Koozali.org: home of the SME Server

fail2ban jail

Offline Mace

  • **
  • 65
  • +0/-0
fail2ban jail
« on: September 11, 2021, 07:30:43 PM »
Is it intended behavior for fail2ban to release all inmates on reboot? Seems my list of jailed IPs in the fail2ban server-manager section is empty after every reconfigure & reboot. Or could it be that the jailed list doesn't show in its server-manager panel after a reboot until another IP is jailed?

Offline TerryF

  • grumpy old man
  • *
  • 1,821
  • +6/-0
Re: fail2ban jail
« Reply #1 on: September 11, 2021, 10:18:25 PM »
Do not have a definitive answer, suspect it is by design.

Fail2ban docs do talk about persistence and the conf settings for same, thats it.
--
qui scribit bis legit

Offline TerryF

  • grumpy old man
  • *
  • 1,821
  • +6/-0
Re: fail2ban jail
« Reply #2 on: September 12, 2021, 12:38:46 AM »
and just found a bug in smeserver-fail2ban where service fails on a reboot, look for update shortly
--
qui scribit bis legit

Offline Mace

  • **
  • 65
  • +0/-0
Re: fail2ban jail
« Reply #3 on: September 12, 2021, 05:12:54 AM »
and just found a bug in smeserver-fail2ban where service fails on a reboot, look for update shortly

Thanks for checking. :)

Offline TerryF

  • grumpy old man
  • *
  • 1,821
  • +6/-0
Re: fail2ban jail
« Reply #4 on: September 12, 2021, 06:03:06 AM »
See Bugs 11586 and 11636

rpm has been patched and updated, however when a full # signal-event post-upgrade; signal-event reboot  is issued service fails to start

issue a ]# systemctl restart fail2ban back up again

and if a straight # reboot is issued its all good, some digging needed
--
qui scribit bis legit

Offline TerryF

  • grumpy old man
  • *
  • 1,821
  • +6/-0
Re: fail2ban jail
« Reply #5 on: September 12, 2021, 06:19:25 AM »
OK, its a known issue going back many years to do with old logrotate esmith script pre logrotate.d its all about the timing, so more the mote in the eye and needs some delicate surgery, in the meantime just beaware of the behaviour
--
qui scribit bis legit

Offline sages

  • *
  • 182
  • +0/-0
    • http://www.sages.com.au
Re: fail2ban jail
« Reply #6 on: September 12, 2021, 09:34:15 AM »
I'm having trouble reaching bugzilla so I'll put this here and update bugzilla when  I can get into it again.

I'm not sure that fail2ban is working to ban an IP properly. Attached log snippets below. Specifically for IP 23.227.203.129
in this example.

It gets detected by fail2ban after 9 attempts, then logs it as banned at 13:50:43 and then unbans it at 14:51:05
Both fail2ban and messages log confirm this.

However sqsmtpd shows the initial attempts prior to 13:50 but also two failed connections at 14:07, whilst it should be banned.
[edit] log now denylog.log rather than current

Unfortunately there doesn't seem to be any log updates for iptables (there was on sme9.2) to show what changes (if any) were done to iptables.

No entry in the denylog for 23.227.203.129 at 14:07



/var/log/fail2ban

2021-09-12 13:33:02,321 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 177.87.68.195 - 2021-09-12 13:33:12
2021-09-12 13:49:31,621 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:49:41
2021-09-12 13:49:32,227 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:49:42
2021-09-12 13:49:52,460 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:50:02
2021-09-12 13:49:52,869 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:50:02
2021-09-12 13:50:13,511 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:50:23
2021-09-12 13:50:13,715 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:50:23
2021-09-12 13:50:34,152 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:50:43
2021-09-12 13:50:34,558 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:50:44
2021-09-12 13:50:54,798 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:51:04
2021-09-12 13:50:54,970 fail2ban.actions        [769]: NOTICE  [qpsmtpd] Ban 23.227.203.129
2021-09-12 13:50:54,975 fail2ban.filter         [769]: INFO    [recidive] Found 23.227.203.129 - 2021-09-12 13:50:54
2021-09-12 13:50:55,406 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 13:51:05
2021-09-12 13:51:04,644 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 161.35.22.8 - 2021-09-12 13:51:14
2021-09-12 13:51:25,512 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 157.230.127.86 - 2021-09-12 13:51:35
2021-09-12 14:05:12,633 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 142.54.174.178 - 2021-09-12 14:05:22
2021-09-12 14:05:12,639 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 142.54.174.178 - 2021-09-12 14:05:22
2021-09-12 14:07:13,258 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 14:07:22
2021-09-12 14:07:13,260 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 23.227.203.129 - 2021-09-12 14:07:22

