forum.lissyara.su

Добавлено: **2010-12-09 6:01:15**

По эти статья настроил: http://www.lissyara.su/articles/freebsd ... /fail2ban/

2010-12-08 20:17:52,594 fail2ban.actions: WARNING [exim-ipfw] Ban 116.111.153.131
2010-12-08 20:18:05,956 fail2ban.actions: WARNING [exim-ipfw] Ban 123.18.185.202
2010-12-08 20:18:10,078 fail2ban.actions: WARNING [exim-ipfw] Ban 123.18.240.231
2010-12-08 20:18:33,737 fail2ban.actions: WARNING [exim-ipfw] Ban 94.189.237.243
2010-12-08 20:19:40,630 fail2ban.actions: WARNING [exim-ipfw] Ban 118.71.28.162
2010-12-08 20:19:49,895 fail2ban.actions: WARNING [exim-ipfw] 123.18.185.202 already banned
2010-12-08 20:21:21,480 fail2ban.actions: WARNING [exim-ipfw] Ban 118.68.110.201
2010-12-08 20:22:27,343 fail2ban.actions: WARNING [exim-ipfw] 123.18.185.202 already banned
2010-12-08 20:22:36,602 fail2ban.actions: WARNING [exim-ipfw] Ban 180.242.62.71
2010-12-08 20:25:21,246 fail2ban.actions: WARNING [exim-ipfw] Ban 187.24.149.37

ipfw table 50 list показывает:

Код: Выделить всё

94.189.237.243/32 0
116.111.153.131/32 0
118.68.110.201/32 0
118.71.28.162/32 0
123.18.185.202/32 0
123.18.240.231/32 0
180.242.62.71/32 0
187.24.149.37/32 0

ipfw show показывает:

Код: Выделить всё

01400    92    17744 deny tcp from table(50) to me dst-port 25 via bce1

Вроде правила правильно. Все равно пропускает пакетов.
Почему пишет already banned?

Добавлено: **2010-12-10 18:54:33**

Возможно у тебя в exim логе огромная портянка, и fail2ban долго ее парсит...
и ему попадаются одинаковые адреса.

Добавлено: **2010-12-10 19:08:46**

Да ты прав!
здесь: cat /usr/local/etc/fail2ban/filter.d/exim.conf

Код: Выделить всё

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|Listed in cbl.abuseat.org|We aren't an open relay|Warning: SPAM:)

cat /var/log/fail2ban.log

Код: Выделить всё

2010-12-10 21:17:00,641 fail2ban.actions: WARNING [exim-ipfw] Ban 189.73.160.75
2010-12-10 21:20:21,314 fail2ban.actions: WARNING [exim-ipfw] 189.73.160.75 already banned

cat mainlog|grep 189.73.160.75

Код: Выделить всё

2010-12-10 21:14:21 no IP address found for host 189-73-160-75.cslce701.dsl.brasiltelecom.net.br (during SMTP connection from (jpgfulbp) [189.73.160.75])
2010-12-10 21:15:14 H=(jpgfulbp) [189.73.160.75] F=<emelinacaryltr@tcfbank.com> rejected RCPT <bektemirov@domain.zx>: REJECT: We aren't an open relay
2010-12-10 21:16:07 H=(jpgfulbp) [189.73.160.75] F=<emelinacaryltr@tcfbank.com> rejected RCPT <gudkov@domain.zx>: REJECT: We aren't an open relay
2010-12-10 21:16:59 H=(jpgfulbp) [189.73.160.75] F=<emelinacaryltr@tcfbank.com> rejected RCPT <baymaganbetova@domain.zx>: REJECT: We aren't an open relay
2010-12-10 21:17:51 H=(jpgfulbp) [189.73.160.75] F=<emelinacaryltr@tcfbank.com> rejected RCPT <fair@domain.zx>: REJECT: We aren't an open relay
2010-12-10 21:19:05 H=(jpgfulbp) [189.73.160.75] F=<emelinacaryltr@tcfbank.com> rejected RCPT <insp@domain.zx>: REJECT: We aren't an open relay
2010-12-10 21:20:19 H=(jpgfulbp) [189.73.160.75] F=<emelinacaryltr@tcfbank.com> rejected RCPT <sergeynn@domain.zx>: REJECT: We aren't an open relay
2010-12-10 21:20:19 SMTP connection from (jpgfulbp) [189.73.160.75] lost while reading message data (header)

Добавлено: **2010-12-10 22:12:12**

здесь кажется не правильно

Код: Выделить всё

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|Listed in cbl.abuseat.org|We aren't an open relay|Warning: SPAM:)

в логе повторяется одно и тоже

Добавлено: **2010-12-10 22:20:12**

http://realcode.ru/regexptester/

Добавлено: **2010-12-11 9:44:52**

Проверил, выражения правильно.

forum.lissyara.su

Fail2ban: already banned (ipfw пропускает пакетов?)

Fail2ban: already banned (ipfw пропускает пакетов?)

Re: Fail2ban: already banned (ipfw пропускает пакетов?)

Re: Fail2ban: already banned (ipfw пропускает пакетов?)

Re: Fail2ban: already banned (ipfw пропускает пакетов?)

Re: Fail2ban: already banned (ipfw пропускает пакетов?)

Re: Fail2ban: already banned (ipfw пропускает пакетов?)