1

Topic: fail2ban does not ban ip

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.04
- Related log if you're reporting an issue:
====

I used this command: fail2ban-client set postfix-iredmail banip 10.0.0.100

and fail2ban-client status postfix-iredmail

Status for the jail: postfix-iredmail
|- filter
|  |- File list:        /var/log/mail.log 
|  |- Currently failed: 1
|  `- Total failed:     1
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

2

Re: fail2ban does not ban ip

Any related log in /var/log/syslog (or other log files under /var/log/)?

3

Re: fail2ban does not ban ip

I found this in /var/log/fail2ban.log:

014-05-18 07:40:59,129 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-05-18 07:41:01,158 fail2ban.filter : INFO   Log rotation detected for /var/log/dovecot.log
2014-05-18 07:41:01,159 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-05-18 07:41:01,159 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-05-18 07:41:01,160 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-05-18 07:41:10,169 fail2ban.filter : INFO   Log rotation detected for /var/log/dovecot.log
2014-05-18 07:50:02,756 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-05-19 08:51:29,524 fail2ban.server : INFO   Stopping all jails
2014-05-19 08:51:29,845 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2014-05-19 08:51:29,941 fail2ban.jail   : INFO   Jail 'ssh-iredmail' stopped
2014-05-19 08:51:30,838 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-roundcube
iptables -F fail2ban-roundcube
iptables -X fail2ban-roundcube returned 100
2014-05-19 08:51:30,933 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' stopped
2014-05-19 08:51:31,215 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-postfix
iptables -F fail2ban-postfix
iptables -X fail2ban-postfix returned 100
2014-05-19 08:51:31,935 fail2ban.jail   : INFO   Jail 'postfix-iredmail' stopped
2014-05-19 08:51:32,839 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-dovecot
iptables -F fail2ban-dovecot
iptables -X fail2ban-dovecot returned 100
2014-05-19 08:51:32,936 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' stopped
2014-05-19 08:51:32,937 fail2ban.server : INFO   Exiting Fail2ban
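
Added example (not part of the original post and not fail2ban's own code): a POSIX shell function that groups the multi-line 'fail2ban.actions.action: ERROR' records seen in the log above and reports the iptables chain and return code of each failed action. The sample log is constructed in the quoted format, and the names sample_log and failed_actions are hypothetical.

```shell
#!/bin/sh
# Added example: list failed fail2ban actions recorded in fail2ban.log.
# Usage on a real system: failed_actions < /var/log/fail2ban.log

# Constructed sample in the format of the log quoted above (port list shortened).
sample_log() {
cat <<'EOF'
2014-05-19 08:51:29,524 fail2ban.server : INFO   Stopping all jails
2014-05-19 08:51:29,845 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2014-05-19 08:51:29,941 fail2ban.jail   : INFO   Jail 'ssh-iredmail' stopped
2014-05-19 08:51:31,215 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports smtp,submission -j fail2ban-postfix
iptables -F fail2ban-postfix
iptables -X fail2ban-postfix returned 100
2014-05-19 08:51:31,935 fail2ban.jail   : INFO   Jail 'postfix-iredmail' stopped
EOF
}

# Print one line per failed action:
#   <date> <time> chain=<iptables chain> rc=<return code> cmds=<lines in action>
failed_actions() {
    awk '
    function emit() {
        if (inrec && rc != "") {
            printf "%s chain=%s rc=%s cmds=%d\n", ts, chain, rc, n
        }
        inrec = 0; rc = ""; chain = "?"; n = 0
    }
    # A timestamped line closes the previous record and may open a new one.
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / {
        emit()
        if ($3 != "fail2ban.actions.action:" || $4 != "ERROR") next
        inrec = 1; ts = $1 " " $2
    }
    # First line plus untimestamped continuation lines of an ERROR record.
    inrec {
        n++
        for (i = 1; i < NF; i++) {
            if ($i == "-j") chain = $(i + 1)
            if ($i == "returned") rc = $(i + 1)
        }
    }
    END { emit() }
    '
}

sample_log | failed_actions
```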
                                                               

4

Re: fail2ban does not ban ip

Does fail2ban add iptables rules so that any packet from the banned IP will be dropped?

5

Re: fail2ban does not ban ip

noob wrote:

Does fail2ban add iptables rules so that any packet from the banned IP will be dropped?

Yes.

*) Do you have chain 'fail2ban-roundcube' (and some other 'fail2ban-XXX') in iptables? You can check it with command 'iptables -L -n'.
*) Did you try to execute the iptables command manually? Does it work? For example:

# iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-roundcube

6

Re: fail2ban does not ban ip

I have

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve

fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve

fail2ban-roundcube  tcp  --  anywhere             anywhere             multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve

fail2ban-ssh  tcp  --  anywhere             anywhere             tcp dpt:ssh
............

and I can manually execute iptables commands, so do I have to delete all the above rules?

7

Re: fail2ban does not ban ip

I guess it's a bug in Fail2ban shipped in Ubuntu 12.04, maybe it was fixed in latest Fail2ban release.

I found an unofficial Q/A on Fail2ban wiki site:

Can someone tell me why I'm getting these errors with fail2ban?
2007-07-07 17:22:09,608 fail2ban.actions.action: CRITICAL Unable to restore environment
2007-07-08 01:57:43,008 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport http -j fail2ban-apache
iptables -F fail2ban-apache
iptables -X fail2ban-apache returned 100
2007-07-08 01:57:43,933 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
I'm using Debian Etch
Thanks!

----
I got similar errors on startup for iptables -N, iptables -A, and iptables -X and it turned out that the directory where the iptables executable resides (/sbin on my system) was not included in the PATH environment variable. Adding /sbin to the PATH with:
PATH=$PATH:/sbin
in the file /etc/init.d/fail2ban fixed the problem on my Redhat Enterprise Linux 5 system.
--Richard

8

Re: fail2ban does not ban ip

I think I want to disable fail2ban. How exactly do I do this in Ubuntu 12.04?

9

Re: fail2ban does not ban ip

You can disable fail2ban service with command 'update-rc.d'. For example:

# update-rc.d -f fail2ban remove

10

Re: fail2ban does not ban ip

ZhangHuangbin wrote:

You can disable fail2ban service with command 'update-rc.d'. For example:

# update-rc.d -f fail2ban remove

What if I want to re-enable fail2ban (in the future), what command do I have to use?

11

Re: fail2ban does not ban ip

You should read manual page of 'update-rc.d'.