search

fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org
Other
12.31k stars 1.26k forks source link

fail2ban postfix-sasl ignoring failed logins #1076

Closed johnassel closed 7 years ago

johnassel commented 9 years ago

Normally fail2ban should block entries about failed logins by postfix like: warning: $host[$ip]: SASL PLAIN authentication failed:

"fail2ban-regex systemd-journal /etc/fail2ban/filter.d/postfix-sasl.conf" finds the specified lines so the filter is working. When fail2ban is starting and loading the jail but it doesn't react on failed logins. Not sure if it is because postfix is logging to journald - other postfix filters work without problems. I tried changing "backend = auto" to "backend = systemd" but that didn't work.

jail.conf: [postfix-sasl] enabled = true port = smtp,465,submission,imap3,imaps,pop3,pop3s filter = postfix-sasl findtime = 6000 bantime = 604800 maxretry = 1

postfix-sasl.conf: [INCLUDES] before = common.conf

[Definition] _daemon = postfix/(submission/)?smtp(d|s) failregex = ^%(__prefixline)swarning: [-.\w]+[]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]={0,2})?\s$ (?i): warning: [-._\w]+[]: SASL PLAIN authentication failed: ignoreregex = authentication failed: Connection lost to authentication server$

[Init] journalmatch = _SYSTEMD_UNIT=postfix.service

fail2ban-client status postfix-sasl gives me: Status for the jail: postfix-sasl |- Filter | |- Currently failed: 0 | |- Total failed: 0 | - File list: - Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:

Anyone has a clue on whats going wrong here?

sebres commented 9 years ago

First you should check the filter will match at all the failures that are logged. Use fail2ban-regex to check it, see 2 examples:

fail2ban-regex '... direct log line with failure ...'  /etc/fail2ban/filter.d/postfix-sasl.conf
fail2ban-regex /path/to/txt-log-file-or-journald-client-output  /etc/fail2ban/filter.d/postfix-sasl.conf

So, check whether the failregex of postfix-sasl filter is still good (nothing was changed in log format).

Secondly, if you have a parallel operating with any text logging (for example with rsyslog), you can change backend to polling (or gamin or pyinotify if these are supported) to check the failures will be recognized within a text log files. If yes, something would be wrong with backend systemd. Additionaly, we need some debug info or errors logged from fail2ban.log. Set your loglevel to DEBUG, restart f2b and try it again (caution - it will log very much).

And please provide always more info: general system / fail2ban version, any errors in fail2ban.log, etc. BTW. Here are recommended steps to troubleshoot problems

johnassel commented 9 years ago

After experimenting I found a solution: It seemed as if fail2ban didn't use systemd to look for the postfix log at this point. The log showed entries like 2015-06-22 11:52:51,211 fail2ban.jail [21952]: INFO Jail 'postfix-sasl' uses pyinotify 2015-06-22 11:52:51,249 fail2ban.server [21952]: INFO Jail postfix-sasl is not a JournalFilter instance After forcing journald with "backend = systemd" in jail.conf in the postfix-sasl jail it worked. Strange enough the other postfix jails are working without that statement and "backend = systemd" as default had been ignored. Still not sure why he is doing this.

sebres commented 9 years ago

After forcing journald with "backend = systemd" in jail.conf in the postfix-sasl jail

Directly change of jail.conf is not so good (have to merge all the time by update to new version). All the local changes should be made in jail.local instead.

and "backend = systemd" as default had been ignored. Still not sure why he is doing this.

Can you provide your f2b-version? And possible an output of fail2ban-client -vvd > output.txt if you change your default in jail.local to systemd again, and in jail postfix-sasl back (or comment it temporary with #)...

johnassel commented 9 years ago

Yes, I've put all my local changes to a .local file. Fail2Ban is v0.9.2 on Fedora 22.

fail2ban-cliend --vvd gives me:

