Fail2ban doesn't work with roundcube

Hi
I had put the right country

I try to put what you sent me
greetings.

Hi

The ip was banned and the hour is correct.

[09-Aug-2024 16:06:41 +0200]: <d2h16r02> IMAP Error: Login failed for [email protected] against localhost from 77.243.87.168 (X-Forwarded-For: 77.243.87.168). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 16:06:55 +0200]: <d2h16r02> IMAP Error: Login failed for [email protected] against localhost from 77.243.87.168 (X-Forwarded-For: 77.243.87.168). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 16:07:13 +0200]: <d2h16r02> IMAP Error: Login failed for [email protected] against localhost from 77.243.87.168 (X-Forwarded-For: 77.243.87.168). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 16:07:46 +0200]: <d2h16r02> IMAP Error: Login failed for [email protected] against localhost from 77.243.87.168 (X-Forwarded-For: 77.243.87.168). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 16:08:03 +0200]: <d2h16r02> IMAP Error: Login failed for [email protected] against localhost from 77.243.87.168 (X-Forwarded-For: 77.243.87.168). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)


Should WEB or MAIL be taken out?
This afternoon I'll try everything else.

greetings.

Great.

Sorry but I don’t understand the question.

sahsanu thanks for following up with timwol. I went straight to bed after my last post.

Yes, my times were off as I never set the TZ in php.ini.

If anyone else tries this, you don't actually have to create enough failed logins to actually get yourself banned. Just run
tail -f /var/log/fail2ban.log
in the terminal, switch to the browser and attempt to login with a bad password 1 time. Then in the terminal you should see
2024-08-09 05:43:46,063 fail2ban.filter [4099569]: INFO [roundcube-auth] Found YOUR_IP - 2024-08-09 05:43:46

Be happy, it is working. No need to ban yourself.

Use CTRL-C to stop the terminal.

I think he is asking which sections should be removed from the ‘banned IP’ list in the Hestia admin section.

roundcube will be listed as WEB. It is on line 50 of /etc/fail2ban/jail.local.

But if your own IP is listed as banned in WEB or MAIL, I would take them both out :)

Hi sahsanu

In the screenshot, when the IP is banned, WEB appears.
Shouldn’t MAIL appear instead?

greetings

No. Hestia is banning the IP from the web server ports. roundcube is a web app.

Hi jperkins

Then should all the IPs banned from the web, like Hestia, roundcube, phpMyAdmin etc.,
appear as WEB?

greetings

Hi

I’ve seen that the IP is no longer banned.
How can I set it in a general way so that banned IPs stay banned for 24 h?

I know that I can modify the file /etc/fail2ban/jail.local and put

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
action   = hestia[name=WEB]
logpath  = /var/log/roundcube/errors.log
maxretry = 3
findtime = 1h
bantime  = 24h

but this is only for roundcube; can I modify it so that it works for all?
Otherwise I have to modify them one by one.

greetings
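To show how the maxretry, findtime and bantime values in that jail apply to log lines like the ones quoted earlier in the thread, here is an added Python example (not from the thread, Hestia or fail2ban). It assumes a simplified regex modelled on the quoted lines rather than fail2ban's real roundcube-auth filter, and runs over constructed sample lines with placeholder mailboxes and IPs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (placeholder mailbox and documentation-range IPs)
# in the shape of the roundcube errors.log entries quoted in this thread.
SAMPLE_LOG = """\
[09-Aug-2024 16:06:41 +0200]: <d2h16r02> IMAP Error: Login failed for user@example.test against localhost from 203.0.113.7 (X-Forwarded-For: 203.0.113.7). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 16:06:55 +0200]: <d2h16r02> IMAP Error: Login failed for user@example.test against localhost from 203.0.113.7 (X-Forwarded-For: 203.0.113.7). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 16:07:13 +0200]: <d2h16r02> IMAP Error: Login failed for user@example.test against localhost from 203.0.113.7 (X-Forwarded-For: 203.0.113.7). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 17:30:00 +0200]: <a1b2c3d4> IMAP Error: Login failed for other@example.test against localhost from 198.51.100.9 (X-Forwarded-For: 198.51.100.9). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
"""

# Simplified pattern for the "Login failed ... from <HOST>" shape. This is an
# assumption modelled on the quoted lines, not fail2ban's own roundcube-auth filter.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: <[^>]+> IMAP Error: Login failed for \S+ "
    r"against \S+ from (?P<ip>[0-9.]+)"
)


def failures(log_text):
    """Return (timestamp, ip) for every line that looks like a failed login."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S %z"), m["ip"]))
    return found


def bans(log_text, maxretry=3, findtime=timedelta(hours=1), bantime=timedelta(hours=24)):
    """Apply the jail's counting rule: an IP is banned once it has maxretry
    failures inside a sliding findtime window. Returns {ip: ban expiry}."""
    recent = {}   # ip -> timestamps still inside the window
    result = {}
    for ts, ip in failures(log_text):
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in result:
            result[ip] = ts + bantime
    return result


if __name__ == "__main__":
    for ip, until in bans(SAMPLE_LOG).items():
        print(f"{ip} banned until {until.isoformat()}")
```

With the jail values above, only the IP with three failures inside an hour is banned; the single failure from the other IP never reaches maxretry.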

To see exactly which Hestia section fail2ban puts it into, look at the file
/etc/fail2ban/jail.local
and look at the action line for each definition. For example, roundcube-auth:
action = hestia[name=WEB]
It will be under the WEB section.

The actual ports blocked are set somewhere else in Hestia.

Hi jperkins

I can see

greetings

Hi

At this moment the only one that I have set to false is

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql/error.log
maxretry = 5

Can I change it to true?

greetings

Hi

Thanks so much sahsanu and jperkins

greetings

I enabled it and tested it thru phpmyadmin and it did trigger fail2ban.

If you allow remote access to mysqld or have local users that access mysqld outside of phpmyadmin you would want to check to see that bad logins thru those routes also trigger /var/log/fail2ban.log

Oh, and I use MariaDB, not PostgreSQL.

Edit: on my system MariaDB is only listening on localhost anyway, so it isn't even set up for remote access. Only local users can access it, which includes phpMyAdmin.

And since you got me curious, these are the various ports blocked by the names used, from
/usr/local/hestia/bin/v-add-firewall-chain
So DB doesn't actually block access to phpMyAdmin, but the underlying MySQL port:

# Checking known chains
case $chain in
        SSH) # Get ssh port (or ports) using v-list-sys-sshd-port.
                sshport="$($BIN/v-list-sys-sshd-port plain | sed ':a;N;$!ba;s/\n/,/g')"
                if [ -z "$sshport" ]; then
                        sshport=22
                fi
                port=$sshport
                protocol=TCP
                ;;
        FTP)
                port=21
                protocol=TCP
                ;;
        MAIL)
                port='25,465,587,110,995,143,993'
                protocol=TCP
                ;;
        DNS)
                port=53
                protocol=UDP
                ;;
        WEB)
                port='80,443'
                protocol=TCP
                ;;
        DB)
                port='3306,5432'
                protocol=TCP
                ;;
        HESTIA)
                port=$hestiaport
                protocol=TCP
                ;;
        RECIDIVE)
                port='1:65535'
                protocol=TCP
                ;;
        *) check_args '2' "$#" 'CHAIN PORT' ;;
esac

I feel this is determined by:

  1. create a default debian 12 system with the related apps installed via apt install fail2ban phpmyadmin and then they are configured properly
  2. test if fail2ban catches a bad login from phpmyadmin

if it does not then I agree it is not a hestia issue.

Otherwise the combination of Debian fail2ban and the Hestia-installed source of roundcube falls within the ownership of Hestia.

Another thing: won't our current change to the fail2ban filter for phpMyAdmin be overwritten when Debian upgrades fail2ban?

Hi jperkins

I’ve changed mysqld to true

[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql/error.log
maxretry = 5

after that I put

systemctl restart fail2ban

and I don’t get my mysql logs.

systemctl status fail2ban.service

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2024-08-11 10:18:57 CEST; 27min ago
       Docs: man:fail2ban(1)
   Main PID: 3178812 (fail2ban-server)
      Tasks: 21 (limit: 19099)
     Memory: 14.4M
        CPU: 8.650s
     CGroup: /system.slice/fail2ban.service
             └─3178812 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

fail2ban-client status

Status
|- Number of jail:      9
`- Jail list:   dovecot-iptables, exim-iptables, hestia-iptables, mysqld-iptables, phpmyadmin-auth, recidive, roundcube-auth, ssh-iptables, vsftpd-iptables

namei -mo /var/log/mysql/error.log

f: /var/log/mysql/error.log
 drwxr-xr-x root  root   /
 drwxr-xr-x root  root   var
 drwxrwxr-x root  syslog log
 drwxr-s--- mysql adm    mysql
 -rw-rw---- mysql adm    error.log

fail2ban-client status mysqld-auth

2024-08-11 11:23:12,847 fail2ban                [3275492]: ERROR   NOK: ('mysqld-auth',)
Sorry but the jail 'mysqld-auth' does not exist
root@deeseeerver:/etc/fail2ban# namei -mo /etc/fail2ban/filter.d/mysqld-auth.conf 
f: /etc/fail2ban/filter.d/mysqld-auth.conf
 drwxr-xr-x root root /
 drwxr-xr-x root root etc
 drwxr-xr-x root root fail2ban
 drwxr-xr-x root root filter.d
 -rw-r--r-- root root mysqld-auth.conf

I have the file on Debian 12, which had MariaDB installed during the Hestia installation.

It isn't a jail called mysqld-auth; it is a filter. I get the same fault with that command.

Hi jperkins

but the jail exists

[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql/error.log
maxretry = 5

greetings