Fail2ban bans, but not?

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Apr 29, 2021.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Debian 10 and ISPConfig 3.2.4.
    Somehow this one IP manages to try logins hundreds of times a day; fail2ban seems to ban it, but it looks like the ban is not effective. Can someone explain what is going on and how to fix it?
    I notice the culprit from logwatch reports:
    Code:
    Warnings
    --------
      smtpd (top 20) (total: 506)
           406   unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc...
    I verify from /var/log/mail.log there really are these attempts:
    Code:
    # grep 212.70.149.71 mail.log | grep "SASL LOGIN authentication failed" | wc -l
    2121
    So 2121 attempts since the 25th of this month (4 days ago).
    The fail2ban log shows the IP is banned:
    Code:
    root@posti:/var/log# grep 212.70.149.71 /var/log/fail2ban.log | tail
    2021-04-29 11:34:56,849 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:34:56
    2021-04-29 11:34:56,934 fail2ban.actions        [408]: WARNING [sasl] 212.70.149.71 already banned
    2021-04-29 11:36:33,370 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:36:33
    2021-04-29 11:38:07,162 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:38:07
    2021-04-29 11:39:42,661 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:39:42
    2021-04-29 11:39:42,663 fail2ban.actions        [408]: WARNING [sasl] 212.70.149.71 already banned
    2021-04-29 11:41:18,029 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:41:18
    2021-04-29 11:42:52,502 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:42:52
    2021-04-29 11:44:27,439 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:44:27
    2021-04-29 11:44:27,600 fail2ban.actions        [408]: WARNING [sasl] 212.70.149.71 already banned
    
    Interestingly, it looks like that IP does not get unbanned:
    Code:
    # grep Unban /var/log/fail2ban.log | grep 212.70.149.71
    2021-04-26 12:23:56,865 fail2ban.actions        [408]: NOTICE  [sasl] Unban 212.70.149.71
    
    So three days since latest unban, but bantime should be 10 minutes (600 seconds).
    This is from jail.local:
    Code:
    [sasl]
    enabled = true
    port = smtp
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 3
    findtime = 7200
    
    Code:
    # fail2ban-client get sasl bantime
    600
    Code:
    # fail2ban-client get sasl actions
    The jail sasl has the following actions:
    iptables-multiport
    Iptables really is banning the IP, at least as far as I interpret the following correctly:
    Code:
    # iptables-save | grep 212.70.149.71
    -A f2b-sasl -s 212.70.149.71/32 -j REJECT --reject-with icmp-port-unreachable
    But the IP accesses the server often:
    Code:
    # grep 212.70.149.71 mail.log | grep "SASL LOGIN authentication failed" | tail
    Apr 29 11:49:17 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 11:50:53 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 11:52:29 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 11:54:07 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 11:55:43 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 11:57:18 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 11:58:53 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 12:00:27 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 12:02:02 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 29 12:03:37 posti postfix/smtps/smtpd[1574]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    
    Code:
    # grep 212.70.149.71 fail2ban.log  | tail
    2021-04-29 11:58:53,340 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 11:58:53
    2021-04-29 11:58:53,418 fail2ban.actions        [408]: WARNING [sasl] 212.70.149.71 already banned
    2021-04-29 12:00:28,064 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 12:00:27
    2021-04-29 12:02:02,566 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 12:02:02
    2021-04-29 12:03:37,345 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 12:03:37
    2021-04-29 12:03:37,745 fail2ban.actions        [408]: WARNING [sasl] 212.70.149.71 already banned
    2021-04-29 12:05:14,107 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 12:05:14
    2021-04-29 12:06:50,417 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 12:06:50
    2021-04-29 12:08:26,356 fail2ban.filter         [408]: INFO    [sasl] Found 212.70.149.71 - 2021-04-29 12:08:26
    2021-04-29 12:08:26,682 fail2ban.actions        [408]: WARNING [sasl] 212.70.149.71 already banned
    
    I can get rid of that cracker for a week by adding the IP to the fail2ban recidive jail (I have a 1 week bantime there). I guess fail2ban does not give a recidive ban by itself because the IP does not get unbanned, so it does not get 5 bans in one day.
    So, any ideas on what is going on and what to do?
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The port defined for your jail is smtp, I suspect this is just port 25. Try adding port 587 and 465.
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Or use a different action; I prefer ones that outright block all traffic to/from the IP, not just a few ports.
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    @Th0m, it seems you are correct. I added
    Code:
    port = smtp,465,submission
    to /etc/fail2ban/jail.local and now fail2ban does unban and eventually gives a recidive ban:
    Code:
    # tail -f /var/log/fail2ban.log | grep 212.70.149.71
    2021-04-29 15:22:29,410 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Unban 212.70.149.71
    2021-04-29 15:23:34,519 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:23:34
    2021-04-29 15:25:10,239 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:25:10
    2021-04-29 15:26:45,538 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:26:45
    2021-04-29 15:26:45,723 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Ban 212.70.149.71
    2021-04-29 15:26:45,725 fail2ban.filter         [9490]: INFO    [recidive] Found 212.70.149.71 - 2021-04-29 15:26:45
    2021-04-29 15:36:46,428 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Unban 212.70.149.71
    2021-04-29 15:37:55,487 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:37:55
    2021-04-29 15:39:30,015 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:39:30
    2021-04-29 15:41:07,249 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:41:07
    2021-04-29 15:41:07,353 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Ban 212.70.149.71
    2021-04-29 15:41:07,504 fail2ban.filter         [9490]: INFO    [recidive] Found 212.70.149.71 - 2021-04-29 15:41:07
    2021-04-29 15:51:08,059 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Unban 212.70.149.71
    2021-04-29 15:52:24,290 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:52:24
    2021-04-29 15:53:59,024 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:53:59
    2021-04-29 15:55:34,133 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 15:55:34
    2021-04-29 15:55:34,363 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Ban 212.70.149.71
    2021-04-29 15:55:34,365 fail2ban.filter         [9490]: INFO    [recidive] Found 212.70.149.71 - 2021-04-29 15:55:34
    2021-04-29 16:05:35,071 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Unban 212.70.149.71
    2021-04-29 16:06:46,085 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 16:06:46
    2021-04-29 16:08:21,469 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 16:08:21
    2021-04-29 16:09:56,179 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 16:09:56
    2021-04-29 16:09:56,590 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Ban 212.70.149.71
    2021-04-29 16:09:56,592 fail2ban.filter         [9490]: INFO    [recidive] Found 212.70.149.71 - 2021-04-29 16:09:56
    2021-04-29 16:19:57,292 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Unban 212.70.149.71
    2021-04-29 16:21:04,425 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 16:21:04
    2021-04-29 16:24:16,177 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 16:24:16
    2021-04-29 16:25:53,013 fail2ban.filter         [9490]: INFO    [postfix-sasl] Found 212.70.149.71 - 2021-04-29 16:25:53
    2021-04-29 16:25:53,712 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Ban 212.70.149.71
    2021-04-29 16:25:53,898 fail2ban.filter         [9490]: INFO    [recidive] Found 212.70.149.71 - 2021-04-29 16:25:53
    2021-04-29 16:25:53,967 fail2ban.actions        [9490]: NOTICE  [recidive] Ban 212.70.149.71
    2021-04-29 16:35:54,410 fail2ban.actions        [9490]: NOTICE  [postfix-sasl] Unban 212.70.149.71
    @Jesse Norell wrote:
    This is enlightening. I was sure all traffic from a banned IP was always blocked. I think that explains the confusion I described in #1: some traffic got through despite the ban. I still do not understand why the unban did not happen, though.
    I did the port addition on my test host; I'll test more with a different action. Indeed it makes sense to block all traffic from a badly behaving IP.
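Th0m's port explanation (#2) and Taleman's confirmation (#4) above, as an added example that is not code from the thread or from fail2ban itself: a small checker that reads Postfix SASL-failure lines, derives the port each attempt arrived on from the smtpd service tag, and reports sources whose attempts fall outside the jail's "port =" list, i.e. traffic an iptables-multiport ban would not touch. It assumes a stock Debian master.cf port layout; the log lines and IPs are constructed.

```python
import re
import socket

# Postfix syslog tag "postfix/<service>/smtpd" -> TCP port. Assumption: the
# stock Debian master.cf layout (smtp 25, submission 587, smtps 465).
SERVICE_PORT = {"smtp": 25, "submission": 587, "smtps": 465, "ssmtp": 465}

# Matches the warning Postfix logs for a failed SASL login; an absent service
# segment (plain "postfix/smtpd") means the port-25 listener.
SASL_FAIL = re.compile(
    r"postfix/(?:(?P<svc>\w+)/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed"
)

# Constructed sample lines in mail.log format (documentation IPs, not real hosts).
SAMPLE_LOG = [
    "Apr 29 11:49:17 posti postfix/smtps/smtpd[1574]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ...",
    "Apr 29 11:50:02 posti postfix/submission/smtpd[1580]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: ...",
    "Apr 29 11:51:10 posti postfix/smtpd[1590]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: ...",
    "Apr 29 11:52:00 posti postfix/smtpd[1590]: connect from mail.example.net[192.0.2.9]",
]


def jail_ports(port_setting):
    """Expand a fail2ban 'port =' value (service names or numbers, comma separated) to port numbers."""
    ports = set()
    for item in port_setting.split(","):
        item = item.strip()
        if item.isdigit():
            ports.add(int(item))
            continue
        try:
            ports.add(socket.getservbyname(item, "tcp"))  # /etc/services lookup, as fail2ban does
        except OSError:
            ports.add(SERVICE_PORT[item])  # fallback when /etc/services is unavailable
    return ports


def uncovered_sources(log_lines, port_setting, banaction="iptables-multiport"):
    """Return {ip: {ports}} for SASL failures arriving on ports the jail's ban leaves open.
    iptables-allports rejects the whole protocol, so no port is uncovered there."""
    covered = jail_ports(port_setting)
    gaps = {}
    for line in log_lines:
        m = SASL_FAIL.search(line)
        if not m:
            continue
        port = SERVICE_PORT[m.group("svc") or "smtp"]
        if banaction == "iptables-allports" or port in covered:
            continue
        gaps.setdefault(m.group("ip"), set()).add(port)
    return gaps


if __name__ == "__main__":
    print("port = smtp            ->", uncovered_sources(SAMPLE_LOG, "smtp"))
    print("port = smtp,465,submission ->", uncovered_sources(SAMPLE_LOG, "smtp,465,submission"))
```

With the thread's original `port = smtp` the smtps and submission attempts are reported as uncovered; with the widened port list, or with `banaction = iptables-allports`, nothing is.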