Fail2Ban

Discussion in 'ISPConfig 3 Priority Support' started by Dextros, Oct 15, 2018.

  1. Dextros

    Dextros Member HowtoForge Supporter

    Hi Guys
    I just realised that my sub wasn't active!
    Now that's fixed, I have a problem.

    F2B does not appear to be blocking IPs.
    https://i.imgur.com/nWbNrSl.png
    I have manually added these into iptables, and they are still not dropping.

    What can I look into?

    KRs

    Lee
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do any blocks get listed in fail2ban.log? If yes, for which services?
    Any errors in fail2ban.log file when you restart fail2ban?
    And finally, which Linux Distribution do you use?
     
  3. Dextros

    Dextros Member HowtoForge Supporter

    Hi Till

    Thanks for coming back to me

    Code:
    2018-10-14 06:27:29,373 fail2ban.actions[6457]: WARNING [ssh] Ban 139.99.130.143
    2018-10-14 06:37:30,014 fail2ban.actions[6457]: WARNING [ssh] Unban 139.99.130.143
    2018-10-14 06:46:59,622 fail2ban.actions[6457]: WARNING [ssh] Ban 139.99.130.143
    2018-10-14 06:57:00,269 fail2ban.actions[6457]: WARNING [ssh] Unban 139.99.130.143
    2018-10-14 07:06:54,901 fail2ban.actions[6457]: WARNING [ssh] Ban 139.99.130.143
    2018-10-14 07:16:55,539 fail2ban.actions[6457]: WARNING [ssh] Unban 139.99.130.143
    2018-10-14 07:55:12,953 fail2ban.actions[6457]: WARNING [ssh] Ban 139.99.130.143
    2018-10-14 08:05:13,586 fail2ban.actions[6457]: WARNING [ssh] Unban 139.99.130.143
    2018-10-14 11:14:57,499 fail2ban.actions[6457]: WARNING [pureftpd] Ban 103.208.220.131
    2018-10-14 11:19:21,817 fail2ban.actions[6457]: WARNING [ssh] Ban 77.72.82.39
    2018-10-14 11:24:58,142 fail2ban.actions[6457]: WARNING [pureftpd] Unban 103.208.220.131
    2018-10-14 11:29:22,459 fail2ban.actions[6457]: WARNING [ssh] Unban 77.72.82.39
    2018-10-14 11:30:37,546 fail2ban.actions[6457]: WARNING [ssh] Ban 103.208.220.131
    2018-10-14 11:40:38,192 fail2ban.actions[6457]: WARNING [ssh] Unban 103.208.220.131
    2018-10-14 17:02:00,469 fail2ban.actions[6457]: WARNING [ssh] Ban 5.39.67.11
    2018-10-14 17:12:01,113 fail2ban.actions[6457]: WARNING [ssh] Unban 5.39.67.11
    2018-10-14 17:12:29,151 fail2ban.actions[6457]: WARNING [ssh] Ban 5.39.67.11
    2018-10-14 17:22:29,794 fail2ban.actions[6457]: WARNING [ssh] Unban 5.39.67.11
    2018-10-14 17:32:42,332 fail2ban.actions[6457]: WARNING [pureftpd] Ban 92.222.16.136
    2018-10-14 17:42:42,974 fail2ban.actions[6457]: WARNING [pureftpd] Unban 92.222.16.136
    2018-10-14 19:16:34,900 fail2ban.actions[6457]: WARNING [pureftpd] Ban 37.187.50.163
    2018-10-14 19:26:35,544 fail2ban.actions[6457]: WARNING [pureftpd] Unban 37.187.50.163
    2018-10-14 20:12:17,424 fail2ban.actions[6457]: WARNING [pureftpd] Ban 180.250.152.22
    2018-10-14 20:22:18,062 fail2ban.actions[6457]: WARNING [pureftpd] Unban 180.250.152.22
    2018-10-14 21:32:57,528 fail2ban.actions[6457]: WARNING [pureftpd] Ban 160.153.153.15
    2018-10-14 21:42:58,178 fail2ban.actions[6457]: WARNING [pureftpd] Unban 160.153.153.15
    2018-10-14 22:39:15,779 fail2ban.actions[6457]: WARNING [ssh] Ban 42.7.27.165
    2018-10-14 22:49:16,421 fail2ban.actions[6457]: WARNING [ssh] Unban 42.7.27.165
    2018-10-15 02:28:43,162 fail2ban.actions[6457]: WARNING [pureftpd] Ban 103.221.221.122
    2018-10-15 02:38:43,819 fail2ban.actions[6457]: WARNING [pureftpd] Unban 103.221.221.122
    2018-10-15 02:48:13,422 fail2ban.actions[6457]: WARNING [pureftpd] Ban 192.169.217.57
    2018-10-15 02:58:14,062 fail2ban.actions[6457]: WARNING [pureftpd] Unban 192.169.217.57
    2018-10-15 03:08:35,725 fail2ban.actions[6457]: WARNING [pureftpd] Ban 199.188.200.86
    2018-10-15 03:18:36,372 fail2ban.actions[6457]: WARNING [pureftpd] Unban 199.188.200.86
    2018-10-15 07:43:10,025 fail2ban.actions[6457]: WARNING [ssh] Ban 112.85.42.233
    2018-10-15 07:53:10,670 fail2ban.actions[6457]: WARNING [ssh] Unban 112.85.42.233
    2018-10-15 07:57:45,969 fail2ban.actions[6457]: WARNING [ssh] Ban 90.84.246.11
    2018-10-15 08:07:46,608 fail2ban.actions[6457]: WARNING [ssh] Unban 90.84.246.11
    2018-10-15 11:52:44,748 fail2ban.actions[6457]: WARNING [ssh] Ban 112.85.42.193
    2018-10-15 12:02:45,388 fail2ban.actions[6457]: WARNING [ssh] Unban 112.85.42.193
    2018-10-15 12:09:33,799 fail2ban.actions[6457]: WARNING [dovecot-pop3imap] Ban 37.49.225.190
    2018-10-15 12:19:34,402 fail2ban.actions[6457]: WARNING [dovecot-pop3imap] Unban 37.49.225.190
    2018-10-15 12:35:17,347 fail2ban.actions[6457]: WARNING [pureftpd] Ban 148.72.232.30
    2018-10-15 12:45:17,987 fail2ban.actions[6457]: WARNING [pureftpd] Unban 148.72.232.30
    2018-10-15 12:51:20,359 fail2ban.actions[6457]: WARNING [dovecot-pop3imap] Ban 185.112.249.141
    2018-10-15 13:01:20,996 fail2ban.actions[6457]: WARNING [dovecot-pop3imap] Unban 185.112.249.141
    2018-10-15 13:29:38,762 fail2ban.actions[6457]: WARNING [pureftpd] Ban 192.185.219.158
    2018-10-15 13:39:39,415 fail2ban.actions[6457]: WARNING [pureftpd] Unban 192.185.219.158
    2018-10-15 14:19:25,918 fail2ban.actions[6457]: WARNING [pureftpd] Ban 62.210.28.86
    2018-10-15 14:29:26,556 fail2ban.actions[6457]: WARNING [pureftpd] Unban 62.210.28.86
    2018-10-15 14:45:53,594 fail2ban.actions[6457]: WARNING [pureftpd] Ban 198.50.184.66
    
    This is the output when I restarted the service
    Code:
    2018-10-15 14:52:11,312 fail2ban.server [6457]: INFO    Stopping all jails
    2018-10-15 14:52:12,000 fail2ban.actions[6457]: WARNING [pureftpd] Unban 198.50.184.66
    2018-10-15 14:52:12,015 fail2ban.jail   [6457]: INFO    Jail 'pureftpd' stopped
    2018-10-15 14:52:12,953 fail2ban.jail   [6457]: INFO    Jail 'dovecot-pop3imap' stopped
    2018-10-15 14:52:13,952 fail2ban.jail   [6457]: INFO    Jail 'ssh' stopped
    2018-10-15 14:52:13,953 fail2ban.server [6457]: INFO    Exiting Fail2ban
    2018-10-15 14:52:14,408 fail2ban.server [15778]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
    2018-10-15 14:52:14,408 fail2ban.jail   [15778]: INFO    Creating new jail 'ssh'
    2018-10-15 14:52:14,483 fail2ban.jail   [15778]: INFO    Jail 'ssh' uses pyinotify
    2018-10-15 14:52:14,507 fail2ban.jail   [15778]: INFO    Initiated 'pyinotify' backend
    2018-10-15 14:52:14,508 fail2ban.filter [15778]: INFO    Added logfile = /var/log/auth.log
    2018-10-15 14:52:14,509 fail2ban.filter [15778]: INFO    Set maxRetry = 6
    2018-10-15 14:52:14,510 fail2ban.filter [15778]: INFO    Set findtime = 600
    2018-10-15 14:52:14,511 fail2ban.actions[15778]: INFO    Set banTime = 600
    2018-10-15 14:52:14,544 fail2ban.jail   [15778]: INFO    Creating new jail 'dovecot-pop3imap'
    2018-10-15 14:52:14,544 fail2ban.jail   [15778]: INFO    Jail 'dovecot-pop3imap' uses pyinotify
    2018-10-15 14:52:14,549 fail2ban.jail   [15778]: INFO    Initiated 'pyinotify' backend
    2018-10-15 14:52:14,550 fail2ban.filter [15778]: INFO    Added logfile = /var/log/mail.log
    2018-10-15 14:52:14,550 fail2ban.filter [15778]: INFO    Set maxRetry = 5
    2018-10-15 14:52:14,551 fail2ban.filter [15778]: INFO    Set findtime = 600
    2018-10-15 14:52:14,551 fail2ban.actions[15778]: INFO    Set banTime = 600
    2018-10-15 14:52:14,555 fail2ban.jail   [15778]: INFO    Creating new jail 'pureftpd'
    2018-10-15 14:52:14,555 fail2ban.jail   [15778]: INFO    Jail 'pureftpd' uses pyinotify
    2018-10-15 14:52:14,559 fail2ban.jail   [15778]: INFO    Initiated 'pyinotify' backend
    2018-10-15 14:52:14,560 fail2ban.filter [15778]: INFO    Added logfile = /var/log/syslog
    2018-10-15 14:52:14,560 fail2ban.filter [15778]: INFO    Set maxRetry = 3
    2018-10-15 14:52:14,561 fail2ban.filter [15778]: INFO    Set findtime = 600
    2018-10-15 14:52:14,561 fail2ban.actions[15778]: INFO    Set banTime = 600
    2018-10-15 14:52:14,564 fail2ban.jail   [15778]: INFO    Jail 'ssh' started
    2018-10-15 14:52:14,565 fail2ban.jail   [15778]: INFO    Jail 'dovecot-pop3imap' started
    2018-10-15 14:52:14,566 fail2ban.jail   [15778]: INFO    Jail 'pureftpd' started
    
    And finally I am on Debian 8.
    KRs
    L
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You wrote:
    But the listing shows bans. Why do you assume fail2ban is not working?
     
  5. Dextros

    Dextros Member HowtoForge Supporter

    OK, I will rephrase that. fail2ban doesn't appear to be blocking SMTP failures.
     
    Last edited: Oct 16, 2018
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What did you write in /etc/fail2ban/jail.local?
     
  7. Dextros

    Dextros Member HowtoForge Supporter

    Hi Taleman

    See the output of /etc/fail2ban/jail.local

    Code:
    [dovecot-pop3imap]
    enabled = true
    filter = dovecot-pop3imap
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    [pureftpd]
    enabled = true
    port = ftp
    filter = pureftpd
    logpath = /var/log/syslog
    maxretry = 3
    
    I would need to add something along the lines of a postfix filter in here?

    Unless there is a better way to do this, maybe within postfix?

    Thanks

    Lee
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You have to add rules for blocking on SMTP traffic to that file. Use Internet search engines; there are promising hits.
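Added example, not code from the thread or from ISPConfig: a small Python check that parses the jail.local posted above, lists which services each enabled jail actually bans on (from the `port` key or the `port=` argument of the action line), and shows that no jail covers SMTP until a stanza in the same style is appended. The `[sasl]` stanza, its filter name, port list and logpath are assumptions about the filters shipped with fail2ban 0.8.x on Debian 8; confirm the filter exists in /etc/fail2ban/filter.d before using it.

```python
import configparser
import re

# The two jails from the posted jail.local, verbatim.
JAIL_LOCAL_AS_POSTED = """\
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3
"""
# Candidate SMTP jail in the same style (constructed). Assumptions: the 'sasl'
# filter ships with fail2ban 0.8.x (check /etc/fail2ban/filter.d) and Postfix
# writes its SASL authentication failures to /var/log/mail.log.
SMTP_JAIL = """\
[sasl]
enabled = true
port = smtp,ssmtp,submission
filter = sasl
logpath = /var/log/mail.log
maxretry = 5
"""
SMTP_SERVICES = {"smtp", "ssmtp", "submission"}
ACTION_PORT_RE = re.compile(r'port="([^"]*)"')  # inline port list of an action

def jail_ports(jail_local_text):
    """Services each enabled jail bans on: the 'port' key plus any action port= list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local_text)
    result = {}
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        ports = {p.strip() for p in cp.get(jail, "port", fallback="").split(",")}
        m = ACTION_PORT_RE.search(cp.get(jail, "action", fallback=""))
        if m:
            ports.update(p.strip() for p in m.group(1).split(","))
        result[jail] = ports - {""}
    return result

def jails_covering(jail_local_text, services):
    """Names of enabled jails that ban on at least one of the given services."""
    return sorted(j for j, ports in jail_ports(jail_local_text).items() if ports & set(services))
```

Running `jails_covering(JAIL_LOCAL_AS_POSTED, SMTP_SERVICES)` on the posted file returns an empty list, which is the reason SMTP failures never show up as bans; with `SMTP_JAIL` appended it returns `["sasl"]`.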
     
  9. Dextros

    Dextros Member HowtoForge Supporter

    Thanks Taleman for pointing me in the right direction. It's now working like a charm :D
     
