Fail2ban and UFW on Debian

Discussion in 'Server Operation' started by mmdollar, Sep 7, 2017.

  1. mmdollar

    mmdollar Member

    Hello everyone, I have a problem with UFW and fail2ban working together. Probably I've messed up something in the configuration because of a lack of understanding. Ok so my problem is that when fail2ban detects a bruteforce on my mail server it "bans" the IP, but after checking the logs I can see that some IP's are still trying to log. My aim is when I see a bot trying to bruteforce me after 1 attemp to be banned for X time on all ports. Here is my jail.local configuration file for fail2ban:
    Code:
    [DEFAULT]
    bantime = 604800
    port=0:65535
    
    [dovecot]
    banaction = ufw
    enabled = true
    filter = dovecot
    logpath = /var/log/mail.log
    maxretry = 1
    findtime = 7200
    
    [postfix-sasl]
    banaction = ufw
    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 1
    findtime = 7200
    
    [sshd]
    banaction = ufw
    enabled = true
    port = 7080
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 2
    findtime = 7200
    This is my action configuration file for UFW located at /etc/fail2ban/action/ufw.conf :
    Code:
    [Definition]
    actionstart =
    actionstop =
    actioncheck =
    actionban = ufw deny from <ip> to any
    actionunban = ufw delete deny from <ip> to any
    This is how my postfix-sasl filter looks like:
    Code:
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = postfix/smtpd
    
    # failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$
    
    # Author: Yaroslav Halchenko
    
    ignoreregex =
    Dovecot filter configuration file:
    Code:
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = (auth|dovecot(-auth)?|auth-worker)
    
    failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
                ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowe$
                ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \$
                ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
                ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
    
    ignoreregex =
    
    [Init]
    
    journalmatch = _SYSTEMD_UNIT=dovecot.service
    When I enter ufw status (removed IP addresses I don't wanna name and shame):
    Code:
    [email protected]:/etc/fail2ban# ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    25/tcp                     ALLOW       Anywhere
    110/tcp                    ALLOW       Anywhere
    143/tcp                    ALLOW       Anywhere
    587/tcp                    ALLOW       Anywhere
    993/tcp                    ALLOW       Anywhere
    995/tcp                    ALLOW       Anywhere
    7080/tcp                   ALLOW       Anywhere
    224.0.0.1                  ALLOW       192.168.1.1
    Anywhere                   DENY        xxx.xx.xxx.xx
    Anywhere                   DENY        xxx.xxx.xx.xxx
    Anywhere                   DENY        xxx.xxx.xxx.xx
    Anywhere                   DENY        xxx.xxx.xxx.xx
    Anywhere                   DENY        xxx.xxx.xxx.xx
    Anywhere                   DENY        xxx.xxx.xxx.xx
    [...]
    In ISPConfig monitor when I click on Mail Warnings I see things like this all the time (removed IPs/Hostnames):
    Code:
    Sep  7 12:53:50 mail-1 postfix/smtpd[31719]: warning: unknown[xx.xxx.xxx.xxx]: SASL Login authentication failed: UGFzc3dvcmQ6
    Sep  7 12:55:50 mail-1 postfix/smtpd[31719]: warning: hostname example.com does not resolve to address xxx.xx.xxx.xxx
    In fail2ban log I see this:
    Code:
    2017-09-07 13:14:02,006 fail2ban.filter [960]: INFO [postfix-sasl] Found xxx.xx.xxx.xx
    2017-09-07 13:14:02,278 fail2ban.actions [960]: NOTICE [postfix-sasl] xxx.xx.xxx.xx already banned
    Well if guys/gals need more information, please ask and I will try to deliver. Thanks in advance for the help!
     

Share This Page