Hi
I have installed Attack Detector and I don't know if it will work.
Is there a way I can see if it is working? I can see this in the log:
warning: unknown[91.200.12.129]: SASL LOGIN authentication failed: authentication failure
Oct 12 20:11:15 myxxxxxx postfix/smtpd[1935]: lost connection after AUTH from unknown[91.200.12.129]
Oct 12 20:11:15 myxxxxxx postfix/smtpd[1935]: disconnect from unknown[91.200.12.129]
and maybe this is how to see if it's working?
Claus
Responses (6)
-
Accepted Answer
ipset is not a service. It is part of the iptables firewall. With fail2ban/app-attack-detector there is no need to save the sets as fail2ban will rebuild them each time it starts from its own database.
If you want to save your own sets you can with something like:
ipset save blocklist > /usr/src/ipset_blocklist.save
sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
You can then restore it with (ipset restore reads the saved session from stdin):
ipset restore < /usr/src/ipset_blocklist.save
File names are up to you. This example saves a set called "blocklist".
If you want to load an ipset set on boot up, it is best to force the loading of the module by adding a file /etc/sysconfig/modules/ip_set.modules and in it put:
modprobe ip_set
or the restore may fail if ClearOS tries to run it before ipset has loaded (this is a current bug in app-attack-detector which will be fixed in 7.4 where they force ip_set to load as part of the firewall start up). You may need to make the file executable.
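The save-and-restore flow from the answer above, as an added POSIX sh example that is not Nick Howitt's or ClearOS's code. It differs from the one-liners in two small ways a practitioner would want: the -exist rewrite is anchored to the command word at the start of each line, so a set name that happens to contain "add" is not mangled, and the saved session is fed to ipset restore on stdin after the ip_set module has been loaded. The set name "blocklist", the /usr/src path and the sample ipset save output are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not ClearOS's or Nick Howitt's code): keep a hand-maintained
# ipset across reboots. Saves the set in a form that can be replayed safely,
# restores it from stdin, and installs the boot-time ip_set module loader.

SET_NAME="${SET_NAME:-blocklist}"                          # assumed set name
SAVE_FILE="${SAVE_FILE:-/usr/src/ipset_${SET_NAME}.save}"  # assumed location
MODULES_FILE="/etc/sysconfig/modules/ip_set.modules"

# Rewrite `ipset save` output so that replaying it twice does not fail.
# The substitutions are anchored to the command word at the start of the
# line, so a set name or entry that contains "add" is left untouched.
make_idempotent_restore() {
    sed -e 's/^create /create -exist /' -e 's/^add /add -exist /'
}

# Dump the live set through the rewrite into SAVE_FILE.
save_set() {
    ipset save "$SET_NAME" | make_idempotent_restore > "$SAVE_FILE"
}

# Load the module first, then feed the saved session to `ipset restore`,
# which reads it from stdin.
restore_set() {
    modprobe ip_set || return 1
    [ -r "$SAVE_FILE" ] || { echo "no $SAVE_FILE" >&2; return 1; }
    ipset restore < "$SAVE_FILE"
}

# Write the boot-time module loader mentioned in the thread and make it
# executable so the init scripts actually run it.
install_module_loader() {
    printf '#!/bin/sh\nmodprobe ip_set\n' > "$MODULES_FILE" && chmod +x "$MODULES_FILE"
}

# Constructed sample of what `ipset save blocklist` prints (documentation
# ranges, not addresses from the thread).
SAMPLE_SAVE='create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.0/24
add blocklist 198.51.100.0/24'

case "${1:-demo}" in
    save)    save_set ;;
    restore) restore_set ;;
    modules) install_module_loader ;;
    demo)    printf '%s\n' "$SAMPLE_SAVE" | make_idempotent_restore ;;
esac
```

Run it with no argument to see the rewritten sample; "save", "restore" and "modules" need root and a system with ipset installed. Because every create and add line carries -exist, running "restore" a second time (for example from two different boot hooks) is harmless instead of aborting on the first "set already exists" error.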
-
Nick Howitt wrote:
Have a look in /var/log/fail2ban.log for detection (generally the "info" messages) and bans ("warning" messages). The postfix-sasl jail should pick up the first but won't ban until it gets 5 attempts in an hour, but these are manually configurable.
Hi
Yes, I can see that, but I also think I should be able to see in iptables the dropped IPs that are in the
fail2ban log; but if I run iptables -L I can't see any DROP lines with the IPs from the fail2ban log.
Claus
-
Sometime this year ClearOS started moving over to ipset blocking because it gets round problems with firewall restarting. For big blocks it is way more efficient but the downside is that it is harder to see what is going on. My setup is non-standard so I can't give you the exact answer, but do an "iptables -nvL" and if you don't have any f2b chains near the bottom then you are probably using ipset. From the listing, have a look at the top of the INPUT chain (or do an "iptables -nvL INPUT") and you will see a bunch of rules with "match-set" in them. Note the set name which follows, then do an "ipset list set_name" and you see the IPs in that list. This is what is being blocked. You can also test if an IP is in the list with "ipset test set_name IP_address".
Have a look at "man ipset" to see the different ipset commands available.
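The procedure in the reply above (list INPUT, note the set names after "match-set", then ipset test), as an added POSIX sh example that is not Nick Howitt's or ClearOS's code. The parsing works on any iptables -nvL listing read from stdin, so it can be checked offline; the sample listing, the counters and the set name f2b-postfix-sasl are constructed for the example (myset-network is the name used later in this thread).

```shell
#!/bin/sh
# Added example (not ClearOS's or Nick Howitt's code): find which ipset sets the
# INPUT chain consults, then ask ipset whether a given address is in any of them.

# Print every set name that follows "match-set" in an `iptables -nvL` listing
# read from stdin, one per line, deduplicated.
matchset_names() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "match-set") print $(i + 1) }' | sort -u
}

# Exit 0 if the listing on stdin contains any fail2ban (f2b-*) chain, which
# would mean fail2ban is still using per-IP iptables rules rather than ipset.
has_f2b_chains() {
    grep -q '^Chain f2b-'
}

# Exit 0 if address $2 is in set $1 (ipset test is non-zero when it is not).
in_set() {
    ipset test "$1" "$2" >/dev/null 2>&1
}

# On a live system: report which INPUT match-sets contain the address.
where_blocked() {
    ip="$1"
    iptables -nvL INPUT | matchset_names | while read -r name; do
        if in_set "$name" "$ip"; then
            echo "$ip is in set $name"
        fi
    done
}

# Constructed sample of `iptables -nvL INPUT` output; counters and the
# f2b-postfix-sasl set name are made up for the example.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b-postfix-sasl src
    7   420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set myset-network src
  999 61234 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

case "${1:-demo}" in
    demo) printf '%s\n' "$SAMPLE_INPUT_CHAIN" | matchset_names ;;
    *)    where_blocked "$1" ;;
esac
```

With no argument the script prints the set names found in the sample listing; given an address it runs the live check, which needs root and the iptables and ipset binaries. Note that a hit in a set only means a rule consults that set; the rule's position in the chain still decides whether traffic is dropped before an earlier ACCEPT.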
-
Hi
Thank you, I have found out it is working now with your help,
but I can't restart the ipset service like I can restart the firewall.
Is this not on ClearOS 7.3?
And if it is not, how can I install it? I have saved the ipset and want it to restore when I reboot.
I have moved my blocked IP networks from iptables to ipset; I think this is the way to go.
I have made these 2 rules in iptables and they are working:
iptables -I INPUT -m set --match-set myset-network src -j DROP
iptables -I FORWARD -m set --match-set myset-network src -j DROP
and put the blocked IP networks in myset-network in ipset.
Claus
-
Nick Howitt wrote:
ipset is not a service. It is part of the iptables firewall. With fail2ban/app-attack-detector there is no need to save the sets as fail2ban will rebuild them each time it starts from its own database.
If you want to save your own sets you can with something like:
ipset save blocklist > /usr/src/ipset_blocklist.save
sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
You can then restore it with (ipset restore reads the saved session from stdin):
ipset restore < /usr/src/ipset_blocklist.save
File names are up to you. This example saves a set called "blocklist".
If you want to load an ipset set on boot up, it is best to force the loading of the module by adding a file /etc/sysconfig/modules/ip_set.modules and in it put:
modprobe ip_set
or the restore may fail if ClearOS tries to run it before ipset has loaded (this is a current bug in app-attack-detector which will be fixed in 7.4 where they force ip_set to load as part of the firewall start up). You may need to make the file executable.
Thank you again for the quick answers. I will then wait for ClearOS 7.4 to come out; I don't reboot very often.
I will use the ipset restore for now and see how it works with 7.4.
Claus