1 Topic by japinto84 (edited by japinto84 2021-09-07 02:12:08)

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Topic: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
1.4.0 OPENLDAP edition.

- Deployed with iRedMail Easy or the downloadable installer?
Deployed with Downloadable installer

- Linux/BSD distribution name and version:
Ubuntu 20.04.3

- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
LDAP

- Web server (Apache or Nginx):
NGINX

- Manage mail accounts with iRedAdmin-Pro?
NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

-Problem Summary:
I have recently migrated from an old Ubuntu 18.04 server to a 20.04 server. fail2band used to work on the old server, but it doesn't on the new one.

I tested by purposely putting wrong password in the SOGO UI. This should have banned my IP in the sogo jail, but this did not happen. It would seem that fail2band is not recognizing the failed attempts.
------------------------------------------------------------


root@xxxxxx:/home/ubuntu# cat /etc/fail2ban/jail.d/sogo.local
[sogo]
backend     = polling
journalmatch=
enabled     = true
filter      = sogo-auth
logpath     = /var/log/sogo/sogo.log
action      = nftables-multiport[name=sogo, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]
              banned_db[name=sogo, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]
--------------------------------------------------------------------------------------------------------------
root@xxxxx:/home/ubuntu# cat /etc/fail2ban/filter.d/sogo-auth.conf
# Fail2ban filter for SOGo authentcation
#
# Log file usually in /var/log/sogo/sogo.log

[Definition]

failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$

ignoreregex = "^<ADDR>"

datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
              {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
              ^[^\[]*\[({DATE})
              {^LN-BEG}

#
# DEV Notes:
#
# The error log may contain multiple hosts, whereas the first one
# is the client and all others are poxys. We match the first one, only
#
# Author: Arnd Brandes


---------------------------------------------------------------------------------------------------------------------------------


logs from /var/log/sogo/sogo.log

Sep 05 19:20:51 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:20:51 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.004 - - 0 - 11
Sep 05 19:20:53 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:20:53 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.003 - - 0 - 11
Sep 05 19:20:55 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:20:55 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.003 - - 0 - 11
Sep 05 19:20:58 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:20:58 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.004 - - 0 - 11
Sep 05 19:21:00 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:00 sogod [1136]: x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.003 - - 0 - 11
Sep 05 19:21:02 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:02 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.003 - - 0 - 11
Sep 05 19:21:04 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:04 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.004 - - 0 - 11
Sep 05 19:21:07 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:07 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.011 - - 0 - 11
Sep 05 19:21:08 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:08 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.004 - - 0 - 11
Sep 05 19:21:10 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:10 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/81 0.004 - - 0 - 11
Sep 05 19:21:15 sogod [1136]: SOGoRootPage Login from '71.191.55.153' for user 'dfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 05 19:21:15 sogod [1136]: x.x.x.x "POST /SOGo/connect HTTP/1.0" 403 34/77 0.003 - - 0 - 11
------------------------------------------------------------------------------------------------------------------

Per the fail2ban jain and filters above, these log entries should have banned my IP address. But they aren't:

root@xxxxxl:/home/ubuntu# fail2ban-client status sogo
Status for the jail: sogo
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/sogo/sogo.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

-----------------------------------------------------------------------------------------------

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by japinto84 (edited by japinto84 2021-09-06 08:22:57)

