1

Topic: Upgrade and ssh ban forever and fail2ban.log empty

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? Downloaded installer
- Linux/BSD distribution name and version: CentOS 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Good evening experts,

It has taken me two weeks, but I have successfully removed myself from Zimbra over to iRedMail.  Thank you for such a fantastic product.  If I may, I have a few questions ...

Upgrade:  Based upon what I just read on these forums, I should have installed iRedMail Easy as it performs the upgrades automatically?  Is that the case?  And if so, can I easily upgrade from the downloaded installer to iRedMail Easy?  Any tutorials available?  I am not an expert so it would have to be a fairly straightforward how-to document.  If I mess anything up my business's emails could be lost (all 4 years of them).

ssh:  I have fail2ban running on all of my servers and it's a fantastic product, so I was happy to find that it's installed as part of iRedMail.  However, I would prefer that IP addresses that make multiple attempts to ssh in to the server be banned forever.  I added "bantime = 0" to /etc/fail2ban/jail.d/sshd.local and restarted fail2ban.  Not only does this not seem to work but now /var/log/fail2ban.log has been empty since that change.  I have removed that entry and restarted and it's still not working.

fail2ban.log:  As stated above the /var/log/fail2ban.log file is always empty.  I send this file to my email nightly so I can see what is going on with all of my servers.  This is working perfectly on all 5 of my other servers, but not this one.

Please advise.

Respectfully,

Martin

2

Re: Upgrade and ssh ban forever and fail2ban.log empty

CotillionGardens wrote:

It has taken me two weeks, but I have successfully removed myself from Zimbra over to iRedMail.  Thank you for such a fantastic product.

Welcome to iRedMail world. :)

CotillionGardens wrote:

Upgrade:  Based upon what I just read on these forums, I should have installed iRedMail Easy as it performs the upgrades automatically?  Is that the case?

With the downloadable iRedMail installer, you have to upgrade manually by following our upgrade tutorials:
https://docs.iredmail.org/iredmail.releases.html

With the iRedMail Easy platform, you can just add the ssh key and click the “Upgrade” button to finish the upgrade; there are no other technical details you need to care about.

Either is OK, it depends on your preference. Note: you get a one-month free trial after signing up to the iRedMail Easy platform; after the free trial either a monthly or annual subscription is required to use the upgrade / deployment feature and the ticket support system.

CotillionGardens wrote:

can I easily upgrade from the downloaded installer to iRedMail Easy?  Any tutorials available?

Tutorial here:
https://docs.iredmail.org/migrate.to.iredmail.easy.html

About the fail2ban issue, it seems weird; please try turning on debug mode in fail2ban and check its log file.

3

Re: Upgrade and ssh ban forever and fail2ban.log empty

Thank you for all of the information.  After troubleshooting this for hours and then posting here, I continued to bang on it until I found out that I hadn't used the correct bantime setting in /etc/fail2ban/jail.d/sshd.local.  It should have been bantime = -1, not 0.

Upon restarting fail2ban the /var/log/fail2ban.log file was once again working as it should.  Whew!

I will definitely read through all of the links that you have provided.

By the way ... Is there a way to add a new user via an automated PHP script?  I have another dot com business that is still running a Zimbra instance and I'm eager to get off of it.  But I need a way to add users via a PHP script if at all possible.

Respectfully,

Martin

4

Re: Upgrade and ssh ban forever and fail2ban.log empty

Just bought you a cup of coffee.

Receipt number: 6W927943UP139452L

Martin

5 (edited by CotillionGardens 2021-04-15 16:48:31)

Re: Upgrade and ssh ban forever and fail2ban.log empty

One more question please ...

The ClamAV antivirus database files are not being updated.  Was the clamav-freshclam.service not enabled by design?  Should we be using a cron job and just run freshclam ourselves?

Thank you again.

Martin

6

Re: Upgrade and ssh ban forever and fail2ban.log empty

On CentOS 7 and 8, the clamav packages did not offer a “clamav-freshclam” service but used a daily cron job to update the database; newer clamav packages remove the cron job and introduce the “clamav-freshclam” service.

I should mention this in iRedMail upgrade tutorial. Will fix it soon.

7

Re: Upgrade and ssh ban forever and fail2ban.log empty

CotillionGardens wrote:

Is there a way to add a new user via an automated PHP script?

You can find the SQL commands used to create new accounts here: https://docs.iredmail.org/

Then write your own PHP script to execute the commands.

CotillionGardens wrote:

Just bought you a cup of coffee.

Thank you very much. :)

8

Re: Upgrade and ssh ban forever and fail2ban.log empty

Apologies for continuing to have fail2ban.log issues ... It appears that after logrotate the fail2ban.log no longer works.  I have once again tried restarting fail2ban and still no updates to the log file.  Here are the settings that I use on all of my other CentOS 7 and CentOS 8 servers ...

File /etc/logrotate.d/fail2ban:

/var/log/fail2ban.log {
    daily
    rotate 7
    missingok
    nocompress
    create 0600 root root
    postrotate
      /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
    endscript
}

Suggestions please?  And I'm not even sure that fail2ban is working.  You should see my server log.  It's a nightmare ...

Failed logins from:
   2.50.139.116: 19 times
   5.188.206.98: 1 time
   5.188.206.100: 1 time
   5.188.206.101: 1 time
   23.129.64.244: 1 time
   36.72.214.140: 13 times
   81.161.63.253: 3 times
   113.23.25.99: 19 times
   182.18.217.137: 9 times
   187.189.153.13 (fixed-187-189-153-13.totalplay.net): 18 times
   189.27.199.133 (189.27.199.133.dynamic.adsl.gvt.net.br): 19 times
   205.185.117.149 (tor-exit.greektor.net): 1 time
   206.190.239.224 (206.190.239.224.16clouds.com): 37 times
   211.36.141.104: 33 times
   211.36.141.132: 33 times

Illegal users from:
   2.50.139.116: 250 times
   5.151.118.158: 1 time
   5.188.206.54: 2 times
   5.188.206.98: 1 time
   5.188.206.99: 2 times
   5.188.206.100: 1 time
   5.188.206.101: 1 time
   5.188.206.102: 2 times
   36.72.214.140: 265 times
   45.153.160.132: 1 time
   65.49.20.67 (scan-18.shadowserver.org): 1 time
   88.127.172.137 (9lm33-1_migr-88-127-172-137.fbx.proxad.net): 2 times
   113.23.25.99: 158 times
   178.20.55.18 (marcuse-2.nos-oignons.net): 1 time
   182.18.217.137: 147 times
   185.220.102.6 (185-220-102-6.torservers.net): 1 time
   187.189.153.13 (fixed-187-189-153-13.totalplay.net): 271 times
   189.27.199.133 (189.27.199.133.dynamic.adsl.gvt.net.br): 235 times
   194.165.16.89: 2 times
   206.190.239.224 (206.190.239.224.16clouds.com): 34 times
   209.127.17.234: 1 time
   211.36.141.104: 32 times
   211.36.141.132: 32 times

It should never be allowing more than 5 attempts based upon the settings that I see in the .local files.  I'm desperate to secure this server.  As was requested in the documentation, I started with a fresh virtual machine, didn't add anything at all, and ran the iRedMail install.

I'd very much appreciate any suggestions.

Respectfully,

Martin
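
The following is an added example, not code from this thread or from the iRedMail project. It re-implements in plain Python the two fail2ban behaviours this thread turns on: how the bantime value is interpreted (post 3 found that -1, not 0, is the permanent ban) and the maxretry/findtime sliding window that decides when an address is banned, which is why a day's log summary can show hundreds of failures from one address even though maxretry is 5 when the ban only lasts ten minutes. The jail file text and the sshd log lines are constructed sample data (RFC 5737 documentation addresses); the log regex and the window logic are simplifications of fail2ban's own sshd filter, and the only fail2ban facts assumed are its shipped defaults (maxretry = 5, findtime = 10m, bantime = 10m) and that a negative bantime means permanent.

```python
"""Added example (not from the forum thread or the iRedMail project).

Replays a constructed stream of ssh login failures through a fail2ban-like
jail and reports how many attempts reach sshd and how often the address is
banned, for bantime = -1 (permanent), 10m (the shipped default) and 0.
"""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for /etc/fail2ban/jail.d/sshd.local.  fail2ban's own
# jail.conf defaults are maxretry = 5, findtime = 10m, bantime = 10m.
SSHD_LOCAL = """
[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = -1
"""

# Constructed stream of connection attempts as sshd would log them if nothing
# blocked them.  203.0.113.10 bursts, pauses, and comes back 20 minutes later.
AUTH_LOG = """\
Apr 15 03:00:01 mail sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Apr 15 03:00:05 mail sshd[1002]: Failed password for root from 203.0.113.10 port 40002 ssh2
Apr 15 03:00:09 mail sshd[1003]: Invalid user admin from 203.0.113.10 port 40003
Apr 15 03:00:13 mail sshd[1003]: Failed password for invalid user admin from 203.0.113.10 port 40003 ssh2
Apr 15 03:00:17 mail sshd[1004]: Failed password for root from 203.0.113.10 port 40004 ssh2
Apr 15 03:01:00 mail sshd[1005]: Failed password for root from 198.51.100.7 port 50001 ssh2
Apr 15 03:01:30 mail sshd[1006]: Failed password for root from 198.51.100.7 port 50002 ssh2
Apr 15 03:05:00 mail sshd[1007]: Failed password for root from 203.0.113.10 port 40005 ssh2
Apr 15 03:20:00 mail sshd[1008]: Failed password for root from 203.0.113.10 port 40006 ssh2
Apr 15 03:20:04 mail sshd[1009]: Failed password for root from 203.0.113.10 port 40007 ssh2
Apr 15 03:20:08 mail sshd[1010]: Failed password for root from 203.0.113.10 port 40008 ssh2
Apr 15 03:20:12 mail sshd[1011]: Failed password for root from 203.0.113.10 port 40009 ssh2
Apr 15 03:20:16 mail sshd[1012]: Failed password for root from 203.0.113.10 port 40010 ssh2
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Simplified version of fail2ban's sshd failregex: enough for the lines above.
LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for(?: invalid user)? \S+|Invalid user \S+) "
    r"from (\d+(?:\.\d+){3})"
)


def parse_duration(value):
    """Parse fail2ban-style durations ('600', '10m', '1h', '-1') into seconds."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def load_jail(text, jail="sshd"):
    """Return (maxretry, findtime_s, bantime_s) for one jail section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[jail]
    return (sec.getint("maxretry", 5),
            parse_duration(sec.get("findtime", "10m")),
            parse_duration(sec.get("bantime", "10m")))


def describe_bantime(bantime):
    """Human-readable meaning of a bantime value; negative means permanent."""
    if bantime < 0:
        return "permanent"
    if bantime == 0:
        return "0 (expires at the next unban check; use -1 for permanent)"
    return f"{bantime}s"


def simulate(lines, maxretry, findtime, bantime, year=2021):
    """Sliding-window ban logic.  Returns (bans, attempts_logged) where bans is
    a list of (ip, ban_time) and attempts_logged counts the attempts that reach
    sshd; attempts made while the address is banned are dropped by the firewall
    rule and never appear in the log."""
    window = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> datetime when the ban lapses
    bans, attempts_logged = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and t < banned_until[ip]:
            continue                       # still banned: sshd never sees this
        banned_until.pop(ip, None)
        attempts_logged += 1
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()                    # forget failures older than findtime
        if len(q) >= maxretry:
            bans.append((ip, t))
            q.clear()                      # fail2ban resets the count on ban
            banned_until[ip] = datetime.max if bantime < 0 else t + timedelta(seconds=bantime)
    return bans, attempts_logged


def run(jail_text, log_text):
    """Load a jail file and replay the log; result is a small summary dict."""
    maxretry, findtime, bantime = load_jail(jail_text)
    bans, logged = simulate(log_text.splitlines(), maxretry, findtime, bantime)
    return {"bantime": describe_bantime(bantime), "bans": bans, "attempts_logged": logged}


if __name__ == "__main__":
    for jail in (SSHD_LOCAL,
                 SSHD_LOCAL.replace("bantime = -1", "bantime = 10m"),
                 SSHD_LOCAL.replace("bantime = -1", "bantime = 0")):
        r = run(jail, AUTH_LOG)
        print(f"bantime={r['bantime']}: bans={len(r['bans'])}, "
              f"attempts reaching sshd={r['attempts_logged']}")
```

Run as-is it prints one summary line per bantime value. With the permanent ban the bursting address is banned once and only seven attempts ever reach sshd; with the ten-minute default the same address is banned again after it returns, and every return adds up to maxretry fresh failures to the day's log, which is the pattern behind a summary line like "250 times" on a host whose jail is otherwise working. Failures that land while the ban is active are dropped before sshd logs them, so a log summary alone cannot tell you whether the jail is firing; `fail2ban-client status sshd` on the server shows the jail's current ban list directly.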

9

Re: Upgrade and ssh ban forever and fail2ban.log empty

Hi Martin,

A little tangential:

I've long blocked 5.188.206.0/24 on my perimeter. If you can do it on your router or in IP tables, do it. It won't make you much safer, but it will keep your logs smaller. They haven't stopped for months.

I was on CentOS for a very long time. Since 5 maybe. I never, ever got clam to work well on a dozen servers. It's not maintained well. It is better maintained in Fedora, but still was problematic. I didn't run mail on CentOS. I did rely on rkhunter for some comfort, but that is no help to email. Fail2ban worked well on CentOS with iptables.

I just started switching to Debian/Ubuntu and derivatives. Apt and AppArmor vs SELinux as well as UFW are the big differences and there's not a big learning curve there. iRedMail went on to Ubuntu LTS 20.04 so easily I thought I must have done something wrong.

10

Re: Upgrade and ssh ban forever and fail2ban.log empty

montanelli wrote:

I was on CentOS for a very long time. Since 5 maybe. I never, ever got clam to work well on a dozen servers. It's not maintained well. It is better maintained in Fedora, but still was problematic. I didn't run mail on CentOS.

Thank you for all of the information.  Actually the latest version of ClamAV (as installed by iRedMail) seems to have some good improvements.  It actually installed a service named clamav-freshclam.service, but it was not active.

The moment I issued ...

systemctl enable clamav-freshclam.service
systemctl start clamav-freshclam.service

I looked through the log and it had immediately updated all of its database files.  It appears to check approximately every 3 hours for updates.  I like it and think it will do the trick.  Just thought I would share.

Martin

11

Re: Upgrade and ssh ban forever and fail2ban.log empty

Hi ZhangHuangbin,

I am not sure how this is happening, but I'm open to any ideas that you may have.  I just found out that when the fail2ban log file rotates, it's using the current date instead of yesterday's.

So instead of creating /var/log/fail2ban.log-20210414, it creates /var/log/fail2ban.log-20210415, and that file is EXACTLY where it's currently sending log entries to.  I'm stumped.

Anyone with a suggestion?

Respectfully,

Martin