Selfban - fail2ban

Good afternoon, I encountered the following problem: when registering on the site, my users were sent a letter with a code. After a while I began to receive complaints that the codes were not being received. I checked the firewall, and my machine's IP is there; I added ignoreip to the config, but after some time… it is blocked again by Fail2Ban with the Mail template. Why? How do I fix this? I really hope for your help! Thanks in advance for your answers!

@sahsanu Hello! Can you help resolve this issue please?

How is your site sending those mails? What is the ip being blocked, the same public ip that you use in your Hestia server?

Check the time of bans for your ip:

grep -ri 'notice.*ban\s' /var/log/fail2ban.log*

Then check exim and dovecot logs to view the reason it is failing.

Logs are here:

/var/log/exim4/mainlog
/var/log/exim4/rejectlog
/var/log/dovecot.log

To check the logs for the ip in exim, you can also use this:

exigrep 'here.the.affected.ip' /var/log/exim4/mainlog*

Where and how did you add the ip?

Information from the fail2ban log:


/var/log/fail2ban.log.1:2024-01-27 18:50:04,402 fail2ban.actions        [1088]: NOTICE  [dovecot-iptables] Ban 194.146.242.192

Information from the main log:

2024-01-28 15:33:31 no host name found for IP address 194.146.242.192

2024-01-28 15:33:32 no host name found for IP address 194.146.242.192

2024-01-28 15:33:33 1rU4Ls-00594D-1e <= [email protected] H=(imw-rpg.ru) [194.146.242.192] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.imw-rpg.ru A=dovecot_plain:[email protected] S=2223 [email protected]
2024-01-28 15:33:39 1rU4Ls-00594D-1e => [email protected] R=dnslookup T=remote_smtp H=mx02.mail.icloud.com [17.42.251.62] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=yes K C="250 2.0.0 Ok: 2919 bytes queued as ABE655C000DC"
2024-01-28 15:33:39 1rU4Ls-00594D-1e Completed

2024-01-19 15:01:01 no host name found for IP address 194.146.242.192

2024-01-19 15:01:02 no host name found for IP address 194.146.242.192

2024-01-19 15:01:05 1rQnYU-001Vbi-2x <= [email protected] H=(imw-rpg.ru) [194.146.242.192] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.imw-rpg.ru A=dovecot_plain:[email protected] S=2193 [email protected]
2024-01-19 15:01:05 1rQnYU-001Vbi-2x => admin <[email protected]> R=localuser T=local_delivery
2024-01-19 15:01:05 1rQnYU-001Vbi-2x Completed

2024-01-27 04:39:10 SMTP call from census6.shodan.io [66.240.236.119] dropped: too many syntax or protocol errors (last command was "?/?<\300\234\300\240?\234?5?=\300\235\300\241?\235?A?\272?\204?\300?\007?\004?\005\001??\306???\024?\022??\017194.146.242.192?\027???\001?\001\001\377\001?\001??", NULL)

2024-01-27 04:39:12 SMTP call from census6.shodan.io [66.240.236.119] dropped: too many syntax or protocol errors (last command was "?/?<\300\234\300\240?\234?5?=\300\235\300\241?\235?A?\272?\204?\300?\007?\004?\005\001??\323???\024?\022??\017194.146.242.192?\027???\001?\001\001\377\001?\001??", NULL)

2024-01-27 19:31:34 no host name found for IP address 194.146.242.192

2024-01-27 19:31:35 no host name found for IP address 194.146.242.192

2024-01-27 19:31:37 1rTlah-004AwA-T7 <= [email protected] H=(imw-rpg.ru) [194.146.242.192] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.imw-rpg.ru A=dovecot_plain:[email protected] S=2223 [email protected]
2024-01-27 19:31:37 1rTlah-004AwA-T7 H=gmail-smtp-in.l.google.com [64.233.164.27] TLS error on connection (recv): The TLS connection was non-properly terminated.

Added to the file /etc/fail2ban/jail.local:
ignoreip = 194.146.242.192

The site sends letters via SMTP.

I can provide the full log files if that helps.

A few things:

1.- Your ip 194.146.242.192 should have a PTR record pointing to your hostname, which in this case is imw-rpg.ru

2.- The ban was produced for dovecot, and I don’t know whether you checked the dovecot log, because the root cause for the bans is there.

3.- You said you added ignoreip = 194.146.242.192 in jail.local file but did you uncomment the [DEFAULT] section?

You should have something like this:

[DEFAULT]
ignoreip = 194.146.242.192

After modifying the file, restart the fail2ban service:

systemctl restart fail2ban

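A defender-side check that automates the two things asked for above, written here as an added example (not code from the thread, from Hestia or from fail2ban itself): it lists the Ban events for one address in fail2ban log text, accepting the filename prefix that grep -r adds, and verifies that ignoreip really sits under an uncommented [DEFAULT] in jail.local rather than under a single jail or before any section header. The first sample log line is the one quoted in the thread; the other two are constructed.

```python
import configparser
import re

# Sample fail2ban log text: the first line is the one quoted in the thread
# (with grep -r's filename prefix); the other two are constructed.
SAMPLE_FAIL2BAN_LOG = """\
/var/log/fail2ban.log.1:2024-01-27 18:50:04,402 fail2ban.actions        [1088]: NOTICE  [dovecot-iptables] Ban 194.146.242.192
2024-01-27 19:05:11,001 fail2ban.actions        [1088]: NOTICE  [dovecot-iptables] Unban 194.146.242.192
2024-01-28 03:12:40,555 fail2ban.actions        [1088]: NOTICE  [exim-iptables] Ban 203.0.113.9
"""

# Matches fail2ban's "NOTICE [jail] Ban <ip>" lines, with or without a
# "/path/to/file:" prefix as produced by grep -r.
BAN_RE = re.compile(
    r"^(?:/[^:]+:)?(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def bans_for_ip(log_text, ip):
    """Return (timestamp, jail) for every Ban of `ip`; Unban lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("ip") == ip:
            hits.append((m.group("ts"), m.group("jail")))
    return hits


def ignoreip_status(jail_local_text, ip):
    """Check where `ip` appears in a jail.local's ignoreip.

    Returns "ok" (listed under [DEFAULT], so every jail inherits it),
    "no-section-header" (ignoreip precedes any [section], e.g. [DEFAULT] is
    still commented out), "wrong-section" (listed only in one jail) or "missing".
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(jail_local_text)
    except configparser.MissingSectionHeaderError:
        return "no-section-header"
    listed = lambda value: ip in re.split(r"[,\s]+", value)
    if listed(cp.defaults().get("ignoreip", "")):
        return "ok"
    # [DEFAULT] lacks it, so any hit below comes from that jail's own value.
    for jail in cp.sections():
        if listed(cp.get(jail, "ignoreip", fallback="")):
            return "wrong-section"
    return "missing"
```

Feed it the output of the grep command above and the contents of /etc/fail2ban/jail.local; a "no-section-header" result is exactly the commented-out [DEFAULT] case.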

I removed the comment from [DEFAULT]; I’ll keep an eye on it. Who knew that this comment could have an impact(

In the dovecot log there are only lines like these, nothing else, well, not counting the spam hacking attempts from freaks:

Jan 29 16:18:37 auth: Info: missing passwd file: /etc/exim4/domains//passwd

Jan 29 16:19:53 imap([email protected])<1513158><GPJ1fRUQKNayRpil>: Info: Disconnected: Logged out in=1607 out=47183 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 29 16:19:53 imap([email protected])<1513156><BFJlfRUQJ9ayRpil>: Info: Disconnected: Logged out in=843 out=159341 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=150164
Jan 29 16:20:01 auth: Info: passwd-file([email protected],45.129.14.126): unknown user
Jan 29 16:20:14 auth: Info: passwd-file([email protected],141.98.11.68): unknown user
Jan 29 16:20:59 auth: Info: passwd-file([email protected],141.98.11.68): unknown user
Jan 29 16:21:44 auth: Info: passwd-file([email protected],141.98.11.68): Password mismatch
Jan 29 16:22:29 auth: Info: passwd-file([email protected],141.98.11.68): unknown user
Jan 29 16:23:16 auth: Info: passwd-file([email protected],141.98.11.68): unknown user
Jan 29 16:24:02 auth: Info: passwd-file([email protected],141.98.11.68): unknown user
Jan 29 16:24:47 auth: Info: passwd-file([email protected],141.98.11.68): unknown user
Jan 29 16:25:32 auth: Info: passwd-file([email protected],141.98.11.68): unknown user

I run my server from home and fail2ban was always flagging the router; the ignore fix did not work, it just kept banning the router.

I had to create an accept rule in iptables at position 1 to stop the issue; it bans external IP addresses and the server does not lose connectivity now due to fail2ban.

