1

Topic: Fail2Ban working doubts

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: rocky 9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no (free)
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,
I'm in trouble trying to check if all secuity mitigations are working correctly.

First of all, into my fail2ban log I see a lot of message like:
Mar  4 15:13:36 mx fail2ban.filter[836]: INFO [postfix] Found 192.241.199.24 - 2023-03-04 15:13:36
Mar  4 15:17:10 mx fail2ban.filter[836]: INFO [postfix] Found 46.148.40.5 - 2023-03-04 15:17:09
Mar  4 15:17:18 mx fail2ban.filter[836]: INFO [postfix] Found 46.148.40.5 - 2023-03-04 15:17:18
Mar  4 18:03:56 mx fail2ban.filter[836]: INFO [postfix] Found 85.217.144.165 - 2023-03-04 18:03:56

All of them are probably bad sources but I've not found around explanation of what "Found" should means. Found where. Is taken any action?

Those are the related MAILLOG messages (I masquerade my real iRedMail host domain with MYHOSTDOMAN.TLD:

Mar  4 17:58:19 mx clamd[861]: SelfCheck: Database status OK.
Mar  4 18:03:49 mx postfix/postscreen[148961]: CONNECT from [85.217.144.165]:58998 to [10.11.12.175]:25
Mar  4 18:03:49 mx postfix/postscreen[148961]: HANGUP after 0 from [85.217.144.165]:58998 in tests before SMTP handshake
Mar  4 18:03:49 mx postfix/postscreen[148961]: DISCONNECT [85.217.144.165]:58998
Mar  4 18:03:50 mx postfix/postscreen[148961]: CONNECT from [85.217.144.165]:59006 to [10.11.12.175]:25
Mar  4 18:03:56 mx postfix/postscreen[148961]: PASS OLD [85.217.144.165]:59006
Mar  4 18:03:56 mx postfix/smtpd[148967]: connect from unknown[85.217.144.165]
Mar  4 18:03:56 mx postfix/smtpd[148967]: NOQUEUE: reject: RCPT from unknown[85.217.144.165]: 450 4.7.1 <win-clj1b0gq6jp.domain>: Helo command rejected: Host not found; from=<test@MYHOSTDOMAIN.TLC> to=<tanyabarlow19@hotmail.com> proto=SMTP helo=<win-clj1b0gq6jp.domain>
Mar  4 18:03:56 mx postfix/postscreen[148961]: CONNECT from [85.217.144.165]:59868 to [10.11.12.175]:25
Mar  4 18:03:56 mx postfix/postscreen[148961]: PASS OLD [85.217.144.165]:59868
Mar  4 18:03:56 mx postfix/smtpd[148973]: connect from unknown[85.217.144.165]
Mar  4 18:03:56 mx postfix/postscreen[148961]: CONNECT from [85.217.144.165]:59879 to [10.11.12.175]:25
Mar  4 18:03:56 mx postfix/postscreen[148961]: PASS OLD [85.217.144.165]:59879
Mar  4 18:03:56 mx postfix/smtpd[148974]: connect from unknown[85.217.144.165]
Mar  4 18:03:56 mx postfix/postscreen[148961]: CONNECT from [85.217.144.165]:59914 to [10.11.12.175]:25
Mar  4 18:03:56 mx postfix/postscreen[148961]: PASS OLD [85.217.144.165]:59914
Mar  4 18:03:56 mx postfix/smtpd[148975]: connect from unknown[85.217.144.165]
Mar  4 18:03:57 mx postfix/smtpd[148975]: lost connection after EHLO from unknown[85.217.144.165]
Mar  4 18:03:57 mx postfix/smtpd[148974]: lost connection after EHLO from unknown[85.217.144.165]
Mar  4 18:03:57 mx postfix/smtpd[148975]: disconnect from unknown[85.217.144.165] ehlo=1 commands=1
Mar  4 18:03:57 mx postfix/smtpd[148974]: disconnect from unknown[85.217.144.165] ehlo=1 commands=1
Mar  4 18:03:57 mx postfix/smtpd[148973]: lost connection after EHLO from unknown[85.217.144.165]
Mar  4 18:03:57 mx postfix/smtpd[148973]: disconnect from unknown[85.217.144.165] ehlo=1 commands=1
Mar  4 18:04:31 mx postfix/smtpd[148967]: lost connection after RCPT from unknown[85.217.144.165]
Mar  4 18:04:31 mx postfix/smtpd[148967]: disconnect from unknown[85.217.144.165] helo=1 mail=1 rcpt=0/1 commands=2/3
Mar  4 18:07:52 mx postfix/anvil[148969]: statistics: max connection rate 4/60s for (smtpd:85.217.144.165) at Mar  4 18:03:56
Mar  4 18:07:52 mx postfix/anvil[148969]: statistics: max connection count 4 for (smtpd:85.217.144.165) at Mar  4 18:03:56
Mar  4 18:07:52 mx postfix/anvil[148969]: statistics: max cache size 1 at Mar  4 18:03:56
Mar  4 18:08:19 mx clamd[861]: SelfCheck: Database status OK.


