Nigel Aves
2017-02-23 00:42:17 UTC
Is there a way of "knowing" that ipsets are working correctly?
I've looked through the dump file and that does not seem to contain the
information I need. The reason I ask, is that I have changed fail2ban to
use ipsets to pass the information across to shorewall. The reason I
have done this is because the old method stopped working after
implementing "blacklist if connection attempt on unused port"
2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO [postfix-sasl] Found 94.102.60.172
2017-02-22 16:57:33,148 fail2ban.filter [5721]: INFO [postfix-sasl] Found 89.248.171.234
2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO [postfix-sasl] Found 185.29.9.175
2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions [5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
I have tried two different methods in the rules file.
DROP:info net:+f2b $FW >> this was from a tutorial I discovered
and
ADD(f2b:src):info net $FW >> this is a modified version of Tom's
"blacklist if connection ...."
I have created the ipset all OK and get IPs
# ipset list f2b
Name: f2b
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 20048
References: 1
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163
87.241.171.225 timeout 290
124.228.112.30 timeout 227
181.120.35.243 timeout 78
146.0.235.55 timeout 237
If anyone could point me in the right direction, it would really help. I'm
losing too much hair scratching my head!
Many Thanks,
Nigel.
--
from the desk of Nigel
http://soft-focus-imagining.com
http://twin-peaks-video.com
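One way to check this from the logs alone, as an added example that is not part of the original message: an address that is a member of the set but keeps producing "Found" lines after fail2ban has reported it banned is still reaching the service, so the rule referencing the set is not dropping it. The function names are hypothetical and the sample input is excerpted from the post above.

```python
import re

# Matches fail2ban Found / Ban / Unban / "already banned" events; \s+ also
# tolerates the mail-wrapped form of the log lines.
EVENT = re.compile(
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]:\s+(?:INFO|NOTICE)\s+\[[^\]]+\]\s+"
    r"(?:Found (?P<found>\S+)|Unban (?P<unban>\S+)|Ban (?P<ban>\S+)"
    r"|(?P<already>\S+) already banned)")

def ipset_members(listing):
    """Addresses listed under 'Members:' in `ipset list <set>` output."""
    body = listing.partition("Members:")[2]
    return {line.split()[0] for line in body.splitlines() if line.strip()}

def hits_after_ban(log_text, members):
    """Count 'Found' events for set members logged after fail2ban reported a ban."""
    banned, leaks = set(), {}
    for m in EVENT.finditer(log_text):
        if m["unban"]:
            banned.discard(m["unban"])
        elif m["ban"] or m["already"]:
            banned.add(m["ban"] or m["already"])
        elif m["found"] in banned and m["found"] in members:
            leaks[m["found"]] = leaks.get(m["found"], 0) + 1
    return leaks

# Sample input excerpted from the post (log lines unwrapped, listing shortened).
SAMPLE_LOG = """\
2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO [postfix-sasl] Found 185.29.9.175
2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions [5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
"""
SAMPLE_SET = """\
Name: f2b
Type: hash:ip
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163
87.241.171.225 timeout 290
"""

if __name__ == "__main__":
    for ip, n in hits_after_ban(SAMPLE_LOG, ipset_members(SAMPLE_SET)).items():
        print(f"{ip}: {n} hit(s) after ban, traffic is still reaching the service")
```

This is a heuristic: connections that were already established before the ban can still produce hits, depending on where the rule sits in the ruleset.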