Topic: Fail2ban not stopping SSH Connections
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: CentOS release 6.7 (Final)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? (Free Version)
- Related log if you're reporting an issue:
====
Hello
I have noticed that I am getting a lot of login attempts and these addresses are not being blocked by Fail2ban. I have restarted my iptables and fail2ban services, but these login attempts are still not being blocked. Please find below my messages log after the fail2ban restart, as well as the output from "iptables -L -n".
Any advice would be appreciated.
/var/log/messages
***********************
Apr 12 12:51:24 sv2 fail2ban.server[23122]: INFO Stopping all jails
Apr 12 12:51:25 sv2 fail2ban.jail[23122]: INFO Jail 'dovecot-iredmail' stopped
Apr 12 12:51:26 sv2 fail2ban.jail[23122]: INFO Jail 'roundcube-iredmail' stopped
Apr 12 12:51:27 sv2 fail2ban.action[23122]: ERROR iptables -D INPUT -p tcp -j f2b-default#012iptables -F f2b-default#012iptables -X f2b-default -- stdout: ''
Apr 12 12:51:27 sv2 fail2ban.action[23122]: ERROR iptables -D INPUT -p tcp -j f2b-default#012iptables -F f2b-default#012iptables -X f2b-default -- stderr: 'iptables: Too many links.\n'
Apr 12 12:51:27 sv2 fail2ban.action[23122]: ERROR iptables -D INPUT -p tcp -j f2b-default#012iptables -F f2b-default#012iptables -X f2b-default -- returned 1
Apr 12 12:51:27 sv2 fail2ban.actions[23122]: ERROR Failed to stop jail 'sshd' action 'iptables-allports': Error stopping action
Apr 12 12:51:27 sv2 fail2ban.jail[23122]: INFO Jail 'sshd' stopped
Apr 12 12:51:27 sv2 fail2ban.jail[23122]: INFO Jail 'postfix-iredmail' stopped
Apr 12 12:51:28 sv2 fail2ban.jail[23122]: INFO Jail 'sshd-ddos' stopped
Apr 12 12:51:28 sv2 fail2ban.server[23122]: INFO Exiting Fail2ban
Apr 12 12:51:28 sv2 fail2ban.server[23205]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.3
Apr 12 12:51:28 sv2 fail2ban.database[23205]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Apr 12 12:51:28 sv2 fail2ban.jail[23205]: INFO Creating new jail 'sshd'
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Jail 'sshd' uses pyinotify
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Initiated 'pyinotify' backend
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Added logfile = /var/log/secure
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set maxRetry = 5
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.actions[23205]: INFO Set banTime = 7200
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set findtime = 3600
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set maxlines = 10
Apr 12 12:51:29 sv2 fail2ban.server[23205]: INFO Jail sshd is not a JournalFilter instance
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Creating new jail 'sshd-ddos'
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Jail 'sshd-ddos' uses pyinotify
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Initiated 'pyinotify' backend
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Added logfile = /var/log/secure
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set maxRetry = 5
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.actions[23205]: INFO Set banTime = 7200
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set findtime = 3600
Apr 12 12:51:29 sv2 fail2ban.server[23205]: INFO Jail sshd-ddos is not a JournalFilter instance
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Creating new jail 'roundcube-iredmail'
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Jail 'roundcube-iredmail' uses pyinotify
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Initiated 'pyinotify' backend
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Added logfile = /var/log/maillog
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set maxRetry = 5
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.actions[23205]: INFO Set banTime = 7200
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set findtime = 3600
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Creating new jail 'dovecot-iredmail'
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Jail 'dovecot-iredmail' uses pyinotify
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:29 sv2 fail2ban.jail[23205]: INFO Initiated 'pyinotify' backend
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Added logfile = /var/log/dovecot.log
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set maxRetry = 5
Apr 12 12:51:29 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:30 sv2 fail2ban.actions[23205]: INFO Set banTime = 7200
Apr 12 12:51:30 sv2 fail2ban.filter[23205]: INFO Set findtime = 3600
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Creating new jail 'postfix-iredmail'
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Jail 'postfix-iredmail' uses pyinotify
Apr 12 12:51:30 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Initiated 'pyinotify' backend
Apr 12 12:51:30 sv2 fail2ban.filter[23205]: INFO Added logfile = /var/log/maillog
Apr 12 12:51:30 sv2 fail2ban.filter[23205]: INFO Set maxRetry = 5
Apr 12 12:51:30 sv2 fail2ban.filter[23205]: INFO Set jail log file encoding to UTF-8
Apr 12 12:51:30 sv2 fail2ban.actions[23205]: INFO Set banTime = 7200
Apr 12 12:51:30 sv2 fail2ban.filter[23205]: INFO Set findtime = 3600
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Jail 'sshd' started
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Jail 'sshd-ddos' started
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Jail 'roundcube-iredmail' started
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Jail 'dovecot-iredmail' started
Apr 12 12:51:30 sv2 fail2ban.jail[23205]: INFO Jail 'postfix-iredmail' started
iptables -L -n
*****************
Chain INPUT (policy DROP)
target prot opt source destination
f2b-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
f2b-dovecot tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
f2b-roundcube tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0
f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-default (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-dovecot (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-postfix (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-roundcube (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
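An added example, not part of the original post: a small audit of `iptables -L -n` output that reports, for each `f2b-` chain, its reference count, its jump rules in INPUT, and how many ban rules (anything other than RETURN) it holds. The function names are hypothetical and the sample is a trimmed copy of the listing above; a chain with more than one reference is flagged because the stop action in the log issues one `-D` before `-X`, and `-X` fails with "Too many links" while a reference remains.

```python
import re

# Constructed sample: trimmed copy of the "iptables -L -n" listing in the post.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
f2b-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0
f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain f2b-default (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-postfix (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy [^)]*|(\d+) references)\)")

def parse_chains(listing):
    """Map chain name -> {"refs": int or None, "rules": [target, ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            refs = int(m.group(2)) if m.group(2) else None
            chains[current] = {"refs": refs, "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            chains[current]["rules"].append(line.split()[0])
    return chains

def audit_f2b(listing, prefix="f2b-"):
    """Summarise every fail2ban chain; 'duplicate' means more than one reference."""
    chains = parse_chains(listing)
    input_rules = chains.get("INPUT", {"rules": []})["rules"]
    report = {}
    for name, info in chains.items():
        if name.startswith(prefix):
            bans = sum(1 for t in info["rules"] if t != "RETURN")
            report[name] = {"refs": info["refs"], "bans": bans,
                            "input_jumps": input_rules.count(name),
                            "duplicate": (info["refs"] or 0) > 1}
    return report

if __name__ == "__main__":
    for chain, summary in sorted(audit_f2b(SAMPLE).items()):
        print(chain, summary)
```

To check a live host, pass the text of `iptables -L -n` to `audit_f2b` instead of `SAMPLE`.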