2021-09-12 14:13:57,626 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 177.53.164.179 - 2021-09-12 14:14:07
2021-09-12 14:30:49,564 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 188.166.18.165 - 2021-09-12 14:30:59
2021-09-12 14:47:27,240 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 161.35.22.8 - 2021-09-12 14:47:37
2021-09-12 14:48:43,986 fail2ban.filter         [769]: INFO    [qpsmtpd] Found 157.230.127.86 - 2021-09-12 14:48:53
2021-09-12 14:51:05,642 fail2ban.actions        [769]: NOTICE  [qpsmtpd] Unban 23.227.203.129

/var/log/messages

Sep 12 10:21:20 fwbox kernel: [266336.580720] md: md11: data-check done.
Sep 12 13:50:55 fwbox /sbin/e-smith/smeserver-fail2ban[29369]: /home/e-smith/db/fail2ban: OLD bkiv8zmtstnio15=(undefined)
Sep 12 13:50:55 fwbox /sbin/e-smith/smeserver-fail2ban[29369]: /home/e-smith/db/fail2ban: NEW bkiv8zmtstnio15=ban|BanTimestamp|1631425855|Host|23.227.203.129|Port|25,465|Protocol|tcp|UnbanTimestamp|1631429455
Sep 12 13:50:55 fwbox esmith::event[29370]: Processing event: fail2ban-update
Sep 12 13:50:55 fwbox esmith::event[29370]: Running event handler: /etc/e-smith/events/actions/generic_template_expand
Sep 12 13:50:55 fwbox esmith::event[29370]: expanding /etc/rc.d/init.d/masq
Sep 12 13:50:56 fwbox esmith::event[29370]: generic_template_expand=action|Event|fail2ban-update|Action|generic_template_expand|Start|1631425855 425199|End|1631425856 582912|Elapsed|1.157713
Sep 12 13:50:56 fwbox esmith::event[29370]: Running event handler: /etc/e-smith/events/actions/adjust-services
Sep 12 13:50:56 fwbox esmith::event[29370]: adjusting non-supervised masq (start)
Sep 12 13:50:56 fwbox esmith::event[29370]: adjusting non-supervised masq (adjust)
Sep 12 13:50:58 fwbox esmith::event[29370]: adjust-services=action|Event|fail2ban-update|Action|adjust-services|Start|1631425856 583348|End|1631425858 690446|Elapsed|2.107098
Sep 12 14:51:05 fwbox /sbin/e-smith/smeserver-fail2ban[1652]: /home/e-smith/db/fail2ban: DELETE bkiv8zmtstnio15=ban|BanTimestamp|1631425855|Host|23.227.203.129|Port|25,465|Protocol|tcp|UnbanTimestamp|1631429455
Sep 12 14:51:06 fwbox esmith::event[1654]: Processing event: fail2ban-update
Sep 12 14:51:06 fwbox esmith::event[1654]: Running event handler: /etc/e-smith/events/actions/generic_template_expand
Sep 12 14:51:06 fwbox esmith::event[1654]: expanding /etc/rc.d/init.d/masq
Sep 12 14:51:06 fwbox esmith::event[1654]: generic_template_expand=action|Event|fail2ban-update|Action|generic_template_expand|Start|1631429466 53193|End|1631429466 596901|Elapsed|0.543708
Sep 12 14:51:06 fwbox esmith::event[1654]: Running event handler: /etc/e-smith/events/actions/adjust-services
Sep 12 14:51:06 fwbox esmith::event[1654]: adjusting non-supervised masq (start)
Sep 12 14:51:06 fwbox esmith::event[1654]: adjusting non-supervised masq (adjust)
Sep 12 14:51:07 fwbox esmith::event[1654]: adjust-services=action|Event|fail2ban-update|Action|adjust-services|Start|1631429466 597340|End|1631429467 733837|Elapsed|1.136497

/var/log/sqpsmtpd

2021-09-12 14:07:12.885886500 29368 (connect) tls: fail, unable to establish SSL
2021-09-12 14:07:12.885889500 29373 (connect) tls: fail, unable to establish SSL
2021-09-12 14:07:12.885891500 29368 (deny) logging::logterse: ` 23.227.203.129   23-227-203-129.static.hvvc.us            tls   903   Cannot establish SSL session   msg denied before queued
2021-09-12 14:07:12.885894500 29373 (deny) logging::logterse: ` 23.227.203.129   23-227-203-129.static.hvvc.us            tls   903   Cannot establish SSL session   msg denied before queued

2021-09-12 14:07:12.885897500 29368 Lost connection to client, cannot send response.
2021-09-12 14:07:12.885940500 29373 Lost connection to client, cannot send response.
2021-09-12 14:07:12.885942500 29368 click, disconnecting
2021-09-12 14:07:12.885942500 29373 click, disconnecting
2021-09-12 14:07:13.000863500 1951 cleaning up after 29368
2021-09-12 14:07:13.000920500 1951 cleaning up after 29373

« Last Edit: September 12, 2021, 09:46:08 AM by sages »
...

