1 (edited by Jochen 2020-05-25 22:54:15)

Topic: Banned Users list

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2.1
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version:  Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGinx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi,

I like the support for listing IPs banned by fail2ban in iRedAdmin-Pro, but I would like to see another column holding the fqdn of the banned ip. This would help to identify valid users having problems logging in to the server...

Can we have a function to whitelist IPs as well, please?

Thanks for consideration, regards

Jochen

2

Re: Banned Users list

Jochen wrote:

I would like to see another column holding the fqdn of the banned ip.

This seems impossible based on my experience:

- not all matched log lines contain a FQDN
- Fail2ban filters (/etc/fail2ban/filter.d/*) don't match/extract FQDN by default

Instead, Fail2ban offers an option to send you the full log line which matches the filter. I guess this is enough for you? But inserting an untrusted log line into the SQL db may cause SQL injection.

Jochen wrote:

Can we have a function to whitelist IPs as well, please?

Fail2ban doesn't query whitelisted IP from SQL db.

3

Re: Banned Users list

ZhangHuangbin wrote:
Jochen wrote:

I would like to see another column holding the fqdn of the banned ip.

This seems impossible based on my experience:

- not all matched log lines contain a FQDN
- Fail2ban filters (/etc/fail2ban/filter.d/*) don't match/extract FQDN by default

Instead, Fail2ban offers an option to send you the full log line which matches the filter. I guess this is enough for you? But inserting an untrusted log line into the SQL db may cause SQL injection.

How do you get the country of an IP? Does Fail2Ban provide this info? You could always query DNS yourself to obtain the FQDN. The cron job running each minute could do this...

Fail2Ban actions offer a way to query whois to get an abuse account to send mail to. Perhaps this could also be used?

Thanks
Jochen

4

Re: Banned Users list

Jochen wrote:

How do you get the country of an IP? Does Fail2Ban provide this info?

No. The script offered by iRedMail (/usr/local/bin/fail2ban_banned_db) calls "geoiplookup/geoiplookup6" to query the country name (locally).

Jochen wrote:

You could always query DNS yourself to obtain the FQDN. The cron job running each minute could do this...
Fail2Ban actions offer a way to query whois to get an abuse account to send mail to. Perhaps this could also be used?

It's possible to run command like "dig +short -x <BANNED_IP>" to get the reverse DNS name.

With the latest iRedMail development edition, action "banned_db" now stores matched log lines in the SQL database and the global admin can view the log lines in the "Banned IP Addresses" page in iRedAdmin-Pro. Do we still need the reverse DNS name?
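An added example, not iRedMail's own fail2ban_banned_db script, tying together the two points above: the reverse lookup that "dig +short -x <BANNED_IP>" performs, and storing the matched log lines with a parameterised INSERT so an untrusted log line cannot become SQL. It assumes an in-memory SQLite table as a stand-in for the MySQL table and a pluggable resolver so it runs offline; the sample log lines are constructed.

```python
import re
import socket
import sqlite3
from typing import Callable, Iterable, Optional

# Constructed sample of sshd lines in the form fail2ban's sshd filter matches; the
# third line is deliberately crafted with quote characters to show that a
# parameterised INSERT treats the whole log line as data, never as SQL.
SAMPLE_LOGLINES = [
    "Jun 8 18:54:14 post sshd[3248]: Failed password for root from 192.0.2.10 port 49594 ssh2",
    "Jun 8 19:03:24 post sshd[7850]: Failed password for root from 192.0.2.10 port 56096 ssh2",
    "Jun 8 19:05:01 post sshd[7901]: Invalid user x'); DROP TABLE banned; -- from 192.0.2.10 port 1",
]

RHOST_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def ptr_lookup(ip: str) -> str:
    # System resolver, the equivalent of `dig +short -x <ip>`.
    return socket.gethostbyaddr(ip)[0]

def reverse_dns(ip: str, resolver: Callable[[str], str] = ptr_lookup) -> Optional[str]:
    """Return the PTR name, or None when the IP has none (a missing PTR is not an error)."""
    try:
        return resolver(ip)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def init_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for the MySQL table written by the banned_db action (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banned (id INTEGER PRIMARY KEY, ip TEXT, jail TEXT,"
                 " rdns TEXT, loglines TEXT)")
    return conn

def record_ban(conn: sqlite3.Connection, ip: str, jail: str, loglines: Iterable[str],
               resolver: Callable[[str], str] = ptr_lookup) -> tuple:
    """Store a ban with its reverse DNS name and only the log lines that name that IP."""
    matched = []
    for line in loglines:
        m = RHOST_RE.search(line)
        if m and m.group(1) == ip:
            matched.append(line)
    rdns = reverse_dns(ip, resolver)
    # Placeholders, never string formatting: the untrusted log text is bound as a value.
    conn.execute("INSERT INTO banned (ip, jail, rdns, loglines) VALUES (?, ?, ?, ?)",
                 (ip, jail, rdns, "\n".join(matched)))
    conn.commit()
    return len(matched), rdns
```

With the default resolver the script performs a real PTR lookup; the lookup failure path returns None so a ban is still recorded for addresses without reverse DNS.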

5

Re: Banned Users list

ZhangHuangbin wrote:

With the latest iRedMail development edition, action "banned_db" now stores matched log lines in the SQL database and the global admin can view the log lines in the "Banned IP Addresses" page in iRedAdmin-Pro. Do we still need the reverse DNS name?

Yes, because I would not need to go to the terminal to check the reverse host name

6

Re: Banned Users list

It's implemented in the latest development edition of iRedMail and iRedMail Easy, you will get it in the next release.

7

Re: Banned Users list

ZhangHuangbin wrote:

It's implemented in the latest development edition of iRedMail and iRedMail Easy, you will get it in the next release.

Cool! Thanks

8

Re: Banned Users list

Screenshot: https://imgur.com/a/SKegwnp

https://i.imgur.com/xSFdXIS.png

9

Re: Banned Users list

hi Jochen,

Could you try to apply the changes to help test this feature? While downloading the file from GitHub, please replace the (iRedMail) version number "1.3" by "master" for now.
https://docs.iredmail.org/upgrade.iredm … n-sql-db_1

We will improve iRedAdmin-Pro to display reverse DNS name later, you will get it soon.

10

Re: Banned Users list

ZhangHuangbin wrote:

Could you try to apply the changes to help test this feature? While downloading the file from GitHub, please replace the (iRedMail) version number "1.3" by "master" for now.
https://docs.iredmail.org/upgrade.iredm … n-sql-db_1

I will give it a try over the weekend.

11

Re: Banned Users list

Jochen wrote:
ZhangHuangbin wrote:

Could you try to apply the changes to help test this feature? While downloading the file from GitHub, please replace the (iRedMail) version number "1.3" by "master" for now.
https://docs.iredmail.org/upgrade.iredm … n-sql-db_1

I will give it a try over the weekend.

Hi,

Works like a charm. rDNS names are showing up in the table, as well as quite a number of log lines. I find this idea really interesting, but I guess that needs a bit of formatting in the frontend...

       id: 8985
       ip: 80.211.98.67
    ports: 22
 protocol: tcp
     jail: sshd
 hostname: ####
  country: IT, Italy
timestamp: 2020-06-08 17:38:33
   remove: 0
 failures: 56
 loglines: Jan 22 15:41:16 post sshd[13968]: Invalid user aaron from 80.211.98.67 port 35306 Jan 22 15:41:16 post sshd[13968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 16:42:21 post sshd[25081]: Invalid user yamamoto from 80.211.98.67 port 55850 Jan 22 16:42:22 post sshd[25081]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 16:42:24 post sshd[25081]: Failed password for invalid user yamamoto from 80.211.98.67 port 55850 ssh2 Jan 22 16:45:31 post sshd[25792]: Invalid user seb from 80.211.98.67 port 56924 Jan 22 16:45:31 post sshd[25792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 17:46:13 post sshd[4951]: Invalid user ramesh from 80.211.98.67 port 49264 Jan 22 17:46:13 post sshd[4951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 17:46:16 post sshd[4951]: Failed password for invalid user ramesh from 80.211.98.67 port 49264 ssh2 Jan 22 17:49:28 post sshd[5519]: Invalid user postgres from 80.211.98.67 port 50344 Jan 22 17:49:28 post sshd[5519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 18:50:59 post sshd[16708]: Invalid user liam from 80.211.98.67 port 42634 Jan 22 18:50:59 post sshd[16708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 18:51:01 post sshd[16708]: Failed password for invalid user liam from 80.211.98.67 port 42634 ssh2 Jan 22 18:54:12 post sshd[17236]: Invalid user storage from 80.211.98.67 port 43712 Jan 22 18:54:12 post sshd[17236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 19:54:57 post sshd[28189]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 
user=mysql Jan 22 19:54:59 post sshd[28189]: Failed password for mysql from 80.211.98.67 port 36046 ssh2 Jan 22 19:58:08 post sshd[28721]: Invalid user tm from 80.211.98.67 port 37128 Jan 22 19:58:08 post sshd[28721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jan 22 19:58:10 post sshd[28721]: Failed password for invalid user tm from 80.211.98.67 port 37128 ssh2 Mar 18 08:17:39 post sshd[4340]: Invalid user zhangshihao from 80.211.98.67 port 50546 Mar 18 08:17:39 post sshd[4340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Mar 18 08:17:40 post sshd[4340]: Failed password for invalid user zhangshihao from 80.211.98.67 port 50546 ssh2 Mar 18 08:24:54 post sshd[5619]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 user=root Mar 18 08:24:56 post sshd[5619]: Failed password for root from 80.211.98.67 port 58492 ssh2 Mar 18 09:27:51 post sshd[17072]: Invalid user jomar from 80.211.98.67 port 51380 Mar 18 09:27:51 post sshd[17072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Mar 18 09:27:53 post sshd[17072]: Failed password for invalid user jomar from 80.211.98.67 port 51380 ssh2 Mar 18 09:31:38 post sshd[17784]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 user=root Mar 18 09:31:40 post sshd[17784]: Failed password for root from 80.211.98.67 port 36018 ssh2 Mar 22 09:32:13 post sshd[6300]: Invalid user vv from 80.211.98.67 port 46720 Mar 22 09:32:13 post sshd[6300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Mar 22 09:32:15 post sshd[6300]: Failed password for invalid user vv from 80.211.98.67 port 46720 ssh2 Mar 22 09:41:50 post sshd[7932]: Invalid user libuuid from 80.211.98.67 port 48984 Mar 22 09:41:50 post sshd[7932]: 
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Mar 22 10:43:46 post sshd[18419]: Invalid user andra from 80.211.98.67 port 34522 Mar 22 10:43:46 post sshd[18419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Mar 22 10:43:48 post sshd[18419]: Failed password for invalid user andra from 80.211.98.67 port 34522 ssh2 Mar 22 10:47:48 post sshd[18935]: Invalid user user9 from 80.211.98.67 port 53034 Mar 22 10:47:48 post sshd[18935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Apr 17 18:24:02 post sshd[27586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 user=root Apr 17 18:24:05 post sshd[27586]: Failed password for root from 80.211.98.67 port 36240 ssh2 Apr 17 18:36:15 post sshd[29761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 user=root Apr 17 18:36:17 post sshd[29761]: Failed password for root from 80.211.98.67 port 54408 ssh2 Apr 17 18:39:48 post sshd[30499]: Invalid user docker from 80.211.98.67 port 33176 Apr 17 18:39:48 post sshd[30499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.98.67 Jun 8 18:54:14 post sshd[3248]: Failed password for root from 80.211.98.67 port 49594 ssh2 Jun 8 19:03:24 post sshd[7850]: Failed password for root from 80.211.98.67 port 56096 ssh2
     rdns: host67-98-211-80.serverdedicati.aruba.it

12

Re: Banned Users list

No formatting in upcoming iRedAdmin-Pro release, maybe next release.

13

Re: Banned Users list

UPDATE: log lines will be formatted in the upcoming release, one log line per line.