Mar  4 15:16:31 mx postfix/smtps/smtpd[141562]: connect from unknown[46.148.40.5]
Mar  4 15:16:38 mx postfix/smtps/smtpd[141562]: Anonymous TLS connection established from unknown[46.148.40.5]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Mar  4 15:17:09 mx postfix/smtps/smtpd[141562]: warning: unknown[46.148.40.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  4 15:17:18 mx postfix/smtps/smtpd[141562]: lost connection after AUTH from unknown[46.148.40.5]
Mar  4 15:17:18 mx postfix/smtps/smtpd[141562]: disconnect from unknown[46.148.40.5] ehlo=1 auth=0/1 rset=1 commands=2/3



At the same time the postfix jail looks as follow:
[root@mx ~]# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     175
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     2
   `- Banned IP list:


Why sometime the banned IP list show me IPs and other time not?

Going forward I see some errors that seems not considered by fail2ban and I really appreciate your thoughts:

DOVECOT LOG:

Mar  4 15:29:29 mx dovecot[1444]: imap-login: Disconnected: Too many invalid commands (no auth attempts in 0 secs): user=<>, rip=167.248.133.189, lip=10.11.12.175, session=<FUTF4xP2pLyn+IW9>
Mar  4 15:29:29 mx dovecot[1444]: imap-login: Disconnected: Too many invalid commands (no auth attempts in 0 secs): user=<>, rip=167.248.133.189, lip=10.11.12.175, session=<RofI4xP2BM+n+IW9>
Mar  4 15:45:25 mx dovecot[1444]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.241.210.21, lip=10.11.12.175, TLS handshaking: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number, session=<l53DHBT2qo/A8dIV>


One last opinion I would like to ak you for: do you think that is better to create a catch-all mailbox for security reasons or have no sense?
In other words, bad senders try to discover existent mailbox, without a catch-all those email where rejected:

Mar  4 16:03:00 mx postfix/postscreen[143660]: CONNECT from [213.87.136.247]:42029 to [10.11.12.175]:25
Mar  4 16:03:04 mx postfix/dnsblog[143661]: warning: dnsblog_query: lookup error for DNS query 247.136.87.213.b.barracudacentral.org: Host or domain name not found. Name service error for name=247.136.87.213.b.barracudacentral.org type=A: Host not found, try again
Mar  4 16:03:06 mx postfix/postscreen[143660]: PASS NEW [213.87.136.247]:42029
Mar  4 16:03:06 mx postfix/smtpd[143676]: warning: hostname 247.gprs.mts.ru does not resolve to address 213.87.136.247
Mar  4 16:03:06 mx postfix/smtpd[143676]: connect from unknown[213.87.136.247]
Mar  4 16:03:08 mx postfix/smtpd[143676]: Anonymous TLS connection established from unknown[213.87.136.247]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Mar  4 16:03:09 mx postfix/smtpd[143676]: NOQUEUE: reject: RCPT from unknown[213.87.136.247]: 550 5.1.1 <xyykzy@MYDOMAIN.TLD>: Recipient address rejected: User unknown; from=<admin@mydieteach.com> to=<xyykzy@MYDOMAIN.TLD> proto=ESMTP helo=<mydieteach.com>
Mar  4 16:03:09 mx postfix/smtpd[143676]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
Mar  4 16:03:09 mx postfix/smtpd[143676]: lost connection after RCPT from unknown[213.87.136.247]
Mar  4 16:03:09 mx postfix/smtpd[143676]: disconnect from unknown[213.87.136.247] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5
Mar  4 16:06:29 mx postfix/anvil[143678]: statistics: max connection rate 1/60s for (smtpd:213.87.136.247) at Mar  4 16:03:06
Mar  4 16:06:29 mx postfix/anvil[143678]: statistics: max connection count 1 for (smtpd:213.87.136.247) at Mar  4 16:03:06
Mar  4 16:06:29 mx postfix/anvil[143678]: statistics: max cache size 1 at Mar  4 16:03:06



