Hi, overall my fail2ban and sendmail-auth works as expected. However, I have a problem with SOME of my users: they authenticate, can send the email and then are put in jail.
Below are the ones that show up when sending ONE email (I killed many lines that aren't needed here):
If my users send one mail, then send another mail a few minutes later, they are put in jail as I have "maxretry=5". I know I can set
but I also read that "ignoreregex" takes a performance hit. Now my questions:
And how would one detect it? From your log excerpt it is not obvious, or else you removed such lines since you "killed many lines that aren't needed here".

Anyway, there is indeed a way to do that: there are tags <F-MLFFORGET> and <F-MLFGAINED> which allow forgetting previous pending failures by multi-line parsing with <F-MLFID> with the same session ID; see an example in the sshd filter: fail2ban/config/filter.d/sshd.conf, line 61 in 10cd815. Just you must also ensure to capture the user name (tag <F-USER>) to avoid the situation that a user with an account (able to authenticate) is firstly trying to brute-force another account of other users (see #2102 (comment) for details). If fail2ban sees different users in the attempts it would not ignore/forget such failures.

Or better use a more precise expression which would produce no match on those lines, e.g. like in mode extra/aggressive in the sendmail-reject filter, for instance.
You would need to find the differences between such messages from attempts of legitimate users and from the bots; if there is no such difference it is impossible to use this RE without considering false positives. Another way is to increase maxretry (and probably findtime), but it could nevertheless generate failures for legitimate users later, once they send more mails.
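To make the mechanism in the reply above concrete, here is an added example that is not fail2ban's own code and not posted by anyone in this thread. It replays constructed, simplified sendmail-like log lines (the line format is an assumption for illustration, not real sendmail output) and models what the <F-MLFID>, <F-MLFFORGET>/<F-MLFGAINED> and <F-USER> tags achieve: failures are held per session, a successful authentication in the same session forgets them, but only when every pending failure was for the account that finally got in. The regexes, the sample lines and the evaluate() function are all assumptions of this example; they show why dropping the user capture (capture_user=False) would also forgive an account holder who first probed other accounts.

```python
import re
from collections import defaultdict

# Constructed, simplified sendmail-like lines (NOT real sendmail output).
# The queue id after the pid plays the role of the per-session id that
# <F-MLFID> would capture in a real fail2ban filter.
SAMPLE_LOG = """\
sm-mta[100]: 3A1Bx00001: AUTH failure (LOGIN): checkpass failed, user=alice, relay=[192.0.2.10]
sm-mta[100]: 3A1Bx00001: AUTH failure (LOGIN): checkpass failed, user=alice, relay=[192.0.2.10]
sm-mta[100]: 3A1Bx00001: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN
sm-mta[101]: 3A1Bx00002: AUTH failure (LOGIN): checkpass failed, user=bob, relay=[198.51.100.7]
sm-mta[101]: 3A1Bx00002: AUTH failure (LOGIN): checkpass failed, user=carol, relay=[198.51.100.7]
sm-mta[101]: 3A1Bx00002: AUTH=server, relay=[198.51.100.7], authid=mallory, mech=LOGIN
sm-mta[102]: 3A1Bx00003: AUTH failure (LOGIN): checkpass failed, user=root, relay=[203.0.113.5]
sm-mta[102]: 3A1Bx00003: AUTH failure (LOGIN): checkpass failed, user=root, relay=[203.0.113.5]
sm-mta[102]: 3A1Bx00003: AUTH failure (LOGIN): checkpass failed, user=root, relay=[203.0.113.5]
sm-mta[102]: 3A1Bx00003: AUTH failure (LOGIN): checkpass failed, user=root, relay=[203.0.113.5]
sm-mta[102]: 3A1Bx00003: AUTH failure (LOGIN): checkpass failed, user=root, relay=[203.0.113.5]
"""

# Failure line: stands in for a failregex carrying <F-MLFID>, <F-USER> and <HOST>.
FAIL_RE = re.compile(
    r"(?P<mlfid>\w+): AUTH failure \(\w+\): checkpass failed, "
    r"user=(?P<user>[^,]+), relay=\[(?P<host>[^\]]+)\]$"
)
# Success line: stands in for the <F-MLFFORGET><F-MLFGAINED> ... <F-USER> line.
GAIN_RE = re.compile(
    r"(?P<mlfid>\w+): AUTH=server, relay=\[(?P<host>[^\]]+)\], "
    r"authid=(?P<user>\S+), mech="
)


def evaluate(log_text, maxretry=5, capture_user=True):
    """Replay the log; return (failures counted per host, set of hosts to ban).

    capture_user=False models a filter without the <F-USER> tag: the filter
    then cannot tell that the pending failures were for other accounts, so a
    later success in the same session forgets all of them.
    """
    pending = defaultdict(list)   # (host, session id) -> users that failed in that session
    failures = defaultdict(int)   # host -> failures that count toward maxretry
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user = m["user"] if capture_user else None
            pending[(m["host"], m["mlfid"])].append(user)
            continue
        m = GAIN_RE.search(line)
        if m:
            attempted = pending.pop((m["host"], m["mlfid"]), [])
            gained = m["user"] if capture_user else None
            # Forget the pending failures only if all of them were for the
            # account that actually got in; otherwise they count.
            if any(u != gained for u in attempted):
                failures[m["host"]] += len(attempted)
    # Sessions that never gained access keep their failures.
    for (host, _sid), attempted in pending.items():
        failures[host] += len(attempted)
    banned = {host for host, n in failures.items() if n >= maxretry}
    return dict(failures), banned


if __name__ == "__main__":
    for capture in (True, False):
        fails, banned = evaluate(SAMPLE_LOG, capture_user=capture)
        print(f"capture_user={capture}: failures={fails} banned={sorted(banned)}")
```

With the user name captured, alice's two typos before a successful login from 192.0.2.10 are forgotten, the two failures for bob and carol followed by a login as mallory from 198.51.100.7 stay counted, and the five failures from 203.0.113.5 with no success reach maxretry. Without the user capture the 198.51.100.7 session is forgiven as well, which is the false negative the reply warns about.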