1

Topic: fail2ban blocked IPs

Hi,

I had a client who has an email account on my server who couldn't log in. I was blaming his setup, but in the end I found out his IP was on the fail2ban-dovecot block list in iptables.
I removed it from there with
iptables -L --line-numbers
and then
iptables -D fail2ban-dovecot 1

then saved iptables, but it came back after a while.

I now removed dovecot.log because I thought maybe fail2ban is reading dovecot.log and recreates the block...

Is there anything else I can do to be sure he is not blocked anymore?
Is there any way to see if there are any IPs on the iptables blocklist?
Is there a way to control that in the iRedMail Pro backend? (Haven't found any way, so I guess not?)
Maybe the possibility of a notification in case of blocked IPs would be good?

thanks!
Michael

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro? YES
- Related log if you're reporting an issue:
====


2

Re: fail2ban blocked IPs

*) Don't remove /var/log/dovecot.log. Please create it again.
*) You should figure out why this client was blocked first. Please check the Dovecot log file to see what happened before it was blocked. Any duplicate error messages? Then compare the error message with the Fail2ban filters defined in /etc/fail2ban/filter.d/dovecot.iredmail.conf.

*) You can update /etc/fail2ban/jail.local like below to get an email notification when an IP is banned:

[postfix-iredmail]
...
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=Postfix, dest=user@domaim.com, sender=root]
...

With the 'sendmail[...]' line, Fail2ban will notify you via email.

3

Re: fail2ban blocked IPs

Yes, I know, I didn't remove dovecot.log but cleared it. Sorry for my wrong explanation of what I did.

The client was blocked because of too many unsuccessful authentication requests - probably because when he set it up he had a wrong local setup, or he used the wrong credentials, or missed some switch in his configuration - and then he left it unchanged, so his mail program would try to login/authenticate a lot of times unsuccessfully...
He said though that after 4-5 hours, messages would eventually even arrive... strange behaviour if he was blocked all the time in iptables...

Your tip to modify /etc/fail2ban/filter.d/dovecot.iredmail.conf:
There isn't much content in there and I wouldn't want to modify that - it just has all the filters that are enabled, but I don't want to switch off a filter - just restart the error tracking for that IP...
So far, after 3 hours now, it seems the IP is not back on the list. Let's see what happens when the user tries to log in again.


I updated jail.local to get an email notification - thanks for that tip.

4

Re: fail2ban blocked IPs

It seems that I have frequent blocks on various IPs - not sure what to do to avoid blocking normal users from accessing the server....
It seems that it is always due to 5 wrong authentication attempts...

Should I raise that number somehow?

5

Re: fail2ban blocked IPs

You should figure out why this client was blocked. Please check the Dovecot log file to see what happened before it was blocked. Any duplicate error messages? Then compare the error message with the Fail2ban filters defined in /etc/fail2ban/filter.d/dovecot.iredmail.conf; you can consider removing this filter temporarily or permanently.

6

Re: fail2ban blocked IPs

ZhangHuangbin wrote:

*) You can update /etc/fail2ban/jail.local like below to get an email notification when an IP is banned:

[postfix-iredmail]
...
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=Postfix, dest=user@domaim.com, sender=root]
...

With the 'sendmail[...]' line, Fail2ban will notify you via email.

Hi ZhangHuangbin,

How can I make this setting in fail2ban (in CentOS 7), to be notified by email when an IP is banned?

My config /etc/fail2ban/jail.local is different:

[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime    = 3600
bantime     = 3600
maxretry    = 5
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
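Added example (not code from this thread or from the iRedMail project): a small Python replay of Fail2ban's findtime/maxretry/bantime counting, using the [DEFAULT] values quoted above, over constructed Dovecot log lines. The failure regex, the log lines, the IPs and the year are assumptions; what it shows is that a ban is driven by failures that keep arriving in the log, which is why a rule deleted from iptables by hand comes back while the client's mail program still retries with a stale password, and why the limit of 5 attempts from post 4 trips so easily.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failure pattern in the spirit of a Dovecot failregex (not the exact
# iRedMail filter): an imap/pop3 login failure that ends with "rip=<client IP>".
FAILREGEX = re.compile(r"(?:imap|pop3)-login: .*?(?:auth failed|Authentication failure)"
                       r".*?rip=(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
# Syslog timestamp at the start of each line; syslog omits the year, so one is assumed.
LOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")

def simulate_jail(log_lines, findtime=3600, maxretry=5, bantime=3600, year=2016):
    """Fail2ban-style counting: a host is banned once it has `maxretry` failures inside
    a sliding `findtime` window; failures during an active ban are ignored and the
    counter restarts afterwards, so the host can be banned again. Returns {ip: [ban times]}."""
    hits, banned_until, bans = defaultdict(deque), {}, defaultdict(list)
    for line in log_lines:
        m_ts, m = LOG_TS.match(line), FAILREGEX.search(line)
        if not (m_ts and m):
            continue  # successful logins and unrelated lines never count
        ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["host"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: the packets are dropped, nothing to re-ban
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return dict(bans)

def banned_ips(log_lines, **jail):
    return sorted(simulate_jail(log_lines, **jail))

# Constructed sample: a mail client with a stale password retrying every minute
# (203.0.113.7), a user with a few scattered typos (198.51.100.77), one good login.
_FAIL = ("{t} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
         "user=<bob@example.com>, method=PLAIN, rip={ip}, lip=198.51.100.2, TLS")
SAMPLE_LOG = [_FAIL.format(t="Mar  1 " + t, ip="203.0.113.7") for t in (
    "10:00:01", "10:01:05", "10:02:10", "10:03:15", "10:04:20", "10:30:00",
    "11:10:00", "11:11:00", "11:12:00", "11:13:00", "11:14:00")]
SAMPLE_LOG += [_FAIL.format(t="Mar  1 " + t, ip="198.51.100.77")
               for t in ("10:05:00", "10:40:00", "11:30:00")]
SAMPLE_LOG.append("Mar  1 10:06:00 mail dovecot: imap-login: Login: user=<alice@example.com>,"
                  " method=PLAIN, rip=192.0.2.5, lip=198.51.100.2, TLS")
```

With the defaults the retrying client is banned at 10:04:20, sits out the one-hour bantime, and is banned again at 11:14:00 as soon as its next five failures land; the user with three scattered typos never reaches maxretry.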

7

Re: fail2ban blocked IPs

gilvancn wrote:

My config /etc/fail2ban/jail.local is different:

You should add it in files under /etc/fail2ban/jail.d/