Good Day: Before following the instructions below, https://www.howtoforge.com/community/threads/permanently-ban-an-ip.79457/ I would like to ask if I would have issues with having different MaxRetry configurations and applying RECIDIVE: My Code Code: [pure-ftpd] enabled = true port = ftp filter = pure-ftpd logpath = /var/log/syslog maxretry = 3 [dovecot] enabled = true filter = dovecot action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] logpath = /var/log/mail.log maxretry = 5 [postfix] enabled = true port = smtp filter = postfix logpath = /var/log/mail.log maxretry = 3 [sshd] enabled = true port = ssh filter = sshd findtime = 600 maxretry = 5 bantime = 3600 The offending IP is not from my group of users. Also, could somebody walk me through a SASL filter setup? Any other recommended filter as well? Note: This server is used only for IMAP and SMTP MAIL for not more than 30 users. We don't use FTP but it doesn't seem bad to leave that filter there. Cheers
Mail users are authenticated by postfix trough dovecot, so failed smtp logins (sasl) should already be covered by the filters. Try if you get a ban when you login with wrong smtp password multiple times.
Thank you Till: I was just reviewing my post before your answer and was going to add the following about the offending IP's Quote" The offending IP is not from my group of users. But it is from a server that I expect to receive mail from directed to my users (server is from another party an it should not be trying to relay with me if that should be the case). My Fail2Ban has been banning two SMTP servers from this party on the same public subnet (different by 1 on the 4th octect / x.x.x.190 and x.x.x.191) with the POSTFIX filter. How should I interpret this. I know the owner of the systems and could contact him if needed. "Un-quote Also, any comments on RECIDIVE? Thanks again.
Different maxretry values for different jails is fine, and is the first thing you would likely change to tune a jail that eg. works fairly well but is a little too sensitive and catches legitimate traffic. I've used recidive (on debian, not ubuntu) and it works nicely, as long as your other jails are tuned decently. (If you're getting frequent matches for your legitimate users, eg. say typing in their password wrong or using wrong settings, then adding recidive will simply get them blocked for a very long time and likely result in a phone call rather than them fixing their config.) Look at /etc/fail2ban/filter.d/postfix.conf to see what log lines will be matched, and grep for their ip addrs in mail.log - that tells you what they're hitting on. You have maxretry=3 for postfix jail, so they get 3 hits in 10 minutes (by default) and they'll be blocked; likely you'll want to relax that a bit, and if you need to you can either ignore those ip addrs for the jail in your fail2ban jail, or you could exempt them from whatever check(s) they're hitting in postfix config if needed beyond that. From jail.local on a server here: Code: [postfix] enabled = true port = smtp,465,submission maxretry = 90 findtime = 10800 bantime = 14400
Good Day Jesse: Thank you for your comments. I believe I have found the problem and is related to an older post of mine where you helped me in solving a HELO-CHECK issue https://www.howtoforge.com/communit...strictions-with-ispconfig3.80384/#post-381659 After your feedback, and as mentioned on that post, I went and gave PERMIT for the banner check of this particular IP's, but for some reason the /etc/postfix/helo_acces configuration went back to default a couple of days ago. Maybe an update of software!. I did run an update for ISPCONFIG a couple of days ago but Im not sure if this was what made the change. Could a POSTFIX update change this configuration? I need to make more tests. For the time being, Fail2Ban stopped banning the IP. Thanks again.
Ispconfig update rewrites your Postfix config. For example : Code: inet_protocols = ipv4 will be at each update replaced with Code: inet_protocols = all
Thank you Electronico. Should I revise my complete default ISPCONFIG PERECT SERVER configuration INSTALL for other changes? Cheers
You have modified parameters after ISPConfig install, it's up to you to keep them alive after each update.
That was it, you need to Code: wget -O /usr/local/ispconfig/server/conf-custom/install/helo_access.master https://git.ispconfig.org/ispconfig/ispconfig3/raw/master/install/tpl/helo_access.master and make your same changes to /usr/local/ispconfig/server/conf-custom/install/helo_access.master. Same procedure goes for other config files, eg. debian_postfix.conf.master will preserve your postfix main.cf changes. Beware that when you update ispconfig, you will need to check for changes to those .master files yourself; there are occasionally changes within a point release (eg. 3.1.12 -> 3.1.13), but there are almost guaranteed to be changes in larger releases (3.1.x -> 3.2.x) which you'll need to determine and integrate (or just copy and modify the .master again).
