Fail2ban Error – CentOS 7


From logwatch I saw this error:

ERROR   Failed to execute ban jail ‘ssh-iptables’ action ‘iptables’ info ‘CallingMap({‘ipjailmatches’: <function <lambda> at 0x7f8e24d2b578>, ‘matches’: u’Jan 28 00:15:51 saic sshd[30705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=  user=root\n

Failed password for root from port 45430 ssh2\n

Failed password for root from port 45430 ssh2′, ‘ip’: ‘’, ‘ipmatches’: <function <lambda> at 0x7f8e24d2b488>, ‘ipfailures’: <function <lambda> at 0x7f8e24d2bb90>, ‘time’: 1485558957.444361, ‘failures’: 3, ‘ipjailfailures’: <function <lambda> at 0x7f8e24d2b5f0>})’: Error starting action

To solve it I followed this:

and then this:

Not necessarily… But if you will really stand-alone fail2ban, so download direct from github or checkout via git (from github). – master – – debian – – repo – git://
Hereafter unzip it and run install:

cd /tmp/f2b
sudo python setup.py install

So I reinstalled fail2ban, after first backing up /etc/fail2ban.

After installation I overwrote /etc/fail2ban with my previous files.

Logwatch Centos 7

useful link to install logwatch:

logwatch --detail Low --mailto --service http --range today

Amavis – Clamd – Centos 7

I have this error in /var/log/maillog:
(!)connect to /var/run/clamd.amavisd/clamd.sock failed

I solved it this way:

Edit /etc/clamd/clamd.conf

LocalSocket /var/run/clamd.amavisd/clamd.sock
User amavis

The User I defined (amavis) has to be the owner of the folder /var/run/clamd.amavisd.
In the file /etc/amavisd/amavisd.conf you need the same socket path as before, /var/run/clamd.amavisd/clamd.sock, in this position:
# ###
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Configuration for helo hostname and accept mail without postgray check

add the following to the /etc/postfix/ configuration file

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =

create the file /etc/postfix/helo_access
and add your restriction like example: REJECT
pcname PERMIT

create the database (you don’t need restart postfix)
postmap /etc/postfix/helo_access 

postfix check
restart or reload postfix
/etc/init.d/postfix reload

/etc/init.d/postfix restart

print out configuration
postconf -n

mailq to see the mail in queue

To remove all mail from the queue, enter:
postsuper -d ALL

Accept mail without any postgray check:

vim  /etc/postfix/rbl_override OK OK OK OK OK OK OK

and my

smtpd_recipient_restrictions =
check_helo_access hash:/etc/postfix/helo_access,
check_client_access hash:/etc/postfix/rbl_override,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
#check_client_access pcre:/etc/postfix/client_checks.pcre,


after this configuration type:

postmap /etc/postfix/rbl_override

restart postfix


Fail2ban configuration file for WordPress

a) Create configuration file
vim /etc/fail2ban/filter.d/wordpress.conf

# Fail2Ban filter for WordPress hard failures

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

# each failregex line keys on a POST answered with 200 and a body size of 5127-5130 bytes
failregex = .*<HOST> - - .* "POST \/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            .*<HOST> - - .* "POST \/xmlrpc\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            .*<HOST> - - .* "POST \/blog\/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            .*<HOST> - - .* "POST \/web\/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
ignoreregex =

b) set jail.conf


# section header (jail name assumed)
[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https"]
logpath = /var/log/httpd/access_log
maxretry = 5
port = http,https
findtime = 300
bantime = 10800

restart fail2ban
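An added example (not from the original post) that replays constructed access_log lines through the first failregex above and tallies what the jail would count against maxretry = 5. It assumes an IPv4-only stand-in for fail2ban's <HOST> tag and adds an anchored variant of the rule for comparison: with the stand-in, the leading .* lets the match begin inside the address, so the tally is kept under a truncated IP.

```python
import re

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the real
# expansion is broader and differs between fail2ban versions).
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# First failregex line of the filter above, and an anchored variant added here.
PAGE_RULE = r'.*<HOST> - - .* "POST \/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*'
ANCHORED_RULE = '^' + PAGE_RULE[2:]  # same rule with the leading ".*" replaced by "^"

def log_line(ip, sec, request, status, size):
    """Build one constructed Apache access_log line."""
    return (f'{ip} - - [28/Jan/2017:00:15:{sec:02d} +0100] '
            f'"{request} HTTP/1.1" {status} {size} "-" "-"')

# Constructed sample: documentation addresses, invented sizes.
SAMPLE_LOG = [log_line('203.0.113.7', s, 'POST /wp-login.php', 200, 5127) for s in range(5)]
SAMPLE_LOG += [
    log_line('203.0.113.7', 9, 'POST /wp-login.php', 200, 5301),    # size outside 5127-5130
    log_line('198.51.100.20', 12, 'POST /wp-login.php', 302, '-'),  # redirect, not a 200
    log_line('198.51.100.20', 13, 'GET /wp-admin/', 200, 48211),
]

def failures(rule, lines):
    """Return {host: hit count} for one failregex over the given log lines."""
    pattern = re.compile(rule.replace('<HOST>', HOST))
    hits = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group('host')] = hits.get(m.group('host'), 0) + 1
    return hits

def would_ban(hits, maxretry=5):
    """Hosts reaching maxretry; findtime is ignored since the sample spans 13 s."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == '__main__':
    for name, rule in (('page rule', PAGE_RULE), ('anchored', ANCHORED_RULE)):
        hits = failures(rule, SAMPLE_LOG)
        print(name, hits, 'ban:', would_ban(hits))
```

The sixth sample line is not counted by either rule, which shows that the filter only sees failed logins whose response size falls in the listed range.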



Fail2ban configuration for ISPConfig

The first thing we need to do is create a filter for ISPconfig in the /etc/fail2ban/filter.d/ directory.

vi /etc/fail2ban/filter.d/ispconfig.conf
Add the following definition so the filter knows what to look for in the /var/log/ispconfig/auth.log for ISPConfig 3.

# Fail2Ban filter for ISPConfig hard failures

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:ispconfig)

failregex = Failed login for user .* from <HOST>
ignoreregex =

vim /etc/fail2ban/jail.conf

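add these lines

# section header (jail name assumed)
[ispconfig]
enabled = true
port = 8080
filter = ispconfig
# own chain name, and the ban covers the port this jail protects
action = iptables-multiport[name=ispconfig, port="8080"]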
logpath = /var/log/ispconfig/auth.log
maxretry = 3
findtime = 300
bantime = 10800

You can/should test the new configuration by running the following command.

fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

Then restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.

service fail2ban restart
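A copied action line is easy to leave unchanged when a new jail is added. The following added example (not from the original post) checks a constructed jail.conf fragment for two such slips: an action that bans other ports than the jail's own port setting, and an action name reused across jails. The section names and sample values are assumptions.

```python
import configparser
import re
from collections import defaultdict

# Constructed jail.conf fragment: the second jail reuses the first jail's
# action line unchanged (section names are assumed).
SAMPLE = '''
[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https"]
port = http,https

[ispconfig]
enabled = true
port = 8080
filter = ispconfig
action = iptables-multiport[name=wordpress, port="http,https"]
'''

ACTION = re.compile(r'^(?P<action>[\w-]+)\[(?P<args>.*)\]$')
ARG = re.compile(r'(\w+)=("[^"]*"|[^,\]]+)')

def action_args(value):
    """Parse 'action[key=value, ...]' into a dict of its bracketed arguments."""
    m = ACTION.match(value.strip())
    if not m:
        return {}
    return {k: v.strip().strip('"') for k, v in ARG.findall(m.group('args'))}

def lint(text):
    """Return findings for port mismatches and action names shared by several jails."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s values literal
    cp.read_string(text)
    findings, names = [], defaultdict(list)
    for jail in cp.sections():
        args = action_args(cp.get(jail, 'action', fallback=''))
        if 'name' in args:
            # name= is what the iptables actions use to name the chain they create
            names[args['name']].append(jail)
        port = cp.get(jail, 'port', fallback=None)
        if port and 'port' in args and set(port.split(',')) != set(args['port'].split(',')):
            findings.append(f"{jail}: port={port} but action bans {args['port']}")
    for name, jails in names.items():
        if len(jails) > 1:
            findings.append(f"action name '{name}' shared by {', '.join(jails)}")
    return findings
```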


Fail2ban configuration

Today I found an error in the regular expression of the fail2ban filter:


Checking it with this useful site gave me an error, so I changed the expression from

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*

to

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+\/:]*={0,2})?\s*

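fail2ban conf file: jail.conf

# section header (jail name assumed)
[postfix-sasl]
enabled = true
filter = postfix-sasl
# iptables-multiport is needed for a comma-separated port list
action = iptables-multiport[name=postfix-sasl, port="smtp,465,submission,imap3,imaps,pop3,pop3s", protocol=tcp]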
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# “warn” level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
bantime = 10800

The variables postfix_log and postfix_backend are defined in /etc/fail2ban/paths-fedora.conf.

Linux Centos 7 – Startup Services – Functions

systemctl disable httpd
Running systemctl disable removes the symlink to the service in /etc/systemd/system/*

systemctl status httpd

systemctl list-unit-files

systemctl start application.service

systemctl list-units --type=service
systemctl list-units --all --state=inactive

systemctl mask nginx.service
systemctl unmask nginx.service

systemctl edit nginx.service

To remove any additions you have made, either delete the unit’s .d configuration directory or the modified service file from /etc/systemd/system. For instance, to remove a snippet, we could type:

sudo rm -r /etc/systemd/system/nginx.service.d
To remove a full modified unit file, we would type:

sudo rm /etc/systemd/system/nginx.service
After deleting the file or directory, you should reload the systemd process so that it no longer attempts to reference these files and reverts back to using the system copies. You can do this by typing:

sudo systemctl daemon-reload

very useful


Migration to Contabo from SeFlow – Nameserver and DNS

Hi to everybody,

I migrated from SeFlow, good service but awful support.

Only in the person of Matteo Berlonghi.

No professional skill, but I understood how the DNS world works.

This is meant to be my personal diary.

Difference between Authority and Registrar.

Useful link to find which nameservers are registered with the Authority: or

In the DNS zone (NS record) you have to insert the nameservers that the Registrar sent to the Authority.

to see the propagation: