For those people who have their firewall & fail2ban out of sync, I coded up a quick solution:
fail2ban.zip (694 Bytes)
Just unzip to /var/log and run php fb.php <jail-name>
If you omit the jail name, the script will return all valid jails for you to choose from. I tend to use recidive, but you can use whatever jail you want to ban to.
Don’t forget this needs to be run as root.
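Since fb.php is only attached as a zip, here is an added example (my own, not the script from the post) of the same out-of-sync check done in POSIX shell against the firewallcmd-ipset action: it prints what the jail believes is banned, what the f2b-<jail> ipset actually contains, the difference in both directions, whether a firewalld direct rule still references the set, and has a --fix mode that re-adds missing entries. The script name f2b_sync_check.sh and the function names are mine; it assumes fail2ban-client, ipset and firewall-cmd are on PATH and that the jail uses firewallcmd-ipset, whose set is named f2b-<jail> (as in "ipset create f2b-postfix" later in this thread).

```shell
#!/bin/sh
# f2b_sync_check.sh (hypothetical name, added example): compare what a
# fail2ban jail believes it has banned with what the firewall actually holds.
# Assumes the jail uses the firewallcmd-ipset action, whose ipset is named
# f2b-<jail>.

# Pure helper: print every entry of list A ($1) that is not in list B ($2).
# Lists are whitespace- or newline-separated; entries may be IPs or CIDRs.
list_diff() {
    set_b=" $(printf '%s ' $2) "
    for entry in $1; do
        case $set_b in
            *" $entry "*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# What fail2ban thinks is banned: the "Banned IP list:" line of the status.
f2b_banned() {
    fail2ban-client status "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p'
}

# What the kernel actually blocks: members of the jail's ipset (first field;
# the rest of each line is the per-entry timeout).
ipset_members() {
    ipset list "f2b-$1" | sed '1,/^Members:/d' | awk '{ print $1 }'
}

# Does any firewalld direct rule still reference the set? After a firewalld
# reload behind fail2ban's back the set can exist while the rule is gone.
rule_present() {
    firewall-cmd --direct --get-all-rules | grep -q -- "--match-set f2b-$1 "
}

report() {
    jail=$1
    banned=$(f2b_banned "$jail")
    members=$(ipset_members "$jail")
    echo "== $jail: banned by fail2ban but missing from ipset f2b-$jail"
    list_diff "$banned" "$members"
    echo "== $jail: in ipset f2b-$jail but no longer banned by fail2ban"
    list_diff "$members" "$banned"
    if rule_present "$jail"; then
        echo "== $jail: firewalld direct rule referencing f2b-$jail is present"
    else
        echo "== $jail: WARNING no firewalld direct rule references f2b-$jail"
    fi
}

# Re-add to the ipset whatever fail2ban has banned but the set lacks.
# Entries ipset refuses (for example a /16 into a hash:ip set) are reported.
resync() {
    jail=$1
    for entry in $(list_diff "$(f2b_banned "$jail")" "$(ipset_members "$jail")"); do
        ipset add "f2b-$jail" "$entry" -exist || echo "could not add $entry"
    done
}

if [ $# -eq 0 ]; then
    echo "usage: $0 <jail> | --fix <jail>   (run as root)" >&2
else
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    case $1 in
        --fix) resync "$2" ;;
        *) report "$1" ;;
    esac
fi
```

Run it as `sh f2b_sync_check.sh postfix` to see the drift, and `sh f2b_sync_check.sh --fix postfix` to push the missing entries back into the set. The --fix path only touches the ipset; if the report shows the direct rule itself is missing, restart fail2ban so the action's start command recreates it.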
I don’t have a static IP
In the meantime, I’m sharing the jail.local, let me know if any changes are needed.
As for access, thank you but I prefer to keep track of every change.
In the meantime, I’m going to set limits on the mail server; I thought about it but then it slipped my mind. Thanks.
[sshd]
enabled = true
port = ssh
bantime = 12w
[webmin-auth]
enabled = true
port = 10000
bantime = 12w
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
bantime = 12w
[postfix]
enabled = true
bantime = 17m
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 24 84 720 1000
findtime = 1d
bantime.maxtime = 12w
port = 0-65535
maxretry = 5
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
bantime = 12w
[postfix-sasl]
enabled = true
bantime = 17m
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 24 84 720 1000
findtime = 1d
bantime.maxtime = 12w
port = 0-65535
maxretry = 5
Thanks, I’ll visualize it later and if I feel able, I’ll definitely give it a try
I confirm that if you unban everyone, Fail2ban resumes banning correctly; however, IPs can continue to try, and already banned IPs continue to appear in fail2ban.log.
I have these new errors:
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- exec: ipset create f2b-postfix hash:ip timeout 0
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo '0-65535' | sed s/:/-/g)" -m set --match-set f2b-postfix src -j REJECT --reject-with icmp-port-unreachable
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- stderr: 'ipset v7.10: Set cannot be created: set with the same name already exists'
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables): invalid port/service `0-65535' specified"
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- stderr: 'Error occurred at line: 2'
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- stderr: ''
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- returned 13
2023-05-04 15:59:14,697 fail2ban.actions [926326]: ERROR Failed to execute ban jail 'postfix' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '110.232.253.199', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f62adbef9d0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f62adbf10d0>})': Error starting action Jail('postfix')/firewallcmd-ipset: 'Script error'
2023-05-04 15:59:14,697 fail2ban.actions [926326]: NOTICE [postfix] Restore Ban 110.235.0.0/16
2023-05-04 15:59:15,041 fail2ban.utils [926326]: ERROR 7f629c146530 -- exec: ipset create f2b-postfix-sasl hash:ip timeout 0
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo '0-65535' | sed s/:/-/g)" -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
2023-05-04 15:59:15,041 fail2ban.utils [926326]: ERROR 7f629c146530 -- stderr: 'ipset v7.10: Set cannot be created: set with the same name already exists'
2023-05-04 15:59:15,041 fail2ban.utils [926326]: ERROR 7f629c146530 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.7 (nf_tables): invalid port/service `0-65535' specified"
2023-05-04 15:59:15,042 fail2ban.utils [926326]: ERROR 7f629c146530 -- stderr: 'Error occurred at line: 2'
2023-05-04 15:59:15,042 fail2ban.utils [926326]: ERROR 7f629c146530 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2023-05-04 15:59:15,042 fail2ban.utils [926326]: ERROR 7f629c146530 -- stderr: ''
2023-05-04 15:59:15,042 fail2ban.utils [926326]: ERROR 7f629c146530 -- returned 13
2023-05-04 15:59:15,042 fail2ban.actions [926326]: ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '159.224.213.97', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f62adbef9d0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f62adbf10d0>})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
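An added example, not from the thread, showing how to spot this condition from fail2ban.log itself: fail2ban still logs NOTICE [jail] Ban (or Restore Ban at startup) for each offender before it runs the ban action, so the log keeps looking busy even when nothing reaches the firewall; the ERROR Failed to execute ban lines from fail2ban.actions are what expose it. The sample log lines are constructed to match the format of the errors above (documentation addresses, not the IPs from the post); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find ban actions that failed in
# fail2ban.log, per jail, so a jail that "bans" without the firewall ever
# changing is noticed.

# One failed-ban record per line: jail, ip, action.
failed_bans() {
    sed -n "s/.*Failed to execute ban jail '\([^']*\)' action '\([^']*\)' info 'ActionInfo({'ip': '\([^']*\)'.*/\1 \3 \2/p"
}

# Per jail: how many bans were logged and how many of the actions failed.
ban_summary() {
    awk -v q="'" '
        /fail2ban\.actions/ && /NOTICE \[[^]]+\] (Restore )?Ban / {
            j = $0; sub(/.*NOTICE \[/, "", j); sub(/\].*/, "", j)
            bans[j]++; seen[j] = 1
        }
        /fail2ban\.actions/ && /ERROR Failed to execute ban jail/ {
            j = $0; sub(".*ban jail " q, "", j); sub(q ".*", "", j)
            failed[j]++; seen[j] = 1
        }
        END {
            for (j in seen)
                printf "%s bans=%d failed=%d\n", j, bans[j] + 0, failed[j] + 0
        }
    ' | LC_ALL=C sort
}

# Constructed sample in the fail2ban 0.11 log format (documentation addresses,
# not the IPs from the thread): one jail whose action works, two whose
# firewallcmd-ipset action fails the way the errors above show.
sample_log() {
    cat <<'EOF'
2023-05-04 15:59:10,000 fail2ban.actions [926326]: NOTICE [sshd] Ban 198.51.100.7
2023-05-04 15:59:14,690 fail2ban.actions [926326]: NOTICE [postfix] Ban 192.0.2.10
2023-05-04 15:59:14,696 fail2ban.utils [926326]: ERROR 7f627d7c0160 -- stderr: 'ipset v7.10: Set cannot be created: set with the same name already exists'
2023-05-04 15:59:14,697 fail2ban.actions [926326]: ERROR Failed to execute ban jail 'postfix' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '192.0.2.10', 'family': 'inet4'})': Error starting action Jail('postfix')/firewallcmd-ipset: 'Script error'
2023-05-04 15:59:14,697 fail2ban.actions [926326]: NOTICE [postfix] Restore Ban 192.0.2.0/24
2023-05-04 15:59:15,040 fail2ban.actions [926326]: NOTICE [postfix-sasl] Ban 203.0.113.5
2023-05-04 15:59:15,042 fail2ban.actions [926326]: ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '203.0.113.5', 'family': 'inet4'})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset: 'Script error'
EOF
}

if [ $# -gt 0 ]; then
    echo "== per-jail summary"; ban_summary < "$1"
    echo "== failed bans (jail ip action)"; failed_bans < "$1"
else
    echo "== per-jail summary (constructed sample)"; sample_log | ban_summary
    echo "== failed bans (jail ip action)"; sample_log | failed_bans
fi
```

Run it as `sh f2b_failed_bans.sh /var/log/fail2ban.log`; a jail whose failed count keeps pace with its ban count is one whose action is broken, which is exactly the state this thread describes. Any jail with failed > 0 is worth a `fail2ban-client status <jail>` against `ipset list f2b-<jail>` before trusting its ban list.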
My apologies: Removed to avoid confusion…
Add one filter to the [postfix] jail, in this case mode=auth:
filter = postfix[mode=auth]
Then restart fail2ban & the firewall:
sudo systemctl restart fail2ban
sudo systemctl restart firewalld (CentOS/Rocky Linux)
Run the following command, then write down the last banned IP:
fail2ban-client status postfix
Check the mail log for that IP (replace 8.8.8.8 with the last banned IP):
sudo grep -i "8.8.8.8" /var/log/maillog | tail -20
It is correct, port is needed:
port = smtp,465,submission,imap,imaps,pop3,pop3s
and the filter can be any of the following: mode=auth, mode=ddos, mode=normal or mode=rbl
filter = postfix[mode=auth]
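An added example (mine, not from the thread) that checks a port = value before it reaches the firewall, and prints a postfix stanza built from the values in this thread. What it relies on: the multiport match that the firewallcmd-ipset action uses (visible as -m multiport --dports in the errors above) takes ports 1..65535, writes a range as lo:hi, and allows at most 15 port slots with a range counting as two, so 0-65535 fails twice over (port 0 and the dash). Rejecting a banned source on every port is done by changing the ban action rather than widening port: firewallcmd-allports ships in fail2ban's action.d, and recent versions also accept firewallcmd-ipset[actiontype=<allports>], which I would confirm in your own action.d/firewallcmd-ipset.conf before relying on it. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a fail2ban "port =" value
# against what the multiport match used by firewallcmd-ipset accepts, before
# reloading fail2ban. Relies on: ports are 1..65535 (0 is not a port), a
# range is written lo:hi, and multiport takes at most 15 port slots with a
# range counting as two. Service names (smtp, ftp-data, ...) are accepted as
# written; resolving them is left to the firewall.

port_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one line per problem found in $1; return 1 if there were any.
port_spec_problems() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    slots=0; rc=0
    for tok in "$@"; do
        case $tok in
            *[!0-9:-]*)                       # service name such as smtp or ftp-data
                slots=$((slots + 1)) ;;
            *-*)                              # numeric range with a dash: the 0-65535 case
                lo=${tok%%-*}; hi=${tok#*-}
                echo "$tok: range written with '-', multiport expects lo:hi"
                for p in "$lo" "$hi"; do
                    port_ok "$p" || echo "$tok: port $p is outside 1..65535"
                done
                rc=1 ;;
            *:*)                              # lo:hi range, counts as two slots
                lo=${tok%%:*}; hi=${tok#*:}
                if port_ok "$lo" && port_ok "$hi" && [ "$lo" -lt "$hi" ]; then
                    slots=$((slots + 2))
                else
                    echo "$tok: bad range, need 1 <= lo < hi <= 65535"; rc=1
                fi ;;
            *)                                # single numeric port
                if port_ok "$tok"; then
                    slots=$((slots + 1))
                else
                    echo "$tok: not a port in 1..65535"; rc=1
                fi ;;
        esac
    done
    if [ "$slots" -gt 15 ]; then
        echo "$slots port slots used, multiport allows at most 15"; rc=1
    fi
    return $rc
}

# The value from this thread that iptables-restore rejected, and the list
# suggested above in its place.
BAD_PORTS='0-65535'
GOOD_PORTS='smtp,465,submission,imap,imaps,pop3,pop3s'

# A postfix stanza with the accepted port list and the thread's other values.
# "All ports" is a different action, not a wider port list: firewallcmd-allports
# ships with fail2ban; recent versions also take
# firewallcmd-ipset[actiontype=<allports>] (check your action.d first).
corrected_stanza() {
    cat <<EOF
[postfix]
enabled  = true
filter   = postfix[mode=auth]
port     = $GOOD_PORTS
maxretry = 5
findtime = 1d
bantime  = 17m
bantime.increment   = true
bantime.factor      = 1
bantime.multipliers = 1 24 84 720 1000
bantime.maxtime     = 12w
# to reject a banned source on every port instead, drop "port" and set e.g.
# banaction = firewallcmd-allports
EOF
}

if [ $# -gt 0 ]; then
    port_spec_problems "$1"
else
    echo "checking port = $BAD_PORTS"
    port_spec_problems "$BAD_PORTS" || echo "-> would be rejected"
    echo "checking port = $GOOD_PORTS"
    port_spec_problems "$GOOD_PORTS" && echo "-> ok"
    corrected_stanza
fi
```

With no argument it checks the two values from this thread and prints the stanza; with an argument (`sh f2b_portcheck.sh "ftp,ftp-data,ftps,ftps-data"`) it checks that value and exits non-zero on a problem, which makes it usable in a pre-reload hook.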
I didn’t know that, do you have any documentation about it?
Changing the port won’t fix the problem, I want hackers banned on all ports.
ipset v7.10, protocol version: 7
It’s already there by default, on every Webmin installation I’ve seen so far… But how long have you been using Linux?
It was just to understand, relax…
I didn’t think it could lead to errors; now I’ll try to restore the default, or do as you wrote above, then restart the services.
Have you looked at CSF?
https://configserver.com/configserver-security-and-firewall/
It will ban IPs and countries.