My IP still banned despite modification in jail.local

ivano.buffa · September 4, 2022, 8:26am

Hi Team,

After researching I am quite sure this post is definitely new.

I have a mail client running on one of my VPS (brand new installation and brand new public static IPv4 address - let’s called it A.B.C.D).

While creating a mail account in my mail client - trying to retrieve emails from my existing mailbox in my mail server running on my instance of HestiaCP - I received connection refused.

After a first digging I realized that - for some strange reason (still unknown to me) - the IP address of my server appeared in the list of banned IP addresses in the Manage Banned IPs section of my HestiaCP web admin UI.

Small note: the service appeared as RECIDIVE (screenshot below):

After reading in this forum, I added the following line at the end of the file /etc/fail2ban/jail.local

ignoreip = A.B.C.D  E.F.G.H.

Please note also the second IP address (E.F.G.H.) added after leaving a space as per instructions in the file /etc/fail2ban/jail.conf (which I haven’t modified - see screenshot of this file below):

I then restarted the fail2ban service (# systemctl restart fail2ban) and also did a reboot. After that my banned IP address A.B.C.D. disappeared from the list of banned IP addresses in the HestiaCP web admin UI and I was able to successfully configure my mail client in my VPS with IP address A.B.C.D.

All the above was 24 hours ago.

Today I realized that the IP address A.B.C.D. is banned back again in HestiaCP. I checked the file /etc/fail2ban/jail.local (in case the modification I made yesterday did not survive the previous reboot) but the directive I entered is still there.

Can someone help on this?

HINT: In my HestiaCP web admin UI, the IP address A.B.C.D. appeared as banned, however the value of the service (last column in the right) is now reporting MAIL instead of RECIDIVE:

Thanks in advance.

Ivano

chris · September 4, 2022, 9:45am

You should put the ignoreip rule within a [DEFAULT] block like so:

[DEFAULT]
ignoreip = 12.34.567.8

Spelling must be in capital letters!

ivano.buffa · September 4, 2022, 10:55am

Thanks Chris.

I’ll give it a try right at the end of jail.local.

However, is the order of the [DEFAULT] block important within the file? Mine is at the end as of now.

Also all the title of all the other blocks is in lower case. This is my file now:

[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = hestia[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 5

[exim-iptables]
enabled  = true
filter   = exim
action   = hestia[name=MAIL]
logpath  = /var/log/exim4/mainlog

[dovecot-iptables]
enabled  = true
filter   = dovecot
action   = hestia[name=MAIL]
logpath  = /var/log/dovecot.log

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql.log
maxretry = 5

[hestia-iptables]
enabled  = true
filter   = hestia
action   = hestia[name=HESTIA]
logpath  = /var/log/hestia/auth.log
maxretry = 5

[roundcube-auth]
enabled  = false
filter   = roundcube-auth
action   = hestia[name=WEB]
logpath  = /var/log/roundcube/errors.log
maxretry = 5

[recidive]
enabled  = true
filter   = recidive
action   = hestia[name=RECIDIVE]
logpath  = /var/log/fail2ban.log
maxretry = 5
findtime = 86400
bantime  = 864000

[DEFAULT]
ignoreip = A.B.C.D E.F.G.H.

Regards.

Ivano

chris · September 4, 2022, 11:09am

Looks good!

ivano.buffa · September 4, 2022, 5:03pm

Thanks Chris. It looks like it’s working. I will confirm that in 24 hours from now.

Raphael · September 4, 2022, 5:07pm

Always a good idea is to find the source of your ban, there seems to be a client with wrong creds.

ivano.buffa · September 5, 2022, 8:58am

Hi SciT, credentials were correct. That’s one of the reasons why I couldn’t understand. Thank you though

eris · September 5, 2022, 9:16am

Check /var/log/exim4/mainlog and see what happens

system · October 5, 2022, 9:16am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.