
fail2ban 0.9.6 stopped working on CentOS 6.8 after timezone update to tzdata2017c #1959

Closed
Fratotec opened this issue Nov 6, 2017 · 4 comments

Fratotec commented Nov 6, 2017

I used fail2ban 0.9.4 until October 17, 2017 without issues.
Coincidence or not, on October 17th I updated the tzdata to 2017b due to the daylight saving time switch, and after this, fail2ban stopped working.
tzdata changed from the previous version the way the timezone is displayed (now -02 instead of BRT / BRST).
I rolled back to a 2016 version, without change.
Now I updated again to the latest available for this rather old distro (tzdata 2017c and fail2ban 0.9.6 now).

What happens is that no login attempts get detected anymore.
fail2ban-regex for Dovecot, for example, shows 3980 hits:

fail2ban-regex  /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : UTF-8


Results
=======

Failregex: 3980 total
|-  #) [# of hits] regular expression
|   2) [3980] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [62806] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 62806 lines, 0 ignored, 3980 matched, 58826 missed
[processed in 16.08 sec]

and this is the output from the client:

 fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

No failed logins get detected.
I already tried the DEBUG option, but the output is really huge, and I'm not sure where to look.
I also tried to force backends (polling and gamin), no change either.

Any clues?

sebres commented Nov 6, 2017

Please try the verbose variant:

fail2ban-regex  -vvv /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

Then you'll be able to see the date-time fail2ban has really recognized.
If the timezone is not present in the log line (please provide an excerpt), fail2ban assumes the system time zone is used.
Normally your fail2ban should work in the same timezone as the other services.
But ATM you've not provided any examples...

Please see also #1804 (comment)

> fail2ban-regex for Dovecot for example shows 3980 hits...:

Please note that fail2ban will ban only failures that occurred maxretry times since now - findtime...

Fratotec commented Nov 6, 2017

OK, I extracted some failures from the huge maillog...

Nov  6 13:07:25 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:07:42 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:07:59 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:08:16 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:08:33 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:08:50 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:09:07 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:09:24 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:09:42 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:09:59 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189

and ran fail2ban-regex on that list...

fail2ban-regex -vvv /etc/fail2ban.bkp/authfail1.log /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         log file : /etc/fail2ban.bkp/authfail1.log
Use         encoding : UTF-8


Results
=======

Failregex: 10 total
|-  #) [# of hits] regular expression
|   1) [0] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pam_unix(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
|   2) [10] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
|      200.20.3.234  Mon Nov 06 13:07:25 2017
|      200.20.3.234  Mon Nov 06 13:07:42 2017
|      200.20.3.234  Mon Nov 06 13:07:59 2017
|      200.20.3.234  Mon Nov 06 13:08:16 2017
|      200.20.3.234  Mon Nov 06 13:08:33 2017
|      200.20.3.234  Mon Nov 06 13:08:50 2017
|      200.20.3.234  Mon Nov 06 13:09:07 2017
|      200.20.3.234  Mon Nov 06 13:09:24 2017
|      200.20.3.234  Mon Nov 06 13:09:42 2017
|      200.20.3.234  Mon Nov 06 13:09:59 2017
|   3) [0] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
|   4) [0] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
|   5) [0] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
|  [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 10 lines, 0 ignored, 10 matched, 0 missed
[processed in 0.00 sec]

The findtime is 5 mins and maxretry is 3, so it should have triggered.

 fail2ban-client -dvv
INFO   Loading configs for fail2ban under /etc/fail2ban
DEBUG  Reading configs for fail2ban under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/fail2ban.conf
INFO     Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO     Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
INFO   Loading configs for jail under /etc/fail2ban
DEBUG  Reading configs for jail under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
INFO     Loading files: ['/etc/fail2ban/jail.conf']
INFO     Loading files: ['/etc/fail2ban/paths-fedora.conf']
INFO     Loading files: ['/etc/fail2ban/paths-common.conf']
INFO     Loading files: ['/etc/fail2ban/paths-overrides.local']
INFO     Loading files: ['/etc/fail2ban/jail.local']
INFO     Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
INFO   Loading configs for filter.d/postfix under /etc/fail2ban
DEBUG  Reading configs for filter.d/postfix under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/filter.d/postfix.conf
INFO     Loading files: ['/etc/fail2ban/filter.d/postfix.conf']
INFO     Loading files: ['/etc/fail2ban/filter.d/common.conf']
INFO     Loading files: ['/etc/fail2ban/filter.d/common.local']
INFO     Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/postfix.conf']
INFO   Loading configs for action.d/iptables-multiport under /etc/fail2ban
DEBUG  Reading configs for action.d/iptables-multiport under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/action.d/iptables-multiport.conf
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-multiport.conf']
INFO   Loading configs for filter.d/dovecot under /etc/fail2ban
DEBUG  Reading configs for filter.d/dovecot under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/filter.d/dovecot.conf
INFO     Loading files: ['/etc/fail2ban/filter.d/dovecot.conf']
INFO     Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/dovecot.conf']
INFO   Loading configs for filter.d/postfix-sasl under /etc/fail2ban
DEBUG  Reading configs for filter.d/postfix-sasl under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/filter.d/postfix-sasl.conf
INFO     Loading files: ['/etc/fail2ban/filter.d/postfix-sasl.conf']
INFO     Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/postfix-sasl.conf']
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
['add', 'postfix', 'auto']
['set', 'postfix', 'usedns', 'warn']
['set', 'postfix', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix', 'maxretry', 3]
['set', 'postfix', 'addignoreip', '127.0.0.1/8']
['set', 'postfix', 'addignoreip', '192.168.0.0/16']
['set', 'postfix', 'logencoding', 'auto']
['set', 'postfix', 'bantime', 3600]
['set', 'postfix', 'ignorecommand', '']
['set', 'postfix', 'findtime', 600]
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 554 5\\.7\\.1 .*$']
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 Client host rejected: cannot find your hostname, (\\[\\S*\\]); from=<\\S*> to=<\\S+> proto=ESMTP helo=<\\S*>$']
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$']
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?NOQUEUE: reject: EHLO from \\S+\\[<HOST>\\]: 504 5\\.5\\.2 <\\S+>: Helo command rejected: need fully-qualified hostname;']
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?NOQUEUE: reject: VRFY from \\S+\\[<HOST>\\]: 550 5\\.1\\.1 .*$']
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.1\\.8 <\\S*>: Sender address rejected: Domain not found; from=<\\S*> to=<\\S+> proto=ESMTP helo=<\\S*>$']
['set', 'postfix', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?improper command pipelining after \\S+ from [^[]*\\[<HOST>\\]:?$']
['set', 'postfix', 'addaction', 'iptables-multiport']
['set', 'postfix', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'postfix', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'postfix', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'postfix', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'postfix', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'postfix', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'postfix', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'postfix', 'action', 'iptables-multiport', 'lockingopt', '']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'postfix', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix', 'action', 'iptables-multiport', 'known/lockingopt', '']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'postfix', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/lockingopt', '']
['set', 'postfix', 'action', 'iptables-multiport', 'port', 'smtp,465,submission']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'postfix', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'postfix', 'action', 'iptables-multiport', 'bantime', '3600']
['set', 'postfix', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'postfix', 'action', 'iptables-multiport', 'known/__name__', 'Init']
['set', 'postfix', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'postfix', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/__name__', 'Init']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'postfix', 'action', 'iptables-multiport', 'name', 'postfix']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'postfix', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'postfix', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'postfix', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['add', 'dovecot', 'auto']
['set', 'dovecot', 'usedns', 'warn']
['set', 'dovecot', 'addlogpath', '/var/log/maillog', 'head']
['set', 'dovecot', 'maxretry', 3]
['set', 'dovecot', 'addignoreip', '127.0.0.1/8']
['set', 'dovecot', 'addignoreip', '192.168.0.0/16']
['set', 'dovecot', 'logencoding', 'auto']
['set', 'dovecot', 'bantime', 3600]
['set', 'dovecot', 'ignorecommand', '']
['set', 'dovecot', 'findtime', 600]
['set', 'dovecot', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:pam_unix(?:\\(dovecot:auth\\))?:)?\\s+authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=dovecot ruser=\\S* rhost=<HOST>(?:\\s+user=\\S*)?\\s*$']
['set', 'dovecot', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \\(]+)+)? \\((?:auth failed, \\d+ attempts( in \\d+ secs)?|tried to use (disabled|disallowed) \\S+ auth)\\):( user=<[^>]+>,)?( method=\\S+,)? rip=<HOST>(?:, lip=\\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\\(\\) failed: error:[\\dA-F]+:SSL routines:[TLS\\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\\S+>)?\\s*$']
['set', 'dovecot', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:Info|dovecot: auth\\(default\\)|auth-worker\\(\\d+\\)): pam\\(\\S+,<HOST>\\): pam_authenticate\\(\\) failed: (User not known to the underlying authentication module: \\d+ Time\\(s\\)|Authentication failure \\(password mismatch\\?\\))\\s*$']
['set', 'dovecot', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:auth|auth-worker\\(\\d+\\)): (?:pam|passwd-file)\\(\\S+,<HOST>\\): unknown user\\s*$']
['set', 'dovecot', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:auth|auth-worker\\(\\d+\\)): Info: ldap\\(\\S*,<HOST>,\\S*\\): invalid credentials\\s*$']
['set', 'dovecot', 'addaction', 'iptables-multiport']
['set', 'dovecot', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'dovecot', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'dovecot', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'dovecot', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'dovecot', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'dovecot', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'dovecot', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'dovecot', 'action', 'iptables-multiport', 'lockingopt', '']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'dovecot', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/lockingopt', '']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/lockingopt', '']
['set', 'dovecot', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps,submission,465,sieve']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'dovecot', 'action', 'iptables-multiport', 'bantime', '3600']
['set', 'dovecot', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/__name__', 'Init']
['set', 'dovecot', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/__name__', 'Init']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'dovecot', 'action', 'iptables-multiport', 'name', 'dovecot']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'dovecot', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl', 'logencoding', 'auto']
['set', 'postfix-sasl', 'bantime', 3600]
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'findtime', 600]
['set', 'postfix-sasl', 'addignoreregex', 'authentication failed: Connection lost to authentication server$']
['set', 'postfix-sasl', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?warning: [-._\\w]+\\[<HOST>\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\\s*$']
['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'lockingopt', '']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/lockingopt', '']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/lockingopt', '']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'port', 'smtp,465,submission,imap3,imaps,pop3,pop3s']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'bantime', '3600']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/__name__', 'Init']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/__name__', 'Init']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'name', 'postfix-sasl']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['start', 'postfix']
['start', 'dovecot']
['start', 'postfix-sasl']

But #1804 brought me to something:
my debug output looks like this...

2017-11-06 **14:52:51,**149 fail2ban.datedetector [10477]: DEBUG Got time 1509983571.000000 for "u'Nov 6 13:52:51'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?

So the time of the fail2ban log and the detected time really differ by 1 hour.
This is a simple physical server, no VM, no Docker.
The "date" command shows
Mon Nov 6 15:11:41 -02 2017
We are in Brazil Eastern daylight saving time... so GMT-2 is correct.
Before the DST update in October, the date showed as "Mon Nov 6 15:11:41 BRT 2017"...
But actually, dovecot and fail2ban run in the same timezone.
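
The one-hour gap above is enough to explain the empty "Total failed" counter. The following added example (mine, not fail2ban's code) re-implements the rule sebres gave, that only failures since now - findtime count, on top of a simplified date template and Dovecot failregex (both assumptions here, not the project's patterns), and runs the same log lines against a daemon clock that agrees with the logger and one that is an hour ahead of it, as happens when rsyslog keeps writing standard time after the DST switch.

```python
"""Why a lagging syslog clock defeats fail2ban's findtime/maxretry window.

Added example for this thread, not fail2ban's own code. The date template,
the failregex and the counting rule are simplified stand-ins (assumptions).
"""
import re
from datetime import datetime, timedelta, timezone

# The thread's system zone after the tzdata update ("-02").
TZ = timezone(timedelta(hours=-2))

# Constructed sample in the page's own format: syslog stamps carry neither
# year nor zone. Four real failures plus one successful login (192.0.2.10
# is a documentation address) that the failregex must not count.
SAMPLE_LOG = """\
Nov  6 13:07:25 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:07:42 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:07:50 fwvmg dovecot: pop3-login: Login: user=<andrey>, method=PLAIN, rip=192.0.2.10, lip=177.159.104.189
Nov  6 13:07:59 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
Nov  6 13:08:16 fwvmg dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<andrey>, method=PLAIN, rip=200.20.3.234, lip=177.159.104.189
"""

# Simplified "MON Day 24hour:Minute:Second" template and Dovecot failregex.
DATE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")
FAIL_RE = re.compile(
    r"(?:pop3|imap)-login: (?:Aborted login|Disconnected) "
    r"\(auth failed, \d+ attempts(?: in \d+ secs)?\):.*? rip=(?P<host>[0-9.]+)"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_failure(line, year=2017):
    """Return (aware datetime, host) for a failure line, or None.

    The stamp has no zone, so, as fail2ban does, it is read in the system
    zone; it has no year either, so one is supplied (2017 assumed here).
    """
    d = DATE_RE.match(line)
    f = FAIL_RE.search(line)
    if d is None or f is None:
        return None
    hh, mm, ss = (int(x) for x in d["time"].split(":"))
    when = datetime(year, MONTHS[d["mon"]], int(d["day"]), hh, mm, ss, tzinfo=TZ)
    return when, f["host"]


def would_ban(log, now_iso, findtime=600, maxretry=3):
    """Hosts whose failures since now - findtime reach maxretry.

    now_iso is the daemon's clock as an ISO 8601 string with offset. This is
    a flat count inside the window, a simplification of fail2ban's failure
    manager that is enough to show the effect of the clock gap.
    """
    now = datetime.fromisoformat(now_iso)
    window_start = now - timedelta(seconds=findtime)
    counts = {}
    for line in log.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        when, host = parsed
        if window_start <= when <= now:
            counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


def main():
    # Logger and daemon agree: the last failure is stamped 13:08:16 and the
    # daemon's clock reads 13:08:30, so all four failures sit inside 600 s.
    print("clocks in sync  :", would_ban(SAMPLE_LOG, "2017-11-06T13:08:30-02:00"))
    # rsyslog still on standard time stamps the same events an hour early;
    # the daemon, whose clock reads 14:08:30, sees only failures older than
    # findtime and never reaches maxretry, exactly the symptom in the thread.
    print("logger 1h behind:", would_ban(SAMPLE_LOG, "2017-11-06T14:08:30-02:00"))


if __name__ == "__main__":
    main()
```

A quick way to confirm the same thing on a live box is to compare the latest stamp in the log with `date` while the daemon is running: a constant offset of a whole hour points at the logger's clock, not at the filter.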

Fratotec commented Nov 6, 2017

Problem solved!!
It was rsyslog.
It wasn't restarted after the DST switch, and was still logging standard time...
After restarting rsyslog:

Nov  6 14:22:22 fwvmg kernel: Kernel logging (proc) stopped.
Nov  6 14:22:22 fwvmg rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1532" x-info="http://www.rsyslog.com"] exiting on signal 15.
Nov  6 15:22:22 fwvmg kernel: imklog 4.6.2, log source = /proc/kmsg started.
Nov  6 15:22:22 fwvmg rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="14849" x-info="http://www.rsyslog.com"] (re)start

the logs are now on the correct hour,
and fail2ban picked up immediately...

2017-11-06 15:19:34,638 fail2ban.jail           [14483]: INFO    Jail 'dovecot' started
2017-11-06 15:19:34,642 fail2ban.jail           [14483]: INFO    Jail 'postfix-sasl' started
2017-11-06 15:22:30,101 fail2ban.filter         [14483]: INFO    [postfix-sasl] Found 177.43.213.86
2017-11-06 15:23:09,409 fail2ban.filter         [14483]: INFO    [postfix-sasl] Found 191.96.249.70
2017-11-06 15:23:10,409 fail2ban.filter         [14483]: INFO    [postfix-sasl] Found 190.145.154.149
2017-11-06 15:23:29,018 fail2ban.filter         [14483]: INFO    [postfix-sasl] Found 191.96.249.63
2017-11-06 15:23:49,101 fail2ban.filter         [14483]: INFO    [postfix-sasl] Found 191.96.249.63

sebres commented Nov 6, 2017

Glad you've found it. Thus let's close the issue...