['set', 'syslogsocket', 'auto'] ['set', 'logtarget', '/var/log/fail2ban.log'] ['set', 'loglevel', 'INFO'] ['set', 'dbpurgeage', 86400] ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'] ['add', 'apache-auth', 'auto'] ['set', 'apache-auth', 'usedns', 'warn'] ['set', 'apache-auth', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-auth', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-auth', 'maxretry', 5] ['set', 'apache-auth', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-auth', 'logencoding', 'auto'] ['set', 'apache-auth', 'bantime', 600] ['set', 'apache-auth', 'ignorecommand', ''] ['set', 'apache-auth', 'findtime', 600] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH(01797|01630): )?client denied by server configuration: (uri )?\S(, referer: \S+)?\s$'] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01617: )?user .? authentication failure for "\S": Password Mismatch(, referer: \S+)?$'] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01618: )?user .? not found(: )?\S(, referer: \S+)?\s$'] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01614: )?client used wrong authentication scheme: \S(, referer: \S+)?\s$'] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH\d+: )?Authorization of user \S+ to access \S failed, reason: .$'] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH0179[24]: )?(Digest: )?user .?: password mismatch: \S(, referer: \S+)?\s$'] ['set', 'apache-auth', 'addfailregex', "^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH0179[01]: |Digest: )user .*?' in realm.+' (not found|denied by provider): \S(, referer: \S+)?\s$"] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01631: )?user .?: authorization failure for "\S":(, referer: \S+)?\s$'] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01775: )?(Digest: )?invalid nonce . received - length is not \S+(, referer: \S+)?\s$'] ['set', 'apache-auth', 'addfailregex', "^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01788: )?(Digest: )?realm mismatch - got ._?' but expected.+'(, referer: \S+)?\s*$"] ['set', 'apache-auth', 'addfailregex', "^\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\] (AH01789: )?(Digest: )?unknown algorithm._?' received: \S_(, referer: \S+)?\s_$"] ['set', 'apache-auth', 'addfailregex', "^\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (AH01793: )?invalid qop.?' received: \S(, referer: \S+)?\s$"] ['set', 'apache-auth', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01777: )?(Digest: )?invalid nonce .? received - user attempted time travel(, referer: \S+)?\s_$'] ['set', 'apache-auth', 'addaction', 'iptables-multiport'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-auth', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-auth', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-auth', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'name', 'apache-auth'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-auth', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-badbots', 'auto'] ['set', 'apache-badbots', 'usedns', 'warn'] ['set', 'apache-badbots', 'addlogpath', '/var/log/httpd/ssl_access_log', 'head'] ['set', 'apache-badbots', 'addlogpath', '/var/log/httpd/accesslog', 'head'] ['set', 'apache-badbots', 'maxretry', 1] ['set', 'apache-badbots', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-badbots', 'logencoding', 'auto'] ['set', 'apache-badbots', 'bantime', 172800] ['set', 'apache-badbots', 'ignorecommand', ''] ['set', 'apache-badbots', 'findtime', 600] ['set', 'apache-badbots', 'addfailregex', '^ -."(GET|POST).HTTP."(?:Atomic_Email_Hunter/4.0|atSpider/1.0|autoemailspider|bwh3_user_agent|China Local Browse 2.6|ContactBot/0.2|ContentSmartz|DataCha0s/2.0|DBrowse 1.4b|DBrowse 1.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1.00|ESurf15a 15|ExtractorPro|Franklin Locator 1.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1.0.x|ISC Systems iRc Search 2.1|IUPUI Research Bot v 1.9a|LARBIN-EXPERIMENTAL (efp@gmx.net)|LetsCrawl.com/1.0 +http\://letscrawl.com/|Lincoln State Web Browser|LMQueueBot/0.2|LWP\:\:Simple/5.803|Mac Finder 1.0.xx|MFC Foundation Class Library 4.0|Microsoft URL Control - 6.00.8xxx|Missauga Locate 1.0.0|Missigua Locator 1.9|Missouri College Browse|Mizzu Labs 2.2|Mo College 1.9|MVAClient|Mozilla/2.0 (compatible; NEWT ActiveX; Win32)|Mozilla/3.0 (compatible; Indy Library)|Mozilla/3.0 (compatible; scan4mail (advanced version) http\://www.peterspages.net/?scan4mail)|Mozilla/4.0 (compatible; Advanced Email Extractor v2.xx)|Mozilla/4.0 (compatible; Iplexx Spider/1.0 http\://www.iplexx.at)|Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent|Mozilla/4.0 efp@gmx.net|Mozilla/5.0 (Version\: xxxx Type\:xx)|NameOfAgent (CMS Spider)|NASA Search 1.0|Nsauditor/1.x|PBrowse 1.4b|PEval 1.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1.0.