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

root@xxxx:/etc/fail2ban/filter.d# tail /var/log/fail2ban.log

Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Creating new jail 'sogo'
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'sogo' uses poller {}
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Initiated 'polling' backend
Sep  5 22:57:49 deyamail fail2ban.datedetector [11447]: INFO   date pattern `'{^LN-BEG}%ExY(?P<_sep>[-/.])%m(?P=_sep)%d[T ]%H:%M:%S(?:[.,]%f)?(?:\\s*%z)?'`: `{^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?`
Sep  5 22:57:49 deyamail fail2ban.datedetector [11447]: INFO   date pattern `'{^LN-BEG}(?:%a )?%b %d %H:%M:%S(?:\\.%f)?(?: %ExY)?'`: `{^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?`
Sep  5 22:57:49 deyamail fail2ban.filter [11447]: INFO   maxRetry: 5
Sep  5 22:57:49 deyamail fail2ban.filter [11447]: INFO   findtime: 3600
Sep  5 22:57:49 deyamail fail2ban.actions [11447]: INFO   banTime: 3600
Sep  5 22:57:49 deyamail fail2ban.filter [11447]: INFO   encoding: UTF-8
Sep  5 22:57:49 deyamail fail2ban.filter [11447]: INFO Added logfile: '/var/log/sogo/sogo.log' (pos = 1321087, hash = b8d2dfa0a43b55c4f461abc1d791694cef067090)
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'sshd' started
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'nginx-http-auth' started
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'postfix' started
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'dovecot' started
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'postfix-pregreet' started
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'roundcube' started
Sep  5 22:57:49 deyamail fail2ban.jail [11447]: INFO Jail 'sogo' started
Sep  5 22:57:49 deyamail fail2ban-server[11447]: Server ready

3 Reply by Cthulhu (edited by Cthulhu 2021-09-06 08:31:25)

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 907

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$

^ = start of string
$ = end of string

But at the start of string, there is (for example):
Sep 05 19:20:51

So this won't work.

try this:

failregex = Login from '<HOST>.*' for user '.*' might not have worked

This is WAY less restrictive, but should totally fit.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

Please turn on debug mode in Fail2ban and reproduce the login failure in SOGo again, check fail2ban log file to figure out why it doesn't catch the failure:
https://docs.iredmail.org/debug.fail2ban.html

5 Reply by japinto84

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

same result with or without the modified filter as per @Cthulhu

Logs attached

Mind you that that same filter used to work in Ubuntu 18.

Post's attachments

fail2ban_issue_logs.txt 71.58 kb, 2 downloads since 2021-09-06 

You don't have the permssions to download the attachments of this post.

6 Reply by japinto84 (edited by japinto84 2021-09-06 11:20:18)

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

Guys, just to give a little bit of an update on this issue. I went back to my old Ubuntu18 server and it looks like the sogo jail had the issue there as well.

The only jails that I seen working so far are 'dovecot' and 'postfix-pregreet'. So I'm not sure if sogo ever worked.

At least now I know that the issue is affects only this (or more) jails and not the whole of fail2ban or nftables.

7 Reply by japinto84

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

Guys,
I've been looking at this for a good while now and I can't find anything wrong that jumps at me.

Here are some fore files to look at:

