Fail2Ban

Lines like this is filling up the log

2020-02-16 07:11:05,633 fail2ban.filtersystemd  [836]: HEAVY   [dovecot] Read systemd journal entry: 2020-02-16T07:11:05.632004 servertwo dovecot[2110]: pop3-login: Login: user=, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, mpid=1247, session=
2020-02-16 07:11:05,633 fail2ban.filter         [836]: HEAVY   Looking for match of [('', '2020-02-16T07:11:05.632004', 'servertwo dovecot[2110]: pop3-login: Login: user=, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, mpid=1247, session=')]
2020-02-16 07:11:05,634 fail2ban.filter         [836]: HEAVY     Looking for prefregex '^\\s*(?:\\S+\\s+)?(?:\\S*(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\\([^\\)]+\\))?: )?(?:pam_unix(?:\\(dovecot:auth\\))?: |(?:pop3|imap)-login: )?(?:Info: )?(?P.+)$'
2020-02-16 07:11:05,634 fail2ban.filter         [836]: TRACE     Pre-filter matched {'content': 'Login: user=, method=PLAIN, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, mpid=1247, session='}
2020-02-16 07:11:05,634 fail2ban.filter         [836]: HEAVY     Looking for failregex 0 - '^authentication failure; logname=(?P\\S*) uid=\\S* euid=\\S* tty=dovecot ruser=(?P\\S*) rhost=(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:\\s+user=(?P\\S*))?\\s*$'
2020-02-16 07:11:05,634 fail2ban.filter         [836]: HEAVY     Looking for failregex 1 - '^(?:Aborted login|Disconnected)(?::(?: [^ \\(]+)+)? \\((?:auth failed, \\d+ attempts(?: in \\d+ secs)?|tried to use (?:disabled|disallowed) \\S+ auth|proxy dest auth failed)\\):(?: user=[^>]*)>,)?(?: method=\\S+,)? rip=(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:[^>]*(?:, session=)?)\\s*$'
2020-02-16 07:11:05,634 fail2ban.filter         [836]: HEAVY     Looking for failregex 2 - '^pam\\(\\S+,(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:,\\S*)?\\): pam_authenticate\\(\\) failed: (?:User not known to the underlying authentication module: \\d+ Time\\(s\\)|Authentication failure \\(password mismatch\\?\\)|Permission denied)\\s*$'
2020-02-16 07:11:05,634 fail2ban.filter         [836]: HEAVY     Looking for failregex 3 - '^[a-z\\-]{3,15}\\(\\S*,(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:,\\S*)?\\): (?:unknown user|invalid credentials|Password mismatch)\\s*$'
2020-02-16 07:11:05,769 fail2ban.filtersystemd  [836]: HEAVY   [dovecot] Read systemd journal entry: 2020-02-16T07:11:05.767861 servertwo dovecot[2110]: pop3(XXXXXXXX): Disconnected: Logged out top=0/0, retr=0/0, del=0/156, size=4501601
2020-02-16 07:11:05,769 fail2ban.filter         [836]: HEAVY   Looking for match of [('', '2020-02-16T07:11:05.767861', 'servertwo dovecot[2110]: pop3(XXXXXXXX): Disconnected: Logged out top=0/0, retr=0/0, del=0/156, size=4501601')]
2020-02-16 07:11:05,770 fail2ban.filter         [836]: HEAVY     Looking for prefregex '^\\s*(?:\\S+\\s+)?(?:\\S*(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\\([^\\)]+\\))?: )?(?:pam_unix(?:\\(dovecot:auth\\))?: |(?:pop3|imap)-login: )?(?:Info: )?(?P.+)$'
2020-02-16 07:11:05,770 fail2ban.filter         [836]: TRACE     Pre-filter matched {'content': 'pop3(XXXXXXXX): Disconnected: Logged out top=0/0, retr=0/0, del=0/156, size=4501601'}
2020-02-16 07:11:05,770 fail2ban.filter         [836]: HEAVY     Looking for failregex 0 - '^authentication failure; logname=(?P\\S*) uid=\\S* euid=\\S* tty=dovecot ruser=(?P\\S*) rhost=(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:\\s+user=(?P\\S*))?\\s*$'
2020-02-16 07:11:05,770 fail2ban.filter         [836]: HEAVY     Looking for failregex 1 - '^(?:Aborted login|Disconnected)(?::(?: [^ \\(]+)+)? \\((?:auth failed, \\d+ attempts(?: in \\d+ secs)?|tried to use (?:disabled|disallowed) \\S+ auth|proxy dest auth failed)\\):(?: user=[^>]*)>,)?(?: method=\\S+,)? rip=(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:[^>]*(?:, session=)?)\\s*$'
2020-02-16 07:11:05,770 fail2ban.filter         [836]: HEAVY     Looking for failregex 2 - '^pam\\(\\S+,(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:,\\S*)?\\): pam_authenticate\\(\\) failed: (?:User not known to the underlying authentication module: \\d+ Time\\(s\\)|Authentication failure \\(password mismatch\\?\\)|Permission denied)\\s*$'
2020-02-16 07:11:05,771 fail2ban.filter         [836]: HEAVY     Looking for failregex 3 - '^[a-z\\-]{3,15}\\(\\S*,(?:\\[?(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?[\\w\\-.^_]*\\w))(?:,\\S*)?\\): (?:unknown user|invalid credentials|Password mismatch)\\s*$'

