Fail2ban Default Problem

Fail2ban is merely an added layer of protection. Misconfiguring it doesn’t make you “vulnerable to attacks”, as long as your services are up to date and your passwords are solid. Obviously, it’s nice to have layers of protection. But, it’s not a reason to panic if fail2ban is acting weird for a bit.

I’m seeing a lot of people trying to change the subject in this thread. This thread is 61 comments long; please don’t make it even longer by introducing a bunch of new stuff to talk about.

At this point, I have no idea what the problem is or the current state of it.

Still…?
It’s not about fail2ban strange behavior but about several IPs that have hacked the server and have been sending spam emails for several days now.
Even that is not clear yet…?

Why did post 1 say this then?

Sorry but I don’t follow you…
This was an introduction to the problem, then since you said it wasn’t something to worry about, I detailed the problem.

I’m not telling you to not fix the problem.

I’m telling folks in this thread to calm down and focus on the specific issue. But, also, this thread is so long and chaotic, I’m confused about what problem we’re trying to solve.

2 Likes

Hi, what time zone are you in? I’m in the UK, and I would like to have a look at this one with you. I’m also pure Debian, and I write my own f2b rules and have changed those which did not work since Debian 9. If you want, we can do a Google Meet call where you and I can share screens, if you want. I would also like to see the firewall, etc. I wouldn’t try to post any regex here as it might be too complex to understand, but speaking in person can accomplish simplicity and save time. Let me know; however, I am free only on weekends. I wouldn’t be too upset, but 66 replies and still not solved means a bit of wasted time. Let’s sort the issue.

Me too, but I don’t think I made a mistake, there was a discrepancy between those who tried to help me, I’m just trying to follow what is ‘implied’ to me…

That would be perfect, so I’m sure we’ll be able to fix it in 10 minutes…
But do you happen to have Skype, since I already have it installed…?

That’s why I said to ban those IP’s directly. Then everything calms down and makes working on the root cause easier.

Everything is more clear when you aren’t putting out a raging fire.

I’m doing this every day, but we’re talking about tens, hundreds of IPs a day. Do you think it’s normal to do it manually?

I have set the limit to 10 mails per day, on the whole server, but they continue to send hundreds, thousands of spam mails per day.

What does fail2ban have to do with spam? Fail2ban can’t really solve spam… spammers are not authenticating to your mail server because they are sending mail to users on your server, thus there will never be auth failures for fail2ban to block on.

Spam is (generally) addressed by SpamAssassin, optionally greylisting, and maybe some other policies you might choose to implement.

To be clear, I’m saying if you want to talk about stopping spam, start a new topic, because this ain’t it. This is about fail2ban, and has basically nothing to do with stopping incoming spam.

More than anything, it seems to me that there are problems of understanding here…
Spam is not incoming but outgoing!

Outgoing needs authentication on the server (else some script has been put on the server); also, you should see a queue, as you would get a lot of rejects.

Outgoing spam has even less to do with fail2ban.

If the sender of the spam is local (i.e. an exploited web application or a compromised user, or a legitimate user doing illegitimate things), they do not authenticate and fail2ban rules can never apply to them.

If the sender of the spam is remote, their authentication is succeeding and would never be blocked by fail2ban (I know the authentication has to be succeeding, because in a default Virtualmin configuration, Postfix would not be configured as an open relay).

So…outgoing spam is not going to be solved or even mitigated by fail2ban. You’re focusing on something wholly irrelevant to the problem of outgoing spam.

1 Like

Indeed yes, a queue is created in Postfix… And from there I realize that they are spamming, so I manually ban with Fail2ban, filtering the IPs from the mail.log

So is there a configuration problem in Postfix…? Show me the way to go

First of all: use pflogsumm to identify the address or addresses that send the most mail. It is likely that the spammers’ address will be among them. This is a start. And then the long-distance running begins :wink: .

1 Like
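The advice above is to find out who is actually injecting the outgoing mail (pflogsumm over the mail log), and the earlier replies explain why fail2ban cannot help: a local submission (a script on the server) never authenticates, and a remote sender whose SASL login succeeds never produces an auth failure to ban on. The following is an added example, written for this thread and not code from Virtualmin, Postfix or pflogsumm, that does the same triage on a constructed mail.log excerpt: it ties each queue ID to its origin (SASL user and client IP, local pickup with a uid, or an unauthenticated remote MTA) and ranks origins by recipients sent. The log lines, queue IDs, user names and addresses are all constructed for the example; the line formats follow Postfix’s smtpd, pickup and qmgr log entries.

```python
import re
from collections import defaultdict

# Constructed Postfix mail.log excerpt (not from the thread). Addresses are from
# documentation ranges; queue IDs and users are made up for the example.
SAMPLE_LOG = """\
Jan 12 10:01:02 mail postfix/smtpd[1234]: 4ABC1: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 12 10:01:03 mail postfix/qmgr[1236]: 4ABC1: from=<alice@example.com>, size=1234, nrcpt=50 (queue active)
Jan 12 10:01:10 mail postfix/smtpd[1234]: 4ABC2: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 12 10:01:11 mail postfix/qmgr[1236]: 4ABC2: from=<alice@example.com>, size=1300, nrcpt=120 (queue active)
Jan 12 10:02:00 mail postfix/pickup[1237]: 4ABC3: uid=33 from=<www-data>
Jan 12 10:02:00 mail postfix/qmgr[1236]: 4ABC3: from=<www-data@mail.example.com>, size=800, nrcpt=25 (queue active)
Jan 12 10:03:00 mail postfix/smtpd[1234]: 4ABC4: client=mail.partner.example[198.51.100.9]
Jan 12 10:03:01 mail postfix/qmgr[1236]: 4ABC4: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
"""

# smtpd: remote connection; sasl_username is present only when the client authenticated.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
# pickup: mail handed in locally via the sendmail binary, logged with the submitting uid.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# qmgr: envelope sender and recipient count once the message is queued.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_postfix_log(text):
    """Map each queue ID to its origin ("source"), origin kind and total recipients."""
    msgs = defaultdict(lambda: {"source": "unknown", "kind": "unknown", "nrcpt": 0})
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            rec = msgs[m["qid"]]
            if m["user"]:
                # Login succeeded: there is no auth failure here for fail2ban to act on.
                rec["source"] = f"sasl:{m['user']} via {m['ip']}"
                rec["kind"] = "remote-authenticated"
            else:
                # Plain SMTP from another MTA: inbound mail, not a submission.
                rec["source"] = f"inbound:{m['ip']}"
                rec["kind"] = "remote-unauthenticated"
            continue
        m = PICKUP_RE.search(line)
        if m:
            # Local injection: a process on this host (uid 33 is typically the web server user).
            rec = msgs[m["qid"]]
            rec["source"] = f"local:uid={m['uid']} ({m['from']})"
            rec["kind"] = "local-submission"
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs[m["qid"]]["nrcpt"] += int(m["nrcpt"])
    return dict(msgs)


def top_senders(text, limit=10):
    """Rank origins as (source, kind, messages, recipients), most recipients first."""
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for rec in parse_postfix_log(text).values():
        key = (rec["source"], rec["kind"])
        totals[key]["messages"] += 1
        totals[key]["recipients"] += rec["nrcpt"]
    rows = [(src, kind, v["messages"], v["recipients"]) for (src, kind), v in totals.items()]
    rows.sort(key=lambda r: (-r[3], -r[2], r[0]))
    return rows[:limit]


if __name__ == "__main__":
    for source, kind, messages, recipients in top_senders(SAMPLE_LOG):
        print(f"{recipients:6d} rcpts  {messages:3d} msgs  {kind:22s} {source}")
```

Run it against a real log with `top_senders(open("/var/log/mail.log").read())`. The kind column is what decides the remediation: a remote-authenticated origin means a mailbox password to reset (banning the IP only shifts the sender to the next address), and a local-submission origin under the web server uid points at a script on the server rather than at anything a login-failure jail could ever see.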