root@deyamail:/etc/fail2ban/jail.d# fail2ban-server -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'DEBUG']
['set', 'logtarget', 'SYSLOG']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbmaxmatches', 10]
['set', 'dbpurgeage', '1d']
['add', 'sshd', 'polling']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$']
['set', 'sshd', 'maxlines', 1]
['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']]
['set', 'sshd', 'datepattern', '{^LN-BEG}']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'maxmatches', 5]
['set', 'sshd', 'findtime', '3600']
['set', 'sshd', 'bantime', '3600']
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'addlogpath', '/var/log/auth.log', 'head']
['set', 'sshd', 'addaction', 'nftables-multiport']
['multi-set', 'sshd', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 22 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 22 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'sshd'], ['port', '22'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'sshd', 'addaction', 'banned_db']
['multi-set', 'sshd', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup sshd'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 22 tcp sshd <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'sshd'], ['port', '22'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['add', 'nginx-http-auth', 'polling']
['set', 'nginx-http-auth', 'usedns', 'warn']
['set', 'nginx-http-auth', 'addfailregex', '^ \\[error\\] \\d+#\\d+: \\*\\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\\"]*"), client: <HOST>, server: \\S*, request: "\\S+ \\S+ HTTP/\\d+\\.\\d+", host: "\\S+"(?:, referrer: "\\S+")?\\s*$']
['set', 'nginx-http-auth', 'datepattern', '{^LN-BEG}']
['set', 'nginx-http-auth', 'maxretry', 5]
['set', 'nginx-http-auth', 'maxmatches', 5]
['set', 'nginx-http-auth', 'findtime', '3600']
['set', 'nginx-http-auth', 'bantime', '3600']
['set', 'nginx-http-auth', 'ignorecommand', '']
['set', 'nginx-http-auth', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'nginx-http-auth', 'logencoding', 'auto']
['set', 'nginx-http-auth', 'addlogpath', '/var/log/nginx/error.log', 'head']
['set', 'nginx-http-auth', 'addaction', 'nftables-multiport']
['multi-set', 'nginx-http-auth', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'nginx'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'nginx-http-auth', 'addaction', 'banned_db']
['multi-set', 'nginx-http-auth', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup nginx'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 80,443,25,587,465,110,995,143,993,4190 tcp nginx <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'nginx'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['add', 'postfix', 'polling']
['set', 'postfix', 'usedns', 'warn']
['multi-set', 'postfix', 'addfailregex', ['\\[<HOST>\\]: SASL (PLAIN|LOGIN) authentication failed', 'lost connection after (AUTH|UNKNOWN) from (.*)\\[<HOST>\\]', 'reject: RCPT from .*\\[<HOST>\\]: .*: Relay access denied', 'reject: RCPT from .*\\[<HOST>\\]: .*: Sender address rejected: Domain not found', 'reject: RCPT from .*\\[<HOST>\\]: .*: Helo command rejected: Host not found', 'reject: RCPT from .*\\[<HOST>\\]: .*: Helo command rejected: need fully-qualified hostname', 'reject: RCPT from .*\\[<HOST>\\]: 554 5.7.1', 'reject: RCPT from .*\\[<HOST>\\]:\\d+: 550 5.5.1 Protocol error', 'warning: Illegal address syntax from (.*)\\[<HOST>\\] in RCPT command']]
['set', 'postfix', 'maxretry', 5]
['set', 'postfix', 'maxmatches', 5]
['set', 'postfix', 'findtime', '3600']
['set', 'postfix', 'bantime', '3600']
['set', 'postfix', 'ignorecommand', '']
['set', 'postfix', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'postfix', 'logencoding', 'auto']
['set', 'postfix', 'addlogpath', '/var/log/mail.log', 'head']
