1 (edited by dorpha 2015-03-02 21:37:16)

Topic: fail2ban's jail not functioning

======== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Ubuntu 14.04
- Related log if you're reporting an issue:
====

We are using SOGo, and no Roundcube is installed.

Our fail2ban service works properly, but something is preventing the jails from being read:
(no idea where this fail2ban-default setting comes from)

 14:55:36,600 fail2ban.server : INFO   Stopping all jails
 14:55:36,792 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' stopped
 14:55:37,786 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -j fail2ban-default
iptables -F fail2ban-default
iptables -X fail2ban-default returned 100
 14:55:37,788 fail2ban.jail   : INFO   Jail 'sshd' stopped
 14:55:38,685 fail2ban.jail   : INFO   Jail 'postfix-iredmail' stopped
 14:55:38,786 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' stopped
 14:55:39,684 fail2ban.jail   : INFO   Jail 'sshd-ddos' stopped
 14:55:39,697 fail2ban.server : INFO   Exiting Fail2ban

fail2ban status:

# service fail2ban status
 * Status of authentication failure monitor
*  fail2ban is running <--- no jails listed

iptables -n -L INPUT | grep -q fail2ban-ssh gives nothing:

# iptables -n -L INPUT | grep -q fail2ban-ssh
# 

and here is the jail.local file:

# Refer to /etc/fail2ban/jail.conf for more examples.
[DEFAULT]
maxretry    = 5
# time is in seconds. 3600 = 1 hour
findtime    = 300
bantime     = 3600
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[sshd]
enabled     = true
filter      = sshd
action      = iptables-allports
logpath     = /var/log/auth.log

[sshd-ddos]
enabled     = true
filter      = sshd-ddos
action      = iptables-allports
logpath     = /var/log/auth.log

[roundcube-iredmail]
enabled     = true
filter      = roundcube.iredmail
action      = iptables-multiport[name=roundcube, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/mail.log
findtime    = 3600

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/dovecot.log

[postfix-iredmail]
enabled     = true
filter      = postfix.iredmail
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#              sendmail[name=Postfix, dest=root, sender=fail2ban@localhost]
logpath     = /var/log/mail.log

Any clues or suggestions on how we could diagnose the problem?

Thanks.
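As an added example (not part of the original post), the script below pulls action failures out of a fail2ban log like the one above. fail2ban logs `fail2ban.actions.action: ERROR <command> returned <rc>` when one of an action's iptables commands fails, and because the command is the multi-line action script, the record has to be reassembled from its continuation lines before the chain name and return code can be read. The sample log is constructed here, modelled on the excerpt in the post. One fact worth knowing when reading it: `iptables-allports` carries a built-in `name = default` in its `[Init]` section, so a jail that uses `action = iptables-allports` without a `name=` parameter, as both `[sshd]` and `[sshd-ddos]` do in the jail.local above, manages a chain called `fail2ban-default`; two jails sharing that one chain name explains where the `fail2ban-default` in the log comes from.

```shell
#!/bin/sh
# Added example, not from the thread: pull action failures out of fail2ban's log.
# fail2ban writes 'fail2ban.actions.action: ERROR <command> returned <rc>' when a
# ban/unban/stop command fails. <command> is the multi-line action script, so
# continuation lines (no leading timestamp) must be joined to their record first.

# Constructed sample modelled on the log excerpt in the post (the ERROR record
# spans three lines, as it did there).
SAMPLE_LOG=$(cat <<'EOF'
2015-03-02 14:55:36,600 fail2ban.server : INFO   Stopping all jails
2015-03-02 14:55:36,792 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' stopped
2015-03-02 14:55:37,786 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -j fail2ban-default
iptables -F fail2ban-default
iptables -X fail2ban-default returned 100
2015-03-02 14:55:37,788 fail2ban.jail   : INFO   Jail 'sshd' stopped
2015-03-02 14:55:38,685 fail2ban.jail   : INFO   Jail 'postfix-iredmail' stopped
2015-03-02 14:55:39,697 fail2ban.server : INFO   Exiting Fail2ban
EOF
)

# join_records: read a fail2ban log on stdin and emit one line per log record,
# folding continuation lines (those not starting with a timestamp) into the
# record they belong to, separated by ' | '.
join_records() {
    awk '
        /^ *([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] )?[0-9][0-9]:[0-9][0-9]:[0-9][0-9],[0-9][0-9][0-9] / {
            if (rec != "") print rec
            rec = $0
            next
        }
        { rec = rec " | " $0 }
        END { if (rec != "") print rec }'
}

# action_errors: for each action ERROR record on stdin print "<chain> <rc>", where
# <chain> is the fail2ban-* chain named in the failing iptables command and <rc>
# is the exit code fail2ban reported.
action_errors() {
    join_records | awk '
        /fail2ban\.actions\.action: *ERROR/ {
            chain = "?"; rc = "?"
            if (match($0, /fail2ban-[A-Za-z0-9_.-]+/)) chain = substr($0, RSTART, RLENGTH)
            if (match($0, /returned [0-9]+/)) rc = substr($0, RSTART + 9, RLENGTH - 9)
            print chain, rc
        }'
}

# stopped_jails: jails that logged a "stopped" event (stdin). A jail listed here
# whose chain never appeared in "iptables -L -n" had a failing action.
stopped_jails() {
    awk -F"'" '/fail2ban\.jail .*Jail .* stopped/ { print $2 }'
}

# Demo on the constructed sample; on a real host use e.g.
#   action_errors < /var/log/fail2ban.log
printf '%s\n' "$SAMPLE_LOG" | action_errors      # prints: fail2ban-default 100
printf '%s\n' "$SAMPLE_LOG" | stopped_jails
```

Run on a real `/var/log/fail2ban.log`, `action_errors` gives the chain and return code of every failed action, which is the fastest way to see which jail's iptables command is the one being rejected.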


2

Re: fail2ban's jail not functioning

*) Do you have any 'fail2ban-*' chains in iptables? You can check it with 'iptables -L -n'.
*) It looks like iptables on Ubuntu doesn't support multiport rules like 'iptables ... -m multiport --dports xx,xx,xx ...'. You can try replacing 'iptables-multiport' with 'iptables' (with one port number) in jail.local. If you still want to block multiple ports, use multiple 'iptables[xxx]' entries in jail.local instead.

3

Re: fail2ban's jail not functioning

ZhangHuangbin wrote:

*) Do you have any 'fail2ban-*' chains in iptables? You can check it with 'iptables -L -n'.

No, no fail2ban* chains exist:

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ZhangHuangbin wrote:

*) It looks like iptables on Ubuntu doesn't support multiport rules like 'iptables ... -m multiport --dports xx,xx,xx ...'. You can try replacing 'iptables-multiport' with 'iptables' (with one port number) in jail.local. If you still want to block multiple ports, use multiple 'iptables[xxx]' entries in jail.local instead.

I think Ubuntu supports multiport. Did you find anything specifically pointing out that it's not available on Ubuntu?

4

Re: fail2ban's jail not functioning

dorpha wrote:

I think Ubuntu supports multiport. Did you find anything specifically pointing out that it's not available on Ubuntu?

You can verify it with a command like the one below:

# iptables -A INPUT -p tcp -m multiport --dports 9999 -j DROP
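The check suggested in post 2 (look for `fail2ban-*` chains in `iptables -L -n`) can be scripted, which is useful when a server has many jails. The script below is an added example, not code from the thread or from the fail2ban or iRedMail projects; the two listings it ships with are constructed samples, one with no fail2ban chains (the situation in post 3) and one showing what a working `iptables-multiport` action leaves behind. The iptables match extension that action uses is spelled `multiport` (`-m multiport --dports ...`); the sample INPUT rule reflects that.

```shell
#!/bin/sh
# Added example, not from the thread: check an "iptables -L -n" listing for the
# chains fail2ban should have created, the way post 2 suggests doing by hand.
# Real use:   iptables -L -n | sh f2b_chains.sh /dev/stdin
# With no file argument it runs against the two constructed samples below.

# Constructed sample 1: no fail2ban chains at all, as in post 3.
SAMPLE_NO_CHAINS='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Constructed sample 2: what a working iptables-multiport action leaves behind:
# a jump from INPUT into fail2ban-sshd and one banned address inside that chain.
SAMPLE_OK='Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-sshd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain fail2ban-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# f2b_chains: names of all "Chain fail2ban-*" sections in listing $1
f2b_chains() {
    printf '%s\n' "$1" | awk '/^Chain fail2ban-/ { print $2 }'
}

# input_jumps_to: succeed if the INPUT chain has a rule whose target is chain $2
input_jumps_to() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { in_input = ($2 == "INPUT"); next }
        in_input && $1 == chain { found = 1 }
        END { exit found ? 0 : 1 }'
}

# banned_sources: source addresses with a REJECT/DROP rule inside chain $2
banned_sources() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && ($1 == "REJECT" || $1 == "DROP") { print $4 }'
}

# diagnose: one line per fail2ban chain; returns 1 when no chain exists, which
# is the symptom in this thread (the action that creates the chain failed or
# never ran, so fail2ban's bans have nowhere to land).
diagnose() {
    chains=$(f2b_chains "$1")
    if [ -z "$chains" ]; then
        echo "no fail2ban-* chains: check fail2ban.log for 'returned <rc>' action errors"
        return 1
    fi
    for c in $chains; do
        if input_jumps_to "$1" "$c"; then
            n=$(banned_sources "$1" "$c" | wc -l | tr -d ' ')
            echo "$c: jumped to from INPUT, $n banned source(s)"
        else
            echo "$c: exists but INPUT never jumps to it (rule insertion failed?)"
        fi
    done
}

if [ -n "$1" ]; then          # a saved or piped "iptables -L -n" listing
    diagnose "$(cat "$1")"
else                          # demo on the constructed samples
    diagnose "$SAMPLE_NO_CHAINS" || true
    diagnose "$SAMPLE_OK"
fi
```

The three states it distinguishes map onto three different failures: no chain at all means the action's start commands never succeeded; a chain that INPUT never jumps to means the chain was created but the INPUT rule insertion failed; a chain with zero banned sources is healthy but simply has nothing to ban yet.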