Fail2Ban Actions

I’ve also got OSSEC installed on this system to monitor potential intrusions and I’m getting a lot of “multiple authentication failures”.

Someone is trying to hack their way into the emails by trying user names and passwords (a dictionary attack).

This is to be expected to some degree. You’ve got to keep things open for serving email and someone somewhere will try to hack. This is why we have fail2ban, yes?

But I’m not entirely sure that fail2ban is actually banning these IP addresses automatically. I’ve turned on “postfix-sasl” and others in the “filter action jails” via Webmin - the provided defaults - but the “resulting action” column on this is empty. Do I need to explicitly choose the “iptables” action to get IPs banned or is that implicit? If I do choose “iptables” then do I have to enter anything into the “name” / “port” and “other parameters” columns?

Looking into the logs further, it seems to be the “smtp” service they’re targeting but the “rhost=” is empty. I mean, if I could find the IP address in the logs, then I’d ban this particular pest manually, if need be.
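For reference, here is what an explicit ban action for the postfix-sasl jail looks like in fail2ban's own configuration, as an added example that is not part of the original post and not something Webmin generates. The log path and port list are assumptions for a Debian-style Postfix host; adjust them to the real installation. In stock `jail.conf` the default `action` already expands to `%(banaction)s[name=..., port=..., protocol=..., chain=...]` with `banaction = iptables-multiport`, so spelling it out changes nothing unless you override one of those parameters.

```ini
# /etc/fail2ban/jail.local  (local overrides; jail.conf itself stays untouched)

[DEFAULT]
# iptables-multiport is fail2ban's stock banaction; it is what a jail uses
# when no explicit "action" line is given.
banaction = iptables-multiport
bantime   = 3600
findtime  = 600
maxretry  = 5

[postfix-sasl]
enabled  = true
# Assumed Debian-style path; many distributions resolve this via %(postfix_log)s.
logpath  = /var/log/mail.log
# Assumed port list: everything a mail client can authenticate against.
port     = smtp,465,submission,imap,imaps,pop3,pop3s
# Equivalent to the built-in default, written out so the jail is
# self-describing. name/port/protocol/chain are the values Webmin's
# "name" / "port" / "other parameters" columns map onto.
action   = iptables-multiport[name=postfix-sasl, port="smtp,465,submission,imap,imaps,pop3,pop3s", protocol=tcp, chain=INPUT]
```

After `fail2ban-client reload`, `fail2ban-client status postfix-sasl` lists the IPs currently banned by that jail, and `iptables -L f2b-postfix-sasl -n` shows the matching chain (fail2ban 0.9 and later name it `f2b-<jail>`; 0.8 used `fail2ban-<jail>`). The postfix-sasl filter takes the client address from the bracketed `[a.b.c.d]` in Postfix's `SASL LOGIN authentication failed` lines in mail.log, so an empty `rhost=` in the PAM-style messages OSSEC reports does not affect it.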