['set', 'postfix', 'addaction', 'nftables-multiport']
['multi-set', 'postfix', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'postfix'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'postfix', 'addaction', 'banned_db']
['multi-set', 'postfix', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup postfix'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 80,443,25,587,465,110,995,143,993,4190 tcp postfix <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'postfix'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['add', 'dovecot', 'polling']
['set', 'dovecot', 'usedns', 'warn']
['multi-set', 'dovecot', 'addfailregex', ['Authentication failure.* rip=<HOST>', '\\(auth failed.* rip=<HOST>']]
['set', 'dovecot', 'maxretry', 5]
['set', 'dovecot', 'maxmatches', 5]
['set', 'dovecot', 'findtime', '3600']
['set', 'dovecot', 'bantime', '3600']
['set', 'dovecot', 'ignorecommand', '']
['set', 'dovecot', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'dovecot', 'logencoding', 'auto']
['set', 'dovecot', 'addlogpath', '/var/log/dovecot/imap.log', 'head']
['set', 'dovecot', 'addlogpath', '/var/log/dovecot/pop3.log', 'head']
['set', 'dovecot', 'addlogpath', '/var/log/dovecot/sieve.log', 'head']
['set', 'dovecot', 'addlogpath', '/var/log/dovecot/dovecot.log', 'head']
['set', 'dovecot', 'addlogpath', '/var/log/dovecot/lda.log', 'head']
['set', 'dovecot', 'addaction', 'nftables-multiport']
['multi-set', 'dovecot', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'dovecot'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'dovecot', 'addaction', 'banned_db']
['multi-set', 'dovecot', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup dovecot'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 80,443,25,587,465,110,995,143,993,4190 tcp dovecot <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'dovecot'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['add', 'postfix-pregreet', 'polling']
['set', 'postfix-pregreet', 'usedns', 'warn']
['set', 'postfix-pregreet', 'addignoreregex', 'postscreen\\[\\d+\\]: PREGREET .* from \\[<HOST>\\]:\\d+: (EHLO|HELO) we-guess.mozilla.org']
['set', 'postfix-pregreet', 'addfailregex', 'postscreen\\[\\d+\\]: PREGREET .* from \\[<HOST>\\]:\\d+:']
['set', 'postfix-pregreet', 'maxretry', 1]
['set', 'postfix-pregreet', 'maxmatches', 1]
['set', 'postfix-pregreet', 'findtime', '3600']
['set', 'postfix-pregreet', 'bantime', '3600']
['set', 'postfix-pregreet', 'ignorecommand', '']
['set', 'postfix-pregreet', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'postfix-pregreet', 'logencoding', 'auto']
['set', 'postfix-pregreet', 'addlogpath', '/var/log/mail.log', 'head']
['set', 'postfix-pregreet', 'addaction', 'nftables-multiport']
['multi-set', 'postfix-pregreet', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'postfix-pregreet'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'postfix-pregreet', 'addaction', 'banned_db']
['multi-set', 'postfix-pregreet', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup postfix-pregreet'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 80,443,25,587,465,110,995,143,993,4190 tcp postfix-pregreet <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'postfix-pregreet'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['add', 'roundcube', 'polling']
['set', 'roundcube', 'usedns', 'warn']
['multi-set', 'roundcube', 'addfailregex', ['roundcube.* Failed login for (.*) from <HOST>\\. AUTHENTICATE LOGIN', 'roundcube.* Failed login for (.*) from <HOST> in session', 'roundcube.* Failed login .*\\(X-Forwarded-For: <HOST>\\) in session', 'roundcube.* Error: Login failed for (.*) from <HOST>\\. (LOGIN: Authentication failed|AUTHENTICATE LOGIN)']]
['set', 'roundcube', 'maxretry', 5]
['set', 'roundcube', 'maxmatches', 5]
['set', 'roundcube', 'findtime', '3600']
