Granular Log data on Fail2Ban

Is there a way to reveal more granular fail2ban information such as offending account being used in the log?

No, it only takes the IPs from the logs.

I am willing to pay a little money to get more granular data. My hypothesis is that the calendar app on iPhone is using old credentials to synchronize calendar events, causing fail2ban to ban the device’s cellular IP address… it would ban the local address as well had I not added it to the whitelist.

Can someone let me know how to move this feature request forward?

-Jonathan

So a calendar program on your Hestia server is synchronizing with calendar events on the phone?

If so, why don't you look at the logs for the program/web app on the Hestia server? Hestia itself doesn't have a calendar, does it?

You need to give more details of the apps on the phone that are contacting Hestia CP and the calendar app running on the Hestia CP server.

No, Apple Calendar sends SMTP messages to update notes and calendar. If you run wirereguard, you can monitor iPhone when you make changes to a note and you will see email activity occur as you edit notes.

There is not a calendar program with its own logs. I need hestia to log more granular data on the failed login attempts so I can figure out what device and what account is the offending causal agent leading to the fail2ban block.

Sorry, I know nothing about iPhone so you will have to educate me.

So it sends these SMTP messages to Apple or to your Hestia CP mail server?

1. So when you get a banned IP in Hestia CP, what chain is the ban located in?

Also, you can look in /var/log/fail2ban.log to see what filter caused the ban:

grep <banned_IP> /var/log/fail2ban.log

2. It should come back with some data, and some of it will be in brackets. The part in brackets is what filter was hit in fail2ban.

2024-08-11 08:40:29,810 fail2ban.filter [611]: INFO [dovecot-iptables] Found 109.173.25.72 - 2024-08-11 08:40:29
2024-08-11 08:40:31,445 fail2ban.filter [611]: INFO [exim-iptables] Found 109.173.25.72 - 2024-08-11 08:40:31
2024-08-11 09:05:57,295 fail2ban.filter [611]: INFO [dovecot-iptables] Found 189.51.32.90 - 2024-08-11 09:05:57

3. I am guessing, since you mention SMTP, the chain will be mail. Then you can view the appropriate logfile to see details of the offense:
/var/log/mailog
/var/log/exim4/mainlog
/var/log/exim4/rejectlog
/var/log/dovecot.log

All the data you need is there, you just need to know where to look.

Well, apparently iOS stores notes in IMAP. Go figure.

So as you chase down my previous message, the answers may be:
1. mail
2. [dovecot-iptables]
3. /var/log/dovecot.log

But we won't know for sure till you report back.

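The lookup described in the replies above, carried through to the account name, as an added example (not code from the thread, Hestia or fail2ban): it reads the jail from fail2ban.log, then pulls the failed-login account for the same IP from the Dovecot and Exim logs. The log lines are constructed samples using documentation IPs and made-up accounts, and the `user=<...>`/`rip=` and `set_id=` layouts are assumed to match what your Dovecot and Exim versions write.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IPs, made-up accounts), not from a real server.
FAIL2BAN_LOG = """\
2024-08-11 08:40:29,810 fail2ban.filter [611]: INFO [dovecot-iptables] Found 198.51.100.23 - 2024-08-11 08:40:29
2024-08-11 08:40:31,445 fail2ban.filter [611]: INFO [exim-iptables] Found 198.51.100.23 - 2024-08-11 08:40:31
2024-08-11 09:05:57,295 fail2ban.filter [611]: INFO [dovecot-iptables] Found 203.0.113.77 - 2024-08-11 09:05:57
"""
DOVECOT_LOG = """\
Aug 11 08:40:29 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<notes@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS, session=<a1>
Aug 11 08:41:02 mail dovecot: imap-login: Login: user=<jonathan@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=900, TLS, session=<a2>
Aug 11 09:05:57 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS, session=<a3>
"""
EXIM_LOG = """\
2024-08-11 08:40:31 dovecot_login authenticator failed for (iPhone) [198.51.100.23]: 535 Incorrect authentication data (set_id=notes@example.com)
"""

FOUND = re.compile(r"\[([^\]]+)\] Found (\S+) ")
DOVECOT_FAIL = re.compile(r"auth failed.*?user=<([^>]*)>.*?\brip=([0-9a-fA-F.:]+)")
EXIM_FAIL = re.compile(r"authenticator failed for .*?\[([0-9a-fA-F.:]+)\].*?\(set_id=([^)]*)\)")

def jails_for_ip(fail2ban_log, ip):
    """Jails whose filter matched this IP (the bracketed name in fail2ban.log)."""
    return sorted({jail for jail, found in FOUND.findall(fail2ban_log) if found == ip})

def failed_accounts(ip, dovecot_log="", exim_log=""):
    """Count failed logins per (service, account) for one client IP."""
    hits = Counter()
    for line in dovecot_log.splitlines():
        m = DOVECOT_FAIL.search(line)
        if m and m.group(2) == ip:
            hits[("dovecot", m.group(1))] += 1
    for line in exim_log.splitlines():
        m = EXIM_FAIL.search(line)
        if m and m.group(1) == ip:
            hits[("exim", m.group(2))] += 1
    return hits

if __name__ == "__main__":
    ip = "198.51.100.23"
    print(ip, "matched jails:", jails_for_ip(FAIL2BAN_LOG, ip))
    for (service, account), n in failed_accounts(ip, DOVECOT_LOG, EXIM_LOG).items():
        print(f"  {service}: {n} failed login(s) for {account}")
```

On a live server, pass the contents of the real log files instead of the sample strings; successful logins from the same IP are ignored, so only the account that is failing shows up.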