Mail log SASL login failure from my own IP

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Sep 11, 2017.

  1. pawan

    pawan Member

    Code:
    Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
    Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
    Sep 10 08:36:02 server1 dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
    Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
    Question-1
    Whereas 117.247.67.136 is my own IP, and I never tried with this kind of password.
    Besides, "server1.mywebsolutions.co.in does not resolve to address 117.247.67.136", what does this mean? When I check the DNS propagation it properly resolves to this IP.
    Question-2
    Fail2ban is banning my own IP, meaning this same IP 117.247.67.136, even though I have added this to the list of ignoreip in jail.conf like this:

    Code:
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8 117.247.67.136
    I have run the command
    sudo ip route del unreachable 117.247.67.136

    but it still looks like the same is not taking effect. Where else should I check that my IP is banned?
     
  2. HSorgYves

    HSorgYves Active Member HowtoForge Supporter

    Question-1
    117.247.67.136 looks like a broadband IP, doesn't it? Besides, the reverse pointer is not set, thus the IP doesn't resolve properly.
    Question-2
    fail2ban uses iptables to ban the IP.
     
  3. pawan

    pawan Member

    Hi HSorgYves -
    The reverse pointer is set; the IP does resolve to server1.mywebsolutions.co.in.
    Whatever method fail2ban uses, if the IP is whitelisted, why should it be banned?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have this line in the /etc/hosts file of the server?

    117.247.67.136 server1.mywebsolutions.co.in

    If not, add it.
     
  5. pawan

    pawan Member

    Yes, it is not there in the /etc/hosts file.
    It reads like this:
    127.0.0.1 localhost.localdomain localhost
    192.168.0.10 server1.mywebsolutions.co.in server1

    So I add another line like this:
    117.247.67.136 server1.mywebsolutions.co.in
     
  6. pawan

    pawan Member

    I am still wondering why the IP, which is included in the ignoreip directive, is banned.
    And how is someone trying a password from my own IP? Is the server compromised in any way?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you restart fail2ban after you added the ignore IP?
     
  8. pawan

    pawan Member

    Yes, I did restart fail2ban after adding the ignore IP.
     
  9. pawan

    pawan Member

    fail2ban is still banning my IP:
    017-09-12 05:15:01,976 fail2ban.actions: WARNING [sasl] Ban 117.247.67.136

    I have to run two commands to remove the IP from ban status:
    sudo fail2ban-client get fail2ban actionunban 117.247.67.136
    sudo ip route del unreachable 117.247.67.136
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess a problem in your case might be that the system seems to be behind a router, right? So all traffic that fail2ban sees comes probably from the internal IP of the router and not from the original IP.
     
  11. pawan

    pawan Member

    It is true that the internal IP is 192.168.0.2 and the server IP is 192.168.0.10 (internal),
    and the WAN IP for both systems is 117.247.67.136.
    But if fail2ban sees the internal IP 192.168.0.2, it should ban 192.168.0.2, yet accessing from that IP there is no problem.
    It is only the WAN IP which is getting banned.
    Moreover, the log shows a SASL ban from my IP with a seemingly failed password, but I haven't tried any such password from that IP.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The log you posted does not show any passwords.
     
  13. pawan

    pawan Member

    Please see my first post in this thread.
    I am pasting it again here. This line:
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Code:
    Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
    Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
    Sep 10 08:36:02 server1 dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
    Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
    Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
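    An added illustration, not code from the thread or from ISPConfig: a small parser for the Postfix lines pawan posted. The word Postfix logs after "SASL LOGIN authentication failed:" is the base64 of the server's last LOGIN challenge, and decoding it yields "Password:", the prompt the server sent, not anything the client typed. The sample log is constructed from the quoted lines; the 198.51.100.7 entry is invented to show a line with no trailing token.

```python
import base64
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in this thread; the
# 198.51.100.7 entry is invented to show a line with no trailing token.
SAMPLE_LOG = """\
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 09:01:15 server1 postfix/submission/smtpd[8410]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
"""

SASL_FAIL = re.compile(
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:(?: (?P<token>\S+))?"
)

def decode_sasl_token(token):
    """Decode the base64 word Postfix appends after 'authentication failed:'.
    For the LOGIN mechanism it is the server's last challenge ('Password:'),
    i.e. a prompt sent to the client, never a password the client typed."""
    if not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_sasl_failures(log_text):
    """Return one record per failed SASL login in log_text."""
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            events.append({"ip": m.group("ip"), "mech": m.group("mech"),
                           "challenge": decode_sasl_token(m.group("token"))})
    return events

def failures_per_ip(log_text):
    """Failed logins per client IP, the tally a fail2ban sasl filter would keep."""
    return Counter(e["ip"] for e in parse_sasl_failures(log_text))

if __name__ == "__main__":
    for event in parse_sasl_failures(SAMPLE_LOG):
        print(event)
    print(failures_per_ip(SAMPLE_LOG))
```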
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

  15. till

    till Super Moderator Staff Member ISPConfig Developer

    And regarding ignoreip, did you add it in the [DEFAULT] section of the jail.conf file? Did you try to reboot the server?
     
  16. pawan

    pawan Member

    I am really sorry Till, but I thought that "UGFzc3dvcmQ6" is a password.
    I read the link you gave. What I understand is that if someone tries from, say, the Roundcube IMAP client, it will show my server IP instead of the client IP, and the string only says password failure; it is not an actual password.

    Secondly, the ignore IP is listed in the [DEFAULT] section like this:
    Code:
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    Jail.conf
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8 117.247.67.136
    
    Yes, I have restarted the server two or three times after that.
    The contents of jail.local are like this:
    Code:
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1 192.168.0.1 117.67.247.136 103.46.240.33 27.58.158.237
    banaction = route
    
     
    Last edited: Sep 12, 2017
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    The ignoreip settings are looking fine to me. I have no idea why they don't get applied by fail2ban.
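    An added check, written for this page and not taken from the thread or from fail2ban itself: it layers jail.conf under jail.local the way fail2ban does and tests an address against the resulting ignoreip. The jail.local quoted in post 16 lists 117.67.247.136, with the second and third octets swapped relative to the banned address 117.247.67.136, so the effective list does not cover that address even though jail.conf does. The config fragments are constructed from the values quoted in post 16.

```python
import configparser
import ipaddress

# Constructed fragments carrying the ignoreip values quoted in post 16.
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1/8 117.247.67.136
"""
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.1 117.67.247.136 103.46.240.33 27.58.158.237
banaction = route
"""

def load_effective_defaults(*fragments):
    """Read jail.conf, then jail.local on top of it: a key present in both
    keeps the later value, which is how fail2ban layers its config files."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in fragments:
        cp.read_string(text)
    return dict(cp.defaults())

def parse_ignoreip(value):
    """Split an ignoreip value into networks. 127.0.0.1/8 has host bits set,
    so strict=False is required. DNS names (also accepted by fail2ban) are
    skipped here rather than resolved, so the check stays offline."""
    nets = []
    for item in value.split():
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            pass
    return nets

def is_ignored(ip, ignoreip_value):
    """True if the address matches an entry, i.e. fail2ban would not ban it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_ignoreip(ignoreip_value))

def check_ban_candidate(ip, *fragments):
    """Would ip be ignored under the configuration the fragments build up?"""
    defaults = load_effective_defaults(*fragments)
    return {"effective_ignoreip": defaults["ignoreip"],
            "ignored": is_ignored(ip, defaults["ignoreip"]),
            "banaction": defaults.get("banaction")}

if __name__ == "__main__":
    print(check_ban_candidate("117.247.67.136", JAIL_CONF))              # ignored
    print(check_ban_candidate("117.247.67.136", JAIL_CONF, JAIL_LOCAL))  # not ignored
```

    With banaction = route, as in the quoted jail.local, a ban is a blackhole route, which is why the manual cleanup in post 9 needs ip route del.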
     