Fail2ban Problem


Hello list, I’m trying to set up fail2ban, especially the sasl action, but I’m facing problems. I have CentOS-release-5-9.el5.CentOS.1
and fail2ban-0.8.7.1-1.el5.rf installed, with SELinux disabled.

The errors I get are:
INFO Creating new jail 'sasl-iptables'
fail2ban.comm : WARNING Invalid command: ['add', 'sasl-iptables', 'polling']

I tried gamin against polling but I get the same error. The strange thing is that if I enable the SSH action, it starts with no problem. So it appears to be a problem with the sasl action, which is:

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables-multiport[name=sasl, port="imap,imaps,pop3,pop3s,smtp", protocol=tcp]
         sendmail-whois[name=sasl, dest=my@email]
logpath = /var/log/maillog

I have the same setup on several mail servers (Fedora and CentOS 6 distros)
and all work fine.

Has anyone faced the same problem?

Thank you in advance.



7 thoughts on - Fail2ban Problem

  • Yes it doesn’t!
    I have never worked with strace. Any suggestions?

    Thank you



  • I run strace -s 512 -f -F -p 9406
    9406 is fail2ban-server pid

    9406 poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP|POLLNVAL}], 1, 30000) = 0 (Timeout)

    I think that the problem is not in the server but in the way actions are “attached”
    to iptables. Python maybe?

    Thanks again…



  • I’m using fail2ban from EPEL since I didn’t have any luck with the package from RPMForge. I standardize on using EPEL if I can (but another admin installed the rpmforge repo earlier).

    I had to tweak the regex for the sasl filter to get it to match failed sasl auth attempts though (EPEL package).

    ]# grep failregex /etc/fail2ban/filter.d/sasl.conf
    # Option: failregex
    #failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/\s]*={0,2})?$

    I believe this is exactly what I saw before I bailed on the rpmforge fail2ban packages.

    You don’t need to set it to gamin … the sasl jail (by default) is set to polling (and this works with the EPEL package).


    —~~.~~—
    Mike
    // SilverTip257 //
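
The effect of the `\s` tweak in the comment above, shown as an added example (not code from the thread or from fail2ban): both failregex variants are run over constructed Postfix maillog lines to see which client addresses each one catches. It assumes fail2ban's `<HOST>` tag sits between the escaped brackets, and `HOST_GROUP` is a simplified stand-in for the pattern fail2ban substitutes for that tag.

```python
import re

# Simplified stand-in for what fail2ban substitutes for <HOST>
# (assumption: the real substitution differs between fail2ban versions).
HOST_GROUP = r"(?P<host>[\w\-.:]+)"

# Commented-out (stock) failregex from the comment above.
STOCK = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
         r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
         r"(: [A-Za-z0-9+/]*={0,2})?$")

# Tweaked failregex: identical except for \s in the trailing character class.
TWEAKED = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
           r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
           r"(: [A-Za-z0-9+/\s]*={0,2})?$")

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_MAILLOG = [
    # Base64 challenge after "failed:" -> no whitespace in the suffix.
    "Mar  3 10:01:12 mail postfix/smtpd[2101]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # Multi-word reason strings -> suffix contains a space.
    "Mar  3 10:01:15 mail postfix/smtpd[2102]: warning: unknown[192.0.2.11]: "
    "SASL PLAIN authentication failed: generic failure",
    "Mar  3 10:01:19 mail postfix/smtpd[2103]: warning: "
    "host.example.net[198.51.100.7]: SASL LOGIN authentication failed: "
    "authentication failure",
    # Unrelated line that must never match.
    "Mar  3 10:01:25 mail postfix/smtpd[2104]: connect from unknown[192.0.2.12]",
]


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    print("stock  :", matched_hosts(STOCK, SAMPLE_MAILLOG))
    print("tweaked:", matched_hosts(TWEAKED, SAMPLE_MAILLOG))
```

On a real system, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf` runs the same kind of check against the actual log and filter file.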
