Watsup fail2ban?


#1

I'm seeing the following entries in the logs about 40 times per minute for the last 6 hours:

Jan 26 07:50:08 mail postfix/smtpd[26719]: connect from unknown[95.211.211.232]
Jan 26 07:50:08 mail postfix/smtpd[26719]: lost connection after AUTH from unknown[95.211.211.232]
Jan 26 07:50:08 mail postfix/smtpd[26719]: disconnect from unknown[95.211.211.232] ehlo=1 auth=0/1 commands=1/2
Jan 26 07:50:13 mail postfix/smtpd[26719]: warning: hostname vps.5.snthostings.com does not resolve to address 95.211.211.232: Name or service not known

Why doesn’t fail2ban block this, so at least there isn’t so much log noise?

Also, I just added mail to the list of stuff not to log to /var/log/syslog.


#2

The logs need to be there as fail2ban reads the logs to see what needs to be blocked or allowed. I would put mail back into syslog.

Otherwise simple brute-forcing / DDoSing is quite a bit easier to do.


#3

You mean fail2ban doesn’t read any of the mail logs (mail.info, mail.warn, etc.)?


#4

It reads many logs. Mail included. However, there is no reason to remove mail from syslog. It won't take much space and is rotated anyway.

What you should worry about is who owns the 95.211.211.232 IP address, as they might be doing a brute force attack. Hopefully F2B is actually blocking the attempt.
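To make #2 and #4 concrete, here is an added example (my own illustration, not fail2ban's code and not posted by anyone in this thread) of what a jail actually does with lines like the ones in #1: a failregex with a <HOST> placeholder is matched against each log line, matches are counted per IP inside a sliding findtime window, and the IP is banned once maxretry is reached. Lines the filter does not match (the "connect from", "disconnect from" and "warning: hostname ... does not resolve" lines) contribute nothing, which is why a jail can run while the log still fills up. The sample log is constructed after the posted lines, and the year (syslog timestamps carry none), the simplified <HOST> pattern and the maxretry/findtime values are assumptions.

```python
"""fail2ban-style detector: count per-IP filter matches in a sliding window, ban on maxretry."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines posted in #1 (not a real capture).
# 95.211.211.232 drops the connection after AUTH five times; 198.51.100.9 once;
# 203.0.113.7 drops after DATA, which this filter deliberately ignores.
SAMPLE_LOG = """\
Jan 26 07:50:08 mail postfix/smtpd[26719]: connect from unknown[95.211.211.232]
Jan 26 07:50:08 mail postfix/smtpd[26719]: lost connection after AUTH from unknown[95.211.211.232]
Jan 26 07:50:08 mail postfix/smtpd[26719]: disconnect from unknown[95.211.211.232] ehlo=1 auth=0/1 commands=1/2
Jan 26 07:50:10 mail postfix/smtpd[26719]: lost connection after AUTH from unknown[95.211.211.232]
Jan 26 07:50:11 mail postfix/smtpd[26720]: lost connection after DATA from mx.example.net[203.0.113.7]
Jan 26 07:50:11 mail postfix/smtpd[26719]: lost connection after AUTH from unknown[95.211.211.232]
Jan 26 07:50:13 mail postfix/smtpd[26719]: warning: hostname vps.5.snthostings.com does not resolve to address 95.211.211.232: Name or service not known
Jan 26 07:50:13 mail postfix/smtpd[26719]: lost connection after AUTH from unknown[95.211.211.232]
Jan 26 07:50:15 mail postfix/smtpd[26721]: lost connection after AUTH from unknown[198.51.100.9]
Jan 26 07:50:16 mail postfix/smtpd[26719]: lost connection after AUTH from unknown[95.211.211.232]
"""

# Written the way a fail2ban failregex is written, with <HOST> marking the offender.
# This is an illustrative rule for the posted lines, not fail2ban's shipped postfix filter.
FAILREGEX = (
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[<HOST>\]"
)
# Simplified stand-in for fail2ban's <HOST> pattern (assumption: IPv4/IPv6 literals only).
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute <HOST> with a capturing group, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_syslog_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps have no year, so the caller supplies one (assumed, not from the log)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, failregex=FAILREGEX, maxretry=5, findtime=600, year=2024):
    """Return {ip: time_of_ban} for IPs with >= maxretry matches within findtime seconds.

    Mirrors jail semantics: only lines the filter matches count, the window slides
    per IP, and an IP that is already banned is not counted again.
    """
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)  # ip -> timestamps of recent matches, oldest first
    banned = {}
    for line in lines:
        m = rx.match(line)
        if not m:
            continue  # log noise as far as the jail is concerned
        ip = m.group("host")
        if ip in banned:
            continue
        t = parse_syslog_ts(m.group("ts"), year)
        q = hits[ip]
        q.append(t)
        while q and t - q[0] > window:  # drop matches that fell out of findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = t
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when}")
```

The practical check before trusting a jail is the same one this script performs: point the real filter at the real log (fail2ban ships `fail2ban-regex` for exactly that, run as `fail2ban-regex <logfile> <filter>`) and confirm that the line the attacker actually produces, here "lost connection after AUTH", is one the filter matches; a jail that only matches "SASL ... authentication failed" never sees a client that drops the connection before sending credentials.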


#5

I visually scan syslog as it does report the more serious errors that occasionally occur on a server, which is why I usually work to reduce log noise in syslog. The above issue would be adding over 230,000 lines to syslog every day, making scanning it a futile activity.

It turned out that postfix/anvil (I’m actually not sure what that is) was somehow alerted and began blocking the attack.

In regards to attackers, I've long ago given up bothering with who or what is attacking a server as there is just no way to know why the server is attacked. I've seen 600 kbps attacks on my gateway sustained for months.