Configure fail2ban

Hi, I see in the logs every few seconds someone tries to access the mail:

2023-10-19 16:49:57 dovecot_login authenticator failed for (localhost) [46.148.40.149]: 535 Incorrect authentication data (set_id=ababa)
2023-10-19 16:50:00 dovecot_login authenticator failed for (localhost) [46.148.40.145]: 535 Incorrect authentication data (set_id=myblog@main_panel_url)
2023-10-19 16:50:03 dovecot_login authenticator failed for (localhost) [46.148.40.198]: 535 Incorrect authentication data (set_id=ccfc)

When I look at the fail2ban config I see all the (default) jails are enabled. In /var/log/fail2ban.log I see loads of:

2023-10-19 16:58:00,031 fail2ban.filter         [507]: INFO    [exim-iptables] Found 46.148.40.94 - 2023-10-19 16:58:00
2023-10-19 16:58:00,032 fail2ban.filter         [507]: INFO    [exim-iptables] Found 46.148.40.152 - 2023-10-19 16:58:00
2023-10-19 16:58:20,395 fail2ban.filter         [507]: INFO    [exim-iptables] Found 46.148.40.143 - 2023-10-19 16:58:20

But when I go to firewall settings and banlist or to the CLI I see only one ban, unfortunately.

fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	34
|  `- File list:	/var/log/fail2ban.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	180.101.88.222

Some IPs have shown up in the fail2ban log like 50+ times today alone. Why aren’t they banned?

Did I miss something in the configuration? I am new to fail2ban.

Hello @mdjong,

By default, fail2ban searches for IPs that match the specific regexes in the logs 5 times in an interval of 10 minutes and, if found, it bans the IP for 10 minutes.

If you want to modify this behavior, you can edit /etc/fail2ban/jail.local and modify the maxretry option and/or add the options findtime and bantime.

Example:

[exim-iptables]
enabled  = true
filter   = exim
action   = hestia[name=MAIL]
logpath  = /var/log/exim4/mainlog
maxretry = 5
findtime = 1h
bantime  = 12h

If you modify jail.local remember to restart fail2ban:

systemctl restart fail2ban

Cheers,
sahsanu

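To see why a host that shows up only once or twice in the log never reaches the ban threshold, here is an added Python example (not sahsanu's code and not fail2ban's own implementation) that applies the maxretry/findtime counting described above to constructed log lines in the same shape as the question's excerpt. The simplified regex, the helper names and the 192.0.2.10 / 198.51.100.7 hosts are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified match for the exim mainlog lines quoted in the question (not fail2ban's own exim failregex).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed "
    r"for \(\S+\) \[(?P<ip>[0-9.]+)\]: 535 Incorrect authentication data"
)

def banned_ips(lines, maxretry=5, findtime=600):
    """IPs a jail would ban: at least maxretry matches inside a sliding findtime window (seconds)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # does not match the failregex, so it is not counted
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # expire matches older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned.add(m["ip"])
    return banned

def fail_line(ts, ip, user):
    """One constructed log line in the same shape as the question's excerpt."""
    return (f"{ts} dovecot_login authenticator failed for (localhost) [{ip}]: "
            f"535 Incorrect authentication data (set_id={user})")

# Constructed sample: three single-hit hosts from one /24 (as in the question), one host
# failing five times in under three minutes, one host failing five times spread over an hour.
BURST = ["17:00:00", "17:00:40", "17:01:20", "17:02:00", "17:02:40"]
SLOW = ["17:10:00", "17:25:00", "17:40:00", "17:55:00", "18:10:00"]
SAMPLE_LOG = [
    fail_line("2023-10-19 16:49:57", "46.148.40.149", "ababa"),
    fail_line("2023-10-19 16:50:00", "46.148.40.145", "myblog"),
    fail_line("2023-10-19 16:50:03", "46.148.40.198", "ccfc"),
    *[fail_line(f"2023-10-19 {t}", "192.0.2.10", "admin") for t in BURST],
    *[fail_line(f"2023-10-19 {t}", "198.51.100.7", "info") for t in SLOW],
]

if __name__ == "__main__":
    print("defaults, 5 in 10 min:", sorted(banned_ips(SAMPLE_LOG)))
    print("findtime = 1h:        ", sorted(banned_ips(SAMPLE_LOG, findtime=3600)))
```

With the defaults only the bursting host is banned; raising findtime to 1h (as in the jail.local example above) also catches the slow host, while the single-hit hosts are never banned by a per-IP counter no matter how often their neighbours appear.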

Thank you for the fast and clear reply. I edited the file and restarted the service. I am curious to see how it performs now.

Another thing I noticed is that I can’t access the ‘iptables’ service when I go to main panel settings. It shows:

iptables firewall 0 minutes 0 cpu 0 MB 

I can load and view every other service. When I try to access this one the server times out. This has been happening for a few days already, always showing the uptime as 0 minutes.

I can see the first IPs on the ban list now, so fail2ban looks to be working.

Thank you! :smiley:

That is normal and it’s the expected behavior; iptables is not an actual service, so it is OK.

You are welcome :wink:

Cheers,
sahsanu
