Fail2ban bannie non bannie

kmchen · Avril 8, 2021, 8:36am

Bonjour,
Un petit pb avec fial2ban. J’ai une IP qui génère une erreur de log Postfix quasiment toutes les minutes depuis des jours:

fail2ban > grep 212.70.149.71 /var/log/mail.warn
Apr  4 00:00:48 ks307144 postfix/smtps/smtpd[13880]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  4 00:02:28 ks307144 postfix/smtps/smtpd[13880]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  4 00:04:08 ks307144 postfix/smtps/smtpd[13880]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
...
Apr  8 10:10:16 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 10:11:55 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 10:13:35 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 10:15:09 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 10:16:50 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 10:23:16 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  8 10:24:56 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Fail2ban la déclare bannie mais je ne la vois pas, ni en recidive, ni dans iptables:

fail2ban > date
jeudi 8 avril 2021, 10:25:38 (UTC+0200)
 fail2ban > fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     34018
|  `- File list:        /var/log/mail.warn
`- Actions
   |- Currently banned: 1
   |- Total banned:     30
   `- Banned IP list:   212.70.149.71

 fail2ban > fail2ban-client status recidive|grep 212.70.149.71
 fail2ban > iptables -S |grep 212.70.149.71
 fail2ban >

La configuration jail.conf:

[DEFAULT]
maxretry = 3
bantime  = 3600
findtime  = 600
...
[postfix-sasl]
enabled = true
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.warn
backend  = %(postfix_backend)s
...
[recidive]
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 14d
findtime = 1d
...

fail2ban > cat filter.d/postfix-sasl.conf 
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko

et fail2ban.log:

...
2021-04-08 10:20:03,027 fail2ban.actions        [27312]: WARNING [postfix-sasl] 212.70.149.71 already banned
2021-04-08 10:21:40,574 fail2ban.filter         [27312]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:21:40
2021-04-08 10:23:16,705 fail2ban.filter         [27312]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:23:16
2021-04-08 10:24:56,041 fail2ban.filter         [27312]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:24:56
2021-04-08 10:24:56,614 fail2ban.actions        [27312]: WARNING [postfix-sasl] 212.70.149.71 already banned
2021-04-08 10:26:32,374 fail2ban.filter         [27312]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:26:32
2021-04-08 10:28:10,508 fail2ban.filter         [27312]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:28:10
2021-04-08 10:29:49,845 fail2ban.filter         [27312]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:29:49

Si quelqu’un peut me mettre sur la voie, merci