Code:
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
Sep 10 08:36:02 server1 dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]

Question-1
117.247.67.136 is my own IP and I never tried with this kind of password. Besides, what does "server1.mywebsolutions.co.in does not resolve to address 117.247.67.136" mean? When I check the DNS propagation it properly resolves to this IP.

Question-2
Fail2ban is banning my own IP, meaning this same IP 117.247.67.136, even though I have added it to the list of ignoreip in jail.conf like:

Code:
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 117.247.67.136

I have run the command sudo ip route del unreachable 117.247.67.136 but it still looks like it is not taking effect. Where else should I check that my IP is banned?
Question-1
117.247.67.136 looks like a broadband IP, doesn't it? Besides, the reverse pointer is not set, thus the IP doesn't resolve properly.

Question-2
fail2ban uses iptables to ban the IP.
Hi HSorgYves, the reverse pointer is set, the IP does resolve to server1.mywebsolutions.co.in. Whatever method fail2ban uses, if the IP is whitelisted, why should it be banned?
Do you have this line in the /etc/hosts file of the server?
117.247.67.136 server1.mywebsolutions.co.in
If not, add it.
Yes, it is not there in the /etc/hosts file. It reads like this:
127.0.0.1 localhost.localdomain localhost
192.168.0.10 server1.mywebsolutions.co.in server1
So I added another line like:
117.247.67.136 server1.mywebsolutions.co.in
I am still wondering why the IP, which is included in the ignoreip directive, is banned. And how is someone trying a password from my own IP? Is the server compromised in any way?
fail2ban is still banning my IP:
017-09-12 05:15:01,976 fail2ban.actions: WARNING [sasl] Ban 117.247.67.136
I have to run two commands to remove the IP from ban status:
sudo fail2ban-client get fail2ban actionunban 117.247.67.136
sudo ip route del unreachable 117.247.67.136
I guess a problem in your case might be that the system seems to be behind a router, right? So all traffic that fail2ban sees probably comes from the internal IP of the router and not from the original IP.
It is true that the internal IP is 192.168.0.2 and the server IP is 192.168.0.10 (internal), and the WAN IP for both systems is 117.247.67.136. But if fail2ban saw the internal IP 192.168.0.2, it should ban 192.168.0.2, and accessing from that IP there is no problem. It is only the WAN IP which is getting banned. Moreover, the log shows a SASL ban from my IP with a seeming password failure, and I haven't tried any such password from that IP.
Please see my first post in this thread; I am pasting it again here. This line:
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Code:
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
Sep 10 08:36:02 server1 dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
I've seen your first post and it does not contain any passwords. Did you google for the error message? http://www.ericshalov.com/2014/12/03/what-does-ugfzc3dvcmq6-mean/
And regarding ignoreip, did you add it in the [DEFAULT] section of the jail.conf file? Did you try to reboot the server?
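The linked article explains that the token postfix logs after "SASL LOGIN authentication failed:" is the server's last base64-encoded challenge, not anything the client sent. The script below is an added example (not from this thread, nor from postfix or fail2ban) that parses the smtpd lines posted above, decodes that token, and counts failures per client IP inside a time window the way a log-based ban filter does. The year 2017, the window of 600 seconds and the threshold of 3 are assumptions for illustration, not values from the page.

```python
"""Parse postfix smtpd SASL failures, decode the logged token, and count failures per IP.

Added example; not code from the thread or from postfix/fail2ban.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed from the log lines posted earlier in the thread.
LOG = """\
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: warning: hostname server1.mywebsolutions.co.in does not resolve to address 117.247.67.136
Sep 10 08:36:02 server1 postfix/submission/smtpd[8407]: connect from unknown[117.247.67.136]
Sep 10 08:36:02 server1 dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 10 08:36:04 server1 postfix/submission/smtpd[8407]: disconnect from unknown[117.247.67.136]
Sep 10 08:36:10 server1 postfix/submission/smtpd[8407]: warning: unknown[117.247.67.136]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Syslog prefix plus the postfix smtpd program tag; everything after it is the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: (?P<msg>.*)$"
)
# The SASL failure message: "warning: <rdns>[<ip>]: SASL <mech> authentication failed: <token>"
FAIL_RE = re.compile(
    r"^warning: (?P<host>\S+)\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\S+) authentication failed: (?P<token>\S+)"
)

ASSUMED_YEAR = 2017  # syslog timestamps carry no year; assumption for this example


def decode_sasl_token(token: str) -> str:
    """Decode the base64 challenge postfix logs; for LOGIN it is the prompt, not a password."""
    return base64.b64decode(token).decode("ascii", errors="replace")


def parse_failures(log: str) -> list:
    """Return (timestamp, ip, mechanism, decoded_token) for every SASL failure line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, f["ip"], f["mech"], decode_sasl_token(f["token"])))
    return out


def offenders(log: str, maxretry: int = 3, findtime_s: int = 600) -> dict:
    """IPs with at least maxretry failures inside some findtime window, with their total count.

    This mirrors the findtime/maxretry logic of a ban filter; the defaults are assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, _, _ in parse_failures(log):
        by_ip[ip].append(ts)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= findtime_s]
            if len(in_window) >= maxretry:
                result[ip] = len(times)
                break
    return result


if __name__ == "__main__":
    for ts, ip, mech, prompt in parse_failures(LOG):
        print(f"{ts} {ip} SASL {mech} failed; logged token decodes to {prompt!r}")
    print("would trip a maxretry=2 filter:", offenders(LOG, maxretry=2))
```

Decoding UGFzc3dvcmQ6 yields the LOGIN mechanism's "Password:" prompt, which is why the same token appears on every failed LOGIN attempt regardless of what the client typed. The count per IP is what matters for the ban: two failures in eight seconds from one address will trip any filter whose maxretry is 2 or lower.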
I am really sorry Till, but I thought that "UGFzc3dvcmQ6" is a password. I read the link you gave. What I understand is that if someone tries from, say, the Roundcube IMAP client, it will show my server IP instead of the client IP, and the string only says password failure; it is not an actual password. Secondly, the ignore IP is listed in the [DEFAULT] section like this:

Code:
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
Jail.conf
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 117.247.67.136

Yes, I have restarted the server two or three times after that. The contents of jail.local are like this:

Code:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.0.1 117.67.247.136 103.46.240.33 27.58.158.237
banaction = route
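Both fragments above set ignoreip in [DEFAULT], and fail2ban reads jail.local after jail.conf so that any key jail.local sets replaces the same key from jail.conf; the list in jail.local is therefore the one in force. The script below is an added example (not from this thread or from fail2ban) that reproduces that layering with Python's configparser, checks whether the banned address matches any effective ignoreip entry, and reports entries made of the same four octets in a different order. It is the check worth running whenever an address that is "on the ignore list" keeps getting banned. The two config strings are constructed from the fragments posted above; DNS-host entries are skipped rather than resolved.

```python
"""Compute fail2ban's effective ignoreip list and test a banned IP against it.

Added example; not code from the thread or from fail2ban. Assumes fail2ban's
documented layering: jail.local is read after jail.conf and overrides per key.
"""
import configparser
import ipaddress

# Constructed from the jail.conf fragment posted in the thread.
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1/8 117.247.67.136
"""

# Constructed from the jail.local fragment posted in the thread.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.1 117.67.247.136 103.46.240.33 27.58.158.237
banaction = route
"""


def effective_ignoreip(jail_conf: str, jail_local: str, section: str = "DEFAULT") -> list:
    """Return the ignoreip entries in force after jail.local overrides jail.conf."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_conf)
    cfg.read_string(jail_local)  # a later read_string replaces keys already set, like jail.local
    return cfg.get(section, "ignoreip", fallback="").split()


def is_ignored(ip: str, entries: list) -> bool:
    """True if ip falls inside any IP or CIDR entry; DNS-host entries are skipped here."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a hostname entry; resolving it is out of scope for this check
        if addr in net:
            return True
    return False


def near_misses(ip: str, entries: list) -> list:
    """Entries built from ip's octets in a different order (the usual transposition typo)."""
    wanted = sorted(ip.split("."))
    hits = []
    for entry in entries:
        host = entry.split("/")[0]
        if host != ip and host.count(".") == 3 and sorted(host.split(".")) == wanted:
            hits.append(entry)
    return hits


def audit(ip: str, jail_conf: str, jail_local: str) -> dict:
    """Summarise whether ip is ignored by the effective config, by jail.conf alone, and why not."""
    effective = effective_ignoreip(jail_conf, jail_local)
    return {
        "effective_ignoreip": effective,
        "ignored": is_ignored(ip, effective),
        "ignored_by_conf_alone": is_ignored(ip, effective_ignoreip(jail_conf, "")),
        "near_misses": near_misses(ip, effective),
    }


if __name__ == "__main__":
    for key, value in audit("117.247.67.136", JAIL_CONF, JAIL_LOCAL).items():
        print(f"{key}: {value}")
```

Run against the two fragments from this thread, the banned address is covered by jail.conf alone but not by the effective list, and the only near miss reported is 117.67.247.136. A real deployment would also want the hostname entries resolved and the jail-specific sections checked, since a per-jail ignoreip overrides [DEFAULT] again.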