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google.com|ShablastBot 1.0|snap.com beta crawler v0|Snapbot/1.0|Snapbot/1.0 (Snap Shots, +http\://www.snap.com)|sogou develop spider|Sogou Orion spider/3.0(+http\://www.sogou.com/docs/help/webmasters.htm#07)|sogou spider|Sogou web spider/3.0(+http\://www.sogou.com/docs/help/webmasters.htm#07)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2.2|User-Agent\: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|VadixBot|WebVulnCrawl.unknown/1.0 libwww-perl/5.803|Wells Search II|WEP Search 00|EmailCollector|WebEMailExtrac|TrackBack/1.02|sogou music spider)"$'] ['set', 'apache-badbots', 'addaction', 'iptables-multiport'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'name', 'apache-badbots'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-badbots', 'action', 'iptables-multiport', 'bantime', '172800'] ['add', 'apache-noscript', 'auto'] ['set', 'apache-noscript', 'usedns', 'warn'] ['set', 'apache-noscript', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-noscript', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-noscript', 'maxretry', 6] ['set', 'apache-noscript', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-noscript', 'logencoding', 'auto'] ['set', 'apache-noscript', 'bantime', 600] ['set', 'apache-noscript', 'ignorecommand', ''] ['set', 'apache-noscript', 'findtime', 600] ['set', 'apache-noscript', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S(php([45]|[.-]cgi)?|.asp|.exe|.pl)(, referer: \S+)?\s$'] ['set', 'apache-noscript', 'addfailregex', "^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] script '/\S(php([45]|[.-]cgi)?|.asp|.exe|.pl)\S' not found or unable to stat(, referer: \S+)?\s$"] ['set', 'apache-noscript', 'addaction', 'iptables-multiport'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'name', 'apache-noscript'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-noscript', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-overflows', 'auto'] ['set', 'apache-overflows', 'usedns', 'warn'] ['set', 'apache-overflows', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-overflows', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-overflows', 'maxretry', 2] ['set', 'apache-overflows', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-overflows', 'logencoding', 'auto'] ['set', 'apache-overflows', 'bantime', 600] ['set', 'apache-overflows', 'ignorecommand', ''] ['set', 'apache-overflows', 'findtime', 600] ['set', 'apache-overflows', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] ((AH0013[456]: )?Invalid (method|URI) in request .( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long (longer than \d+)|request failed: erroneous characters after protocol string: ._|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$'] ['set', 'apache-overflows', 'addaction', 'iptables-multiport'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'name', 'apache-overflows'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-overflows', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-nohome', 'auto'] ['set', 'apache-nohome', 'usedns', 'warn'] ['set', 'apache-nohome', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-nohome', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-nohome', 'maxretry', 2] ['set', 'apache-nohome', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-nohome', 'logencoding', 'auto'] ['set', 'apache-nohome', 'bantime', 600] ['set', 'apache-nohome', 'ignorecommand', ''] ['set', 'apache-nohome', 'findtime', 600] ['set', 'apache-nohome', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH00128: )?File does not exist: ./~._'] ['set', 'apache-nohome', 'addaction', 'iptables-multiport'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'name', 'apache-nohome'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-nohome', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-botsearch', 'auto'] ['set', 'apache-botsearch', 'usedns', 'warn'] ['set', 'apache-botsearch', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-botsearch', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-botsearch', 'maxretry', 2] ['set', 'apache-botsearch', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-botsearch', 'logencoding', 'auto'] ['set', 'apache-botsearch', 'bantime', 600] ['set', 'apache-botsearch', 'ignorecommand', ''] ['set', 'apache-botsearch', 'findtime', 600] ['set', 'apache-botsearch', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /var/www/\/?(roundcube|(ext)?mail|horde|(v-?)?webmail|(typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)|wp-(login|signup).php|cgi-bin|mysqladmin)[^,](, referer: \S+)?\s$'] ['set', 'apache-botsearch', 'addfailregex', "^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] script '/var/www/\/?(roundcube|(ext)?mail|horde|(v-?)?webmail|(typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)|wp-(login|signup).php|cgi-bin|mysqladmin)[^,]' not found or unable to stat(, referer: \S+)?\s_$"] ['set', 'apache-botsearch', 'addaction', 'iptables-multiport'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'name', 'apache-botsearch'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-botsearch', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-fakegooglebot', 'auto'] ['set', 'apache-fakegooglebot', 'usedns', 'warn'] ['set', 'apache-fakegooglebot', 'addlogpath', '/var/log/httpd/ssl_access_log', 'head'] ['set', 'apache-fakegooglebot', 'addlogpath', '/var/log/httpd/access_log', 'head'] ['set', 'apache-fakegooglebot', 'maxretry', 1] ['set', 'apache-fakegooglebot', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-fakegooglebot', 'logencoding', 'auto'] ['set', 'apache-fakegooglebot', 'bantime', 600] ['set', 'apache-fakegooglebot', 'ignorecommand', '/etc/fail2ban/filter.d/ignorecommands/apache-fakegooglebot '] ['set', 'apache-fakegooglebot', 'findtime', 600] ['set', 'apache-fakegooglebot', 'addfailregex', '^ .Googlebot.