Offline sages

  • *
  • 182
  • +0/-0
    • http://www.sages.com.au
Re: fail2ban jail
« Reply #7 on: September 12, 2021, 09:52:41 AM »
/var/log/denylog shows denied connections after the ban but nothing around the 14:07 time

Sep 12 13:51:15 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29023 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176081 ACK=706028482 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:15 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=103 ID=29024 DF PROTO=TCP SPT=61260 DPT=465 SEQ=2764752210 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:15 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29025 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600938 ACK=3629955700 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:15 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29026 DF PROTO=TCP SPT=61309 DPT=465 SEQ=1908225275 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:16 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29027 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176081 ACK=706028482 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:16 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29028 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600938 ACK=3629955700 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:17 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29029 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176081 ACK=706028482 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:18 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29030 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600938 ACK=3629955700 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:18 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=103 ID=29031 DF PROTO=TCP SPT=61260 DPT=465 SEQ=2764752210 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:18 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29032 DF PROTO=TCP SPT=61309 DPT=465 SEQ=1908225275 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:21 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29033 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176081 ACK=706028482 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:21 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29034 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600938 ACK=3629955700 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:24 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=29035 DF PROTO=TCP SPT=61260 DPT=465 SEQ=2764752210 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:24 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=105 ID=29036 DF PROTO=TCP SPT=61309 DPT=465 SEQ=1908225275 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:27 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29037 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176081 ACK=706028482 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:27 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29038 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600938 ACK=3629955700 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:40 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29043 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176081 ACK=706028482 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:40 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29044 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600938 ACK=3629955700 WINDOW=256 ACK FIN URGP=0 MARK=0
Sep 12 13:51:59 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29053 DF PROTO=TCP SPT=64332 DPT=465 SEQ=4032361106 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:51:59 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29054 DF PROTO=TCP SPT=64346 DPT=465 SEQ=3056647133 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:02 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29055 DF PROTO=TCP SPT=64332 DPT=465 SEQ=4032361106 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:02 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29056 DF PROTO=TCP SPT=64346 DPT=465 SEQ=3056647133 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:05 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=105 ID=29057 DF PROTO=TCP SPT=59760 DPT=465 SEQ=2629600939 ACK=3629955700 WINDOW=0 ACK RST URGP=0 MARK=0
Sep 12 13:52:05 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=40 TOS=00 PREC=0x00 TTL=103 ID=29058 DF PROTO=TCP SPT=59731 DPT=465 SEQ=824176082 ACK=706028482 WINDOW=0 ACK RST URGP=0 MARK=0
Sep 12 13:52:08 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=105 ID=29059 DF PROTO=TCP SPT=64332 DPT=465 SEQ=4032361106 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:08 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=105 ID=29060 DF PROTO=TCP SPT=64346 DPT=465 SEQ=3056647133 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:43 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29073 DF PROTO=TCP SPT=50859 DPT=465 SEQ=1306259595 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:43 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29074 DF PROTO=TCP SPT=50860 DPT=465 SEQ=4083809190 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:46 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29075 DF PROTO=TCP SPT=50859 DPT=465 SEQ=1306259595 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:46 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29076 DF PROTO=TCP SPT=50860 DPT=465 SEQ=4083809190 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:52 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=105 ID=29077 DF PROTO=TCP SPT=50859 DPT=465 SEQ=1306259595 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:52:52 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=105 ID=29078 DF PROTO=TCP SPT=50860 DPT=465 SEQ=4083809190 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:53:28 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29092 DF PROTO=TCP SPT=54658 DPT=465 SEQ=1157017562 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:53:28 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=103 ID=29091 DF PROTO=TCP SPT=54657 DPT=465 SEQ=253093698 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:53:31 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=105 ID=29094 DF PROTO=TCP SPT=54658 DPT=465 SEQ=1157017562 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:53:31 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=52 TOS=02 PREC=0x00 TTL=103 ID=29093 DF PROTO=TCP SPT=54657 DPT=465 SEQ=253093698 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:53:37 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=105 ID=29096 DF PROTO=TCP SPT=54658 DPT=465 SEQ=1157017562 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Sep 12 13:53:37 fwbox denylog: IN=enp2s0 OUT= MAC=78:24:af:84:9a:56:b0:be:76:e9:d4:47:08:00 SRC=23.227.203.129 DST=192.168.128.1 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=29095 DF PROTO=TCP SPT=54657 DPT=465 SEQ=253093698 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0

...

Offline sages

  • *
  • 182
  • +0/-0
    • http://www.sages.com.au
Re: fail2ban jail
« Reply #8 on: September 12, 2021, 10:22:32 AM »
fwiw am trying to test using netcat from external vps and so far have triggered fail2ban and the external site is currently blocked as expected.
Waited ~ 20 min and tested to see if still banned. Still banned and no log entry in sqsmtpd log but deny log entry in denylog.log as expected.
I'll keep an eye on logs to see if the issue appears again.

For anyone else trying to test a connection I used netcat as follows:
nc -z -v external.ip.addr port

...