Topic: fail2ban failure
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.3
- Linux/BSD distribution name and version: Ubuntu 14.04.3 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue: /var/log/fail2ban.log
2016-01-03 17:01:20,249 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2016-01-03 17:01:20,250 fail2ban.jail : INFO Creating new jail 'ssh'
2016-01-03 17:01:20,326 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2016-01-03 17:01:20,382 fail2ban.jail : INFO Initiated 'pyinotify' backend
2016-01-03 17:01:20,387 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2016-01-03 17:01:20,390 fail2ban.filter : INFO Set maxRetry = 6
2016-01-03 17:01:20,393 fail2ban.filter : INFO Set findtime = 600
2016-01-03 17:01:20,394 fail2ban.actions: INFO Set banTime = 600
2016-01-03 17:01:20,495 fail2ban.jail : INFO Jail 'ssh' started
2016-01-03 17:01:21,579 fail2ban.actions: WARNING [ssh] Ban 40.122.126.128
2016-01-03 17:03:57,233 fail2ban.server : INFO Stopping all jails
2016-01-03 17:03:57,390 fail2ban.actions: WARNING [ssh] Unban 40.122.126.128
2016-01-03 17:03:57,415 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2016-01-03 17:03:57,415 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2016-01-03 17:03:57,425 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2016-01-03 17:03:57,445 fail2ban.actions.action: ERROR iptables -D fail2ban-ssh -s 40.122.126.128 -j REJECT --reject-with icmp-port-unreachable returned 100
2016-01-03 17:03:57,457 fail2ban.jail : INFO Jail 'ssh' stopped
2016-01-03 17:03:57,463 fail2ban.server : INFO Exiting Fail2ban
====
iptables -S:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N fail2ban-SOGo
-N fail2ban-default
-N fail2ban-dovecot
-N fail2ban-postfix
-N fail2ban-roundcube
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-SOGo
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-roundcube
-A INPUT -p tcp -j fail2ban-default
-A INPUT -p tcp -j fail2ban-default
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A fail2ban-SOGo -j RETURN
-A fail2ban-default -j RETURN
-A fail2ban-default -j RETURN
-A fail2ban-dovecot -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-roundcube -j RETURN
service fail2ban status:
* Status of authentication failure monitor
* fail2ban is running
Based on the number of repeat sshd failures, fail2ban doesn't seem to be doing anything, even though status shows it as running. Also, restarting fail2ban does not result in any new log entries.
Any thoughts?
Thanks,
--Bill
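An added example, not part of the original post and not Fail2ban's or iRedMail's own code: it cross-checks the two outputs quoted above, comparing the jail names in fail2ban.log with the fail2ban-<name> chains in `iptables -S`. The function names are hypothetical, and the chain-per-jail naming is an assumption taken from the commands shown in the log.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the fail2ban.log excerpt and
# the `iptables -S` output in the post (only the lines this check reads).
LOG = """\
2016-01-03 17:01:20,250 fail2ban.jail : INFO Creating new jail 'ssh'
2016-01-03 17:01:20,495 fail2ban.jail : INFO Jail 'ssh' started
2016-01-03 17:03:57,457 fail2ban.jail : INFO Jail 'ssh' stopped
2016-01-03 17:03:57,463 fail2ban.server : INFO Exiting Fail2ban
"""
RULES = """\
-N fail2ban-SOGo
-N fail2ban-default
-N fail2ban-dovecot
-N fail2ban-postfix
-N fail2ban-roundcube
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-SOGo
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-roundcube
-A INPUT -p tcp -j fail2ban-default
-A INPUT -p tcp -j fail2ban-default
"""
JAIL_RE = re.compile(r"Creating new jail '([^']+)'|Jail '([^']+)' (started|stopped)")

def jails_in_log(log):
    """Map each jail named in the log to the last state recorded for it."""
    state = {}
    for m in JAIL_RE.finditer(log):
        state[m.group(1) or m.group(2)] = m.group(3) or "created"
    return state

def cross_check(log, rules):
    """Compare jails seen in the log with fail2ban-* chains in `iptables -S`."""
    jails = set(jails_in_log(log))
    # Assumption: a jail's chain is named fail2ban-<jail>, as for 'ssh' in the log.
    declared = set(re.findall(r"^-N fail2ban-(\S+)$", rules, re.M))
    jumps = Counter(re.findall(r"^-A INPUT .*-j fail2ban-(\S+)$", rules, re.M))
    return {
        "jails_without_chain": sorted(jails - declared),
        "chains_without_logged_jail": sorted(declared - jails),
        "chains_without_input_jump": sorted(declared - set(jumps)),
        "duplicate_input_jumps": sorted(c for c, n in jumps.items() if n > 1),
        "log_ends_with_exit": log.rstrip().endswith("Exiting Fail2ban"),
    }

if __name__ == "__main__":
    for key, value in cross_check(LOG, RULES).items():
        print(f"{key}: {value}")
```

On a live host, feed it the contents of /var/log/fail2ban.log and the output of `iptables -S` in place of the two constants.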