Fail2ban not banning

OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.981
Virtualmin version: 6.17 Pro

Hi all,

I have been struggling with this for months. I keep having another dig around but find nothing helpful so I leave it to return to later. Still no result.

In fail2ban logs I have noticed that some IPs keep reappearing time after time like this

2022-05-23 18:48:53,805 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-23 18:48:53
2022-05-23 18:48:56,891 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-23 18:48:56
2022-05-23 18:49:03,404 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-23 18:49:03
2022-05-23 18:49:03,777 fail2ban.actions [1170]: WARNING [proftpd] 193.169.255.38 already banned
2022-05-24 11:10:28,880 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 11:10:28
2022-05-24 11:10:35,569 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 11:10:35
2022-05-24 11:10:42,106 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 11:10:42
2022-05-24 11:10:42,182 fail2ban.actions [1170]: WARNING [proftpd] 193.169.255.38 already banned
2022-05-24 23:03:17,409 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 23:03:17

The “already banned” shows that the attacker is able to continue even when banned by Fail2ban.

At one stage I set up a manual jail to ban these IP numbers for two months but that doesn’t actually ban them either.

I have not changed any of the IPtables setup. Searching online for this problem results in many checks that simply don’t coincide with what I see so maybe they are for a different distro or whatever (does Virtualmin do it differently?). I have now ground to a halt and don’t know where to try next.

Since any messing around with FTP will impact no users on this server I have been playing with that.

My jail.local entry is

[proftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data
maxretry = 3
ignoreip = XXX.XXX.XXX.XXX 127.0.0.1
bantime = 604800

I would like to ban ALL approaches to any IP number that gets banned not just the service that initiates the ban.

I am lost as to how to proceed so would be grateful for any guidance.

Thanks.
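The request above, to block a banned address on every port rather than only on the ports of the jail that fired, is a banaction choice with fail2ban's firewalld actions. The following is an added example, not part of the thread and not Virtualmin's or fail2ban's own code: a shell function that writes a jail.d drop-in with the per-port setting shown commented out beside the all-ports one, and a second function that checks the drop-in says what you expect. It assumes fail2ban 0.10 or later with the fail2ban-firewalld package, whose stock action firewallcmd-rich-rules accepts actiontype=<allports>; the file name zz-allports.local and both function names are assumptions. The per-port variant is what is in effect on the thread's server: the REJECT rules in IN_public_deny posted later carry a --dport each.

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban jail.d drop-in that makes
# every jail ban an address on all ports, which is what the original post
# asks for. Assumes fail2ban >= 0.10 with the firewalld action files, so
# "firewallcmd-rich-rules[actiontype=<allports>]" is a valid banaction.

# write_allports_override DIR
# Writes DIR/zz-allports.local; on a live host DIR is /etc/fail2ban/jail.d.
# The "zz-" prefix sorts after the package's 00-firewalld.conf, so the
# [DEFAULT] values here win when fail2ban merges the directory.
write_allports_override() {
    cat > "$1/zz-allports.local" <<'EOF'
[DEFAULT]
# Weak: a multiport rich rule rejects only the ports listed in the jail, so
# a postfix-sasl ban leaves FTP, SSH and HTTP open to the same address.
# Shown commented out for comparison with the corrected line below.
#banaction = firewallcmd-rich-rules[actiontype=<multiport>]

# Corrected: one rich rule per banned address covering every port, used by
# every jail, including jails that reference banaction_allports (recidive).
# firewallcmd-allports is the alternative; it puts the rules in a
# f2b-<jail> chain reached from INPUT_direct instead of IN_public_deny.
banaction = firewallcmd-rich-rules[actiontype=<allports>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

# The [proftpd] settings from the original post, unchanged; only the action
# that implements the ban differs. ignoreip is omitted because the post
# masks the address; add your own management address there.
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
maxretry = 3
bantime = 604800
EOF
}

# override_bans_allports DIR
# Returns 0 when the drop-in selects the all-ports action in [DEFAULT].
override_bans_allports() {
    grep -qxF 'banaction = firewallcmd-rich-rules[actiontype=<allports>]' \
        "$1/zz-allports.local"
}

# On the host, after writing the file for real:
#   fail2ban-client -t                      # config check before restarting
#   systemctl restart fail2ban
#   fail2ban-client get proftpd actions     # should list firewallcmd-rich-rules
# New bans then show up in "iptables-save" as IN_public_deny rules with a
# source address but no --dport.
```

Run it against a scratch directory first (`write_allports_override /tmp/f2b-test`) and read the file before copying it into /etc/fail2ban/jail.d; existing bans are not rewritten, only bans issued after the restart use the new action.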

Hello,

Try running systemctl restart firewalld, as applying its configuration doesn’t work properly with fail2ban. Webmin 1.994 will do it for you.

Also, you really need to upgrade to the latest Webmin 1.994 and Virtualmin 7.1.

Hi Illia,

Many thanks for your help, much appreciated.

My apologies though. Without thinking I copied/pasted the system info from a previous post. The versions are currently Webmin version: 1.991 and Virtualmin version: 7 Pro. Agreed that it should still be updated but I didn’t want to do so whilst playing with the system in case something went wrong and I wouldn’t know if the update was responsible or something I did.

Anyway, I did run ‘systemctl restart firewalld’ and the FTP attempts seem to have abated (or maybe it has worked) though other services continue to show ‘already banned’ which seems to suggest that the problem continues.

I will monitor it and update here later.

I do hope that all is going well in your new home, thoughts are with you.

Tim


Hi again,

I have just checked the Fail2ban logs and see that although the previous IP number has gone away there are still “already banned” messages there as below

2022-05-27 06:22:05,600 fail2ban.filter [1582]: INFO [proftpd] Found 103.164.194.34 - 2022-05-27 06:22:05
2022-05-27 06:22:08,142 fail2ban.filter [1582]: INFO [proftpd] Found 103.164.194.34 - 2022-05-27 06:22:08
2022-05-27 06:22:09,726 fail2ban.filter [1582]: INFO [proftpd] Found 103.164.194.34 - 2022-05-27 06:22:09
2022-05-27 06:22:09,738 fail2ban.actions [1582]: WARNING [proftpd] 103.164.194.34 already banned
2022-05-27 06:22:11,340 fail2ban.filter [1582]: INFO [proftpd] Found 103.164.194.34 - 2022-05-27 06:22:11
2022-05-27 06:22:12,919 fail2ban.filter [1582]: INFO [proftpd] Found 103.164.194.34 - 2022-05-27 06:22:12
2022-05-27 06:22:14,511 fail2ban.filter [1582]: INFO [proftpd] Found 103.164.194.34 - 2022-05-27 06:22:14
2022-05-27 06:22:14,946 fail2ban.actions [1582]: WARNING [proftpd] 103.164.194.34 already banned

Other services also show the same ‘already banned’ warning

I have not yet updated the versions so still running
Webmin version: 1.991
Virtualmin version: 7 Pro
I think that upgrade will need a reboot so I am reluctant to do that update until the early hours of tomorrow morning when it will impact few users.

Upgrading packages never requires a reboot. Upgrading the kernel does.

However, sometimes rebooting a system can be an easy way to solve possible packages post-upgrade issue, although it’s never required.

Does it show an IP blocked but it actually not blocked?

Did you try restarting fail2ban service as well?

Thanks for clarifying the reboot thing.

Yes, there are logs showing a ban before further attempts and then “already banned”. Here are some Fail2ban logs but for postfix.

2022-05-27 09:45:34,360 fail2ban.actions [1582]: NOTICE [postfix-sasl] Ban 5.34.207.156
2022-05-27 09:45:37,134 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:45:37
2022-05-27 09:45:39,680 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:45:39
2022-05-27 09:45:42,177 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:45:42
2022-05-27 09:45:42,330 fail2ban.actions [1582]: NOTICE [postfix-sasl] 5.34.207.156 already banned
2022-05-27 09:55:42,491 fail2ban.actions [1582]: NOTICE [postfix-sasl] Unban 5.34.207.156
2022-05-27 09:55:55,537 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:55:55
2022-05-27 09:55:57,880 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:55:57
2022-05-27 09:55:59,731 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:55:59
2022-05-27 09:55:59,955 fail2ban.actions [1582]: NOTICE [postfix-sasl] Ban 5.34.207.156
2022-05-27 09:56:02,186 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:56:02
2022-05-27 09:56:04,738 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:56:04
2022-05-27 09:56:06,172 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:56:06
2022-05-27 09:56:06,508 fail2ban.actions [1582]: NOTICE [postfix-sasl] 5.34.207.156 already banned

The postfix-sasl jail is configured to ban after 3 fails in 10 minutes for a period of 10 minutes.

I have restarted fail2ban each time I have edited the settings.

Thanks for your ongoing efforts.

This morning I upgraded the server to the latest (there was a kernel update too).

I see the same symptoms still.

Why I didn’t think of it before I don’t know but I checked another server (virtual server) that only runs as a secondary nameserver so has fewer services running and I see the same issue there. IPs being banned but not blocked.

I have run fail2ban successfully for a few years now. Start by checking your firewall log to verify the IP is being correctly blocked. Fail2ban won’t show an error if the firewall script doesn’t ban the IP. The firewall log will probably be in the same directory as your fail2ban log.

Many thanks PaulM.
You are correct, the logs are in the same place.

I have looked at /var/log/firewalld and I see that there have been no new entries for 5 days.

Fail2ban log has lots of bans in that time.

The last two lines of the firewall log show this

WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.

I am assuming that is not the cause of this issue and am still lost as to how to progress this. I will do some more digging.

Thanks again.

This is all very confusing even after reading for some hours online I still don’t understand iptables etc. I’m getting to the stage where I’m going to have to ask @staff to help.

/var/log/firewalld has not changed since my reply above.

If I run “iptables -L -n” I see the following

Chain IN_public_deny (1 references) (hundreds of lines)

REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:465 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:587 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:993 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:110 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:995 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable

Which I thought meant that the ip number 104.208.97.142 was blocked from accessing the server but if I look at fail2ban logs I see the following for that IP.

2022-06-03 04:41:21,894 fail2ban.actions [1203]: NOTICE [postfix-sasl] Ban 104.208.97.142
2022-06-03 04:51:21,922 fail2ban.actions [1203]: NOTICE [postfix-sasl] Unban 104.208.97.142
2022-06-03 04:52:12,163 fail2ban.filter [1203]: INFO [postfix-sasl] Found 104.208.97.142 - 2022-06-03 04:52:12
2022-06-03 04:54:21,859 fail2ban.filter [1203]: INFO [postfix-sasl] Found 104.208.97.142 - 2022-06-03 04:54:21
2022-06-03 04:56:32,075 fail2ban.filter [1203]: INFO [postfix-sasl] Found 104.208.97.142 - 2022-06-03 04:56:32
2022-06-03 04:56:32,625 fail2ban.actions [1203]: NOTICE [postfix-sasl] Ban 104.208.97.142
2022-06-03 05:06:32,415 fail2ban.actions [1203]: NOTICE [postfix-sasl] Unban 104.208.97.142
2022-06-03 05:07:22,691 fail2ban.filter [1203]: INFO [postfix-sasl] Found 104.208.97.142 - 2022-06-03 05:07:22
2022-06-03 05:09:32,524 fail2ban.filter [1203]: INFO [postfix-sasl] Found 104.208.97.142 - 2022-06-03 05:09:32
2022-06-03 05:11:42,415 fail2ban.filter [1203]: INFO [postfix-sasl] Found 104.208.97.142 - 2022-06-03 05:11:42
2022-06-03 05:11:42,895 fail2ban.actions [1203]: NOTICE [postfix-sasl] Ban 104.208.97.142

I am under the understanding that once an IP is banned there should be no more mentions of the IP number until it is unbanned. Please correct if wrong.

I have noticed that there is no “action” specified in Webmin> Networking > Fail2ban > Filter Action Jails and I cannot find any default action in any of the Fail2Ban files. Perhaps I am not finding it so where should that be ?

Any help and guidance gratefully received.

Thanks for reading.
Tim
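The question in the post above, whether a banned address should ever be mentioned again before its Unban, can be checked from the log itself. This is an added example, not part of the thread and not fail2ban's own code: a shell function that replays fail2ban's Ban, Unban and Found lines and counts the Found events that fell inside a ban window. The “already banned” line is written by fail2ban.actions when the filter reaches maxretry again for an address the jail still has on its ban list, so each one is preceded by Found lines, which means the service was still logging failures from that address. Whether those failures came through the firewall or over a session opened before the ban is a separate question: the REJECT rules in the iptables -L output above are restricted to ctstate NEW,UNTRACKED, so a TCP session that was already established when the ban was added is not cut. The sample input is the postfix-sasl excerpt posted earlier, embedded so the function runs offline; the stock log layout (DATE TIME module [pid]: LEVEL [jail] verb IP ...) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report "Found" events that fail2ban
# logged while the same jail already had the address banned.
# Usage on the host:   found_while_banned /var/log/fail2ban.log
# Reads stdin when no file is given. Assumes the stock log layout:
#   DATE TIME module [pid]: LEVEL [jail] Ban|Unban|Found IP ...

found_while_banned() {
    awk '
    # $6 is "[jail]", $7 the verb, $8 the address ("Restore Ban" uses $9).
    {
        jail = substr($6, 2, length($6) - 2)
        if ($7 == "Ban")                                banned[jail, $8] = 1
        else if ($7 == "Restore" && $8 == "Ban")        banned[jail, $9] = 1
        else if ($7 == "Unban")                         delete banned[jail, $8]
        else if ($7 == "Found" && ((jail, $8) in banned)) hits[jail, $8]++
    }
    END {
        # One line per (jail, address): how many Found events fell inside a ban.
        for (k in hits) {
            split(k, p, SUBSEP)
            printf "%s %s %d\n", p[1], p[2], hits[k]
        }
    }' "$@" | sort
}

# Sample input: the postfix-sasl lines from the post above, embedded so the
# function can be exercised without access to the server.
sample_log() {
    cat <<'EOF'
2022-05-27 09:45:34,360 fail2ban.actions [1582]: NOTICE [postfix-sasl] Ban 5.34.207.156
2022-05-27 09:45:37,134 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:45:37
2022-05-27 09:45:39,680 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:45:39
2022-05-27 09:45:42,177 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:45:42
2022-05-27 09:45:42,330 fail2ban.actions [1582]: NOTICE [postfix-sasl] 5.34.207.156 already banned
2022-05-27 09:55:42,491 fail2ban.actions [1582]: NOTICE [postfix-sasl] Unban 5.34.207.156
2022-05-27 09:55:55,537 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:55:55
2022-05-27 09:55:57,880 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:55:57
2022-05-27 09:55:59,731 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:55:59
2022-05-27 09:55:59,955 fail2ban.actions [1582]: NOTICE [postfix-sasl] Ban 5.34.207.156
2022-05-27 09:56:02,186 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:56:02
2022-05-27 09:56:04,738 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:56:04
2022-05-27 09:56:06,172 fail2ban.filter [1582]: INFO [postfix-sasl] Found 5.34.207.156 - 2022-05-27 09:56:06
2022-05-27 09:56:06,508 fail2ban.actions [1582]: NOTICE [postfix-sasl] 5.34.207.156 already banned
EOF
}

# sample_log | found_while_banned     prints:   postfix-sasl 5.34.207.156 6
```

The three Found lines after the 09:55 Unban are not counted, because the jail had released the address; the six that are counted (three after each Ban) are the ones that need explaining. For those, the next step is on the host: `ss -tn state established '( sport = :25 )' | grep 5.34.207.156` shows whether the address still holds an SMTP session that predates the ban, which the NEW-only REJECT rule does not touch.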

Maybe it is banned on only some ports, but connections are still coming in on other ports?

Thanks Jamie,

I have assumed that in the iptables -L -n the first line

REJECT tcp – 104.208.97.142 0.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable

means that the IP number is blocked for port 25 and that

2022-06-03 04:41:21,894 fail2ban.actions [1203]: NOTICE [postfix-sasl] Ban 104.208.97.142

means that postfix-sasl (using port 25?) should be blocked/banned but the attempts continue.

I guess I am missing something.

Yes, that should be blocked then.

I wonder if maybe the IPtables rules aren’t being applied in the correct order? Can you attach the output of iptables-save to this bug report?

Many thanks Jamie,

Here is the output requested -

# Generated by iptables-save v1.4.21 on Sun Jun  5 05:18:23 2022
*nat
:PREROUTING ACCEPT [1103309:70739407]
:INPUT ACCEPT [735432:48481223]
:OUTPUT ACCEPT [1711587:122628903]
:POSTROUTING ACCEPT [1711587:122628903]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o em1 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jun  5 05:18:23 2022
# Generated by iptables-save v1.4.21 on Sun Jun  5 05:18:23 2022
*mangle
:PREROUTING ACCEPT [13831528:5934094001]
:INPUT ACCEPT [13831528:5934094001]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13727619:8150284812]
:POSTROUTING ACCEPT [13727619:8150284812]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jun  5 05:18:23 2022
# Generated by iptables-save v1.4.21 on Sun Jun  5 05:18:23 2022
*security
:INPUT ACCEPT [13395636:5908952397]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13727625:8150285052]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sun Jun  5 05:18:23 2022
# Generated by iptables-save v1.4.21 on Sun Jun  5 05:18:23 2022
*raw
:PREROUTING ACCEPT [13831528:5934094001]
:OUTPUT ACCEPT [13727619:8150284812]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jun  5 05:18:23 2022
# Generated by iptables-save v1.4.21 on Sun Jun  5 05:18:23 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [777:385764]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i em1 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o em1 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i em1 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 10000:10100 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_deny -s 1.116.117.214/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 1.22.231.87/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 101.200.124.98/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 101.43.65.147/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 103.145.254.221/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 1.2.252.3/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 104.168.24.158/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 106.246.250.154/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 1.220.185.149/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 107.172.55.241/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 107.174.170.158/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 1.234.58.214/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 176.113.115.82/32 -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 176.113.115.82/32 -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 176.113.115.82/32 -p tcp -m tcp --dport 990 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 176.113.115.82/32 -p tcp -m tcp --dport 989 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable

There are hundreds of lines very similar (just IP number changed I think) but here is the ending

-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 36.103.240.241/32 -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 87.246.7.246/32 -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Jun  5 05:18:24 2022

Obviously I am happy to paste the entire report if needed.

Thanks again
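Jamie's two questions above, whether the rules are applied in the right order and whether a given banned address is actually covered, can be answered from the iptables-save dump rather than by reading hundreds of lines by eye. The following is an added example, not part of the thread and not firewalld's or fail2ban's own tooling: a shell function that reads iptables-save output on stdin and reports whether a NEW TCP connection from a given address to a given port would hit a REJECT or DROP in IN_public_deny, after first confirming that IN_public jumps to IN_public_deny before IN_public_allow (the order visible in the dump above). The sample dump is a constructed excerpt with the same rule shapes as the real one: the per-port mail rules postfix-sasl produced for 5.34.207.156 and one rule without --dport like the 1.22.231.87 entry. Port ranges in deny rules are not handled, since fail2ban writes single ports.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an iptables-save dump
# whether a NEW TCP connection from IP to PORT is rejected by the firewalld
# zone chains. Usage on the host:
#   iptables-save | verify_ban 5.34.207.156 25
# Assumes firewalld's layout: IN_public jumps to IN_public_log,
# IN_public_deny and IN_public_allow, in that order, in the filter table.
# Exit 0 = rejected for new connections, 1 = no deny rule, 2 = chain order wrong.

verify_ban() {
    awk -v ip="$1" -v port="$2" '
    /^\*/ { table = substr($0, 2) }                 # "*filter", "*nat", ...
    table != "filter" { next }
    # Record where IN_public jumps to its deny and allow sub-chains.
    $1 == "-A" && $2 == "IN_public" && $3 == "-j" {
        if ($4 == "IN_public_deny")  deny_pos  = NR
        if ($4 == "IN_public_allow") allow_pos = NR
    }
    $1 == "-A" && $2 == "IN_public_deny" {
        src = ""; dport = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s")      src    = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        sub(/\/32$/, "", src)
        # A rule without --dport is an all-ports ban and covers any port.
        if (hit == "" && src == ip && (dport == "" || dport == port) &&
            (target == "REJECT" || target == "DROP"))
            hit = $0
    }
    END {
        if (!(deny_pos && allow_pos && deny_pos < allow_pos)) {
            print "ORDER: IN_public_deny is not consulted before IN_public_allow"
            exit 2
        }
        if (hit == "") {
            print "OPEN: no deny rule for " ip " on port " port
            exit 1
        }
        print "REJECTED (new connections): " hit
        if (hit ~ /--ctstate NEW/)
            print "NOTE: rule matches NEW only; a session opened before the ban is ESTABLISHED and still accepted"
        exit 0
    }'
}

# Constructed excerpt in the shape of the iptables-save output above: the
# first INPUT rule accepts ESTABLISHED traffic, then the zone chains.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i em1 -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_deny -s 1.22.231.87/32 -p tcp -m tcp -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A IN_public_deny -s 5.34.207.156/32 -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# sample_dump | verify_ban 5.34.207.156 25   -> REJECTED ..., exit 0
# sample_dump | verify_ban 5.34.207.156 21   -> OPEN ..., exit 1 (mail ports only)
# sample_dump | verify_ban 1.22.231.87 21    -> REJECTED ..., exit 0 (all-ports rule)
```

Feeding it the addresses from the Ban lines of /var/log/fail2ban.log (`awk '$7=="Ban"{print $8}' /var/log/fail2ban.log | sort -u`) and the port of the service that keeps logging them turns Jamie's question into a yes/no per address. The NOTE line is the caveat that matters for this thread: with the rules as posted, an attacker who opened the SMTP or FTP session before fail2ban added the rule keeps that session, and every further failed login on it produces another Found line.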

Are some of those IPs in the IN_public_deny lines the ones that fail2ban has banned?

Also, are you also using FirewallD to manage your firewall?

I am not at all knowledgeable about the firewall so I leave it exactly as was setup during install of VM. Too scary :)

I am not aware how to definitively prove that but is this enough ?

Thanks for your ongoing support.

Happy to give you access to the server if that makes life easier.

What about applying it to all interfaces and manually restarting fail2ban and firewalld, like:

systemctl restart fail2ban
systemctl restart firewalld

Thanks Illia,

I am very reluctant (ok. scared) to just go digging around and trying things at this stage without defined directions.

Not sure about "What about applying it all interfaces " so need a little direction. I have looked in the Fail2ban part of Webmin but I don’t see anything that suggests “all interfaces”. Sorry to be a pain but some further direction is needed.

I did restart fail2ban and firewalld though I don’t expect any change (the server was rebooted 13 days ago due to a kernel update) and will post back here in the unlikely event of any change.

This is on a dedicated server but I have another, a virtual server (same OS and versions) which is running GPL and only used as a secondary name server. That displays the same issues.

Thanks for your continued efforts.

I referred to FirewallD option (on the main page).