['set', 'roundcube', 'bantime', '3600']
['set', 'roundcube', 'ignorecommand', '']
['set', 'roundcube', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'roundcube', 'logencoding', 'auto']
['set', 'roundcube', 'addlogpath', '/var/log/mail.log', 'head']
['set', 'roundcube', 'addaction', 'nftables-multiport']
['multi-set', 'roundcube', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'roundcube'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'roundcube', 'addaction', 'banned_db']
['multi-set', 'roundcube', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup roundcube'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 80,443,25,587,465,110,995,143,993,4190 tcp roundcube <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'roundcube'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['add', 'sogo', 'polling']
['set', 'sogo', 'usedns', 'warn']
['set', 'sogo', 'addfailregex', "SOGoRootPage Login from '<HOST>' for user '.*' might not have worked - password policy"]
['set', 'sogo', 'maxretry', 5]
['set', 'sogo', 'maxmatches', 5]
['set', 'sogo', 'findtime', '3600']
['set', 'sogo', 'bantime', '3600']
['set', 'sogo', 'ignorecommand', '']
['set', 'sogo', 'addignoreip', '127.0.0.1', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
['set', 'sogo', 'logencoding', 'auto']
['set', 'sogo', 'addlogpath', '/var/log/sogo/sogo.log', 'head']
['set', 'sogo', 'addaction', 'nftables-multiport']
['multi-set', 'sogo', 'action', 'nftables-multiport', [['actionstart', "nft add table inet f2b-table\nnft -- add chain inet f2b-table f2b-chain \\{ type filter hook input priority -1 \\; \\}\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone"], ['actionstop', "{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\n{ nft list table inet f2b-table | grep -qP '^\\s+set\\s+'; } || {\nnft delete table inet f2b-table\n}"], ['actionflush', "{ nft flush set inet f2b-table <addr_set> 2> /dev/null; } || {\n{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\\s+.*\\s+\\Khandle\\s+(\\d+)$'; } | while read -r hdl; do\nnft delete rule inet f2b-table f2b-chain $hdl; done\nnft delete set inet f2b-table <addr_set>\nnft add set inet f2b-table <addr_set> \\{ type <addr_type>\\; \\}\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\nnft add rule inet f2b-table f2b-chain $proto dport \\{ 80,443,25,587,465,110,995,143,993,4190 \\} <addr_family> saddr @<addr_set> reject\ndone\n}"], ['actioncheck', "nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \\t]'"], ['actionban', 'nft add element inet f2b-table <addr_set> \\{ <ip> \\}'], ['actionunban', 'nft delete element inet f2b-table <addr_set> \\{ <ip> \\}'], ['name', 'sogo'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'nftables-multiport'], ['table', 'f2b-table'], ['table_family', 'inet'], ['chain', 'f2b-chain'], ['chain_type', 'filter'], ['chain_hook', 'input'], ['chain_priority', '-1'], ['addr_type', 'ipv4_addr'], ['blocktype', 'reject'], ['nftables', 'nft'], ['addr_set', 'addr-set-<name>'], ['addr_family', 'ip'], ['addr_family?family=inet6', 'ip6'], ['addr_type?family=inet6', 'ipv6_addr'], ['addr_set?family=inet6', 'addr6-set-<name>']]]
['set', 'sogo', 'addaction', 'banned_db']
['multi-set', 'sogo', 'action', 'banned_db', [['actionstart', ''], ['actionstop', '/usr/local/bin/fail2ban_banned_db cleanup sogo'], ['actioncheck', ''], ['actionban', '/usr/local/bin/fail2ban_banned_db ban <ip> 80,443,25,587,465,110,995,143,993,4190 tcp sogo <ipjailfailures> <ipjailmatches>'], ['actionunban', '/usr/local/bin/fail2ban_banned_db unban <ip>'], ['name', 'sogo'], ['port', '80,443,25,587,465,110,995,143,993,4190'], ['protocol', 'tcp'], ['actname', 'banned_db']]]
['start', 'sshd']
['start', 'nginx-http-auth']
['start', 'postfix']
['start', 'dovecot']
['start', 'postfix-pregreet']
['start', 'roundcube']
['start', 'sogo']