And before the Fail2Ban restart it look like this

2020-02-01 23:51:12,749 fail2ban.actions        [31074]: WARNING [postfix-sasl] 175.6.133.182 already banned
2020-02-01 23:55:36,843 fail2ban.filter         [31074]: INFO    [postfix-sasl] Found 193.56.29.10 - 2020-02-01 23:55:36
2020-02-01 23:56:12,080 fail2ban.filter         [31074]: INFO    [postfix-sasl] Found 193.56.29.10 - 2020-02-01 23:56:12
2020-02-01 23:56:51,608 fail2ban.filter         [31074]: INFO    [postfix-sasl] Found 193.56.28.68 - 2020-02-01 23:56:51
2020-02-01 23:56:52,930 fail2ban.filter         [31074]: INFO    [postfix-sasl] Found 193.56.29.10 - 2020-02-01 23:56:52
2020-02-01 23:57:07,094 fail2ban.filter         [31074]: INFO    [postfix-sasl] Found 193.56.28.68 - 2020-02-01 23:57:07
2020-02-02 00:01:13,480 fail2ban.actions        [31074]: NOTICE  [postfix-sasl] Unban 175.6.133.182
2020-02-02 00:03:42,408 fail2ban.filter         [31074]: INFO    [postfix-sasl] Found 80.66.81.143 - 2020-02-02 00:03:42

In a week long log I had around 8000 lines before the restart. And now I get like 29000 lines in 15 minutes!

//Leffe

Yes i'm the only one managing the server!

I have not made any changes at all to Fail2Ban, just did a restart and this happened. It was when I started to look for a reason for this I noticed that the new 00-firewalld.conf was written and many files/folders had the same date.

I can't do a diff since I dont have a backup to check, our backups run twice a day with R1Softs Server backup in the data center.

And as I said, I have not changed anything... I have run Fail2Ban "out of the box", and have not added, edited or removed any rules what so ever. The only thing I changed from start was using Iptables instead of Firewalld.

//Leffe

Regarding the other issue when making changes in network that also affected Postfix probably also affects other things! This dedicated server was set up almost a year ago but has had so many strange issues that we still hasn't dared to move our customers here yet... Our own domain is the only one at the moment! And the server was also totally reinstalled after the exploit just to make sure it wasn't affected, and I also hoped the new install would get rid of all the issues with network, Postfix and other stuff... but they all came back again.

I actually have a zip I made yestarday, should I upload it here or mail it to you?

//Leffe

Can i upload a zip here? it say only txt jpg png gif.

It worked...

There are mort issues with this Fail2Ban, also some Filter Action Jails are missing settings, like ssh-ddos

Hi Ilia,

Yes the 00-firawalld.conf was "deleted"(moved) from the beginning, but I moved it back for testing, and then renamed it.

I know the banaction = is not needed, also put there during testing and I thought it would do no harm.

Are you sure yum remove fail2ban-firewalld doesn't remove other needed files as dependencies?

How can updates do this kind of changes... I doesn't feel safe to do updates any more!

//Leffe

Forgot to answer this,

Does it mean that what you have sent is not actual configuration?

Yes it's the actual config from the server, I downloaded the folder for a compare but I realized that my other servers did not have fal2ban installed.

Removed the file and removed fail2ban-firewalld and started fail2ban and the logs fill up in the same way as in post #2

I'll reboot the server and try starting fail2ban again.

Have restarted the server and have started fail2ban, and it is still the same...

Can I remove fail2ban totally and reinstall it and get a default working config?

I did start fail2ban on our local testserver and that runs perfectly just renamed the 00-firewalld.conf and started it. This version is 0.9.7

And another thing, with the version on our live server no fail2ban log gets added in Server logs. With the old version it adds it automatically.

I'll try removing the BlockTime, end the other is already removed.

It didn't help, still the same filled up logfile, and no logfile in System Logs!

The fail2ban log WAS in "System/System Logs" until I restarted fail2ban.

Is it possible to get the 0.9.7 version or the latest workin verison back because this 0.10.5 version don't seems to work!

When I check yum list fail2ban it say there is a available package, it doesn't say it is installed!??

Shall I install fail2ban???

What packages shall I install?

ServerOne don't run fail2ban, it isn't installed on that server since it wasn't by default earlier.

And I don't want to try on that server since most of our customers is on that one. ServerTwo is our new were customers from ServerOne should been transferred long time ago, but since the new ServerTwo has so many issues I haven't dared to move customers there...

And.... Thanks Ilia for all your time trying to help me out here!!!

Ilia,

It has probably something to do with some of these updates

And I DO think this is related to Virtualmin since Virtualmin has a application for controlling and managing Fail2Ban and I think Virtualmin has to keep functions in working state after a update. I have not changed anything, the only thing I did was restart fail2ban and probably "activated" the updated fail2ban.

If Virtualmin no longer will support for example fail2ban I think we has to be informed about that in a very clear way, maybe a message in control panel. I don't know what would happened if wasn't around when fail2ban had restarted! In this case I did see the problems right away and could stop fail2ban. Just doing the testings for really short time periods did sum up to BIIIIG logwatch file for the last 24 hours, the mail size was 61MB and it contained almost 238000 rows of fail2ban log data!

But enough of that... do you think we can get this running or should I just drop fail2ban totally?

Best regards, Leffe

Of course... but there is no a email from you!

I still haven't got any email, and I now has to go to a business meeting in a few minutes. If you have mailed me let me know, otherwise we have to take this a up again later today. If you have mailed me, what IP are you sending from?

You can also mark this thread as Private if you want!

oh... sorry, I thought you were talking about a email regarding logging in on our server to take a look!

I misunderstood you - Sorry!

I have answered in the other, private issue/post. And it's okay to close this issue.

Regards, Leffe