Description of problem:
The default /etc/fail2ban/filter.d/postfix-rbl.conf is looking for the wrong regex/code according to what postfix logs. /etc/fail2ban/filter.d/postfix-rbl.conf is looking for "...454 4.7.1...". Enabling "reject_rbl_client" in /etc/postfix/main.cf logs offenders as "...554 5.7.1..." which misses the fail2ban rule.

Version-Release number of selected component (if applicable):
[root@server filter.d]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[root@server filter.d]# rpm -q fail2ban
fail2ban-0.9.5-3.el7.noarch

How reproducible:
1) With a default installation of postfix with at least one instance of reject_rbl_client xxx in main.cf (likely in smtpd_recipient_restrictions),
2) And fail2ban/postfix-rbl.conf enabled,
3) fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf
All log lines/offenders are missed by the default rule

Steps to Reproduce:
1. install postfix and fail2ban/postfix-rbl with at least one instance of "reject_rbl_client xxx" on incoming mail
2. wait for spammers to send mail from RBL'd ip's
3. fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf shows all lines as "missed"

Actual results:
[root@server filter.d]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf

Running tests
=============

Use failregex filter file : postfix-rbl, basedir: /etc/fail2ban
Use log file : /var/log/maillog
Use encoding : ANSI_X3.4-1968

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [5768] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 5768 lines, 0 ignored, 0 matched, 5768 missed [processed in 0.58 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 5768 lines

Expected results:
[root@server filter.d]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf

Running tests
=============

Use failregex filter file : postfix-rbl, basedir: /etc/fail2ban
Use log file : /var/log/maillog
Use encoding : ANSI_X3.4-1968

Results
=======

Failregex: 2 total
|- #) [# of hits] regular expression
| 1) [2] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [5768] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 5768 lines, 0 ignored, 2 matched, 5766 missed [processed in 0.51 sec]

Additional info:
[root@server filter.d]# postconf -d | grep maps_rbl_reject_code
maps_rbl_reject_code = 554
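The mismatch described in the report above can be reproduced offline with the following added example, which is not part of the bug report or of fail2ban. It uses only the tail of the quoted failregex, replaces fail2ban's <HOST> tag with a simplified named group, and runs against constructed log lines; the pattern accepting either reply code is a hypothetical illustration, not the upstream fix.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IP literals only).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# Tail of the failregex quoted in the report, with the reply code left as a slot.
TAIL = (r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: CODE "
        r"Service unavailable; Client host \[\S+\] blocked using .* "
        r"from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$")

# Pattern as the report describes the default filter (454 4.7.1 only).
ONLY_454 = re.compile(TAIL.replace("CODE", r"454 4\.7\.1"))
# Hypothetical pattern accepting the temporary or the permanent reply code.
EITHER = re.compile(TAIL.replace("CODE", r"(?:454 4|554 5)\.7\.1"))


def reject_line(ip, reply):
    """Build a constructed maillog line in the shape the report's regex expects."""
    return ("Jan 10 03:14:15 server postfix/smtpd[2101]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: {reply} Service unavailable; "
            f"Client host [{ip}] blocked using rbl.example.org; "
            "from=<a@example.net> to=<b@example.com> proto=ESMTP "
            "helo=<mail.example.net>")


# Constructed sample log: one permanent reject, one temporary reject, one
# unrelated smtpd line that neither pattern should match.
LOG = [
    reject_line("192.0.2.10", "554 5.7.1"),
    reject_line("198.51.100.7", "454 4.7.1"),
    "Jan 10 03:14:17 server postfix/smtpd[2101]: connect from unknown[203.0.113.5]",
]


def offenders(pattern, lines):
    """Return the hosts captured from lines the pattern matches, in log order."""
    return [m.group("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for name, pat in (("454 only", ONLY_454), ("454 or 554", EITHER)):
        print(f"{name:>10}: {offenders(pat, LOG)}")
```

With maps_rbl_reject_code = 554, as shown in the report, only the second pattern captures the rejected client.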
Can you please file this upstream at https://github.com/fail2ban/fail2ban/issues ? Thanks.
Done. https://github.com/fail2ban/fail2ban/issues/1634
FEDORA-EPEL-2019-dac149ad76 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.