Fail2ban doesn’t have logging to show you which “user” gets blocked.
The reason is that Fail2ban is a low-level utility that works across many technologies, mostly at the IP and log-file level. The log-file level typically uses regular expressions, so getting Fail2ban to log, for example, which IMAP or SMTP user is blocked is not possible.
Instead, the way to go is to correlate two log files:
- The fail2ban log file
- The system log, e.g. syslog or /var/log/messages or the authentication log
In this example we’ll show you a fruitless attempt to see which user is causing an entire network to be blocked from one of our servers. The attempt was fruitless because the actual problem was that an email client on the end-users’ network has SMTP configured without authentication. In effect, it tries to connect to our outgoing server without a username, so checking for authentication failures doesn’t reveal a user. Do note that in some circumstances you will see the actual user, just not this time.
How to check the Fail2ban log file for bans
This would be step one to get the correct information on THE TIME OF THE INCIDENT.
```
cat /var/log/fail2ban.log | grep "Ban a.b.c.d"
2021-07-22 09:13:05,428 fail2ban.actions : NOTICE [postfix-sasl] Ban a.b.c.d
2021-07-22 09:13:05,707 fail2ban.actions : NOTICE [postfix-sasl2] Ban a.b.c.d
```
We can see the time is 09:13:05. Since bans would most likely occur after security logging, we can assume that the problem occurred a few milliseconds or a second or two before.
How to check Syslog for Authentication Failures
The next grep is more tricky, because on a really busy server you might have hundreds of events per minute. But here is a start:
```
cat /var/log/syslog | grep "a.b.c.d"
Jul 22 09:08:50 mail-server dovecot: pop3-login: Login: [email protected], method=PLAIN, rip=a.b.c.d, lip=z.y.x.w, mpid=1416314, session=<ieZ79bDHEchpuFzk>
Jul 22 09:13:01 mail-server postfix/smtpd: warning: hostname a-b-c-d.north.dsl.telkomsa.net does not resolve to address a.b.c.d: Name or service not known
Jul 22 09:13:01 mail-server postfix/smtpd: connect from unknown[a.b.c.d]
Jul 22 09:13:03 mail-server postfix/smtpd: warning: unknown[a.b.c.d]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:04 mail-server postfix/smtpd: warning: unknown[a.b.c.d]: SASL LOGIN authentication failed: authentication failure
Jul 22 09:13:06 mail-server postfix/smtpd: warning: unknown[a.b.c.d]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:08 mail-server postfix/smtpd: warning: unknown[a.b.c.d]: SASL LOGIN authentication failed: authentication failure
Jul 22 09:13:08 mail-server postfix/smtpd: lost connection after AUTH from unknown[a.b.c.d]
Jul 22 09:13:08 mail-server postfix/smtpd: disconnect from unknown[a.b.c.d] ehlo=1 auth=0/4 commands=1/5
```
If you’ve followed along you will see that the events from 09:13:04 most likely caused Fail2ban to kick in, after which it would have implemented a firewall rule. That rule implementation probably takes another second or two including firewall apply, and that would explain events
There you go! Masterclass in network administration. AKA, find a needle in a haystack 😉
Script to Check for Bans
Here is a Bash script to check for bans.
syslog.1 is used, which on our system shows the day before. If you want to see today, use
```bash
#!/bin/bash
# Obtain an IP address from the command line
ip_address="$1"
if [ -z "$ip_address" ]; then
    echo "Usage: $0 <ip-address>" >&2
    exit 1
fi
echo "Now searching for $ip_address in /var/log/fail2ban.log"
# Fixed-string match so the dots in the IP are not treated as regex wildcards
grep -F "Ban $ip_address" /var/log/fail2ban.log
echo "Please enter the first four digits of the date and time of the Ban outputted above, including the colon. E.g. 26 21:03"
read -r the_log_date_and_time
# Day and hour:minute as entered, then anything up to the IP address (syslog.1 holds the previous day on our system)
egrep "$the_log_date_and_time:.*$ip_address" /var/log/syslog.1
```
Most of the magic in the above script is the egrep command, which allows regular expressions. In this case:
> Find the log date and time as specified on the input, then match any character till you find the IP address.
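The same correlation, done programmatically rather than by eye, as an added example that is not part of the original post: it parses the Ban lines, pulls the syslog lines for that IP in a short window before each ban, counts the SASL failures and collects any username the lines reveal. The log excerpts, the IP addresses, the `alice@example.com` account and the window length are constructed for the example; with the default 10-second window the result shows exactly the post’s finding (failures but no user), while a wider window catches the earlier POP3 login for the same address.

```python
import re
from datetime import datetime, timedelta

# Constructed sample excerpts (not real data) modelled on the lines shown above.
FAIL2BAN_LOG = """\
2021-07-22 09:13:05,428 fail2ban.actions : NOTICE [postfix-sasl] Ban 198.51.100.23
2021-07-22 09:13:05,707 fail2ban.actions : NOTICE [postfix-sasl2] Ban 198.51.100.23
"""
SYSLOG = """\
Jul 22 09:08:50 mail-server dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5
Jul 22 09:13:01 mail-server postfix/smtpd: connect from unknown[198.51.100.23]
Jul 22 09:13:03 mail-server postfix/smtpd: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:04 mail-server postfix/smtpd: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Jul 22 09:13:08 mail-server postfix/smtpd: disconnect from unknown[198.51.100.23] ehlo=1 auth=0/4 commands=1/5
Jul 22 09:13:09 mail-server postfix/smtpd: connect from unknown[192.0.2.77]
"""

BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*: NOTICE \[(\S+)\] Ban (\S+)$")
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+?): (.*)$")
DOVECOT_USER_RE = re.compile(r"user=<([^>]*)>")

def parse_bans(text):
    """Return (timestamp, jail, ip) for every 'Ban' line in the fail2ban log."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return bans

def events_before_ban(syslog_text, ban_ts, ip, window_seconds, year):
    """Syslog lines mentioning ip in the window_seconds leading up to the ban.
    Syslog timestamps carry no year, so the caller supplies it."""
    start = ban_ts - timedelta(seconds=window_seconds)
    hits = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or ip not in m.group(3):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if start <= ts <= ban_ts:
            hits.append((ts, m.group(2), m.group(3)))
    return hits

def explain_bans(fail2ban_text, syslog_text, window_seconds=10, year=2021):
    """Per ban: jail, IP, number of SASL failures just before it, and any
    usernames the correlated lines reveal (often none, as the post found)."""
    report = []
    for ban_ts, jail, ip in parse_bans(fail2ban_text):
        hits = events_before_ban(syslog_text, ban_ts, ip, window_seconds, year)
        failures = sum("authentication failed" in msg for _, _, msg in hits)
        users = sorted({u for _, _, msg in hits for u in DOVECOT_USER_RE.findall(msg)})
        report.append({"jail": jail, "ip": ip, "sasl_failures": failures, "users": users})
    return report
```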