fail2ban banning too much


Postby ychaouche » 2017-08-23 16:13

Hi

I noticed that some IPs are trying to connect to my IMAP/SMTP server (SASL) many times, but over a larger time frame than the usual 5-15 minute window, so I decided to have two jails for these services: one jail for the small time frame that will look for 3 failures in 5 minutes, and one for the large time frame (a day) that would look for 10 failures. Here's my jail.local; in particular, see dovecot and dovecot-long:

root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/jail.local
[DEFAULT]
action = shorewall
ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16

# ychaouche
# the default is 10 minutes,
# I set it to 1 day.
bantime = 86400

[postfix-sasl]
enabled  = true
port     = all
filter   = postfix-sasl
#action   = shorewall
logpath  = /var/log/mail.warn
maxretry = 3
findtime = 600

[postfix]
enabled  = true
port     = all
filter   = postfix
logpath  = /var/log/mail.log

[dovecot]
enabled = true
port    = all
filter  = dovecot
logpath = /var/log/dovecot.log

[dovecot-long]
findtime   = 86400
maxretries = 10
# 5 days
bantime    = 432000
enabled    = true
port       = all
filter     = dovecot
logpath    = /var/log/dovecot.log

[ssh]
port = all
root@messagerie[10.10.10.19] ~ #


Here are my default values from jail.conf (minus comments)

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 600
findtime = 600
maxretry = 3




What I have found out is that fail2ban is banning some IPs that have fewer than the required maxretries (10), for example this IP

root@messagerie[10.10.10.19] ~ # grep 113.195.181.126 /var/log/fail2ban.log
2017-08-23 15:33:54,153 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 113.195.181.126
2017-08-23 15:40:04,878 fail2ban.actions[10631]: WARNING [dovecot-long] Unban 113.195.181.126
2017-08-23 15:58:59,699 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 113.195.181.126
root@messagerie[10.10.10.19] ~ #


has been banned although it has only 5 attempts, spread over 4 days:

root@messagerie[10.10.10.19] ~ # grep auth.failed.*113.195.181.126 /var/log/dovecot.log
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
root@messagerie[10.10.10.19] ~ # grep auth.failed.*113.195.181.126 /var/log/dovecot.log | wc -l
5
root@messagerie[10.10.10.19] ~ #


Here's the grep on the IP address alone, if you wish to investigate further:

root@messagerie[10.10.10.19] ~ # grep 113.195.181.126 /var/log/dovecot.log
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:41 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=nZ5jZ1lXiwBxw7V+        lip=10.10.10.19 rip=113.195.181.126     lport=993       rport=24715
Aug 22 16:39:44 auth-worker(10354): Debug: sql(blanc_antenne@mydomain.tld,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('blanc_antenne@mydomain.tld')
Aug 22 16:39:44 auth-worker(10354): Info: sql(blanc_antenne@mydomain.tld,113.195.181.126): unknown user
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:21 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=ilDF4ltX4gBxw7V+        lip=10.10.10.19 rip=113.195.181.126     lport=993       rport=22498
Aug 22 19:37:24 auth-worker(10354): Debug: sql(a.chaouche,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('a.chaouche')
Aug 22 19:37:24 auth-worker(10354): Info: sql(a.chaouche,113.195.181.126): unknown user
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:23 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=WTL7qWBXzgBxw7V+        lip=10.10.10.19 rip=113.195.181.126     lport=993       rport=50638
Aug 23 01:19:27 auth-worker(10354): Debug: sql(aine3,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('aine3')
Aug 23 01:19:27 auth-worker(10354): Info: sql(aine3,113.195.181.126): unknown user
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
root@messagerie[10.10.10.19] ~ #



Any idea why fail2ban is doing this?
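As an added check (written for this page, not taken from the post or from fail2ban's own code), the script below re-reads a trimmed copy of the posted jail.local, reports option names that are not among the keys seen in the post's jail.conf/jail.local, resolves the value each jail actually ends up with, and replays the quoted dovecot failures through a findtime/maxretry sliding window. It assumes the jail.conf defaults shown in the post (maxretry 3, findtime 600, bantime 600) and a log year of 2017, since syslog timestamps carry none.

```python
import configparser
import re
from datetime import datetime, timedelta
# Options visible in the post's jail.conf/jail.local; any other key is not acted on by fail2ban.
KNOWN_OPTIONS = {"enabled", "port", "filter", "logpath", "action", "ignoreip",
                 "ignorecommand", "bantime", "findtime", "maxretry"}
BUILTIN_DEFAULTS = {"bantime": 600, "findtime": 600, "maxretry": 3}  # the post's jail.conf values
JAIL_LOCAL = """[DEFAULT]
bantime = 86400
[dovecot-long]
findtime   = 86400
maxretries = 10
"""  # trimmed copy of the posted jail.local
# The "auth failed" lines quoted in the post; syslog omits the year, so 2017 is assumed.
DOVECOT_LOG = """\
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS
"""
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*auth failed.*rip=([\d.]+)")
def load_jails(text):
    # Read [DEFAULT] as a plain section so each jail's own keys can be inspected on their own.
    cfg = configparser.ConfigParser(default_section="__unused__")
    cfg.read_string(text)
    return cfg
def unknown_options(cfg, jail):
    # Keys outside KNOWN_OPTIONS, e.g. the typo "maxretries", which never reaches the ban logic.
    return set(cfg[jail]) - KNOWN_OPTIONS
def effective(cfg, jail, option):
    # jail section -> [DEFAULT] -> jail.conf default, the order in which fail2ban layers them.
    for section in (jail, "DEFAULT"):
        if section in cfg and option in cfg[section]:
            return int(cfg[section][option])
    return BUILTIN_DEFAULTS[option]
def parse_failures(lines, year=2017):
    # (timestamp, remote ip) for every dovecot "auth failed" line.
    return [(datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y"), m.group(2))
            for m in map(FAIL_RE.match, lines) if m]
def simulate_bans(failures, ip, maxretry, findtime):
    # Sliding window as fail2ban applies it: ban once maxretry failures land within findtime seconds.
    window, bans = [], []
    for ts, rip in sorted(f for f in failures if f[1] == ip):
        window = [t for t in window if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(window) >= maxretry:
            bans.append(ts)
            window = []  # start counting afresh after a ban
    return bans
```

Run against the posted config, it reports `maxretries` as an unrecognised key in [dovecot-long], so that jail falls back to the default maxretry of 3, and the three failures from Aug 22 16:39 to Aug 23 01:19 fall inside a single 86400-second window.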