$'] ['set', 'apache-fakegooglebot', 'addaction', 'iptables-multiport'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'name', 'apache-fakegooglebot'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-fakegooglebot', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-modsecurity', 'auto'] ['set', 'apache-modsecurity', 'usedns', 'warn'] ['set', 'apache-modsecurity', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-modsecurity', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-modsecurity', 'maxretry', 2] ['set', 'apache-modsecurity', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-modsecurity', 'logencoding', 'auto'] ['set', 'apache-modsecurity', 'bantime', 600] ['set', 'apache-modsecurity', 'ignorecommand', ''] ['set', 'apache-modsecurity', 'findtime', 600] ['set', 'apache-modsecurity', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] ModSecurity: ([.?] )Access denied with code [45]\d\d.$'] ['set', 'apache-modsecurity', 'addaction', 'iptables-multiport'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'name', 'apache-modsecurity'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-modsecurity', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'apache-shellshock', 'auto'] ['set', 'apache-shellshock', 'usedns', 'warn'] ['set', 'apache-shellshock', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-shellshock', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-shellshock', 'maxretry', 1] ['set', 'apache-shellshock', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-shellshock', 'logencoding', 'auto'] ['set', 'apache-shellshock', 'bantime', 600] ['set', 'apache-shellshock', 'ignorecommand', ''] ['set', 'apache-shellshock', 'findtime', 600] ['set', 'apache-shellshock', 'addfailregex', '^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01215: )?/bin/(ba)?sh: warning: HTTP.?: ignoring function definition attempt(, referer: \S+)?\s$'] ['set', 'apache-shellshock', 'addfailregex', "^[] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})?] (AH01215: )?/bin/(ba)?sh: error importing function definition for HTTP_._?'(, referer: \S+)?\s_$"] ['set', 'apache-shellshock', 'addaction', 'iptables-multiport'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'"] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'name', 'apache-shellshock'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'known/**name**', 'Init'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-shellshock', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'dovecot', 'systemd'] ['set', 'dovecot', 'usedns', 'warn'] ['set', 'dovecot', 'maxretry', 5] ['set', 'dovecot', 'addignoreip', '127.0.0.1/8'] ['set', 'dovecot', 'logencoding', 'auto'] ['set', 'dovecot', 'bantime', 600] ['set', 'dovecot', 'ignorecommand', ''] ['set', 'dovecot', 'findtime', 600] ['set', 'dovecot', 'addfailregex', '^\s_(<[^.]+\.[^.]+>)?\s_(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s_(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S\* uid=\S\* euid=\S\* tty=dovecot ruser=\S\* rhost=<HOST>(\s+user=\S_)?\s_$'] ['set', 'dovecot', 'addfailregex', '^\s_(<[^.]+\.[^.]+>)?\s_(?:\S+ )?(?:kernel: \[ _\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s_(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S_>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s_$'] ['set', 'dovecot', 'addfailregex', '^\s_(<[^.]+\.[^.]+>)?\s_(?:\S+ )?(?:kernel: \[ _\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s_(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s_$'] ['set', 'dovecot', 'addfailregex', '^\s_(<[^.]+\.[^.]+>)?\s_(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s_auth-worker\(\d+\): pam\(\S+,<HOST>\): unknown user\s_$'] ['set', 'dovecot', 'addjournalmatch', '_SYSTEMD_UNIT=dovecot.service'] ['set', 'dovecot', 'addaction', 'iptables-multiport'] ['set', 'dovecot', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>'] ['set', 'dovecot', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>'] ['set', 'dovecot', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>'] ['set', 'dovecot', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>'] ['set', 'dovecot', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'"] ['set', 'dovecot', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'dovecot', 'action', 'iptables-multiport', 'name', 'dovecot'] ['set', 'dovecot', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'dovecot', 'action', 'iptables-multiport', 'known/**name**', 'Init'] ['set', 'dovecot', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'dovecot', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'dovecot', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'dovecot', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'dovecot', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'dovecot', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'dovecot', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps,submission,465,sieve'] ['set', 'dovecot', 'action', 'iptables-multiport', 'bantime', '600'] ['add', 'postfix-sasl', 'systemd'] ['set', 'postfix-sasl', 'usedns', 'warn'] ['set', 'postfix-sasl', 'maxretry', 1] ['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-sasl', 'logencoding', 'auto'] ['set', 'postfix-sasl', 'bantime', 604800] ['set', 'postfix-sasl', 'ignorecommand', ''] ['set', 'postfix-sasl', 'findtime', 604800] ['set', 'postfix-sasl', 'addignoreregex', 'authentication failed: Connection lost to authentication server$'] ['set', 'postfix-sasl', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s_(?:\S+ )?