Fail2Ban Permanent Ban and other considerations / Ubuntu 18 Perfect Server

Discussion in 'General' started by FFG28, Nov 27, 2018.

  1. FFG28

    FFG28 Member

    Good Day:

    Before following the instructions below,

    https://www.howtoforge.com/community/threads/permanently-ban-an-ip.79457/

    I would like to ask if I would have issues with having different MaxRetry configurations and applying RECIDIVE:

    My Code
    Code:
    [pure-ftpd]
    enabled  = true
    port     = ftp
    filter   = pure-ftpd
    logpath  = /var/log/syslog
    maxretry = 3
    
    [dovecot]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    
    [postfix]
    enabled  = true
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 3
    
    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    findtime = 600
    maxretry = 5
    bantime = 3600
    The offending IP is not from my group of users.

    Also, could somebody walk me through a SASL filter setup? Any other recommended filter as well?
    Note: This server is used only for IMAP and SMTP MAIL for not more than 30 users. We don't use FTP but it doesn't seem bad to leave that filter there.

    Cheers
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Mail users are authenticated by postfix trough dovecot, so failed smtp logins (sasl) should already be covered by the filters. Try if you get a ban when you login with wrong smtp password multiple times.
     
    FFG28 likes this.
  3. FFG28

    FFG28 Member


    Thank you Till:

    I was just reviewing my post before your answer and was going to add the following about the offending IP's

    Quote"
    The offending IP is not from my group of users. But it is from a server that I expect to receive mail from directed to my users (server is from another party an it should not be trying to relay with me if that should be the case).

    My Fail2Ban has been banning two SMTP servers from this party on the same public subnet (different by 1 on the 4th octect / x.x.x.190 and x.x.x.191) with the POSTFIX filter. How should I interpret this. I know the owner of the systems and could contact him if needed.
    "Un-quote

    Also, any comments on RECIDIVE?

    Thanks again.
     
    Last edited: Nov 27, 2018
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Different maxretry values for different jails is fine, and is the first thing you would likely change to tune a jail that eg. works fairly well but is a little too sensitive and catches legitimate traffic. I've used recidive (on debian, not ubuntu) and it works nicely, as long as your other jails are tuned decently. (If you're getting frequent matches for your legitimate users, eg. say typing in their password wrong or using wrong settings, then adding recidive will simply get them blocked for a very long time and likely result in a phone call rather than them fixing their config.)

    Look at /etc/fail2ban/filter.d/postfix.conf to see what log lines will be matched, and grep for their ip addrs in mail.log - that tells you what they're hitting on. You have maxretry=3 for postfix jail, so they get 3 hits in 10 minutes (by default) and they'll be blocked; likely you'll want to relax that a bit, and if you need to you can either ignore those ip addrs for the jail in your fail2ban jail, or you could exempt them from whatever check(s) they're hitting in postfix config if needed beyond that.

    From jail.local on a server here:
    Code:
    [postfix]
    
    enabled  = true
    port     = smtp,465,submission
    maxretry = 90
    findtime = 10800
    bantime  = 14400
    
     
    FFG28 likes this.
  5. FFG28

    FFG28 Member

    Good Day Jesse:

    Thank you for your comments. I believe I have found the problem and is related to an older post of mine where you helped me in solving a HELO-CHECK issue

    https://www.howtoforge.com/communit...strictions-with-ispconfig3.80384/#post-381659

    After your feedback, and as mentioned on that post, I went and gave PERMIT for the banner check of this particular IP's, but for some reason the /etc/postfix/helo_acces configuration went back to default a couple of days ago.

    Maybe an update of software!.

    I did run an update for ISPCONFIG a couple of days ago but Im not sure if this was what made the change. Could a POSTFIX update change this configuration? I need to make more tests. For the time being, Fail2Ban stopped banning the IP.

    Thanks again.
     
  6. Ispconfig update rewrites your Postfix config.
    For example :
    Code:
    inet_protocols = ipv4
    will be at each update replaced with
    Code:
     inet_protocols = all
     
    FFG28 likes this.
  7. FFG28

    FFG28 Member

    Thank you Electronico. Should I revise my complete default ISPCONFIG PERECT SERVER configuration INSTALL for other changes?

    Cheers
     
  8. You have modified parameters after ISPConfig install, it's up to you to keep them alive after each update.
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    That was it, you need to
    Code:
    wget -O  /usr/local/ispconfig/server/conf-custom/install/helo_access.master https://git.ispconfig.org/ispconfig/ispconfig3/raw/master/install/tpl/helo_access.master
    and make your same changes to /usr/local/ispconfig/server/conf-custom/install/helo_access.master. Same procedure goes for other config files, eg. debian_postfix.conf.master will preserve your postfix main.cf changes.

    Beware that when you update ispconfig, you will need to check for changes to those .master files yourself; there are occasionally changes within a point release (eg. 3.1.12 -> 3.1.13), but there are almost guaranteed to be changes in larger releases (3.1.x -> 3.2.x) which you'll need to determine and integrate (or just copy and modify the .master again).
     
    FFG28 likes this.
  10. FFG28

    FFG28 Member

    Thank you Jesse:

    I will follow your instructions.
     

Share This Page