Thanks a lot

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Fail2Ban working doubts

f2b has several filters, imap/pop3 logins, sshd logins, etc etc

THe jail itself scans the corresponding logfiles in realtiem and takes action depending on the entry, for example if there are 3 failed login attempts from same ip, ip gets band for a period of time, after that it gets removed again (but is still listed under total banned)

if you show a jail, it aswell shows you the current active bans (if there are any)

and honestly, you can masquerade your real host domain as much as you want, that won't prevent anything at all, as long as it is public available, it will be attacked/probed all the time by various sources and you can't prevent this at all, if once a mailserver is found behind a IP, you can be sure that it will be under attack everyday

security by obscurity never worked and will never work

3 (edited by xerse 2023-03-05 06:38:38)

Re: Fail2Ban working doubts

Hi Cthulhu,

I'm sorry I was unable to write down enough clear.

When I say "masquerade" I means that I change real name with MYDMANIN.TLD into pasted logs. to avoid to write it in a public forum.

Regarding the whole message:

1) I'm asking what  "INFO [postfix] Found " means. I also past the postif log related to one of that IP.

2) regarding the Jail status I'm asking why it does not show the banned IPs (in the example there are two banned IPs, but none listed)

3) I also past a dovecot log, because that messages seems not to activate fail2ban

4) I'm asking your opinion in the opportunity to use a catch-all mailbox to avoid bots are able to understand if a mailbox exists or not.

Thanks

4

Re: Fail2Ban working doubts

4: The catch-all alias allows spammers to send unsolicited emails to random email addresses. This creates stress on mail servers, slowing down the mail server's normal functionality, and depending on the availability of ressources, even render them to stop working. It won't prevent spam, it will instead work in a very different way than you thought.

3: if you post dovecot logs, then you need to look at the dovecot jail, not the postfix one, they have different logfiles

2: i explained that, it only shows CURRENTLY banned ips, not IPs that have banned in the past

1: it is exactly what it seems, it is an info that an corresponding entry was found on the shown filter while monitoring the logfiles, nothing more, it wasn't banned because it didn't exceed the maxretry value set to the filter



Another note:

CONNECT from [85.217.144.165]:59879 to [10.11.12.175]:25
Mar  4 18:03:56 mx postfix/postscreen[148961]: PASS OLD [85.217.144.165]:59879

https://www.abuseipdb.com/check/85.217.144.165

Seems like your login credentials have been hacked already, because this shows a successful login from a source which is listed on an abusive database, running your mailserver behind a virtual network won't protect you, when the public ports are forwarded

Your server runs at 10.11.12.175 which is clearly a virtual network address

5 (edited by xerse 2023-03-06 16:49:02)

Re: Fail2Ban working doubts

Thanks a lot Cthulhu for the explanation,

4 Catch-all: OK, clear. Much more better to avoid spam bombing than thinking to avoid that BOTs is able to understand if a mailbox exist or not. May be could have a sense to change the 550 5.1.1 <xyykzy@MYDOMAIN.TLD>: Recipient address rejected: User unknown; But it is OT here.

2 Banned IP: My fault! I'm really sorry. I miss reading Banned with Curretly banned as I got confused by the Total failed before.

3 LOGs: I pasted both dovecot and postfix logs as on both I read something make me suspect that some filter is not working as expected.

Regarding the Dovecot log: imap-login: Disconnected: Too many invalid commands (no auth attempts in 0 secs): user=<>, rip=167.248.133.189
I'm not sure if it could or should catch any rule

Finally regarding your note (I really appreciate it): Messages related to PASS OLD [85.217.144.165] i pasted are referred to an email address that does not exist (test@....):
Mar  4 18:03:56 mx postfix/smtpd[148967]: NOQUEUE: reject: RCPT from unknown[85.217.144.165]: 450 4.7.1 <win-clj1b0gq6jp.domain>: Helo command rejected: Host not found; from=<test@MYHOSTDOMAIN.TLC> to=<tanyabarlow19@hotmail.com> proto=SMTP helo=<win-clj1b0gq6jp.domain>

Can you please let me understand why you think on a successfull login using a stolen password?

Again thank you for your patience.

6

Re: Fail2Ban working doubts

It's a lot easier to understand how fail2ban works by checking jail config files (/etc/fail2ban/jail.d/*.local) and the filters used by jails (/etc/fail2ban/filter.d/).

- Jail config file defines which log file(s) it tracks.
- Filter defines the rule(s) to match certain log line, and extract IP address from the log line.