Fail2Ban already banned

Hello. VPS server with Ubuntu 22.04.

I get many messages about a problem with Fail2Ban. I have read various solutions but I didn't succeed. Some help please.

2024-05-23 08:27:57,361 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:27:56
2024-05-23 08:27:53,159 fail2ban.actions [613]: WARNING [postfix-sasl] 194.169.175.20 already banned
2024-05-23 08:27:53,110 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.20 - 2024-05-23 08:27:52
2024-05-23 08:27:47,859 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:27:47
2024-05-23 08:27:34,934 fail2ban.actions [613]: WARNING [postfix-sasl] 194.169.175.17 already banned
2024-05-23 08:27:34,580 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:27:34
2024-05-23 08:27:33,609 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.20 - 2024-05-23 08:27:33
2024-05-23 08:27:24,147 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:27:23
2024-05-23 08:27:17,859 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:27:17
2024-05-23 08:27:12,608 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.20 - 2024-05-23 08:27:12
2024-05-23 08:27:07,692 fail2ban.actions [613]: WARNING [postfix-sasl] 194.169.175.17 already banned
2024-05-23 08:27:07,112 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:27:06
2024-05-23 08:26:55,610 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:26:55
2024-05-23 08:26:51,670 fail2ban.actions [613]: WARNING [postfix-sasl] 194.169.175.20 already banned
2024-05-23 08:26:51,109 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.20 - 2024-05-23 08:26:50
2024-05-23 08:26:41,858 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:26:41
2024-05-23 08:26:34,446 fail2ban.actions [613]: WARNING [postfix-sasl] 194.169.175.17 already banned
2024-05-23 08:26:34,066 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:26:34
2024-05-23 08:26:28,609 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.20 - 2024-05-23 08:26:28
2024-05-23 08:26:23,621 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:26:23
2024-05-23 08:26:12,861 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.17 - 2024-05-23 08:26:12
2024-05-23 08:26:11,854 fail2ban.filter [613]: INFO [postfix-sasl] Found 194.169.175.20 - 2024-05-23 08:26:11
2024-05-23 08:26:01,803 fail2ban.actions [613]: WARNING [postfix-sasl] 194.169.175.17 already banned

For email
Hi,

The IP 194.169.175.17 has just been banned by Fail2Ban after
3 attempts against postfix-sasl.

Here is more information about 194.169.175.17 :

missing whois program

Regards,

Fail2Ban

Hi,

The IP 194.169.175.20 has just been banned by Fail2Ban after
3 attempts against postfix-sasl.

Here is more information about 194.169.175.20 :

missing whois program

Regards,

Fail2Ban

Have you got whois installed?
In your fail2ban jails, what have you got set for the banning action?

That's a notice from fail2ban. Search for the IP in the mail log; do you see any connections to postfix/smtpd after the ban? If not, then it's been blocked.

I have no definition, these are from the installation of virtualmin.

How can I do that?

Search for say 194.169.175.17

The 2 IPs 194.169.175.20 and 194.169.175.17 seem banned, but I don't understand why I'm getting these messages from Fail2Ban??

I have these results

May 23 10:19:33 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:19:26 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:19:21 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:19:20 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:19:14 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:19:14 cp postfix/smtpd[44023]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:19:13 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:19:07 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:19:06 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:19:03 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:18:58 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:18:58 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:18:51 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:18:46 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:18:46 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:18:44 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:18:41 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:18:22 cp postfix/smtpd[44023]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:18:22 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:18:19 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:18:11 cp postfix/smtpd[44023]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:18:10 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:18:07 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:18:00 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:18:00 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:17:57 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:17:50 cp postfix/smtpd[44023]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:17:50 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:17:45 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:17:41 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:17:40 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:17:34 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:17:29 cp postfix/smtpd[44023]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:17:29 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:17:23 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:17:16 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:17:16 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:17:11 cp postfix/smtpd[43249]: connect from unknown[194.169.175.17]
May 23 10:17:06 cp postfix/smtpd[44023]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:17:06 cp postfix/smtpd[44023]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 23 10:17:00 cp postfix/smtpd[44023]: connect from unknown[194.169.175.17]
May 23 10:16:55 cp postfix/smtpd[43249]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 23 10:16:55 cp postfix/smtpd[43249]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
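The check suggested above (search the mail log for connections from a banned IP after the ban) can be automated. The script below is an added example, not code from the thread or from Fail2Ban: it reads fail2ban.log for Ban / Restore Ban / "already banned" events and the Postfix mail log for "connect from" lines, and reports every connection that arrives after the first ban of that IP. Any such connection means the ban action is not reaching the packet filter, which is exactly what the "already banned" warnings indicate. The log lines and the 203.0.113.x addresses embedded in it are constructed for the example. One caveat that applies to the logs posted in this thread: fail2ban.log uses ISO timestamps while mail.log uses syslog timestamps without a year, and the two logs may be written in different timezones (the posted ones are two hours apart), so convert both to the same zone before comparing them.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

JAIL = "postfix-sasl"

# fail2ban.log, "actions" logger: "<ts>,<ms> fail2ban.actions [pid]: LEVEL [jail] <msg>"
F2B_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<msg>.+)$"
)
BAN_MSG = re.compile(r"^(?:Restore )?Ban (?P<ip>\S+)$")
ALREADY_MSG = re.compile(r"^(?P<ip>\S+) already banned$")

# mail.log (syslog, no year): "May 23 10:19:26 host postfix/smtpd[pid]: connect from name[ip]"
MAIL_CONNECT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(?P<ip>[^\]]+)\]$"
)

# Constructed sample logs (same timezone, same day); 203.0.113.0/24 is TEST-NET-3.
F2B_SAMPLE = """\
2024-05-23 08:20:00,100 fail2ban.actions        [613]: NOTICE  [postfix-sasl] Ban 203.0.113.17
2024-05-23 08:20:05,200 fail2ban.actions        [613]: NOTICE  [postfix-sasl] Ban 203.0.113.20
2024-05-23 08:21:12,300 fail2ban.filter         [613]: INFO    [postfix-sasl] Found 203.0.113.17 - 2024-05-23 08:21:12
2024-05-23 08:21:12,400 fail2ban.actions        [613]: WARNING [postfix-sasl] 203.0.113.17 already banned
2024-05-23 08:30:00,000 fail2ban.actions        [613]: NOTICE  [sshd] Ban 203.0.113.99
""".splitlines()

MAIL_SAMPLE = """\
May 23 08:19:50 cp postfix/smtpd[44023]: connect from unknown[203.0.113.17]
May 23 08:19:55 cp postfix/smtpd[44023]: warning: unknown[203.0.113.17]: SASL LOGIN authentication failed: authentication failure
May 23 08:21:10 cp postfix/smtpd[44023]: connect from unknown[203.0.113.17]
May 23 08:22:30 cp postfix/smtpd[43249]: connect from unknown[203.0.113.17]
May 23 08:20:01 cp postfix/smtpd[43249]: connect from unknown[203.0.113.20]
May 23 08:25:00 cp postfix/smtpd[43249]: connect from mail.example.net[203.0.113.50]
""".splitlines()


def parse_syslog_ts(stamp, year):
    # syslog pads single-digit days with two spaces ("May  3"); collapse them first
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def find_leaks(f2b_lines, mail_lines, year, jail=JAIL):
    """Return ({ip: [connect times after the first ban]}, {ip: 'already banned' count})."""
    first_ban, already = {}, Counter()
    for line in f2b_lines:
        m = F2B_LINE.match(line)
        if not m or m["jail"] != jail:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if (b := BAN_MSG.match(m["msg"])):
            first_ban[b["ip"]] = min(first_ban.get(b["ip"], ts), ts)
        elif (a := ALREADY_MSG.match(m["msg"])):
            already[a["ip"]] += 1
    leaks = defaultdict(list)
    for line in mail_lines:
        m = MAIL_CONNECT.match(line)
        if m and m["ip"] in first_ban:
            ts = parse_syslog_ts(m["ts"], year)
            if ts > first_ban[m["ip"]]:   # a connection that the ban should have rejected
                leaks[m["ip"]].append(ts)
    return dict(leaks), dict(already)


def report(f2b_lines=F2B_SAMPLE, mail_lines=MAIL_SAMPLE, year=2024):
    leaks, already = find_leaks(f2b_lines, mail_lines, year)
    out = [f"{ip}: {len(hits)} connection(s) AFTER ban, {already.get(ip, 0)} 'already banned' "
           "warning(s) -> ban action is not blocking" for ip, hits in sorted(leaks.items())]
    return "\n".join(out) if out else "no post-ban connections: bans are effective"


if __name__ == "__main__":
    print(report())
```

Run it against the real files with `find_leaks(open("/var/log/fail2ban.log"), open("/var/log/mail.log"), 2024)`; an empty leak map for a jail with many "already banned" warnings would point at a timezone mismatch between the two logs rather than at a working ban.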

That's not good.
You are running firewalld? You haven't changed firewalls?
BTW I never get emails from fail2ban, how did you do that?

I've added this to the jail.local file and I'm getting emails!
For the firewall I have CSF.

[DEFAULT]
bantime = 10m
findtime = 120s
destemail = email@to-receive-notifications.com
sender = root
sendername = Fail2ban (Or whatever you want)
mta = sendmail
action = %(action_mw)s

OK, that's the issue: CSF uses iptables and turns off firewalld.
CSF should be doing the banning with iptables, not fail2ban (fail2ban should also be disabled).
When you installed CSF did you notice fail2ban was off?
You need to go through CSF and find the settings for that.

Yes, that's right, the installation of CSF disabled fail2ban. What should I do? Can't I have both for greater security?

I'd tell you if I was still running it, but it's been about a year and I've forgotten :frowning:
You have the Webmin module installed to configure CSF?
There's a lot in it.

Nope, CSF uses iptables. I never even tried, as CSF was doing a good job banning.

Can CSF block Postfix attacks? Yes, I installed the module in Webmin.

Sure can. You should be able to see bans?

Found a bit of a tutorial; you did turn off testing mode?

This one says you need to disable firewalld. I thought the script did that; I will test on a dev machine.

Yep, off.

I did a quick allow of the 2 IPs with CSF and now I don't have the messages. So Fail2Ban is not working properly?

That's correct, your firewalld needs to be off and so does Fail2ban.
I installed CSF on a dev server so I can help.
This in CSF is where you set auth failures.

By default it's off; you need to set LF_TRIGGER to 1 to turn it on.

Thanks for trying to help me. OK, it was 0 and I made it 1. Now what should I see?

After restarting the VPS, fail2ban.log has these errors. So maybe this is the problem?

2024-05-23 15:07:08,694 fail2ban.actions [615]: ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '194.169.175.20', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0x7faea82a93f0>, 'raw-ticket': <function Actions.ActionInfo. at 0x7faea82a9ab0>})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
2024-05-23 15:07:08,694 fail2ban.utils [615]: ERROR 7faea827e970 -- killed with signal 124 (return code: 252)
2024-05-23 15:07:08,694 fail2ban.utils [615]: ERROR 7faea827e970 -- stderr: 'FirewallD is not running'
2024-05-23 15:07:08,694 fail2ban.utils [615]: ERROR 7faea827e970 -- stderr: 'ipset v7.15: Set cannot be created: set with the same name already exists'
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'smtp,465,submission,imap,imaps,pop3,pop3s' | sed s/:/-/g)" -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
2024-05-23 15:07:08,694 fail2ban.utils [615]: ERROR 7faea827e970 -- exec: ipset create f2b-postfix-sasl hash:ip timeout 0
2024-05-23 15:07:08,498 fail2ban.actions [615]: NOTICE [postfix-sasl] Restore Ban 194.169.175.20
2024-05-23 15:07:08,498 fail2ban.actions [615]: ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '194.169.175.17', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0x7faea82a93f0>, 'raw-ticket': <function Actions.ActionInfo. at 0x7faea82a9ab0>})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
2024-05-23 15:07:08,498 fail2ban.utils [615]: ERROR 7faea827e970 -- killed with signal 124 (return code: 252)
2024-05-23 15:07:08,498 fail2ban.utils [615]: ERROR 7faea827e970 -- stderr: 'FirewallD is not running'
2024-05-23 15:07:08,497 fail2ban.utils [615]: ERROR 7faea827e970 -- stderr: 'ipset v7.15: Set cannot be created: set with the same name already exists'
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'smtp,465,submission,imap,imaps,pop3,pop3s' | sed s/:/-/g)" -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
2024-05-23 15:07:08,497 fail2ban.utils [615]: ERROR 7faea827e970 -- exec: ipset create f2b-postfix-sasl hash:ip timeout 0
2024-05-23 15:07:08,281 fail2ban.actions [615]: NOTICE [postfix-sasl] Restore Ban 194.169.175.17
2024-05-23 15:07:08,280 fail2ban.actions [615]: ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '194.169.175.10', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0x7faea82a93f0>, 'raw-ticket': <function Actions.ActionInfo. at 0x7faea82a9ab0>})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
2024-05-23 15:07:08,280 fail2ban.utils [615]: ERROR 7faea827e970 -- killed with signal 124 (return code: 252)
2024-05-23 15:07:08,280 fail2ban.utils [615]: ERROR 7faea827e970 -- stderr: 'FirewallD is not running'
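The errors in that last post are the root cause of the whole thread, and they are worth reading in order. The jail's ban action is `firewallcmd-ipset`, whose start script first creates an ipset and then calls `firewall-cmd` to hook it into the filter. With CSF installed, firewalld is stopped, so `firewall-cmd` fails with "FirewallD is not running", the action never starts, and every ban is only logged, never enforced. That is why the filter keeps seeing the same IPs and emits "already banned". The "set with the same name already exists" message is most likely a follow-on: the ipset from the first failed start is still there when Fail2Ban retries the start for the next restored ban. The script below is an added example, not part of the thread or of Fail2Ban; it parses these error lines out of fail2ban.log and turns them into a verdict plus the two remediations discussed in this thread (disable fail2ban and turn on CSF's LF_TRIGGER, or switch `banaction` to the standard `iptables-multiport` action so fail2ban stops depending on firewalld). The sample lines and 203.0.113.x addresses are constructed; the `ipset destroy` cleanup step is my own addition, not something the thread mentions.

```python
import re
from collections import Counter

# "Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info ..."
ACTION_FAIL = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute (?:ban|unban) jail "
    r"'(?P<jail>[^']+)' action '(?P<action>[^']+)'"
)
# "fail2ban.utils [615]: ERROR 7faea827e970 -- stderr: 'FirewallD is not running'"
STDERR = re.compile(r"fail2ban\.utils\s+\[\d+\]: ERROR\s+\S+ -- stderr: '(?P<msg>[^']*)'")

# stderr fragments this script knows how to explain
ROOT_CAUSE = "FirewallD is not running"
FOLLOW_ON = "set with the same name already exists"

# Constructed sample in the format of the thread's fail2ban.log (oldest first).
SAMPLE = """\
2024-05-23 15:07:08,280 fail2ban.actions        [615]: NOTICE  [postfix-sasl] Restore Ban 203.0.113.10
2024-05-23 15:07:08,280 fail2ban.utils          [615]: ERROR   7faea827e970 -- exec: ipset create f2b-postfix-sasl hash:ip timeout 0
2024-05-23 15:07:08,280 fail2ban.utils          [615]: ERROR   7faea827e970 -- stderr: 'FirewallD is not running'
2024-05-23 15:07:08,280 fail2ban.utils          [615]: ERROR   7faea827e970 -- killed with signal 124 (return code: 252)
2024-05-23 15:07:08,280 fail2ban.actions        [615]: ERROR   Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '203.0.113.10', 'family': 'inet4'})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
2024-05-23 15:07:08,497 fail2ban.actions        [615]: NOTICE  [postfix-sasl] Restore Ban 203.0.113.17
2024-05-23 15:07:08,497 fail2ban.utils          [615]: ERROR   7faea827e970 -- stderr: 'ipset v7.15: Set cannot be created: set with the same name already exists'
2024-05-23 15:07:08,498 fail2ban.utils          [615]: ERROR   7faea827e970 -- stderr: 'FirewallD is not running'
2024-05-23 15:07:08,498 fail2ban.actions        [615]: ERROR   Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '203.0.113.17', 'family': 'inet4'})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
""".splitlines()


def diagnose(lines):
    """Count failed ban actions per (jail, action) and the known stderr signatures."""
    failed, stderr = Counter(), Counter()
    for line in lines:
        if (m := ACTION_FAIL.search(line)):
            failed[(m["jail"], m["action"])] += 1
        elif (m := STDERR.search(line)):
            for sig in (ROOT_CAUSE, FOLLOW_ON):
                if sig in m["msg"]:
                    stderr[sig] += 1
    # firewallcmd-* actions can only work when firewalld is the active backend
    if any(a.startswith("firewallcmd") for _, a in failed) and stderr[ROOT_CAUSE]:
        verdict = "firewalld-stopped"
    elif failed:
        verdict = "action-failing"
    else:
        verdict = "ok"
    return {"failed_actions": dict(failed), "stderr": dict(stderr), "verdict": verdict}


def recommendations(result):
    recs = []
    if result["verdict"] == "firewalld-stopped":
        jails = sorted({j for j, _ in result["failed_actions"]})
        recs.append(f"jails {jails} use a firewallcmd-* ban action but firewalld is stopped: "
                    "bans are logged but never enforced")
        recs.append("option 1: systemctl disable --now fail2ban and let CSF ban SASL failures (LF_TRIGGER = 1)")
        recs.append("option 2: keep fail2ban and set banaction = iptables-multiport in [DEFAULT] of jail.local")
    elif result["verdict"] == "action-failing":
        recs.append("ban action is failing; read the stderr lines logged just before each 'Failed to execute' error")
    if result["stderr"].get(FOLLOW_ON):
        recs.append("stale ipset from the retried action start: stop fail2ban, run 'ipset destroy f2b-<jail>', "
                    "then start it again")
    return recs


if __name__ == "__main__":
    for rec in recommendations(diagnose(SAMPLE)):
        print("-", rec)
```

Run it as `diagnose(open("/var/log/fail2ban.log"))`. Option 2 is the less comfortable one on a CSF host: CSF rebuilds the whole iptables ruleset when it reloads (`csf -r`), which discards the chains fail2ban inserted until fail2ban is restarted as well, so the thread's advice to let CSF do the banning is the simpler path.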