1

Topic: pregreet bans not showing in iptables

Hi,

I am seeing plenty of PREGREET bans in my /var/log/syslog, e.g.:

Nov 19 03:56:05 mx1 fail2ban.actions[15372]: NOTICE [postfix-pregreet-iredmail] Ban 88.119.221.196
Nov 19 03:58:11 mx1 fail2ban.actions[15372]: NOTICE [postfix-pregreet-iredmail] Ban 103.8.161.36
Nov 19 04:01:47 mx1 fail2ban.actions[15372]: NOTICE [postfix-pregreet-iredmail] Ban 129.213.228.12
Nov 19 04:11:24 mx1 fail2ban.actions[15372]: NOTICE [postfix-pregreet-iredmail] Ban 119.28.9.225
Nov 19 04:22:47 mx1 fail2ban.actions[15372]: NOTICE [postfix-pregreet-iredmail] Ban 89.96.151.178

However, when I show the contents of iptables (sudo iptables -n -L) I am not seeing any of these banned IP addresses listed.

Why is this?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): v0.9.8
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes v2.9.0
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

2

Re: pregreet bans not showing in iptables

Try to restart both iptables and fail2ban service, then check again.

3

Re: pregreet bans not showing in iptables

ZhangHuangbin wrote:

Try to restart both iptables and fail2ban service, then check again.

Same result:

ubuntu@ip-172-30-0-85:~$ sudo service iptables restart
ubuntu@ip-172-30-0-85:~$ sudo service fail2ban restart
ubuntu@ip-172-30-0-85:~$ tail -f -n 10000 /var/log/syslog | egrep ' Ban '
Nov 19 10:03:12 mx1 fail2ban.actions[20231]: NOTICE [postfix-iredmail] Ban 62.141.46.24
Nov 19 10:03:13 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 103.61.198.234
Nov 19 10:03:13 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 103.76.190.210
Nov 19 10:03:14 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 103.8.161.36
Nov 19 10:03:14 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 112.218.231.43
Nov 19 10:03:15 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 119.28.9.225
Nov 19 10:03:16 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 129.213.228.12
Nov 19 10:03:17 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 130.180.99.26
Nov 19 10:03:19 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 177.126.119.190
Nov 19 10:03:21 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 177.126.217.6
Nov 19 10:03:22 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 177.223.13.34
Nov 19 10:03:23 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 177.85.205.84
Nov 19 10:03:24 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 178.205.106.172
Nov 19 10:03:25 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 181.199.129.74
Nov 19 10:03:26 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 181.209.74.74
Nov 19 10:03:27 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 185.30.43.119
Nov 19 10:03:28 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 186.204.70.166
Nov 19 10:03:29 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 196.203.149.25
Nov 19 10:03:31 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 197.210.141.22
Nov 19 10:03:32 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 200.162.162.31
Nov 19 10:03:33 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 201.20.88.130
Nov 19 10:03:34 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 203.76.148.2
Nov 19 10:03:35 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 49.248.77.194
Nov 19 10:03:35 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 85.48.229.2
Nov 19 10:03:36 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 88.119.221.196
Nov 19 10:03:37 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 89.96.151.178
Nov 19 10:03:37 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 91.122.37.92
Nov 19 10:03:38 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 94.177.224.250
Nov 19 10:03:39 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 95.38.211.139
^C
ubuntu@ip-172-30-0-85:~$ sudo iptables -n -L
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-postfix-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,220,993,110,995
f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
f2b-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
f2b-roundcube  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
f2b-sshd-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-postfix (1 references)
target     prot opt source               destination
REJECT     all  --  62.141.46.24         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-roundcube (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
ubuntu@ip-172-30-0-85:~$

4

Re: pregreet bans not showing in iptables

Hi Zhang,

Furthermore, these are the error messages I'm seeing in SYSLOG when attempting to ban an IP address and add it to iptables:

Nov 19 11:08:05 mx1 postfix/postscreen[25301]: CONNECT from [177.23.196.127]:60809 to [172.30.0.85]:25
Nov 19 11:08:05 mx1 postfix/dnsblog[25302]: addr 177.23.196.127 listed by domain zen.spamhaus.org as 127.0.0.4
Nov 19 11:08:05 mx1 postfix/dnsblog[25302]: addr 177.23.196.127 listed by domain zen.spamhaus.org as 127.0.0.11
Nov 19 11:08:05 mx1 postfix/dnsblog[25302]: addr 177.23.196.127 listed by domain zen.spamhaus.org as 127.0.0.3
Nov 19 11:08:06 mx1 postfix/dnsblog[25303]: addr 177.23.196.127 listed by domain b.barracudacentral.org as 127.0.0.2
Nov 19 11:08:06 mx1 postfix/postscreen[25301]: PREGREET 44 after 0.7 from [177.23.196.127]:60809: EHLO acesso-196-127.infonetsolucoes.com.br\r\n
Nov 19 11:08:06 mx1 postfix/postscreen[25301]: DNSBL rank 4 for [177.23.196.127]:60809
Nov 19 11:08:06 mx1 fail2ban.filter[20231]: INFO [postfix-pregreet-iredmail] Found 177.23.196.127
Nov 19 11:08:07 mx1 fail2ban.actions[20231]: NOTICE [postfix-pregreet-iredmail] Ban 177.23.196.127
Nov 19 11:08:07 mx1 fail2ban.action[20231]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-pregreet-iredmail[ \t]' -- stdout: b''
Nov 19 11:08:07 mx1 fail2ban.action[20231]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-pregreet-iredmail[ \t]' -- stderr: b''
Nov 19 11:08:07 mx1 fail2ban.action[20231]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-pregreet-iredmail[ \t]' -- returned 1
Nov 19 11:08:07 mx1 fail2ban.CommandAction[20231]: ERROR Invariant check failed. Trying to restore a sane environment
Nov 19 11:08:07 mx1 fail2ban.action[20231]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 0:65535 -j f2b-postfix-pregreet-iredmail#012iptables -w -F f2b-postfix-pregreet-iredmail#012iptables -w -X f2b-postfix-pregreet-iredmail -- stdout: b''
Nov 19 11:08:07 mx1 fail2ban.action[20231]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 0:65535 -j f2b-postfix-pregreet-iredmail#012iptables -w -F f2b-postfix-pregreet-iredmail#012iptables -w -X f2b-postfix-pregreet-iredmail -- stderr: b"iptables v1.6.0: Invalid target name `f2b-postfix-pregreet-iredmail' (28 chars max)\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
Nov 19 11:08:07 mx1 fail2ban.action[20231]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 0:65535 -j f2b-postfix-pregreet-iredmail#012iptables -w -F f2b-postfix-pregreet-iredmail#012iptables -w -X f2b-postfix-pregreet-iredmail -- returned 1
Nov 19 11:08:07 mx1 fail2ban.actions[20231]: ERROR Failed to execute ban jail 'postfix-pregreet-iredmail' action 'iptables-multiport' info 'CallingMap({'failures': 1, 'matches': 'Nov 19 11:08:06 mx1 postfix/postscreen[25301]: PREGREET 44 after 0.7 from [177.23.196.127]:60809: EHLO acesso-196-127.infonetsolucoes.com.br\\r\\n', 'ip': '177.23.196.127', 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f40a32aebf8>, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f40a32aee18>, 'time': 1542589687.3732426, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f40a2e50158>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f40a32aed90>})': Error stopping action
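The stderr line above carries the actual cause: iptables v1.6.0 rejects `f2b-postfix-pregreet-iredmail` because a chain name may be at most 28 characters, and that name is 29. The jail therefore never gets its chain, the ban invariant check (`iptables -w -n -L INPUT | grep -q ...`) fails on every ban, and fail2ban tears down an environment that was never created, so the IPs never reach iptables even though the NOTICE Ban lines keep appearing. The script below is an added example, not the poster's file or anything from the fail2ban or iRedMail projects. It predicts the chain name for each jail from a jail.d file and flags any that iptables would reject. It assumes what the log shows: the chain is `f2b-<name>`, where `<name>` is the jail name unless the action line sets `name=...` (so `name=postfix` yields `f2b-postfix`). The sample jail file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, fail2ban or iRedMail): predict the
# iptables chain fail2ban's iptables-multiport action will create per jail
# and flag names over iptables' 28-character limit (the error in the log).
# Assumption: chain = "f2b-<name>", <name> = jail name unless name=... is set.

IPTABLES_CHAIN_MAX=28   # limit reported by iptables v1.6.0 in the error above

# f2b_chain_name JAIL ACTION_LINE -> prints the chain fail2ban would manage
f2b_chain_name() {
    jail=$1
    action=$2
    # prefer an explicit name=... inside the action's [...] parameters
    name=$(printf '%s' "$action" | sed -n 's/.*name=\([^],]*\).*/\1/p')
    [ -n "$name" ] || name=$jail
    printf 'f2b-%s\n' "$name"
}

# check_chain_len CHAIN -> 0 if the chain fits, 1 if iptables would reject it
check_chain_len() {
    chain=$1
    len=${#chain}
    if [ "$len" -gt "$IPTABLES_CHAIN_MAX" ]; then
        printf 'TOO LONG (%d > %d): %s\n' "$len" "$IPTABLES_CHAIN_MAX" "$chain" >&2
        return 1
    fi
    printf 'ok (%d): %s\n' "$len" "$chain"
}

# check_jail_file FILE -> checks every [jail] with an action= line;
# returns 1 if any predicted chain name is too long
check_jail_file() {
    tab=$(printf '\t')
    pairs=$(mktemp)
    # emit "jail<TAB>action value" per section; indented continuation lines
    # such as "%(action_mwl)s" are skipped because they carry no name=
    awk '
        /^\[.*\]/ { sub(/^\[/, ""); sub(/\].*$/, ""); jail = $0; next }
        /^[[:space:]]*action[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print jail "\t" $0
        }
    ' "$1" > "$pairs"
    rc=0
    while IFS=$tab read -r jail action; do
        check_chain_len "$(f2b_chain_name "$jail" "$action")" || rc=1
    done < "$pairs"
    rm -f "$pairs"
    return $rc
}

# sample_jail_file -> writes a constructed jail.d file (not the poster's real
# one) and prints its path: one jail without name=, one with name=postfix
sample_jail_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[postfix-pregreet-iredmail]
enabled     = true
filter      = postfix-pregreet.iredmail
logpath     = /var/log/maillog
maxretry    = 1
action      = iptables-multiport[port="25", protocol=tcp]
              %(action_mwl)s

[postfix-iredmail]
enabled     = true
action      = iptables-multiport[name=postfix, port="25,587", protocol=tcp]
EOF
    printf '%s\n' "$f"
}

# demo run: the first jail is reported as 29 > 28, the second passes
sample=$(sample_jail_file)
check_jail_file "$sample" || echo "shorten the jail name or set name=... in the action line"
rm -f "$sample"
```

Running it against a real `/etc/fail2ban/jail.d/*.local` (`check_jail_file /etc/fail2ban/jail.d/postfix-pregreet.local`) gives an immediate answer to the question in the thread without waiting for a ban to fail; the same check is worth repeating whenever a jail is added or renamed, since fail2ban only surfaces the problem as an ERROR buried after a NOTICE Ban line.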

5

Re: pregreet bans not showing in iptables

Could you show me the full content of the file /etc/fail2ban/jail.d/postfix-pregreet.local?

I expect "name=postfix" in the "action =" line like below; do you have this?

action      = ...[name=postfix, ...]

6

Re: pregreet bans not showing in iptables

[postfix-pregreet-iredmail]
enabled     = true
filter      = postfix-pregreet.iredmail
logpath     = /var/log/maillog tail
maxretry    = 1
action      = iptables-multiport[name=postfix, port="25", protocol=tcp]
                %(action_mwl)s

ZhangHuangbin wrote:

Could you show me the full content of the file /etc/fail2ban/jail.d/postfix-pregreet.local?

I expect "name=postfix" in the "action =" line like below; do you have this?

action      = ...[name=postfix, ...]

7

Re: pregreet bans not showing in iptables

rschilt wrote:

action      = iptables-multiport[name=postfix, port="25", protocol=tcp]
                %(action_mwl)s

Does it work if you remove your custom action "action_mwl"?

8 (edited by rschilt 2018-11-23 16:37:54)

Re: pregreet bans not showing in iptables

Zhang,

That's how it was installed by you when you did the iRedAdmin-Pro upgrade for me.

But I will do as you suggest and report back.

Some time later.... YES! It is now banning IP addresses picked up by the pregreet rule.

Any suggestions on how to get the email action back?

Regards,

Robert

9

Re: pregreet bans not showing in iptables

I really cannot remember what the "action_mwl" is. sad

10

Re: pregreet bans not showing in iptables

sad

11

Re: pregreet bans not showing in iptables

Do you have file /etc/fail2ban/action.d/action_mwl.conf?