My smtp server bans my webservers because of fail2ban.
Webserver hosting WordPress → Connects via SMTP → Mail server (Hestia) → Sends emails
When a website has a misconfigured plugin, during test or at any point, the whole server gets banned. And no other Website can send emails.
I would like to whitelist my webservers in my Mail server to prevent this from happening.
This is what I tried
/etc/fail2ban/jail.local
[default]
ignoreip = 195.114.211.xxx 5.56.63.xxx 5.56.62.xxx 185.37.226.xxx 5.56.60.xxx
I could also run a cron with action unban every minute, but it is not an elegant solution.
Will an IPset of accepted IPs be banned by fail2ban?
Doesn’t work. I can’t set an ipset of fewer than 10 IPs.
When I configure the individual IPs in iptables, the fail2ban rules are higher in the iptables list.
root@c02:/usr/local/hestia/install/deb/firewall/ipset# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-HESTIA tcp -- anywhere anywhere tcp dpt:8083
fail2ban-FTP tcp -- anywhere anywhere tcp dpt:ftp
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:2220
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
fail2ban-MAIL tcp -- anywhere anywhere multiport dports smtp,submissions,submission,pop3,pop3s,imap2,imaps
fail2ban-RECIDIVE tcp -- anywhere anywhere multiport dports tcpmux:65535
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Okay, after testing whitelisting with ipset, iptables and fail2ban again:
I changed [default] to [DEFAULT], and it is now not banning my bad attempts.
I have been playing around with this, and I have something to add:
You can create a file such as: /etc/fail2ban/jail.d/whitelist.local
With this content:
[DEFAULT]
ignoreip=
 1.1.1.1
 2.2.2.0/24
 subdomain.domain.tld
 3.3.3.3 4.4.4.4/16
That way you can pull Googlebot's IP list and whitelist it in the ignoreip.
Edit: note that there is a SPACE character at the beginning of each line after the “ignoreip=” part.
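As an added example (not from this thread or the Hestia project), here is a small Python checker that reads a jail.d whitelist file the way fail2ban's configparser-based loader does and flags the two mistakes discussed above: a lowercase [default] section, which jails do not inherit, and an ignoreip entry that is neither an IP, a CIDR range nor a hostname. Both sample configs below are constructed for the example.

```python
import configparser
import ipaddress
import re

# Constructed sample: a correct whitelist. Every continuation line starts
# with a space, otherwise configparser treats it as a parse error.
GOOD_CONF = """\
[DEFAULT]
ignoreip =
 1.1.1.1
 2.2.2.0/24
 subdomain.domain.tld
 3.3.3.3 4.4.4.4/16
"""

# Constructed sample of the mistake from the original post: [default] is an
# ordinary section, so no jail inherits its ignoreip and nothing is whitelisted.
BAD_CONF = """\
[default]
ignoreip = 195.114.211.1 5.56.63.1
"""

# Hostname: dotted labels, last label must contain a letter so that a
# malformed dotted quad such as 12.34.567.89 is not mistaken for a DNS name.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]*[A-Za-z][A-Za-z0-9-]*$")


def classify(entry):
    """Return 'ip', 'net', 'host' or 'invalid' for one ignoreip token."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "net"
    except ValueError:
        pass
    return "host" if HOSTNAME_RE.match(entry) else "invalid"


def check_whitelist(text):
    """Parse INI text like fail2ban does and report what ignoreip really applies."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    problems = []
    # Only the exact name DEFAULT is the inherited section; [default] is not.
    for section in parser.sections():
        if section.lower() == "default":
            problems.append(f"section [{section}] is not [DEFAULT]; jails will not inherit it")
    entries = parser.defaults().get("ignoreip", "").split()  # continuation lines join with \n
    if not entries:
        problems.append("no ignoreip entries under [DEFAULT]")
    kinds = {e: classify(e) for e in entries}
    problems.extend(f"invalid ignoreip entry: {e}" for e, k in kinds.items() if k == "invalid")
    return {"entries": kinds, "problems": problems}
```

Hostnames are only syntax-checked here; fail2ban resolves them via DNS at load time, so verify the live result afterwards with `fail2ban-client get <jail> ignoreip`.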
johnny
6
@jlguerrero I like this idea
Also, is there a way to just whitelist an IP or FQDN in the HestiaCP UI, or is that not a feature yet?
chris
7
Yes, just add this block in your fail2ban config:
host.yourdomain.com/edit/server/fail2ban/
# My home IP address / 12.34.567.89
# My work IP address / 98.76.543.21
[DEFAULT]
ignoreip = 12.34.567.89 98.76.543.21
system
Closed
8
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.