fail2ban sasl-iptables

#1 Thu, 04/02/2015 - 04:42
jancas

Hi, I have fail2ban installed and it seems to be working. However, when I check the log I notice failed logins from the same IP over and over despite it being already blocked:

Apr  2 00:13:53 server saslauthd[20681]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:13:58 server saslauthd[20680]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:02 server saslauthd[20679]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:03 server fail2ban.actions[11903]: WARNING [sasl-iptables] Ban 190.235.50.64
Apr  2 00:14:08 server saslauthd[20678]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:12 server saslauthd[20681]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:15 server saslauthd[20680]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:16 server fail2ban.actions[11903]: INFO [sasl-iptables] 190.235.50.64 already banned
Apr  2 00:14:19 server saslauthd[20679]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:24 server saslauthd[20678]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:36 server saslauthd[20681]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:37 server fail2ban.actions[11903]: INFO [sasl-iptables] 190.235.50.64 already banned
Apr  2 00:15:22 server saslauthd[20680]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:17:33 server saslauthd[20679]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:17:37 server saslauthd[20678]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:17:38 server fail2ban.actions[11903]: INFO [sasl-iptables] 190.235.50.64 already banned
Apr  2 00:17:42 server saslauthd[20681]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:17:45 server saslauthd[20680]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:17:50 server saslauthd[20681]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:17:52 server fail2ban.actions[11903]: INFO [sasl-iptables] 190.235.50.64 already banned

Today I had about 200 incidents of the same IP. Is fail2ban really blocking or not?

Thanks.
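
One way to measure this from the log itself (an added example, not part of the original post): the Python below counts, per jail and address, the "already banned" notices and the saslauthd failures logged after the ban. The function name `ban_report` and the field names are assumptions made for this example, and the sample input is an excerpt of the log lines quoted above.

```python
import re

# Excerpt of the log lines quoted in the post above.
SAMPLE_LOG = """\
Apr  2 00:13:58 server saslauthd[20680]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:02 server saslauthd[20679]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:03 server fail2ban.actions[11903]: WARNING [sasl-iptables] Ban 190.235.50.64
Apr  2 00:14:08 server saslauthd[20678]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:12 server saslauthd[20681]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:15 server saslauthd[20680]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  2 00:14:16 server fail2ban.actions[11903]: INFO [sasl-iptables] 190.235.50.64 already banned
Apr  2 00:14:19 server saslauthd[20679]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# fail2ban.actions lines in the two shapes seen in the post:
#   "... WARNING [jail] Ban <ip>"  and  "... INFO [jail] <ip> already banned"
ACTION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ fail2ban\.actions\[\d+\]: \w+ "
    r"\[(?P<jail>[^\]]+)\] (?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) (?P<again>already banned))$"
)
FAILURE_RE = re.compile(r"saslauthd\[\d+\]: do_auth\s*: auth failure:")


def ban_report(lines):
    """Map (jail, ip) to ban time, 'already banned' count and later failures."""
    report = {}
    for line in lines:
        line = line.rstrip()
        m = ACTION_RE.match(line)
        if m:
            key = (m["jail"], m["ip1"] or m["ip2"])
            # banned_since is the first action line seen for this address,
            # in case the original Ban line was rotated out of the file.
            entry = report.setdefault(
                key, {"banned_since": m["ts"], "already_banned": 0, "failures_after_ban": 0}
            )
            if m["again"]:
                entry["already_banned"] += 1
        elif FAILURE_RE.search(line):
            # saslauthd lines carry no client address, so each failure is
            # counted against every address that is banned at that point.
            for entry in report.values():
                entry["failures_after_ban"] += 1
    return report


if __name__ == "__main__":
    for (jail, ip), entry in ban_report(SAMPLE_LOG.splitlines()).items():
        print(jail, ip, entry)
```

A nonzero `already_banned` count means fail2ban's filter matched further failures from that address after the ban was issued, so connections from it were still reaching the service.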