Question blocked ip in Fail2ban and iptables in Syslog Watch again

[shopuser]

Hi,

any ip adress are in fail2ban with the status blocked, and also in the ip tables ( per SSH added), but in the sys-log in plesk i can see the ip again with hacking activities, is this normal ?

 

[AYamshanov]

Hi,

If IP-address is blocked by a firewall, you shouldn't see hacking activities in logs at the same time.
Maybe ban was temporary and activities start again after unblock or IP-addresses every time is different.

 

[shopuser]

the ip is blocked in fail2ban, maybe works fail2ban not correctly.

in the log from fail2ban i can see :

2018-02-01 14:22:19,205 fail2ban.actions [1454]: NOTICE [plesk-postfix] 54.xx.xx.xxx already banned

in the sys-log i can see the:

Feb 1 14:17:45 plesk_saslauthd[16120]: No such user 'service@xxx' in mail authorization database
Feb 1 14:17:45 plesk_saslauthd[16120]: failed mail authenticatication attempt for user 'service@xxxxx' (password len=25)
Feb 1 14:17:45 postfix/smtpd[15879]: warning: 220.ip-x-x.eu[xxxxxxxx]: SASL LOGIN authentication failed: authentication failure

 

[AYamshanov]

I suggest check firewall and firewall rules. Is it really active and really filter traffic from the IP-address? Fail2ban does not ban by itself, it is use system's firewall for that.