Relay access attempts

Discussion in 'Installation/Configuration' started by cat, Oct 6, 2008.

  1. cat

    cat New Member

    I am receiving the entries below in my mail log on a regular basis. Some times many times on one day. This IP address is not the only one making this attempt, there are several.

    Is this a problem or potential problem?
    Is there a way to block all attempts from these IP addresses?

     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, thats normal. This are just some guys who want to use your server to send spam.

    There are severla ways, one way is:

    /sbin/route add -host 124.8.106.88 reject

    Or you take a look at fail2ban and denyhosts.
     
  3. cat

    cat New Member

    fail2ban permanently banning a persistent offenders

    I have fail2ban installed and working, it is banning relay access attempts amongst others. However I have several IP’s that are being persistent and have worked out that they are only banned for a while so they try and when they get banned they wait for a bit and then try again, after they have been unbanded.

    I know that I can block IP’s with iptables manually and I have tried this however some program on my system (and I think it was fail2ban) has rewritten the iptables and removed all of my additions.

    I went back to the fail2ban documentation to see if there was any thing I could do. In the documentation it sais that you can ban “temporarily or permanently”. I have the temporarily working what I want is a way of permanently banning a persistent offenders. Does any one know how to block persistent offenders with fail2ban.

    Thanks in advance.
    Cat
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I know, fail2ban can ban temporarily or persistent but I dont think that it can ban only some IP's temporarily. What you might use to ban some IP's permanently is this command, which should not collide with the fail2ban iptables rules:

    /sbin/route add -host 192.168.0.1 reject
     
  5. cat

    cat New Member

    I am unsure that fail2ban is working

    fail2ban was updated a day or two ago when I ran update manager. This usually does not cause any problems.
    After the update I noticed some new information when I ran iptables -L

    From iptables -L
    Is this correct or is there problem with fail2ban?

    I also noticed in the fail2ban.log

    From fail2ban.log
    There does not seem to be anything banning these attempts. When fail2ban use to ban things it would put “ban” on the end of the line, I don’t see that any more. I created a jail.local and added the jails from falkos how to setup fail2ban on Debian. However I had to make most of them “enabled = false” because I got the following error messages.

    From fail2ban.log
    I have read every thing I can but I cant find any thing that seems to make a difference. Does any one have any ideas?

    from mail.log
    Also a separate issue I am getting lots of entries like below in my mail.log file is there a problem there and if not id there a way to stop them from being generated?

    From mail.log
    Thanks for your help
    cat:eek:
     
  6. madmucho

    madmucho ISPConfig Developer ISPConfig Developer

    Hi

    AD Code 1 that is normal but your fail2ban have not enable jail , then dont do anything.

    AD Code 2 that isnt normal, please check configuration of your fail2ban jails and log paths.

    AD Code 3 Connections From localhost is normal, that is ispconfig service check atempts.

    Try configure and unerstand fail2ban settings, enable rules only what you need, and add your ip to ingoreip list :) because you can be baned to while configuring and making tests :).
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    /sbin route is a command and not a file to add something. Just execute the command as it is shown in my post, just replace the IP with the IP that shall be banned.
     
  8. dayjahone

    dayjahone Member

    How do I remove the block if I mess up?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    See for details:

    man route

    Example:

    /sbin/route del -host 192.168.0.1 reject
     
  10. dayjahone

    dayjahone Member

    Does it work with domains as well?

    for example: /sbin/route add -host terra.com reject
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    No. IP Routing is below the domain level.
     
  12. dayjahone

    dayjahone Member

    This seems to go away when I reboot.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Thats the way routing works in Linux. The routes are stored within the kernel memory.

    See man route as I suggested above!
     

Share This Page