09:42:06
```

```
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 5
```

status

```
[root@ik1-337-28583 var]# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 1133
|  `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned: 101
   `- Banned IP list:

[root@ik1-337-28583 var]# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 91
|  `- File list: /var/log/fail2ban.log
`- Actions
   |- Currently banned: 5
   |- Total banned: 17
   `- Banned IP list: 212.70.149.3 185.143.73.152 142.11.205.237 185.143.73.250 185.143.73.119
[root@ik1-337-28583 var]#
```


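1 answer

0

Self-resolved

After restarting fail2ban and checking the log, I found that bantime and findtime were 600 for every jail, meaning the bantime and findtime in the DEFAULT section of .local were not being read. That is why 89.248.168.2, which comes in every 15 minutes, was not being detected. So once I set bantime and findtime again in the postfix-sasl section, it was detected and also registered in recidive.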

log

```
2020-07-28 10:05:33,744 fail2ban.filtersystemd [8983]: INFO [sshd] Removed journal match for: '*'
2020-07-28 10:05:33,744 fail2ban.filtersystemd [8983]: INFO [postfix-sasl] Removed journal match for: '*'
2020-07-28 10:05:33,744 fail2ban.filtersystemd [8983]: INFO [proftpd] Removed journal match for: '*'
2020-07-28 10:05:33,744 fail2ban.filtersystemd [8983]: INFO [postfix] Removed journal match for: '*'
2020-07-28 10:05:33,744 fail2ban.filtersystemd [8983]: INFO [dovecot] Removed journal match for: '*'
2020-07-28 10:05:33,744 fail2ban.server [8983]: INFO Reload jail 'sshd'
2020-07-28 10:05:33,745 fail2ban.filter [8983]: INFO maxLines: 1
2020-07-28 10:05:33,745 fail2ban.filtersystemd [8983]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2020-07-28 10:05:33,745 fail2ban.filter [8983]: INFO maxRetry: 5
2020-07-28 10:05:33,745 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,746 fail2ban.actions [8983]: INFO banTime: 600
2020-07-28 10:05:33,746 fail2ban.filter [8983]: INFO findtime: 600
2020-07-28 10:05:33,746 fail2ban.server [8983]: INFO Reload jail 'proftpd'
2020-07-28 10:05:33,746 fail2ban.filtersystemd [8983]: INFO [proftpd] Added journal match for: '_SYSTEMD_UNIT=proftpd.service'
2020-07-28 10:05:33,746 fail2ban.filter [8983]: INFO maxRetry: 5
2020-07-28 10:05:33,746 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,746 fail2ban.actions [8983]: INFO banTime: 600
2020-07-28 10:05:33,746 fail2ban.filter [8983]: INFO findtime: 600
2020-07-28 10:05:33,747 fail2ban.server [8983]: INFO Reload jail 'postfix'
2020-07-28 10:05:33,747 fail2ban.filtersystemd [8983]: INFO [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2020-07-28 10:05:33,747 fail2ban.filter [8983]: INFO maxRetry: 5
2020-07-28 10:05:33,747 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,747 fail2ban.actions [8983]: INFO banTime: 600
2020-07-28 10:05:33,747 fail2ban.filter [8983]: INFO findtime: 600
2020-07-28 10:05:33,747 fail2ban.server [8983]: INFO Reload jail 'dovecot'
2020-07-28 10:05:33,748 fail2ban.datedetector [8983]: INFO date pattern `''`: `{^LN-BEG}TAI64N`
2020-07-28 10:05:33,748 fail2ban.filtersystemd [8983]: INFO [dovecot] Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2020-07-28 10:05:33,748 fail2ban.filter [8983]: INFO maxRetry: 5
2020-07-28 10:05:33,748 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,748 fail2ban.actions [8983]: INFO banTime: 600
2020-07-28 10:05:33,748 fail2ban.filter [8983]: INFO findtime: 600
2020-07-28 10:05:33,748 fail2ban.server [8983]: INFO Reload jail 'postfix-sasl'
2020-07-28 10:05:33,748 fail2ban.filtersystemd [8983]: INFO [postfix-sasl] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2020-07-28 10:05:33,749 fail2ban.filter [8983]: INFO maxRetry: 3
2020-07-28 10:05:33,749 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,749 fail2ban.actions [8983]: INFO banTime: 7200
2020-07-28 10:05:33,749 fail2ban.filter [8983]: INFO findtime: 3600
2020-07-28 10:05:33,749 fail2ban.server [8983]: INFO Reload jail 'recidive'
2020-07-28 10:05:33,749 fail2ban.filter [8983]: INFO maxRetry: 5
2020-07-28 10:05:33,749 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,749 fail2ban.actions [8983]: INFO banTime: 604800
2020-07-28 10:05:33,750 fail2ban.filter [8983]: INFO findtime: 86400
2020-07-28 10:05:33,750 fail2ban.server [8983]: INFO Reload jail 'ssh-iptables'
2020-07-28 10:05:33,750 fail2ban.filter [8983]: INFO maxLines: 1
2020-07-28 10:05:33,750 fail2ban.filter [8983]: INFO maxRetry: 5
2020-07-28 10:05:33,751 fail2ban.filter [8983]: INFO encoding: UTF-8
2020-07-28 10:05:33,751 fail2ban.actions [8983]: INFO banTime: 600
2020-07-28 10:05:33,751 fail2ban.filter [8983]: INFO findtime: 600
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'sshd' reloaded
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'proftpd' reloaded
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'postfix' reloaded
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'dovecot' reloaded
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'postfix-sasl' reloaded
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'recidive' reloaded
2020-07-28 10:05:33,751 fail2ban.server [8983]: INFO Jail 'ssh-iptables' reloaded
2020-07-28 10:05:33,752 fail2ban.server [8983]: INFO Reload finished.
2020-07-28 10:15:26,017 fail2ban.filter [8983]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-28 10:15:25
2020-07-28 10:31:32,460 fail2ban.filter [8983]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-28 10:31:32
2020-07-28 10:31:32,829 fail2ban.actions [8983]: NOTICE [postfix-sasl] Ban 89.248.168.2
2020-07-28 10:31:32,830 fail2ban.filter [8983]: INFO [recidive] Found 89.248.168.2 - 2020-07-28 10:31:32
```

jail.local

```
[postfix-sasl]

enabled = true
filter = postfix-sasl
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s
bantime = 7200
findtime = 3600
maxretry = 3
```

Posted 2020/07/29 00:17

sarasa_38765

Total score 34
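The gap between this source's roughly 16-minute retry interval and a 600-second findtime can be measured straight from fail2ban.log. The script below is an added example, not code from the original post or from fail2ban: it treats findtime as a plain sliding window (a simplification of fail2ban's own counting), uses `maxretry = 3` from the jail.local above, and its function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the fail2ban.log excerpt in the question above.
SAMPLE_LOG = """\
2020-07-26 22:37:36,534 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 22:37:36
2020-07-26 22:53:50,664 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 22:53:50
2020-07-26 23:10:01,576 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 23:10:01
2020-07-26 23:26:10,205 fail2ban.filter [18021]: INFO [postfix-sasl] Found 89.248.168.2 - 2020-07-26 23:26:10
2020-07-27 02:51:35,750 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:35
2020-07-27 02:51:36,058 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:36
2020-07-27 02:51:36,647 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:36
2020-07-27 02:51:36,956 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:36
2020-07-27 02:51:37,265 fail2ban.filter [18021]: INFO [postfix-sasl] Found 180.101.145.234 - 2020-07-27 02:51:37
2020-07-27 02:51:37,678 fail2ban.actions [18021]: NOTICE [postfix-sasl] Ban 180.101.145.234
2020-07-27 02:51:37,882 fail2ban.filter [18021]: INFO [recidive] Found 180.101.145.234 - 2020-07-27 02:51:37
"""

FOUND_RE = re.compile(
    r"\[(?P<jail>[^\]]+)\]\s+Found\s+(?P<ip>\S+)\s+-\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def parse_found(log_text):
    """Map (jail, ip) -> sorted failure timestamps taken from 'Found' lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            hits[(m["jail"], m["ip"])].append(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return {key: sorted(ts) for key, ts in hits.items()}

def tightest_span(times, maxretry):
    """Shortest span in seconds covering maxretry consecutive failures, or None."""
    spans = [(times[i + maxretry - 1] - times[i]).total_seconds()
             for i in range(len(times) - maxretry + 1)]
    return min(spans) if spans else None

def would_ban(times, findtime, maxretry):
    """Assumed model: ban once maxretry failures fall inside findtime seconds."""
    span = tightest_span(times, maxretry)
    return span is not None and span < findtime

if __name__ == "__main__":
    for (jail, ip), times in parse_found(SAMPLE_LOG).items():
        for findtime in (600, 3600):  # effective value before / after the fix
            print(jail, ip, f"findtime={findtime}",
                  "span:", tightest_span(times, 3),
                  "ban:", would_ban(times, findtime, 3))
```

Run against a full fail2ban.log, a `(jail, ip)` pair with many `Found` entries whose tightest span exceeds the jail's findtime is a source pacing itself under the threshold; it will never be banned by that jail and so never produces the `Ban` line that recidive counts.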