(?:kernel: \[ _\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s_warning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]_={0,2})?\s_$'] ['set', 'postfix-sasl', 'addfailregex', '(?i): warning: [-._\w]+\[<HOST>\]: SASL PLAIN authentication failed:'] ['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service'] ['set', 'postfix-sasl', 'addaction', 'iptables-multiport'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'"] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'name', 'postfix-sasl'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/**name**', 'Init'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'port', 'smtp,465,submission,imap3,imaps,pop3,pop3s'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'bantime', '604800'] ['set', 'postfix-sasl', 'addaction', 'sendmail-whois'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> fromuname -n\nDate:LC_TIME=C date +"%a, %d %h %Y %T %z"\nFrom: <sendername> <<sender>>\nTo: <dest>\n\nHi,\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\n\n\nHere is more information about <ip>:\n\n/usr/bin/whois || echo missing whois program\n\nRegards,\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped onuname -n\nDate:LC_TIME=C date +"%a, %d %h %Y %T %z"\nFrom: <sendername> <<sender>>\nTo: <dest>\n\nHi,\n\nThe jail <name> has been stopped.\n\nRegards,\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started onuname -n\nDate:LCTIME=C date +"%a, %d %h %Y %T %z"`\nFrom: <>\nTo: \n\nHi,\n\nThe jail has been started successfully.\n\nRegards,\n\nFail2Ban" | /usr/sbin/sendmail -f '] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'actionunban', ''] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'actioncheck', ''] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'protocol', 'tcp'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'name', 'postfix-sasl'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'chain', 'INPUT'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'known/sender', 'fail2ban'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'dest', 'root@localhost'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'known/name', 'Init'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'known/dest', 'root'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban'] ['set', 'postfix-sasl', 'action', 'sendmail-whois', 'sender', 'fail2ban'] ['add', 'cockpit', 'systemd'] ['set', 'cockpit', 'usedns', 'warn'] ['set', 'cockpit', 'maxretry', 10] ['set', 'cockpit', 'addignoreip', '127.0.0.1/8'] ['set', 'cockpit', 'logencoding', 'auto'] ['set', 'cockpit', 'ignorecommand', ''] ['set', 'cockpit', 'findtime', 120] ['set', 'cockpit', 'bantime', 600] ['set', 'cockpit', 'addfailregex', '^\s(<[^.]+.[^.]+>)?\s(?:\S+ )?(?:kernel: [ *\d+.\d+] )?(?:@vserver\S+ )?(?:(?:[\d+])?:\s+[[(]?\S(?:(\S+))?[])]?:?|[[(]?\S(?:(\S+))?[])]?:?(?:[\d+])?:?)?\s(?:[ID \d+ \S+])?\s_pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost='] ['set', 'cockpit', 'addjournalmatch', '_SYSTEMD_UNIT=cockpit.service'] ['set', 'cockpit', 'addaction', 'iptables-multiport'] ['set', 'cockpit', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'cockpit', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'cockpit', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'cockpit', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'cockpit', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'cockpit', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'cockpit', 'action', 'iptables-multiport', 'name', 'cockpit'] ['set', 'cockpit', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'cockpit', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'cockpit', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'cockpit', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'cockpit', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'cockpit', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'cockpit', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'cockpit', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'cockpit', 'action', 'iptables-multiport', 'port', '9090'] ['set', 'cockpit', 'action', 'iptables-multiport', 'bantime', '600'] ['set', 'cockpit', 'addaction', 'sendmail-whois'] ['set', 'cockpit', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] : banned from uname -n\nDate: LC_TIME=C date +"%a, %d %h %Y %T %z"\nFrom: <>\nTo: \n\nHi,\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\n\n\nHere is more information about :\n\n/usr/bin/whois <ip> || echo missing whois program\n\nRegards,\n\nFail2Ban" | /usr/sbin/sendmail -f '] ['set', 'cockpit', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] : stopped on uname -n\nDate: LC_TIME=C date +"%a, %d %h %Y %T %z"\nFrom: <>\nTo: \n\nHi,\n\nThe jail has been stopped.