Fail2ban whitelist

My smtp server bans my webservers because of fail2ban.

Webserver hosting WordPress → Connects via SMTP → Mail server (Hestia) → Sends emails

When a website has a misconfigured plugin, during a test or at any point, the whole server gets banned, and no other website can send emails.

I would like to whitelist my webservers in my Mail server to prevent this from happening.

This is what I tried:

/etc/fail2ban/jail.local

[default]
ignoreip = 195.114.211.xxx 5.56.63.xxx 5.56.62.xxx 185.37.226.xxx 5.56.60.xxx

I could also run a cron with action unban every minute, but it is not an elegant solution.

Will an IPset of accepted IPs be banned by fail2ban?

Doesn't work. I can't set an ipset of fewer than 10 IPs.

When I configure the individual IPs in iptables, the fail2ban rules are higher in the iptables list.

root@c02:/usr/local/hestia/install/deb/firewall/ipset# iptables -L
Chain INPUT (policy DROP)
target             prot opt source    destination
fail2ban-HESTIA    tcp  --  anywhere  anywhere     tcp dpt:8083
fail2ban-FTP       tcp  --  anywhere  anywhere     tcp dpt:ftp
fail2ban-SSH       tcp  --  anywhere  anywhere     tcp dpt:2220
f2b-sshd           tcp  --  anywhere  anywhere     multiport dports ssh
fail2ban-MAIL      tcp  --  anywhere  anywhere     multiport dports smtp,submissions,submission,pop3,pop3s,imap2,imaps
fail2ban-RECIDIVE  tcp  --  anywhere  anywhere     multiport dports tcpmux:65535
ACCEPT             all  --  anywhere  anywhere     state RELATED,ESTABLISHED

Okay, after testing whitelisting with ipset, iptables and fail2ban again:

I changed [default] to [DEFAULT] and it is not banning my bad attempts.

I have been playing around with this, and I have something to add:

You can create a file such as: /etc/fail2ban/jail.d/whitelist.local
With this content:

[DEFAULT]
ignoreip=
 1.1.1.1
 2.2.2.0/24
 subdomain.domain.tld
 3.3.3.3 4.4.4.4/16

That way you can pull Googlebot's IP list and whitelist it in the ignoreip.

Edit: note that there is a SPACE character at the beginning of each line after the “ignoreip=” part.

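Why changing [default] to [DEFAULT] fixed the banning, and how the multi-line jail.d/whitelist.local layout above is read, can be checked offline with Python's configparser, which is what fail2ban itself uses to read jail.conf, jail.local and jail.d/*.local. The script below is an added example, not code from the thread or from Hestia or fail2ban; the two configurations and the addresses in them are constructed samples (documentation ranges), and the jail name "postfix" is just an illustrative section. In configparser the section [DEFAULT] supplies fallback values to every other section, while a section literally named [default] is only an ordinary (non-existent) jail, so its ignoreip never reaches the mail jail.

```python
"""Resolve fail2ban's effective ignoreip for a jail and test an address against it.

Added example, not part of the forum thread or of fail2ban/Hestia. Sample
configurations and IP addresses are constructed for illustration.
"""
import configparser
import ipaddress

# Constructed sample: the lower-case section name the original poster tried.
WRONG_CASE = """
[default]
ignoreip = 192.0.2.10 198.51.100.0/24

[postfix]
enabled = true
port = smtp,submission
"""

# Constructed sample: the jail.d/whitelist.local layout from the thread,
# a multi-line value whose continuation lines each start with a space.
CORRECT_CASE = """
[DEFAULT]
ignoreip =
 192.0.2.10
 198.51.100.0/24
 relay.example.org
 203.0.113.5 2001:db8::/32

[postfix]
enabled = true
port = smtp,submission
"""


def load_jails(text):
    """Parse jail configuration text the way fail2ban does (configparser)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def ignoreip_for(parser, jail):
    """Return the effective ignoreip entries for a jail as a list of strings.

    configparser falls back to [DEFAULT] for keys a section lacks, so entries
    placed there reach every jail; entries in a section called [default] do not.
    """
    if not parser.has_section(jail):
        raise KeyError(f"jail {jail!r} is not defined")
    raw = parser.get(jail, "ignoreip", fallback="")
    # fail2ban accepts entries separated by spaces and/or newlines.
    return raw.split()


def is_ignored(addr, entries):
    """True if addr falls inside any IP or CIDR entry.

    Hostname entries (e.g. relay.example.org) are skipped: fail2ban resolves
    them through DNS at runtime, which this offline check deliberately does not.
    """
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an address or CIDR, treat as a hostname
        if ip in network:
            return True
    return False


if __name__ == "__main__":
    for label, text in (("[default]", WRONG_CASE), ("[DEFAULT]", CORRECT_CASE)):
        entries = ignoreip_for(load_jails(text), "postfix")
        print(f"{label}: postfix ignoreip = {entries}")
        print("  198.51.100.77 ignored:", is_ignored("198.51.100.77", entries))
```

Run it against a copy of your own jail.local text by swapping the constructed strings for the file contents. On a live host the matching check is what the running daemon reports for the jail that guards SMTP in your jail.local, for example `fail2ban-client get <jail> ignoreip`; if the webserver addresses are missing there, the section name or the leading space on the continuation lines is the first thing to look at.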

@jlguerrero I like this idea
Also, is there a way to just whitelist an IP or FQDN in the HestiaCP UI, or is that not a feature yet?

Yes, just add this block in your fail2ban config:
host.yourdomain.com/edit/server/fail2ban/

# My home IP address / 12.34.567.89
# My work IP address / 98.76.543.21

[DEFAULT]
ignoreip = 12.34.567.89 98.76.543.21
