[SOLVED] fail2ban banning too much

ychaouche
Posts: 87
Joined: 2014-12-11 09:45

#1 Post by ychaouche »

Hi

I noticed that some IPs are trying to connect to my IMAP/SMTP server (SASL) many times, but over a larger time frame than the usual 5-15 minute window, so I decided to have two jails for these services: one jail for the small time frame that will look for 3 failures in 5 minutes, and one for the large time frame (a day) that would look for 10 failures. Here's my jail.local; in particular, see dovecot and dovecot-long.

root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/jail.local
[DEFAULT]
action = shorewall
ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16

# ychaouche
# the default is 10 minutes,
# I set it to 1 day.
bantime = 86400

[postfix-sasl]
enabled  = true
port     = all
filter   = postfix-sasl
#action   = shorewall
logpath  = /var/log/mail.warn
maxretry = 3
findtime = 600

[postfix]
enabled  = true
port     = all
filter   = postfix
logpath  = /var/log/mail.log

[dovecot]
enabled = true
port    = all
filter  = dovecot
logpath = /var/log/dovecot.log

[dovecot-long]
findtime   = 86400
# the fail2ban option is spelled "maxretry"; a "maxretries" key is not read as
# that option, so this jail inherits maxretry = 3 from [DEFAULT]
maxretries = 10
# 5 days
bantime    = 432000
enabled    = true
port       = all
filter     = dovecot
logpath    = /var/log/dovecot.log

[ssh]
port = all
root@messagerie[10.10.10.19] ~ #

Here are my default values from jail.conf (minus comments):

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 600
findtime = 600
maxretry = 3


What I have found out is that fail2ban is banning some IPs that have fewer than the required maxretries (10); for example, this IP:

root@messagerie[10.10.10.19] ~ # grep 113.195.181.126 /var/log/fail2ban.log
2017-08-23 15:33:54,153 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 113.195.181.126
2017-08-23 15:40:04,878 fail2ban.actions[10631]: WARNING [dovecot-long] Unban 113.195.181.126
2017-08-23 15:58:59,699 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 113.195.181.126
root@messagerie[10.10.10.19] ~ #

has been banned although it made only 5 attempts, spread over 4 days:

root@messagerie[10.10.10.19] ~ # grep auth.failed.*113.195.181.126 /var/log/dovecot.log
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
root@messagerie[10.10.10.19] ~ # grep auth.failed.*113.195.181.126 /var/log/dovecot.log | wc -l
5
root@messagerie[10.10.10.19] ~ #

Here's the grep on the IP address alone if you wish to investigate further:

root@messagerie[10.10.10.19] ~ # grep 113.195.181.126 /var/log/dovecot.log
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:41 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=nZ5jZ1lXiwBxw7V+        lip=10.10.10.19 rip=113.195.181.126     lport=993       rport=24715
Aug 22 16:39:44 auth-worker(10354): Debug: sql(blanc_antenne@mydomain.tld,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('blanc_antenne@mydomain.tld')
Aug 22 16:39:44 auth-worker(10354): Info: sql(blanc_antenne@mydomain.tld,113.195.181.126): unknown user
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:21 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=ilDF4ltX4gBxw7V+        lip=10.10.10.19 rip=113.195.181.126     lport=993       rport=22498
Aug 22 19:37:24 auth-worker(10354): Debug: sql(a.chaouche,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('a.chaouche')
Aug 22 19:37:24 auth-worker(10354): Info: sql(a.chaouche,113.195.181.126): unknown user
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:23 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=WTL7qWBXzgBxw7V+        lip=10.10.10.19 rip=113.195.181.126     lport=993       rport=50638
Aug 23 01:19:27 auth-worker(10354): Debug: sql(aine3,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('aine3')
Aug 23 01:19:27 auth-worker(10354): Info: sql(aine3,113.195.181.126): unknown user
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
root@messagerie[10.10.10.19] ~ #

Any idea why fail2ban is doing this?
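The dovecot-long jail as posted never sets fail2ban's `maxretry` option (the key is misspelled `maxretries`), so that jail inherits maxretry = 3 from [DEFAULT] while keeping findtime = 86400. The Python below is an added example, not the poster's config nor fail2ban's own code: it replays fail2ban's counting rule (ban once `maxretry` failures fall inside the last `findtime` seconds) over the five dovecot lines quoted above, using a simplified stand-in for the dovecot filter regex and assuming the year 2017 for the year-less syslog timestamps. It shows that the three failures of Aug 22-23 alone satisfy 3-in-a-day, whereas the intended 10-in-a-day would not have banned; it models only the counting, not when the running daemon actually processed the lines.

```python
import re
from datetime import datetime, timedelta

# Dovecot lines copied from the post (constructed sample; syslog has no year, so 2017 is assumed).
DOVECOT_LOG = """\
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
"""

# Simplified stand-in for fail2ban's dovecot filter: timestamp + "auth failed" + rip=<HOST>.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*auth failed.*\brip=([\d.]+)")


def parse_failures(log_text, year=2017):
    """Group the timestamps of matching lines by client IP."""
    failures = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures.setdefault(m.group(2), []).append(ts)
    return failures


def first_ban(timestamps, maxretry, findtime):
    """Replay the counting rule: ban when `maxretry` failures fall within the
    last `findtime` seconds. Returns the time of the triggering failure, or None."""
    window = timedelta(seconds=findtime)
    recent = []
    for ts in sorted(timestamps):
        recent = [t for t in recent if ts - t <= window]  # drop failures outside the window
        recent.append(ts)
        if len(recent) >= maxretry:
            return ts
    return None


def evaluate(log_text, maxretry, findtime):
    """Map each IP to the first ban time (as text) under the given jail settings, or None."""
    return {ip: (ban.isoformat(sep=" ") if ban else None)
            for ip, ts in parse_failures(log_text).items()
            for ban in [first_ban(ts, maxretry, findtime)]}


if __name__ == "__main__":
    # dovecot-long as fail2ban reads it: "maxretries" is not an option, so
    # maxretry falls back to the [DEFAULT] value of 3, with findtime = 86400.
    print("as read  :", evaluate(DOVECOT_LOG, maxretry=3, findtime=86400))
    print("intended :", evaluate(DOVECOT_LOG, maxretry=10, findtime=86400))
```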

ychaouche
Posts: 87
Joined: 2014-12-11 09:45

Re: [SOLVED] fail2ban banning too much

#2 Post by ychaouche »

Can't investigate this anymore anyway; the config has changed.