-------------------------------------------------------------------------------------------------------------------
Testing the sogo filter used above, I can see that is working

root@deyamail:/etc/fail2ban/jail.d# /usr/bin/fail2ban-regex /var/log/sogo/sogo.log "^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$" --print-all-matched

Running tests
=============

Use   failregex line : ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?...
Use         log file : /var/log/sogo/sogo.log
Use         encoding : UTF-8


Results
=======

Failregex: 186 total
|-  #) [# of hits] regular expression
|   1) [186] ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [14272] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [67] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 14405 lines, 0 ignored, 186 matched, 14219 missed
[processed in 0.84 sec]

|- Matched line(s):
|  Sep 04 23:51:02 sogod [10692]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 04 23:57:59 sogod [10695]: SOGoRootPage Login from 'x.x.x.x' for user 'mirna@pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:45:49 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'ttes3@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:53:19 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:57:17 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'ttestsrewrwe' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:58:09 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:58:09 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:58:33 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 15:58:33 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:01:17 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:01:17 sogod [1080]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:04:23 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:04:23 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'test@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:00 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:03 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:05 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:07 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:11 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:13 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:20 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:23 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:12:27 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:13:20 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:13:31 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:13:34 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:13:37 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:13:40 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:13:57 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:14:01 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:14:03 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:14:07 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:05 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:08 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:10 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:12 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:14 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:16 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:19 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:21 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:15:23 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:16:08 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'kjlkjlkj' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:16:22 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:16:28 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:16:30 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:20:04 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:20:13 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:20:21 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:20:32 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 16:20:40 sogod [1079]: SOGoRootPage Login from 'x.x.x.x' for user 'jesus.pinto@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:26:53 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:05 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:14 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:18 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:22 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:25 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:29 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:27:32 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:34:15 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:11 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:28 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:34 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:38 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:41 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:44 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:46 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:48 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:51 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:53 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:57 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:38:59 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:39:01 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:39:03 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:39:06 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'ttest4@deyablue.com' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 17:45:00 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'fsfsdfs' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 18:57:30 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'fsfsdfs' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 18:57:32 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'fsfsdfs' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 18:57:35 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'fsfsdfs' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 18:57:37 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'fsfsdfs' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 18:57:40 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'fsfsdfs' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:11:16 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:11:18 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:11:21 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:11:24 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:29 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:31 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:33 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:35 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:38 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:41 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:43 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:46 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:49 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:12:52 sogod [1149]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:20:51 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:20:53 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:20:55 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:20:58 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:00 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:02 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:04 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:07 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:08 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:10 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sdffdsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:15 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'dfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 19:21:18 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'dfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:26 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:29 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:32 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:35 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:38 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:41 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:43 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:46 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:48 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:51 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:06:57 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:07:00 sogod [1136]: SOGoRootPage Login from 'x.x.x.x' for user 'sfdfsdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:11:55 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:11:59 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:02 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:14 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:17 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:21 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:27 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:31 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:12:33 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:19:17 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'dfasfasdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:19:19 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'dfasfasdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:19:22 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'dfasfasdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:19:25 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'dfasfasdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:19:27 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'dfasfasdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 22:19:29 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'dfasfasdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:29:51 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:30:24 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:30:27 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:31:36 sogod [1150]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:31:39 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:31:41 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:31:44 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:31:47 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:44:32 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:44:34 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:44:36 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:45:55 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:45:57 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:46:00 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:46:02 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:47:16 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:52:13 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:52:15 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:52:17 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:52:20 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:52:22 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:52:24 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 05 23:55:23 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:14:01 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:14:03 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:14:06 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:14:08 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:14:10 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:14:13 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:22:48 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:22:51 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:22:54 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:22:56 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:22:58 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:23:00 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:24:16 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:30:36 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:30:37 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:30:40 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:30:42 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:30:44 sogod [1162]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdff' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 00:33:19 sogod [1090]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsdfsaf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 09:25:22 sogod [1090]: SOGoRootPage Login from 'x.x.x.x' for user 'gdfgfdgdfg' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 09:25:45 sogod [1090]: SOGoRootPage Login from 'x.x.x.x' for user 'gdfgfdgdfg' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 09:25:55 sogod [1090]: SOGoRootPage Login from 'x.x.x.x' for user 'gdfgfdgdfg' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 09:26:06 sogod [1090]: SOGoRootPage Login from 'x.x.x.x' for user 'gdfgfdgdfg' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:11:10 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:11:47 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:11:57 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:12:18 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:20:53 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sdfsfdf' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:21:01 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfsd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:21:22 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfsd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
|  Sep 06 11:21:26 sogod [37644]: SOGoRootPage Login from 'x.x.x.x' for user 'sfsdfsd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 14219 lines
root@deyamail:/etc/fail2ban/jail.d#

8 Reply by japinto84

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

likewise, the fail2ban log at DEBUG level doesn't provide any information as to why this is happening

--------------------------------------------------------------------------------

These are the logs entries while I'm attempting to log into SOGO with wrong credentials
tail -f /var/log/fail2ban.log
Sep  6 16:00:01 deyamail fail2ban.filterpoll message repeated 8 times: [ [38340]: DEBUG /var/log/sogo/sogo.log has been modified]
Sep  6 16:00:01 deyamail fail2ban.filterpoll [38340]: DEBUG /var/log/auth.log has been modified
Sep  6 16:00:02 deyamail fail2ban.filterpoll [38340]: DEBUG /var/log/auth.log has been modified
Sep  6 16:00:07 deyamail fail2ban.filterpoll [38340]: DEBUG /var/log/sogo/sogo.log has been modified

----------------------------------------------------------------------------------------------------------------
I'm attaching log entries when restarting the fail2ban service

Post's attachments

fail2banRestart.logs.txt 70.11 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

9 Reply by japinto84

  • japinto84
  • Member
  • Offline
  • Registered: 2021-09-06
  • Posts: 9

Re: [SOLVED]Fail2ban not banning IPs on fresh installation on Ubuntu 20.04

Alright guys. I think I figured this out.

So it turns out that fail2ban relies on the long entry time stamp to determine if it's looking at an recent entry or not.

the timezone in my server was set to UTC and the timezone on the Sogo logs was set to EST. After chanigng the timezone to UTC in the /etc/sogo/sogo.conf

-----------------------------------------------------------------------------------------------

And now, it works as expected

root@deyamail:/etc/fail2ban/jail.d# fail2ban-client status sogo
Status for the jail: sogo
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/sogo/sogo.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   x.x.x.x
-------------------------------------------------------------------------------

I don't know how many more jails are affected by this, but it's something to watch out for. Unless someone has anything more to add. I'm considering this resolved!

Thank  you all for your input