\n\nRegards,\n\nFail2Ban" | /usr/sbin/sendmail -f '] ['set', 'cockpit', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] : started on uname -n\nDate: LC_TIME=C date +"%a, %d %h %Y %T %z"\nFrom: <>\nTo: \n\nHi,\n\nThe jail has been started successfully.\n\nRegards,\n\nFail2Ban" | /usr/sbin/sendmail -f '] ['set', 'cockpit', 'action', 'sendmail-whois', 'actionunban', ''] ['set', 'cockpit', 'action', 'sendmail-whois', 'actioncheck', ''] ['set', 'cockpit', 'action', 'sendmail-whois', 'protocol', 'tcp'] ['set', 'cockpit', 'action', 'sendmail-whois', 'name', 'cockpit'] ['set', 'cockpit', 'action', 'sendmail-whois', 'chain', 'INPUT'] ['set', 'cockpit', 'action', 'sendmail-whois', 'known/sender', 'fail2ban'] ['set', 'cockpit', 'action', 'sendmail-whois', 'dest', 'root@localhost'] ['set', 'cockpit', 'action', 'sendmail-whois', 'known/name', 'Init'] ['set', 'cockpit', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban'] ['set', 'cockpit', 'action', 'sendmail-whois', 'known/dest', 'root'] ['set', 'cockpit', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban'] ['set', 'cockpit', 'action', 'sendmail-whois', 'sender', 'fail2ban'] ['add', 'apache-400', 'auto'] ['set', 'apache-400', 'usedns', 'warn'] ['set', 'apache-400', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-400', 'addlogpath', '/var/log/httpd/ssl_error_log', 'head'] ['set', 'apache-400', 'maxretry', 10] ['set', 'apache-400', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-400', 'logencoding', 'auto'] ['set', 'apache-400', 'bantime', 3600] ['set', 'apache-400', 'ignorecommand', ''] ['set', 'apache-400', 'findtime', 600] ['set', 'apache-400', 'addfailregex', '(?P[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}) .+ 400 [0-9]+ "'] ['set', 'apache-400', 'addaction', 'iptables-multiport'] ['set', 'apache-400', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-400', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-400', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-400', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-400', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-400', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-400', 'action', 'iptables-multiport', 'name', 'apache-400'] ['set', 'apache-400', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-400', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-400', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-400', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-400', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-400', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-400', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-400', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-400', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-400', 'action', 'iptables-multiport', 'bantime', '3600'] ['add', 'apache-401', 'auto'] ['set', 'apache-401', 'usedns', 'warn'] ['set', 'apache-401', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-401', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-401', 'maxretry', 20] ['set', 'apache-401', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-401', 'logencoding', 'auto'] ['set', 'apache-401', 'bantime', 3600] ['set', 'apache-401', 'ignorecommand', ''] ['set', 'apache-401', 'findtime', 30] ['set', 'apache-401', 'addfailregex', ' - - [.] "GET /.* HTTP/1.[01]" 401 [0-9]+._$'] ['set', 'apache-401', 'addaction', 'iptables-multiport'] ['set', 'apache-401', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-401', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-401', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-401', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-401', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-401', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-401', 'action', 'iptables-multiport', 'name', 'apache-401'] ['set', 'apache-401', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-401', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-401', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-401', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-401', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-401', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-401', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-401', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-401', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-401', 'action', 'iptables-multiport', 'bantime', '3600'] ['add', 'apache-403', 'auto'] ['set', 'apache-403', 'usedns', 'warn'] ['set', 'apache-403', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-403', 'addlogpath', '/var/log/httpd/ssl_error_log', 'head'] ['set', 'apache-403', 'maxretry', 10] ['set', 'apache-403', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-403', 'logencoding', 'auto'] ['set', 'apache-403', 'bantime', 3600] ['set', 'apache-403', 'ignorecommand', ''] ['set', 'apache-403', 'findtime', 600] ['set', 'apache-403', 'addfailregex', '(?P[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}) .