530
October 10, 2022, 3:16pm
SYSTEM INFORMATION
OS type and version
CentOS 7 64bit
Virtualmin version
7.2
Webmin version
2.001
Hello everyone,
I have a problem on my server.
I have 2 IPs trying to connect to my mail server.
A few lines from my mail.log:
Oct 10 14:23:11 530 postfix/smtpd[14530]: warning: unknown[212.70.149.68]: SASL LOGIN authentication failed: authentication failure
Oct 10 14:23:12 530 postfix/smtpd[16505]: warning: unknown[5.34.207.107]: SASL LOGIN authentication failed: authentication failure
Oct 10 14:23:12 530 postfix/smtpd[14530]: disconnect from unknown[212.70.149.68]
Oct 10 14:23:12 530 postfix/smtpd[16505]: disconnect from unknown[5.34.207.107]
Oct 10 14:23:15 530 postfix/smtpd[17261]: connect from unknown[5.34.207.107]
Oct 10 14:23:15 530 postfix/smtpd[17261]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Oct 10 14:23:16 530 postfix/smtpd[18128]: connect from unknown[5.34.207.107]
Oct 10 14:23:16 530 postfix/smtpd[18128]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Oct 10 14:23:16 530 postfix/smtpd[16505]: connect from unknown[5.34.207.107]
Oct 10 14:23:16 530 postfix/smtpd[16505]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Oct 10 14:23:17 530 postfix/smtpd[18123]: warning: unknown[5.34.207.107]: SASL LOGIN authentication failed: authentication failure
And I don’t understand why my fail2ban doesn’t work, since it seems that the IPs are blacklisted. Here are some lines from my fail2ban.log
2022-10-10 14:29:46,381 fail2ban.actions [417]: WARNING [postfix-sasl] 5.34.207.107 already banned
2022-10-10 14:29:46,515 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:46
2022-10-10 14:29:47,268 fail2ban.filter [417]: INFO [postfix-sasl] Found 212.70.149.68 - 2022-10-10 14:29:47
2022-10-10 14:29:49,002 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:48
2022-10-10 14:29:49,766 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:49
2022-10-10 14:29:52,124 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:50
2022-10-10 14:29:59,021 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:51
2022-10-10 14:29:59,022 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:52
2022-10-10 14:29:59,055 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:54
2022-10-10 14:29:59,058 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:54
2022-10-10 14:29:59,076 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:56
2022-10-10 14:29:59,086 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:58
2022-10-10 14:29:59,086 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:58
2022-10-10 14:29:59,593 fail2ban.actions [417]: WARNING [postfix-sasl] 5.34.207.107 already banned
2022-10-10 14:29:59,593 fail2ban.actions [417]: WARNING [postfix-sasl] 5.34.207.107 already banned
Do you know how to fix this?
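As an added example (not from the thread), a small POSIX shell/awk check over fail2ban.log that flags IPs the filter keeps matching after fail2ban has already reported them as banned, which is the symptom of a ban action the firewall is not enforcing. The sample lines are constructed from the ones in the post; `leaky_bans` reads log text on stdin.

```shell
#!/bin/sh
# Constructed sample of fail2ban.log lines, modelled on the ones posted above.
SAMPLE_LOG='2022-10-10 14:29:46,381 fail2ban.actions [417]: WARNING [postfix-sasl] 5.34.207.107 already banned
2022-10-10 14:29:46,515 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:46
2022-10-10 14:29:47,268 fail2ban.filter [417]: INFO [postfix-sasl] Found 212.70.149.68 - 2022-10-10 14:29:47
2022-10-10 14:29:49,002 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:48
2022-10-10 14:29:49,766 fail2ban.filter [417]: INFO [postfix-sasl] Found 5.34.207.107 - 2022-10-10 14:29:49
2022-10-10 14:29:59,593 fail2ban.actions [417]: WARNING [postfix-sasl] 5.34.207.107 already banned'

# Print "jail ip count" for every IP that the filter still matched AFTER
# fail2ban reported it as already banned. A banned IP should not be able to
# reach the service at all, so a growing count means the firewall rule is
# not in effect. Field layout of the two line types:
#   ... WARNING [jail] <ip> already banned        -> $6=[jail] $7=ip
#   ... INFO    [jail] Found <ip> - <timestamp>   -> $6=[jail] $8=ip
leaky_bans() {
  awk '
    $8 == "already" && $9 == "banned" {
      jail = substr($6, 2, length($6) - 2); banned[jail SUBSEP $7] = 1; next
    }
    $7 == "Found" {
      jail = substr($6, 2, length($6) - 2); k = jail SUBSEP $8
      if (k in banned) after[k]++
    }
    END { for (k in after) { split(k, p, SUBSEP); print p[1], p[2], after[k] } }
  ' | sort
}

# Run the check over the constructed sample; on a live box use
#   leaky_bans < /var/log/fail2ban.log
check_sample() { printf '%s\n' "$SAMPLE_LOG" | leaky_bans; }
```

A handful of matches right after a ban can simply be lines that were already in the log when the ban fired; a steady stream over minutes, as in the post, is the sign that the ban is not reaching the firewall.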
@530 ,
A common issue for fail2ban rules not being used correctly is that the software is incorrectly configured to write the wrong type of firewall rules. If you run iptables, make sure it’s using iptables rules, and if you are using firewalld make sure it’s using rules for that. Detection of an issue is only the first half of what fail2ban does, so if it’s improperly configured it won’t actually protect.
On a side note, it’s also possible that the block time is too short, so it gets blocked for say a few minutes then unblocked. Adjust accordingly on a per rule basis, or globally.
530
October 11, 2022, 8:46am
Normally my firewalld is disabled.
But I don’t know how to check for iptables.
fabi
October 11, 2022, 10:27am
@530
Hi there,
Now you have your answer. If firewalld is disabled, Fail2Ban cannot apply the correct rules (actually, it cannot apply any rule) to ban an IP.
You disabled your Firewall? That’s actually not a good idea to operate your server without any…
@530 ,
Send a screenshot of “Linux Firewall” screen… If that is enabled you don’t need to enable FirewallD as they do the same thing just in a different way.
Assuming Linux Firewall (aka iptables) is running and configured, the next step would be to potentially adjust the fail2ban rules to create the correct firewall rules.
530
October 11, 2022, 12:59pm
Thank you for your answers.
Here is my linux firewall:
jimr1
October 12, 2022, 2:01pm
Looks like the firewall is not running to me. I only see the bottom box, “activate at reboot”, when it’s not running & switched off. No wonder fail2ban fails.
530
October 13, 2022, 11:12am
So I set “activate at boot” to on.
I did Apply configuration.
But now I have no access at all to the webmin, or even to the front of my website. Even after rebooting the VPS.
However via ssh my webmin indicates an active status.
jimr1
October 13, 2022, 11:36am
Sounds like you have banned yourself.
jimr1
October 13, 2022, 11:42am
use fail2ban-client to remove your IP from the jails that are being blocked
use fail2ban-client status
to find running jails then use
fail2ban-client status <jail name>
then see if your IP is in the ban list for whichever jail and then remove it
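The jail walk described above, as an added shell example (not jimr1’s code): it parses the output of `fail2ban-client status` and `fail2ban-client status <jail>` to find which jails list a given IP, and uses `fail2ban-client set <jail> unbanip <ip>` to remove it. The two status outputs embedded below are constructed samples; the banned addresses are the ones shown in the sshd restore-ban lines later in the thread.

```shell
#!/bin/sh
# Constructed sample of `fail2ban-client status` output.
STATUS_ALL='Status
|- Number of jail:   2
`- Jail list:   postfix-sasl, sshd'

# Constructed sample of `fail2ban-client status sshd` output.
STATUS_SSHD='Status for the jail: sshd
|- Filter
|  |- Currently failed:   1
|  |- Total failed:   5
|  `- File list:   /var/log/secure
`- Actions
   |- Currently banned:   2
   |- Total banned:   2
   `- Banned IP list:   167.71.253.237 178.128.215.16'

# Jail names, one per line, extracted from "fail2ban-client status" text on stdin.
jail_names() {
  sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Exit 0 if $1 is in the "Banned IP list" of a jail status read on stdin.
ip_in_banlist() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | grep -qxF "$1"
}

# Live use (needs root and a running fail2ban): walk every jail and unban $1
# wherever it is listed. Not executed by the offline checks below.
unban_everywhere() {
  ip=$1
  fail2ban-client status | jail_names | while read -r jail; do
    if fail2ban-client status "$jail" | ip_in_banlist "$ip"; then
      echo "unbanning $ip from $jail"
      fail2ban-client set "$jail" unbanip "$ip"
    fi
  done
}

# Offline helpers over the constructed samples so the parsing can be checked.
sample_jail_count() { printf '%s\n' "$STATUS_ALL" | jail_names | wc -l | tr -d ' '; }
sample_is_banned() { printf '%s\n' "$STATUS_SSHD" | ip_in_banlist "$1" && echo yes || echo no; }
```

Check the IP you are connecting from (the one your ISP or phone network presents, not a LAN address) before trusting a “not in the list” result.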
530
October 13, 2022, 12:58pm
There is only the sshd jail that has banned IPs.
But mine is not in the list.
I tried to access my site via my phone to have another ip and it is inaccessible too.
I have disabled my firewall via ssh:
iptables stop service
and everything is working again.
So there is something wrong with the settings but I can’t figure out what.
Ilia
October 13, 2022, 2:43pm
This shouldn’t be the case if Virtualmin was installed using an official installer.
The possible fix is:
service iptables stop
yum remove iptables-services
virtualmin-config-system -i=Fail2banFirewalld
When done, check if FirewallD is running:
systemctl status firewalld
… and restart fail2ban just in case:
systemctl restart fail2ban
530
October 13, 2022, 3:21pm
Thank you for solving this problem.
But in my fail2ban log file I still have a lot of lines like this:
2022-10-13 15:15:44,971 fail2ban.filter [19080]: INFO [postfix-sasl] Found 87.246.7.77 - 2022-10-13 15:15:44
2022-10-13 15:15:45,472 fail2ban.actions [19080]: NOTICE [postfix-sasl] Restore Ban 5.34.207.85
2022-10-13 15:15:45,841 fail2ban.actions [19080]: NOTICE [sshd] Restore Ban 167.71.253.237
2022-10-13 15:15:46,296 fail2ban.filter [19080]: INFO [postfix-sasl] Found 5.34.207.88 - 2022-10-13 15:15:46
2022-10-13 15:15:48,343 fail2ban.actions [19080]: NOTICE [postfix-sasl] Restore Ban 5.34.207.88
2022-10-13 15:15:48,547 fail2ban.filter [19080]: INFO [postfix-sasl] Found 212.70.149.68 - 2022-10-13 15:15:48
2022-10-13 15:15:48,708 fail2ban.actions [19080]: NOTICE [sshd] Restore Ban 178.128.215.16
2022-10-13 15:15:51,365 fail2ban.actions [19080]: NOTICE [postfix-sasl] Restore Ban 87.246.7.77
2022-10-13 15:15:51,780 fail2ban.actions [19080]: NOTICE [sshd] Restore Ban 186.206.150.168
2022-10-13 15:15:53,665 fail2ban.filter [19080]: INFO [postfix-sasl] Found 5.34.207.88 - 2022-10-13 15:15:53
2022-10-13 15:15:55,080 fail2ban.actions [19080]: NOTICE [sshd] Restore Ban 92.36.152.126
2022-10-13 15:15:59,185 fail2ban.filter [19080]: INFO [postfix-sasl] Found 87.246.7.77 - 2022-10-13 15:15:59
Ilia
October 13, 2022, 3:23pm
What is wrong with these lines? It looks expected.
530
October 13, 2022, 3:43pm
Ha ok, thanks a lot.
As I have new logs again every second I thought I was still having incessant attacks.
system
Closed
October 21, 2022, 3:44pm
This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.