1

Topic: Fail2Ban Not Working?

==== Required information ====
- iRedMail version: Latest
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12
- Related log if you're reporting an issue:
====

Fail2Ban doesn't appear to be working although I have restarted many times - cannot figure out the issue.

Here is the fail2ban.log:

2014-06-29 08:44:31,041 fail2ban.server : INFO   Stopping all jails
2014-06-29 08:44:31,156 fail2ban.actions: WARNING [ssh-iredmail] Unban 36.72.228.72
2014-06-29 08:44:31,178 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2014-06-29 08:44:31,178 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2014-06-29 08:44:31,183 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2014-06-29 08:44:31,191 fail2ban.actions.action: ERROR  iptables -D fail2ban-ssh -s 36.72.228.72 -j DROP returned 100
2014-06-29 08:44:31,195 fail2ban.jail   : INFO   Jail 'ssh-iredmail' stopped
2014-06-29 08:44:32,184 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-roundcube
iptables -F fail2ban-roundcube
iptables -X fail2ban-roundcube returned 100
2014-06-29 08:44:32,184 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' stopped
2014-06-29 08:44:33,158 fail2ban.actions: WARNING [postfix-iredmail] Unban 81.73.188.199
2014-06-29 08:44:33,161 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-postfix returned 100
2014-06-29 08:44:33,161 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2014-06-29 08:44:33,164 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-postfix
iptables -F fail2ban-postfix
iptables -X fail2ban-postfix returned 100
2014-06-29 08:44:33,172 fail2ban.actions.action: ERROR  iptables -D fail2ban-postfix -s 81.73.188.199 -j DROP returned 100
2014-06-29 08:44:33,176 fail2ban.jail   : INFO   Jail 'postfix-iredmail' stopped
2014-06-29 08:44:34,163 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j fail2ban-dovecot
iptables -F fail2ban-dovecot
iptables -X fail2ban-dovecot returned 100
2014-06-29 08:44:34,163 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' stopped
2014-06-29 08:44:34,167 fail2ban.server : INFO   Exiting Fail2ban

2

Re: Fail2Ban Not Working?

Does the command below work if you execute it manually?

# iptables -n -L INPUT | grep -q fail2ban-ssh

Also, please paste the content of /etc/fail2ban/jail.local here, so that others can help troubleshoot.

3

Re: Fail2Ban Not Working?

How can I tell if the command was successful or not?

Here is jail.local

# File generated by iRedMail (2014.06.26.06.08.21):
#
# Version:  0.8.7
# Project:  http://www.iredmail.org/
#
# Community: http://www.iredmail.org/forum/
#


# Refer to /etc/fail2ban/jail.conf for more examples.
[DEFAULT]
maxretry    = 5
# attention: time is in seconds - the value of 3600 means ONE hour
bantime     = 3600
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[ssh-iredmail]
enabled     = true
filter      = sshd
action      = iptables[name=ssh, port="ssh", protocol=tcp]
#               sendmail-whois[name=ssh, dest=root, sender=fail2ban@mail.com]
logpath     = /var/log/auth.log

[roundcube-iredmail]
enabled     = true
filter      = roundcube.iredmail
action      = iptables-multiport[name=roundcube, port="http,https,smtp,submission,pop3,pop3s,imap,imaps$
logpath     = /var/log/mail.log
findtime    = 3600

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,s$
logpath     = /var/log/dovecot.log
findtime    = 300

[postfix-iredmail]
enabled     = true
filter      = postfix.iredmail
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,s$
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log

4

Re: Fail2Ban Not Working?

Hard to be sure that you don't have errors in the jail config as several lines are truncated with s$.

It would also be more informative to see the log from the start sequence, rather than the shutdown.

5

Re: Fail2Ban Not Working?

markpike wrote:

How can I tell if the command was successful or not?

Just show us the terminal output.
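
An added example, not part of any post in this thread: `grep -q` prints nothing, so the result of the invariant check from the log is only visible in its exit status (0 = chain referenced in INPUT, 1 = not found). The sketch below runs that check for each chain name that appears in the log and jail.local above; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Chain names taken from the fail2ban.log and jail.local posted in the thread.
CHAINS="fail2ban-ssh fail2ban-roundcube fail2ban-dovecot fail2ban-postfix"

# check_chain LISTING CHAIN  (hypothetical helper)
# Same test fail2ban runs as its invariant check. grep -q is silent:
# exit status 0 means a jump rule to CHAIN exists, 1 means it does not.
check_chain() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# missing_chains LISTING  (hypothetical helper)
# Prints every expected chain that has no jump rule in the INPUT listing.
missing_chains() {
    for chain in $CHAINS; do
        check_chain "$1" "$chain" || printf '%s\n' "$chain"
    done
}

# Constructed sample of `iptables -n -L INPUT` output (not from the thread):
# only the ssh and postfix jails have their jump rules installed.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-postfix  tcp  --  0.0.0.0/0     0.0.0.0/0     multiport dports 25,587
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# On a live host, run as root with the real listing instead of the sample:
#   LISTING=$(iptables -n -L INPUT) sh this-script.sh
LISTING=${LISTING:-$SAMPLE_LISTING}

for chain in $CHAINS; do
    if check_chain "$LISTING" "$chain"; then
        echo "$chain: exit status 0 (jump rule present)"
    else
        echo "$chain: exit status $? (jump rule missing)"
    fi
done

echo "Chains missing from INPUT:"
missing_chains "$LISTING"
```

For a single manual check at the prompt, the equivalent is to run the pipeline and then `echo $?` immediately afterwards.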