+ 403 [0-9]+ "'] ['set', 'apache-403', 'addaction', 'iptables-multiport'] ['set', 'apache-403', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-403', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-403', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-403', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-403', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-403', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-403', 'action', 'iptables-multiport', 'name', 'apache-403'] ['set', 'apache-403', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-403', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-403', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-403', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-403', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-403', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-403', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-403', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-403', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-403', 'action', 'iptables-multiport', 'bantime', '3600'] ['add', 'apache-404', 'auto'] ['set', 'apache-404', 'usedns', 'warn'] ['set', 'apache-404', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'apache-404', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'apache-404', 'maxretry', 100] ['set', 'apache-404', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-404', 'logencoding', 'auto'] ['set', 'apache-404', 'bantime', 3600] ['set', 'apache-404', 'ignorecommand', ''] ['set', 'apache-404', 'findtime', 60] ['set', 'apache-404', 'addfailregex', ' - - [.] "GET /.* HTTP/1.[01]" 404 [0-9]+._$'] ['set', 'apache-404', 'addaction', 'iptables-multiport'] ['set', 'apache-404', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'apache-404', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'apache-404', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'apache-404', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'apache-404', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'apache-404', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-404', 'action', 'iptables-multiport', 'name', 'apache-404'] ['set', 'apache-404', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-404', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'apache-404', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'apache-404', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'apache-404', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'apache-404', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'apache-404', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-404', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-404', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-404', 'action', 'iptables-multiport', 'bantime', '3600'] ['add', 'w00tw00t-scans', 'auto'] ['set', 'w00tw00t-scans', 'usedns', 'warn'] ['set', 'w00tw00t-scans', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'w00tw00t-scans', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'w00tw00t-scans', 'maxretry', 1] ['set', 'w00tw00t-scans', 'addignoreip', '127.0.0.1/8'] ['set', 'w00tw00t-scans', 'logencoding', 'auto'] ['set', 'w00tw00t-scans', 'bantime', 604800] ['set', 'w00tw00t-scans', 'ignorecommand', ''] ['set', 'w00tw00t-scans', 'findtime', 604800] ['set', 'w00tw00t-scans', 'addfailregex', '^.[client ].w00tw00t.'] ['set', 'w00tw00t-scans', 'addfailregex', '^._GET.w00tw00t.'] ['set', 'w00tw00t-scans', 'addaction', 'iptables-multiport'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'name', 'w00tw00t-scans'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'w00tw00t-scans', 'action', 'iptables-multiport', 'bantime', '604800'] ['add', 'wp-login-scans', 'auto'] ['set', 'wp-login-scans', 'usedns', 'warn'] ['set', 'wp-login-scans', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'wp-login-scans', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'wp-login-scans', 'maxretry', 1] ['set', 'wp-login-scans', 'addignoreip', '127.0.0.1/8'] ['set', 'wp-login-scans', 'logencoding', 'auto'] ['set', 'wp-login-scans', 'bantime', 604800] ['set', 'wp-login-scans', 'ignorecommand', ''] ['set', 'wp-login-scans', 'findtime', 604800] ['set', 'wp-login-scans', 'addfailregex', ' - - [.] "GET /wp-login.php HTTP/1.[01]" 404 [0-9]+._$'] ['set', 'wp-login-scans', 'addaction', 'iptables-multiport'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'name', 'wp-login-scans'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'wp-login-scans', 'action', 'iptables-multiport', 'bantime', '604800'] ['add', 'wp-config', 'auto'] ['set', 'wp-config', 'usedns', 'warn'] ['set', 'wp-config', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'wp-config', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'wp-config', 'maxretry', 1] ['set', 'wp-config', 'addignoreip', '127.0.0.1/8'] ['set', 'wp-config', 'logencoding', 'auto'] ['set', 'wp-config', 'bantime', 604800] ['set', 'wp-config', 'ignorecommand', ''] ['set', 'wp-config', 'findtime', 604800] ['set', 'wp-config', 'addfailregex', ' - - [.] "GET .\wp-config.php HTTP/1.[01]" 404 [0-9]+.