Background
On some Virtualmin servers you may find that Fail2ban is logging events but, given the flood of “already banned” messages in its log, something is clearly wrong: Fail2ban believes it has banned an address, yet that address keeps producing new failures against the service, which means the ban is not taking effect at the firewall. This is a serious problem, because Postfix SASL password guessing is probably the most common brute-force attack that will be running against your mail server.
This article collects a number of terminal commands that can be used to troubleshoot this rather important issue.
Seeing which jails are active
fail2ban-client status
Output
Status
|- Number of jail:	6
`- Jail list:	dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth
Getting the status of a jail
fail2ban-client status postfix-sasl
Output
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:	10
|  |- Total failed:	362
|  `- File list:	/var/log/mail.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	45.142.120.32
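The status above says one address is banned, but it only reports what Fail2ban believes; a stream of “already banned” lines in /var/log/fail2ban.log for that same address means it is still reaching Postfix, so the real question is whether the ban ever landed in the firewall. The script below is an added example, not part of the original article or of Fail2ban itself. It counts “already banned” events per jail, extracts the offending IPs and checks them against a saved dump of the jail's iptables chain. The log excerpt, the chain dump and the chain name f2b-postfix-sasl (Fail2ban's default f2b-<jail> naming) are constructed for the example; on a real host feed it /var/log/fail2ban.log and the output of `iptables -S f2b-postfix-sasl` instead.

```bash
#!/bin/bash
# Added example (not from the original article or from Fail2ban): correlate
# "already banned" noise in fail2ban.log with the jail's firewall chain.
# Repeated "already banned" for one IP means Fail2ban thinks the host is
# banned while the host is still hitting Postfix, i.e. the ban action did
# not take effect at the firewall.
#
# All sample data below is constructed for the example. On a real server use
# /var/log/fail2ban.log and `iptables -S f2b-<jail>` (default chain name).

set -eu

# Constructed fail2ban.log excerpt (0.10+ message format).
SAMPLE_LOG=$(mktemp)
SAMPLE_CHAIN=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CHAIN"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2020-05-11 10:12:33,456 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 45.142.120.32
2020-05-11 10:13:01,789 fail2ban.filter         [1234]: INFO    [postfix-sasl] Found 45.142.120.32 - 2020-05-11 10:13:01
2020-05-11 10:14:02,123 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] 45.142.120.32 already banned
2020-05-11 10:15:07,001 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] 45.142.120.32 already banned
2020-05-11 10:16:40,222 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] 45.142.120.32 already banned
2020-05-11 10:17:12,333 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7
2020-05-11 10:18:55,444 fail2ban.actions        [1234]: NOTICE  [sshd] 203.0.113.7 already banned
2020-05-11 10:19:00,555 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 198.51.100.9
EOF

# Constructed `iptables -S f2b-postfix-sasl` dump: only one of the two
# addresses Fail2ban reported as banned actually made it into the chain.
cat > "$SAMPLE_CHAIN" <<'EOF'
-N f2b-postfix-sasl
-A f2b-postfix-sasl -s 198.51.100.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
EOF

# Number of "already banned" events logged for one jail.
already_banned_count() {  # $1=logfile $2=jail
    grep -c "\[$2\] [0-9.]* already banned" "$1" || true
}

# Unique IPs the jail reported as "already banned", most frequent first.
already_banned_ips() {  # $1=logfile $2=jail
    grep "\[$2\] [0-9.]* already banned" "$1" \
        | sed -E 's/.*\] ([0-9.]+) already banned.*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $2}'
}

# IPs (one per line on stdin) that have no -s rule in the saved chain dump.
missing_from_chain() {  # $1=chain dump file
    while IFS= read -r ip; do
        grep -q -- "-s $ip/32 " "$1" || echo "$ip"
    done
}

# Report for one jail. Returns 1 when an "already banned" IP is absent from
# the firewall chain (the ban action is not working), 0 otherwise.
check_jail() {  # $1=logfile $2=chain dump $3=jail
    local n missing
    n=$(already_banned_count "$1" "$3")
    echo "[$3] already banned events: $n"
    missing=$(already_banned_ips "$1" "$3" | missing_from_chain "$2")
    if [ -n "$missing" ]; then
        echo "[$3] reported banned by fail2ban but NOT present in firewall chain:"
        echo "$missing" | sed 's/^/    /'
        return 1
    fi
    echo "[$3] every already-banned IP is present in the chain"
    return 0
}

check_jail "$SAMPLE_LOG" "$SAMPLE_CHAIN" postfix-sasl \
    || echo "ban action is not reaching the firewall; check the jail's banaction"
```

With the constructed data the script reports three “already banned” events for postfix-sasl and flags 45.142.120.32 as missing from the chain, which is exactly the symptom the article describes: Fail2ban has recorded the ban, the firewall has not. A jail whose already-banned IPs all appear in the chain is behaving normally; the occasional duplicate right after a ban is just log lines that were already queued.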
Testing Regular Expression Matching
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
Output
Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 13 total
|-  #) [# of hits] regular expression
|   1) [5] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
|   7) [8] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [200257] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 200257 lines, 0 ignored, 13 matched, 200244 missed
[processed in 14.60 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 200244 lines

Note that this run exercises the generic postfix filter: the two expressions that matched (the RCPT and from lines) are Postfix's reject rules, not SASL authentication failures, so 13 matches out of 200257 lines says nothing about whether the postfix-sasl jail's regex works. On Fail2ban 0.10 and later the postfix-sasl jail uses the same postfix filter with the mode=auth parameter, so pass the filter to fail2ban-regex as postfix[mode=auth] to test the SASL rules; on older releases the jail used the separate filter file postfix-sasl.conf, which is the one to test there. Also check that the date pattern matched every line (here 200257 date hits for 200257 lines), since a date format fail2ban cannot parse makes every line miss regardless of the failregex.
References
- https://www.virtualmin.com/node/51312 (What’s wrong with my fail2ban regex/setup?)
- https://www.virtualmin.com/node/66774 (Security Risk: Fail2ban not working on Debian)