I read that Hestia has built-in security to protect the panel itself from brute force. I tried to log in with a wrong username and password 10+ times and didn’t get blocked! I checked the fail2ban logs and didn’t find anything.
Check that fail2ban is running:
systemctl status fail2ban --no-pager -l
Check that hestia-iptables exists and is enabled in the jail.local file:
grep -A6 hestia-iptables /etc/fail2ban/jail.local
Also, check that failed logins are being recorded:
tail -n20 /var/log/hestia/auth.log
Hi @sahsanu
root@hcp:~# systemctl status fail2ban --no-pager -l
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2025-02-10 08:00:34 EET; 1h 58min ago
Docs: man:fail2ban(1)
Process: 2875 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 2912 (f2b/server)
Tasks: 17 (limit: 9358)
Memory: 139.4M
CGroup: /system.slice/fail2ban.service
└─2912 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Feb 10 08:00:34 hcp.mydomain.com systemd[1]: Starting Fail2Ban Service…
Feb 10 08:00:34 hcp.mydomain.com systemd[1]: Started Fail2Ban Service.
Feb 10 08:00:36 hcp.mydomain.com fail2ban-server[2912]: Server ready
root@hcp:~#
root@hcp:~#
root@hcp:~# grep -A6 hestia-iptables /etc/fail2ban/jail.local
[hestia-iptables]
enabled = true
filter = hestia
action = hestia[name=HESTIA]
logpath = /var/log/hestia/auth.log
maxretry = 5
root@hcp:~#
root@hcp:~# tail -n20 /var/log/hestia/auth.log
2025-02-09 11:07:15 admin 123.123.123.123 successfully logged in
2025-02-09 11:37:05 admin 123.123.123.123 successfully logged in
2025-02-09 11:37:14 admin 123.123.123.123 successfully logged in
2025-02-09 23:54:26 admin 123.123.123.123 successfully logged in
2025-02-09 23:54:38 admin 123.123.123.123 successfully logged in
2025-02-10 00:33:37 hddhhhh 123.123.123.123 failed to login
2025-02-10 00:33:43 bsshsn 123.123.123.123 failed to login
2025-02-10 00:33:48 jdjsd 123.123.123.123 failed to login
2025-02-10 00:33:55 hddnd 123.123.123.123 failed to login
2025-02-10 00:34:01 ueueje 123.123.123.123 failed to login
2025-02-10 00:34:06 hdhdjd 123.123.123.123 failed to login
2025-02-10 00:34:12 hdhdhd 123.123.123.123 failed to login
2025-02-10 00:34:18 hdhdhd 123.123.123.123 failed to login
2025-02-10 00:34:24 hdhddj 123.123.123.123 failed to login
2025-02-10 00:34:30 hdhdnd 123.123.123.123 failed to login
2025-02-10 00:34:36 hdudhd 123.123.123.123 failed to login
2025-02-10 00:34:43 hdhddn 123.123.123.123 failed to login
2025-02-10 00:34:49 jdjdd 123.123.123.123 failed to login
2025-02-10 09:45:02 admin 123.123.123.123 successfully logged in
2025-02-10 09:45:16 admin 123.123.123.123 successfully logged in
root@hcp:~#
Show the output of these commands:
grep ' Ban' /var/log/fail2ban.log
grep -- '-ban' /var/log/hestia/system.log
iptables -S
fail2ban-client status hestia-iptables
fail2ban-client banned
fail2ban-regex -r --print-all-matched /var/log/hestia/auth.log /etc/fail2ban/filter.d/hestia.conf
root@hcp:~# grep ' Ban' /var/log/fail2ban.log
root@hcp:~# grep 'Ban' /var/log/fail2ban.log
2025-02-10 00:03:49,865 fail2ban.transmitter [2892436]: WARNING Command ['server-stream', 'set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '1d'], ['add', 'recidive', 'auto'], ['set', 'recidive', 'usedns', 'warn'], ['set', 'recidive', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:\\s*fail2ban\\.actions\\s*(?:\\[\\d+\\])?:\\s+)?NOTICE\\s+\\[(?!recidive\\])(?:.*)\\]\\s+Ban\\s+<HOST>\\s*$'], ['set', 'recidive', 'datepattern', '^{DATE}'], ['set', 'recidive', 'addjournalmatch', '_SYSTEMD_UNIT=fail2ban.service', 'PRIORITY=5'], ['set', 'recidive', 'maxretry', 5], ['set', 'recidive', 'maxmatches', 5], ['set', 'recidive', 'findtime', '86400'], ['set', 'recidive', 'bantime', '864000'], ['set', 'recidive', 'ignorecommand', ''], ['set', 'recidive', 'addignoreip', '27.32.63.178'], ['set', 'recidive', 'logencoding', 'auto'], ['set', 'recidive', 'addlogpath', '/var/log/fail2ban.log', 'head'], ['set', 'recidive', 'addaction', 'hestia'], ['multi-set', 'recidive', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain RECIDIVE'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain RECIDIVE'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-RECIDIVE[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> RECIDIVE'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> RECIDIVE'], ['name', 'RECIDIVE'], ['actname', 'hestia'], ['add', 'ssh-iptables', 'auto'], ['set', 'ssh-iptables', 'usedns', 'warn'], ['set', 'ssh-iptables', 'prefregex', 
'^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'], ['set', 'ssh-iptables', 'maxlines', 1], ['multi-set', 'ssh-iptables', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! 
from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on 
\\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>', ['set', 'ssh-iptables', 'datepattern', '{^LN-BEG}'], ['set', 'ssh-iptables', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd'], ['set', 'ssh-iptables', 'maxretry', 5], ['set', 'ssh-iptables', 'maxmatches', 5], ['set', 'ssh-iptables', 'findtime', '10m'], ['set', 'ssh-iptables', 'bantime', '10m'], ['set', 'ssh-iptables', 'ignorecommand', ''], ['set', 'ssh-iptables', 'addignoreip', '27.32.63.178'], ['set', 'ssh-iptables', 'logencoding', 'auto'], ['set', 'ssh-iptables', 'addlogpath', '/var/log/auth.log', 'head'], ['set', 'ssh-iptables', 'addaction', 'hestia'], ['multi-set', 'ssh-iptables', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain SSH'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain SSH'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-SSH[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> SSH'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> SSH'], ['name', 'SSH'], ['actname', 'hestia'], ['add', 'vsftpd-iptables', 'auto'], ['set', 'vsftpd-iptables', 'usedns', 'warn'], ['multi-set', 'vsftpd-iptables', 'addfailregex', ['^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ 
\\S+\\]\\s+)?\\(?pam_unix(?:\\(\\S+\\))?\\)?:?\\s+authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=(ftp)? ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$', '^ \\[pid \\d+\\] \\^\\+\\] FAIL LOGIN: Client "<HOST>"(?:\\s*$|,)']], ['set', 'vsftpd-iptables', 'datepattern', '{^LN-BEG}'], ['set', 'vsftpd-iptables', 'maxretry', 5], ['set', 'vsftpd-iptables', 'maxmatches', 5], ['set', 'vsftpd-iptables', 'findtime', '10m'], ['set', 'vsftpd-iptables', 'bantime', '10m'], ['set', 'vsftpd-iptables', 'ignorecommand', ''], ['set', 'vsftpd-iptables', 'addignoreip', '27.32.63.178'], ['set', 'vsftpd-iptables', 'logencoding', 'auto'], ['set', 'vsftpd-iptables', 'addlogpath', '/var/log/vsftpd.log', 'head'], ['set', 'vsftpd-iptables', 'addaction', 'hestia'], ['multi-set', 'vsftpd-iptables', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain FTP'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain FTP'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-FTP[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> FTP'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> FTP'], ['name', 'FTP'], ['actname', 'hestia'], ['add', 'exim-iptables', 'auto'], ['set', 'exim-iptables', 'usedns', 'warn'], ['multi-set', 'exim-iptables', 'addfailregex', ['^(?: \\[\\d+\\])? (?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\ssender verify fail for <\\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\\s*$', '^(?: \\[\\d+\\])? \\w+ authenticator failed for (?:[^\\[\\( ]* )?(?:\\(\\S*\\) )?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?: 535 Incorrect authentication data( \\(set_id=.*\\)|: \\d+ Time\\(s\\))?\\s*$', '^(?: \\[\\d+\\])? 
(?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\srejected RCPT [^@]+@\\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\\s*$', '^(?: \\[\\d+\\])? SMTP protocol synchronization error \\([^)]*\\): rejected (?:connection from|"\\S+") (?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\s(?:next )?input=".*"\\s*$', '^(?: \\[\\d+\\])? SMTP call from (?:[^\\[\\( ]* )?(?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sdropped: too many (?:nonmail commands|syntax or protocol errors) \\(last (?:command )?was "[^"]*"\\)\\s*$', '^(?: \\[\\d+\\])? SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" (?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sAUTH command used when not advertised\\s*$', '^(?: \\[\\d+\\])? no MAIL in SMTP connection from (?:[^\\[\\( ]* )?(?:\\(\\S*\\) )?(?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sD=\\d\\S*s(?: C=\\S*)?\\s*$', '^(?: \\[\\d+\\])? 
(?:[\\w\\-]+ )?SMTP connection from (?:[^\\[\\( ]* )?(?:\\(\\S*\\) )?(?:H=([\\w.-]+ )?(?:\\(\\S+\\) )?)?\\[<HOST>\\](?::\\d+)?(?: I=\\[\\S+\\](:\\d+)?)?(?: U=\\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\\S+))?\\sclosed by DROP in ACL\\s*$']], ['set', 'exim-iptables', 'maxretry', 5], ['set', 'exim-iptables', 'maxmatches', 5], ['set', 'exim-iptables', 'findtime', '10m'], ['set', 'exim-iptables', 'bantime', '10m'], ['set', 'exim-iptables', 'ignorecommand', ''], ['set', 'exim-iptables', 'addignoreip', '27.32.63.178'], ['set', 'exim-iptables', 'logencoding', 'auto'], ['set', 'exim-iptables', 'addlogpath', '/var/log/exim4/mainlog', 'head'], ['set', 'exim-iptables', 'addaction', 'hestia'], ['multi-set', 'exim-iptables', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain MAIL'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain MAIL'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-MAIL[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> MAIL'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> MAIL'], ['name', 'MAIL'], ['actname', 'hestia'], ['add', 'dovecot-iptables', 'auto'], ['set', 'dovecot-iptables', 'usedns', 'warn'], ['set', 'dovecot-iptables', 'prefregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\\([^\\)]+\\))?: )?(?:pam_unix(?:\\(dovecot:auth\\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$'], ['multi-set', 'dovecot-iptables', 'addfailregex', ['^authentication failure; logname=<F-ALT_USER1>\\S*</F-ALT_USER1> uid=\\S* euid=\\S* tty=dovecot ruser=<F-USER>\\S*</F-USER> rhost=<HOST>(?:\\s+user=<F-ALT_USER>\\S*</F-ALT_USER>)?\\s*$', '^(?:Aborted login|Disconnected)(?::(?: [^ \\(]+)+)? 
\\((?:auth failed, \\d+ attempts(?: in \\d+ secs)?|tried to use (?:disabled|disallowed) \\S+ auth|proxy dest auth failed)\\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\\S+>)?)\\s*$', '^pam\\(\\S+,<HOST>(?:,\\S*)?\\): pam_authenticate\\(\\) failed: (?:User not known to the underlying authentication module: \\d+ Time\\(s\\)|Authentication failure \\(password mismatch\\?\\)|Permission denied)\\s*$', '^[a-z\\-]{3,15}\\(\\S*,<HOST>(?:,\\S*)?\\): (?:unknown user|invalid credentials|Password mismatch)\\s*$']], ['set', 'dovecot-iptables', 'datepattern', '{^LN-BEG}TAI64N\n{^LN-BEG}'], ['set', 'dovecot-iptables', 'addjournalmatch', '_SYSTEMD_UNIT=dovecot.service'], ['set', 'dovecot-iptables', 'maxretry', 5], ['set', 'dovecot-iptables', 'maxmatches', 5], ['set', 'dovecot-iptables', 'findtime', '10m'], ['set', 'dovecot-iptables', 'bantime', '10m'], ['set', 'dovecot-iptables', 'ignorecommand', ''], ['set', 'dovecot-iptables', 'addignoreip', '27.32.63.178'], ['set', 'dovecot-iptables', 'logencoding', 'auto'], ['set', 'dovecot-iptables', 'addlogpath', '/var/log/dovecot.log', 'head'], ['set', 'dovecot-iptables', 'addaction', 'hestia'], ['multi-set', 'dovecot-iptables', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain MAIL'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain MAIL'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-MAIL[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> MAIL'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> MAIL'], ['name', 'MAIL'], ['actname', 'hestia'], ['add', 'hestia-iptables', 'auto'], ['set', 'hestia-iptables', 'usedns', 'warn'], ['set', 'hestia-iptables', 'addfailregex', '.* <HOST> failed to login'], ['set', 'hestia-iptables', 'datepattern', '{^LN-BEG}'], ['set', 'hestia-iptables', 'maxretry', 5], ['set', 'hestia-iptables', 'maxmatches', 5], ['set', 'hestia-iptables', 'findtime', '10m'], ['set', 
'hestia-iptables', 'bantime', '10m'], ['set', 'hestia-iptables', 'ignorecommand', ''], ['set', 'hestia-iptables', 'addignoreip', '27.32.63.178'], ['set', 'hestia-iptables', 'logencoding', 'auto'], ['set', 'hestia-iptables', 'addlogpath', '/var/log/hestia/auth.log', 'head'], ['set', 'hestia-iptables', 'addaction', 'hestia'], ['multi-set', 'hestia-iptables', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain HESTIA'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain HESTIA'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-HESTIA[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> HESTIA'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> HESTIA'], ['name', 'HESTIA'], ['actname', 'hestia'], ['add', 'phpmyadmin-auth', 'auto'], ['set', 'phpmyadmin-auth', 'usedns', 'warn'], ['set', 'phpmyadmin-auth', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?user denied: (?:\\S+|.*?) 
\\(mysql-denied\\) from <HOST>\\s*$'], ['set', 'phpmyadmin-auth', 'datepattern', '{^LN-BEG}'], ['set', 'phpmyadmin-auth', 'maxretry', 5], ['set', 'phpmyadmin-auth', 'maxmatches', 5], ['set', 'phpmyadmin-auth', 'findtime', '10m'], ['set', 'phpmyadmin-auth', 'bantime', '10m'], ['set', 'phpmyadmin-auth', 'ignorecommand', ''], ['set', 'phpmyadmin-auth', 'addignoreip', '27.32.63.178'], ['set', 'phpmyadmin-auth', 'logencoding', 'auto'], ['set', 'phpmyadmin-auth', 'addlogpath', '/var/log/auth.log', 'head'], ['set', 'phpmyadmin-auth', 'addaction', 'hestia'], ['multi-set', 'phpmyadmin-auth', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain WEB'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain WEB'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-WEB[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> WEB'], ['actionunban', '/usr/local/hestia/bin/v-delete-firewall-ban <ip> WEB'], ['name', 'WEB'], ['actname', 'hestia'], ['add', 'exim-auth', 'auto'], ['set', 'exim-auth', 'usedns', 'warn'], ['set', 'exim-auth', 'addfailregex', '^\\s*(?:\\S+ ){2}\\S+ \ue001.*\ue001 \\S+ rejected \\S+ \\S+ \\S+ (.*)$'], ['set', 'exim-auth', 'maxretry', 5], ['set', 'exim-auth', 'maxmatches', 5], ['set', 'exim-auth', 'findtime', '10m'], ['set', 'exim-auth', 'bantime', '600'], ['set', 'exim-auth', 'ignorecommand', ''], ['set', 'exim-auth', 'addignoreip', '27.32.63.178'], ['set', 'exim-auth', 'logencoding', 'auto'], ['set', 'exim-auth', 'addlogpath', '/var/log/exim4/mainlog', 'head'], ['set', 'exim-auth', 'addaction', 'iptables-multiport'], ['multi-set', 'exim-auth', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-exim-auth\n<iptables> -A f2b-exim-auth -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j f2b-exim-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports smtp,ssmtp -j f2b-exim-auth\n<iptables> -F f2b-exim-auth\n<iptables> -X f2b-exim-auth'], ['actionflush', 
'<iptables> -F f2b-exim-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-exim-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-exim-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-exim-auth -s <ip> -j <blocktype>'], ['name', 'exim-auth'], ['port', 'smtp,ssmtp'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>'], ['start', 'recidive'], ['start', 'ssh-iptables'], ['start', 'vsftpd-iptables'], ['start', 'exim-iptables'], ['start', 'dovecot-iptables'], ['start', 'hestia-iptables'], ['start', 'phpmyadmin-auth'], ['start', 'exim-auth']]] has failed. Received RegexException("No failure-id group in '^\\s*(?:\\S+ ){2}\\S+ \ue001.*\ue001 \\S+ rejected \\S+ \\S+ \\S+ (.*)$'")
2025-02-10 00:17:01,657 fail2ban.transmitter [2953856]: WARNING Command ['server-stream', 'set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '1d'], ['add', 'recidive', 'systemd'], ['set', 'recidive', 'usedns', 'warn'], ['set', 'recidive', 'addfailregex', '^\\s*(?:\\S+\\s+)?(?:\\S*(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:\\s*fail2ban\\.actions\\s*(?:\\[\\d+\\])?:\\s+)?NOTICE\\s+\\[(?!recidive\\])(?:.*)\\]\\s+Ban\\s+<HOST>\\s*$'], ['set', 'recidive', 'datepattern', '^{DATE}'], ['set', 'recidive', 'addjournalmatch', '_SYSTEMD_UNIT=fail2ban.service', 'PRIORITY=5'], ['set', 'recidive', 'maxretry', 5], ['set', 'recidive', 'maxmatches', 5], ['set', 'recidive', 'findtime', '86400'], ['set', 'recidive', 'bantime', '864000'], ['set', 'recidive', 'ignorecommand', ''], ['set', 'recidive', 'addignoreip', '27.32.63.178', '127.0.0.1/8', '192.168.100.2/30'], ['set', 'recidive', 'logencoding', 'auto'], ['set', 'recidive', 'addaction', 'hestia'], ['multi-set', 'recidive', 'action', 'hestia', 'actionstart', '/usr/local/hestia/bin/v-add-firewall-chain RECIDIVE'], ['actionstop', '/usr/local/hestia/bin/v-delete-firewall-chain RECIDIVE'], ['actioncheck', "iptables -n -L INPUT | grep -q 'fail2ban-RECIDIVE[ \\t]'"], ['actionban', '/usr/local/hestia/bin/v-add-firewall-ban <ip> RECIDIVE'], ['actionunban', '/usr/local/hesti
root@hcp:~# grep -- '-ban' /var/log/hestia/system.log
2025-02-01 17:11:11 v-add-firewall-ban '159.89.21.29' 'MAIL'
2025-02-01 17:21:12 v-delete-firewall-ban '159.89.21.29' 'MAIL'
2025-02-04 01:30:24 v-add-firewall-ban '159.89.27.227' 'MAIL'
2025-02-04 01:40:25 v-delete-firewall-ban '159.89.27.227' 'MAIL'
2025-02-04 11:12:11 v-add-firewall-ban '159.89.110.35' 'MAIL'
2025-02-04 11:22:12 v-delete-firewall-ban '159.89.110.35' 'MAIL'
2025-02-04 12:01:02 v-add-firewall-ban '206.168.34.36' 'MAIL'
2025-02-04 12:06:18 v-add-firewall-ban '69.45.225.98' 'MAIL'
2025-02-04 12:11:01 v-delete-firewall-ban '206.168.34.36' 'MAIL'
2025-02-04 12:16:17 v-delete-firewall-ban '69.45.225.98' 'MAIL'
2025-02-04 13:26:49 v-add-firewall-ban '49.124.149.204' 'MAIL'
2025-02-04 13:36:50 v-delete-firewall-ban '49.124.149.204' 'MAIL'
2025-02-05 12:34:22 v-add-firewall-ban '49.124.151.37' 'MAIL'
2025-02-05 12:44:22 v-delete-firewall-ban '49.124.151.37' 'MAIL'
2025-02-05 22:55:40 v-add-firewall-ban '166.144.247.182' 'MAIL'
2025-02-05 22:58:33 v-add-firewall-ban '166.144.247.182' 'MAIL'
2025-02-05 23:05:41 v-delete-firewall-ban '166.144.247.182' 'MAIL'
2025-02-06 04:12:35 v-add-firewall-ban '49.124.152.232' 'MAIL'
2025-02-06 04:22:35 v-delete-firewall-ban '49.124.152.232' 'MAIL'
2025-02-07 20:22:34 v-add-firewall-ban '138.75.98.134' 'MAIL'
2025-02-07 20:32:35 v-delete-firewall-ban '138.75.98.134' 'MAIL'
2025-02-07 21:36:04 v-add-firewall-ban '64.188.163.62' 'MAIL'
2025-02-07 21:46:05 v-delete-firewall-ban '64.188.163.62' 'MAIL'
2025-02-08 20:58:57 v-add-firewall-ban '64.227.87.132' 'MAIL'
2025-02-08 21:08:58 v-delete-firewall-ban '64.227.87.132' 'MAIL'
2025-02-08 21:10:45 v-add-firewall-ban '216.73.103.221' 'MAIL'
2025-02-08 21:20:46 v-delete-firewall-ban '216.73.103.221' 'MAIL'
2025-02-08 23:33:36 v-add-firewall-ban '49.124.153.37' 'MAIL'
2025-02-08 23:43:37 v-delete-firewall-ban '49.124.153.37' 'MAIL'
root@hcp:~#
root@hcp:~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-N fail2ban-FTP
-N fail2ban-HESTIA
-N fail2ban-MAIL
-N fail2ban-RECIDIVE
-N fail2ban-SSH
-N fail2ban-WEB
-N hestia
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -p tcp -m tcp --dport 2083 -j fail2ban-HESTIA
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.100.2/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-MAIL -j RETURN
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN
root@hcp:~#
root@hcp:~# fail2ban-client status hestia-iptables
Status for the jail: hestia-iptables
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
root@hcp:~#
root@hcp:~# fail2ban-client banned
2025-02-10 12:12:26,741 fail2ban [1090738]: ERROR NOK: ('Invalid command',)
Invalid command
root@hcp:~#
root@hcp:~# fail2ban-regex -r --print-all-matched /var/log/hestia/auth.log /etc/fail2ban/filter.d/hestia.conf
Running tests
=============
Use failregex filter file : hestia, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/hestia/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 13 total
|- #) [# of hits] regular expression
| 1) [13] .* <HOST> failed to login
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [45] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 45 lines, 0 ignored, 13 matched, 32 missed
[processed in 0.00 sec]
|- Matched line(s):
| 2025-02-10 00:33:37 hddhhhh 123.123.123.123 failed to login
| 2025-02-10 00:33:43 bsshsn 123.123.123.123 failed to login
| 2025-02-10 00:33:48 jdjsd 123.123.123.123 failed to login
| 2025-02-10 00:33:55 hddnd 123.123.123.123 failed to login
| 2025-02-10 00:34:01 ueueje 123.123.123.123 failed to login
| 2025-02-10 00:34:06 hdhdjd 123.123.123.123 failed to login
| 2025-02-10 00:34:12 hdhdhd 123.123.123.123 failed to login
| 2025-02-10 00:34:18 hdhdhd 123.123.123.123 failed to login
| 2025-02-10 00:34:24 hdhddj 123.123.123.123 failed to login
| 2025-02-10 00:34:30 hdhdnd 123.123.123.123 failed to login
| 2025-02-10 00:34:36 hdudhd 123.123.123.123 failed to login
| 2025-02-10 00:34:43 hdhddn 123.123.123.123 failed to login
| 2025-02-10 00:34:49 jdjdd 123.123.123.123 failed to login
`-
Missed line(s): too many to print. Use --print-all-missed to print all 32 lines
What I see:
1.- It’s strange that fail2ban.log doesn’t show any ban.
2.- system.log only shows that last triggered bans were 2 days ago.
3.- You have enabled ufw frontend firewall, disable it.
4.- fail2ban-client banned should be a valid command:
fail2ban-client -h | grep -i banned
5.- the filter hestia-iptables is detecting the auth.log entries.
6.- You are using port 2083. Are you proxying the access via Cloudflare? Is 123.123.123.123 a Cloudflare IP?
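Point 5 above says the filter matches the 13 failed-login lines, yet the jail reports Total failed: 0 and no ban. The script below is an added example (not Hestia or fail2ban code) that replays fail2ban's bookkeeping after a failregex hit, using the values posted in this thread: failregex `.* <HOST> failed to login`, maxretry 5, findtime 10m, bantime 10m, and the ignoreip list from the fail2ban.log dump. It tells you what verdict the jail should have reached for those lines, so the output can be compared with `fail2ban-client status hestia-iptables`. The only assumption is that `<HOST>` is expanded into a simple token capture instead of fail2ban's full address grammar.

```python
"""Replay fail2ban's ban decision for the hestia-iptables jail over auth.log lines.

Added example, not Hestia or fail2ban code. It re-implements only the bookkeeping
fail2ban applies after a failregex hit (findtime window, maxretry threshold,
ignoreip exemption, bantime) so the expected verdict can be compared with what
`fail2ban-client status hestia-iptables` reports. Assumption: <HOST> is expanded
into a plain token capture instead of fail2ban's full address grammar.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters as posted in jail.local and the fail2ban.log configuration dump.
FAILREGEX = r".* <HOST> failed to login"
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)
IGNOREIP = ["27.32.63.178", "127.0.0.1/8", "192.168.100.2/30"]

# Hestia's auth.log starts every line with "YYYY-MM-DD HH:MM:SS" (datepattern {^LN-BEG}).
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# Simplified stand-in for fail2ban's <HOST> expansion (assumption, see docstring).
HOST_GROUP = r"(?P<host>[\w\-.:]+)"

# Lines copied from the auth.log excerpt posted in the thread.
SAMPLE_LOG = [
    "2025-02-09 23:54:38 admin 123.123.123.123 successfully logged in",
    "2025-02-10 00:33:37 hddhhhh 123.123.123.123 failed to login",
    "2025-02-10 00:33:43 bsshsn 123.123.123.123 failed to login",
    "2025-02-10 00:33:48 jdjsd 123.123.123.123 failed to login",
    "2025-02-10 00:33:55 hddnd 123.123.123.123 failed to login",
    "2025-02-10 00:34:01 ueueje 123.123.123.123 failed to login",
    "2025-02-10 00:34:06 hdhdjd 123.123.123.123 failed to login",
    "2025-02-10 00:34:12 hdhdhd 123.123.123.123 failed to login",
    "2025-02-10 00:34:18 hdhdhd 123.123.123.123 failed to login",
    "2025-02-10 00:34:24 hdhddj 123.123.123.123 failed to login",
    "2025-02-10 00:34:30 hdhdnd 123.123.123.123 failed to login",
    "2025-02-10 00:34:36 hdudhd 123.123.123.123 failed to login",
    "2025-02-10 00:34:43 hdhddn 123.123.123.123 failed to login",
    "2025-02-10 00:34:49 jdjdd 123.123.123.123 failed to login",
    "2025-02-10 09:45:02 admin 123.123.123.123 successfully logged in",
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex into a Python pattern with a named host group."""
    return re.compile("^" + failregex.replace("<HOST>", HOST_GROUP) + "$")


def is_ignored(host: str, ignoreip=IGNOREIP) -> bool:
    """ignoreip exemption: addresses inside any listed network are never banned."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames would need DNS (usedns); not handled here
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def replay_jail(lines, failregex=FAILREGEX, maxretry=MAXRETRY,
                findtime=FINDTIME, bantime=BANTIME, ignoreip=IGNOREIP):
    """Return [(timestamp, host), ...] for every ban the jail should have issued.

    Each host keeps a sliding window of failure times no older than findtime;
    reaching maxretry entries triggers a ban, clears the window, and suppresses
    further counting for that host until bantime has elapsed.
    """
    rx = compile_failregex(failregex)
    window = defaultdict(deque)
    banned_until = {}
    bans = []
    for line in lines:
        dm = DATE_RE.match(line)
        if not dm:
            continue  # no parseable timestamp: fail2ban would skip the line too
        ts = datetime.strptime(dm.group(1), "%Y-%m-%d %H:%M:%S")
        fm = rx.match(dm.group("rest"))
        if not fm:
            continue  # e.g. "successfully logged in" lines
        host = fm.group("host")
        if is_ignored(host, ignoreip) or ts < banned_until.get(host, ts):
            continue
        q = window[host]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, host))
            banned_until[host] = ts + bantime
            q.clear()
    return bans


if __name__ == "__main__":
    for when, host in replay_jail(SAMPLE_LOG):
        print(f"{when} would ban {host}")
```

Run against the posted lines it predicts one ban of 123.123.123.123 at 00:34:01, the fifth failure inside the 10-minute window, with no ignoreip entry covering that address. Since the filter, thresholds and ignoreip all point to a ban, the remaining question is whether the jail was actually loaded and reading auth.log when those lines were written: the posted fail2ban.log shows the whole configuration stream being rejected at 00:03:49 with a RegexException from the exim-auth filter, which is worth correlating with the 00:33 attempts before looking anywhere else.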
Yes, I’m using Cloudflare proxy. That’s my laptop’s IP
Never used it
root@hcp:~# sudo ufw status
Status: inactive
root@hcp:~# sudo ufw status verbose
Status: inactive
root@hcp:~#
Could you please share the panel domain so I can check whether I get banned? If you don’t want to share it publicly, send me a private message.
Then I’m wondering why there are ufw- rules in your iptables list…