$'] ['set', 'wp-config', 'addaction', 'iptables-multiport'] ['set', 'wp-config', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'wp-config', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'wp-config', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'wp-config', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'wp-config', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'wp-config', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'wp-config', 'action', 'iptables-multiport', 'name', 'wp-config'] ['set', 'wp-config', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'wp-config', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'wp-config', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'wp-config', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'wp-config', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'wp-config', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'wp-config', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'wp-config', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'wp-config', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'wp-config', 'action', 'iptables-multiport', 'bantime', '604800'] ['add', 'cgi-bin', 'auto'] ['set', 'cgi-bin', 'usedns', 'warn'] ['set', 'cgi-bin', 'addlogpath', '/var/log/httpd/error_log', 'head'] ['set', 'cgi-bin', 'addlogpath', '/var/log/httpd/ssl_errorlog', 'head'] ['set', 'cgi-bin', 'maxretry', 1] ['set', 'cgi-bin', 'addignoreip', '127.0.0.1/8'] ['set', 'cgi-bin', 'logencoding', 'auto'] ['set', 'cgi-bin', 'bantime', 604800] ['set', 'cgi-bin', 'ignorecommand', ''] ['set', 'cgi-bin', 'findtime', 604800] ['set', 'cgi-bin', 'addfailregex', '[.] ._ ".* .cgi-bin. HTTP/1.[01]" [0-9]+.$'] ['set', 'cgi-bin', 'addfailregex', ' - - [.] ".* .cgi-bin. HTTP/1.[01]" 404 [0-9]+.$'] ['set', 'cgi-bin', 'addaction', 'iptables-multiport'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'name', 'cgi-bin'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'cgi-bin', 'action', 'iptables-multiport', 'bantime', '604800'] ['add', 'postfix-relay', 'auto'] ['set', 'postfix-relay', 'usedns', 'warn'] ['set', 'postfix-relay', 'maxretry', 1] ['set', 'postfix-relay', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-relay', 'logencoding', 'auto'] ['set', 'postfix-relay', 'ignorecommand', ''] ['set', 'postfix-relay', 'findtime', 6000] ['set', 'postfix-relay', 'bantime', 604800] ['set', 'postfix-relay', 'addfailregex', 'reject: RCPT from (.)[]: 454 4.7.1'] ['set', 'postfix-relay', 'addaction', 'iptables-multiport'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b- 1 -s -j '] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'actionstop', 'iptables -D -p -m multiport --dports -j f2b-\niptables -F f2b-\niptables -X f2b-'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-\niptables -A f2b- -j RETURN\niptables -I -p -m multiport --dports -j f2b-'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b- -s -j '] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L | grep -q 'f2b-[ \t]'"] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'name', 'postfix-relay'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'known/name', 'Init'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'port', 'smtp,ssmtp'] ['set', 'postfix-relay', 'action', 'iptables-multiport', 'bantime', '604800'] ['start', 'apache-auth'] ['start', 'apache-badbots'] ['start', 'apache-noscript'] ['start', 'apache-overflows'] ['start', 'apache-nohome'] ['start', 'apache-botsearch'] ['start', 'apache-fakegooglebot'] ['start', 'apache-modsecurity'] ['start', 'apache-shellshock'] ['start', 'dovecot'] ['start', 'postfix-sasl'] ['start', 'cockpit'] ['start', 'apache-400'] ['start', 'apache-401'] ['start', 'apache-403'] ['start', 'apache-404'] ['start', 'w00tw00t-scans'] ['start', 'wp-login-scans'] ['start', 'wp-config'] ['start', 'cgi-bin'] ['start', 'postfix-relay']

johnassel commented 9 years ago

Ok, hit the wrong button - shouldn't be closed...

sebres commented 9 years ago

Whats about default backend as you create an output? auto or systemd? Examples in your output: ['add', 'postfix-sasl', 'systemd'] - means this have systemd as backend; ['add', 'postfix-relay', 'auto'] - means this try to recognize backend (auto);

And if you change default backend, you should change per jail for jail other jails back...

cortopy commented 9 years ago

@johnassel After reading about this issue, I'm not sure if the objective is whether or not to use systemd as backend.

If you still want to use it, https://fedoraproject.org/wiki/Fail2ban_with_FirewallD is a good reference.

Have you tried setting banaction = firewallcmd-ipset?

sebres commented 7 years ago

Default backend is systemd for postfix-jails on fedora in our configs:

# paths-fedora.conf:
postfix_backend = systemd
# jail.conf:
backend = %(postfix_backend)s

Please make you changes never in jail.conf and don't copy whole jail.conf into jail.local (jail.local should contain your customizations only). The stock configs can be overwritten by package upgrade. Please take a look at https://github.com/sebres/fail2ban/wiki/Properly-fail2ban-configuration

So I'll close this. Just let me know here, if I'm wrong.