Fail2ban Default Problem

My apologies: Removed to avoid confusion…

Just reread what I posted, and no, the documentation in the code from the config I posted is pretty clear. Again, this is about carrying over direct rules created by Fail2ban on reload.

In previous releases some runtime configuration was retained during a reload,

Setting this to NO fixes the problem. Maybe not the best way, but, a way.

My apologies: Removed to avoid confusion…

Well, jail.local has already changed for longer times and has been restarted, of course, without any difference.
All this already before opening the topic.

Regarding spam, I don’t suspect it but I’m sure of it and I don’t know how to change the configuration and block them, otherwise I wouldn’t be here asking for help…

Do you know the IP address they are using? If so do this from the command line for a quick fix.

For a single IP (of course you change the IP):

firewall-cmd  --add-rich-rule="rule family='ipv4' source address='103.125.190.102' drop"

For a block of IP’s (Again changing the IP):

firewall-cmd  --add-rich-rule="rule family='ipv4' source address='141.98.11.0/24' drop"

Please share your jail.local.

Here is one setup I use on a VPS; it works as is on CentOS/Rocky Linux.

You may need to adjust the mail log location; other than that, you could set maxretry = 3 and bantime = 5m on each jail to do a quick check.

As always, back up your jail.local before making the changes so you can go back if needed.

/etc/fail2ban/jail.local

[dovecot]

enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve
bantime = 2d
#logpath  = /var/log/maillog
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
mode = aggressive
maxretry = 20
findtime = 4h
bantime = 30m


[postfix-blacklist]

enabled  = true
port     = smtp,465,submission
filter    = postfix[mode=rbl]
logpath  = /var/log/maillog
findtime = 6h
bantime = 1d
maxretry = 1


[postfix-connection]

enabled  = true
filter   = postfix[mode=ddos]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 2d
logpath  = /var/log/maillog
findtime  = 5m
maxretry = 15


[postfix-rejected]

enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 7d
logpath  = %(postfix_log)s
maxretry = 1
findtime = 1h


[postfix-sasl]

filter   = postfix[mode=auth]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 2d
#logpath  = /var/log/maillog
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
findtime  = 8h
maxretry = 10


[postfix-auth]

filter   = postfix[mode=auth]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
bantime = 2d
#logpath  = /var/log/maillog
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
findtime  = 4m
maxretry = 6

logpath can be the path or the variable.

On Webmin, Tools, Terminal you can run the following commands:

After changes to jail.local, restart fail2ban & firewall

sudo systemctl restart fail2ban
sudo systemctl restart firewalld    (CentOS/Rocky Linux)

To release all IPs and start banning again:

sudo fail2ban-client unban --all

To check banned IPs:

fail2ban-server status dovecot
fail2ban-server status postfix-connection
fail2ban-server status postfix-sasl
fail2ban-server status postfix-blacklist
fail2ban-server status postfix-rejected

To stop spam (received) check this post Fighting Spam & Malware with Virtualmin

To stop spam sent I will create a new post this week and hopefully will have some help. For now it may help to set a rate limit at Virtualmin, Email settings, Mail Rate Limit. This won’t stop spam but will give you a little time to fix it, and above all you will notice right away when someone is sending spam, as nobody will be able to send email.

I can help troubleshooting after 7pm CST if you provide me access.


For those people who have their firewall and fail2ban out of sync, I coded up a quick solution:
fail2ban.zip (694 Bytes)
Just unzip it to /var/log and run php fb.php <jail-name>; if you omit the jail name, the script will return all valid jails for you to choose from. I tend to use recidive but you can use whatever jail you want to ban to.
Don’t forget this needs to be run as root.

I don’t have a static IP

In the meantime, I’m sharing the jail.local, let me know if any changes are needed.
As for access, thank you but I prefer to keep track of every change.

In the meantime, I’m going to set limits on the mail server. I thought about it but then it slipped my mind, thanks.

[sshd]

enabled = true
port    = ssh
bantime = 12w

[webmin-auth]

enabled = true
port    = 10000
bantime = 12w

[proftpd]


enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
bantime = 12w

[postfix]

enabled  = true
bantime = 17m
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 24 84 720 1000
findtime = 1d
bantime.maxtime = 12w
port = 0-65535
maxretry = 5

[dovecot]

enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve
bantime = 12w

[postfix-sasl]

enabled  = true
bantime = 17m
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 24 84 720 1000
findtime = 1d
bantime.maxtime = 12w
port = 0-65535
maxretry = 5

Thanks, I’ll visualize it later and if I feel able, I’ll definitely give it a try :+1:

I confirm that if you unban everyone, Fail2ban resumes banning correctly; however, IPs can continue to try: already banned IPs continue to appear in fail2ban.log.

I have these new errors:

2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- exec: ipset create f2b-postfix hash:ip timeout 0 
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo '0-65535' | sed s/:/-/g)" -m set --match-set f2b-postfix src -j REJECT --reject-with icmp-port-unreachable
2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- stderr: 'ipset v7.10: Set cannot be created: set with the same name already exists'
2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables): invalid port/service `0-65535' specified"
2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- stderr: 'Error occurred at line: 2'
2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- stderr: ''
2023-05-04 15:59:14,696 fail2ban.utils          [926326]: ERROR   7f627d7c0160 -- returned 13
2023-05-04 15:59:14,697 fail2ban.actions        [926326]: ERROR   Failed to execute ban jail 'postfix' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '110.232.253.199', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f62adbef9d0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f62adbf10d0>})': Error starting action Jail('postfix')/firewallcmd-ipset: 'Script error'
2023-05-04 15:59:14,697 fail2ban.actions        [926326]: NOTICE  [postfix] Restore Ban 110.235.0.0/16
2023-05-04 15:59:15,041 fail2ban.utils          [926326]: ERROR   7f629c146530 -- exec: ipset create f2b-postfix-sasl hash:ip timeout 0 
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo '0-65535' | sed s/:/-/g)" -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
2023-05-04 15:59:15,041 fail2ban.utils          [926326]: ERROR   7f629c146530 -- stderr: 'ipset v7.10: Set cannot be created: set with the same name already exists'
2023-05-04 15:59:15,041 fail2ban.utils          [926326]: ERROR   7f629c146530 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables): invalid port/service `0-65535' specified"
2023-05-04 15:59:15,042 fail2ban.utils          [926326]: ERROR   7f629c146530 -- stderr: 'Error occurred at line: 2'
2023-05-04 15:59:15,042 fail2ban.utils          [926326]: ERROR   7f629c146530 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2023-05-04 15:59:15,042 fail2ban.utils          [926326]: ERROR   7f629c146530 -- stderr: ''
2023-05-04 15:59:15,042 fail2ban.utils          [926326]: ERROR   7f629c146530 -- returned 13
2023-05-04 15:59:15,042 fail2ban.actions        [926326]: ERROR   Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '159.224.213.97', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f62adbef9d0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f62adbf10d0>})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'

My apologies: Removed to avoid confusion…

Add one filter to the [postfix] jail, in this case mode=auth:

filter   = postfix[mode=auth]

Then restart fail2ban and the firewall:

sudo systemctl restart fail2ban
sudo systemctl restart firewalld    (CentOS/Rocky Linux)

Run the following command, then write down the last banned IP:

fail2ban-server status postfix

Check the mail log for that IP (replace 8.8.8.8 with the last banned IP):

sudo grep -i "8.8.8.8" /var/log/maillog | tail -20

My apologies: Removed to avoid confusion…

It is correct, port is needed:

port     = smtp,465,submission,imap,imaps,pop3,pop3s

and filter can be any of the following: mode=auth or mode=ddos or mode=normal or mode=rbl

filter   = postfix[mode=auth]
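As an added example (not code from this thread or from fail2ban), a small Python lint that catches the two jail.local problems surfaced above: a whole-range port such as the 0-65535 that the firewallcmd-ipset action passed to iptables-restore as an invalid port, and a jail option set twice, as bantime was in the earlier [dovecot] jail. The sample jail.local is constructed from the jails posted here.

```python
"""Lint a fail2ban jail.local for two problems seen in this thread: a whole
port range (0-65535) that firewallcmd-ipset passed to iptables-restore as an
invalid port, and an option repeated in one jail (only one value can apply)."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*)$")
# A port range: 0-65535 or 0:65535 (the action rewrites ':' to '-' anyway).
RANGE_RE = re.compile(r"\b\d+[-:]\d+\b")


def parse_jails(text):
    """Return {jail: [(key, value), ...]}, keeping duplicate keys in order."""
    jails, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            jails.setdefault(current, [])
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            jails[current].append((m.group("key"), m.group("value").strip()))
    return jails


def lint_jail_local(text):
    """Return one human-readable finding per problem, in file order."""
    findings = []
    for jail, options in parse_jails(text).items():
        seen = {}
        for key, value in options:
            if key in seen:
                findings.append(f"[{jail}] {key} set twice ({seen[key]} then "
                                f"{value}); keep only one")
            seen[key] = value
            if key == "port" and RANGE_RE.search(value):
                findings.append(f"[{jail}] port {value} is a range; list the "
                                f"services instead, e.g. smtp,465,submission")
    return findings


# Constructed sample built from the jails posted in the thread.
SAMPLE = ("[dovecot]\nenabled = true\nbantime = 2d\nmaxretry = 20\nbantime = 30m\n"
          "\n[postfix]\nenabled = true\nfilter = postfix[mode=auth]\nport = 0-65535\n")

if __name__ == "__main__":
    print("\n".join(lint_jail_local(SAMPLE)))
```

Run it against your real file with `lint_jail_local(open("/etc/fail2ban/jail.local").read())` before restarting fail2ban.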

My apologies: Removed to avoid confusion…

My apologies: Removed to avoid confusion…

My apologies: Removed to avoid confusion…

I didn’t know that, do you have any documentation about it?

My apologies: Removed to avoid confusion…