1

Topic: Where see the info about each fail in Fail2Ban

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Perhaps a beginner post, but I would like some advice.

Our mail server now runs as it should. If I check netdata I normally see 5-10 fails every day, but today there were 105. Can I find where they come from? I understand that it is probably people trying to log in to get access.

TIA
Anders Yuran


2

Re: Where see the info about each fail in Fail2Ban

Did you check logs in /var/log?

3

Re: Where see the info about each fail in Fail2Ban

Yes, something must be going on. Copied the last 2 minutes of the log:

2024-11-11 05:36:00,915 fail2ban.filter         [795]: INFO    [dovecot] Found 162.214.201.42 - 2024-11-11 05:36:00
2024-11-11 05:36:02,919 fail2ban.filter         [795]: INFO    [dovecot] Found 79.137.39.190 - 2024-11-11 05:36:02
2024-11-11 05:36:13,135 fail2ban.filter         [795]: INFO    [dovecot] Found 122.169.103.121 - 2024-11-11 05:36:13
2024-11-11 05:36:17,749 fail2ban.filter         [795]: INFO    [dovecot] Found 185.129.249.68 - 2024-11-11 05:36:17
2024-11-11 05:36:31,772 fail2ban.filter         [795]: INFO    [dovecot] Found 94.100.20.10 - 2024-11-11 05:36:31
2024-11-11 05:36:38,984 fail2ban.filter         [795]: INFO    [dovecot] Found 52.77.32.236 - 2024-11-11 05:36:38
2024-11-11 05:36:40,990 fail2ban.filter         [795]: INFO    [dovecot] Found 91.121.35.159 - 2024-11-11 05:36:40
2024-11-11 05:36:46,199 fail2ban.filter         [795]: INFO    [dovecot] Found 159.89.237.199 - 2024-11-11 05:36:46
2024-11-11 05:36:58,833 fail2ban.filter         [795]: INFO    [dovecot] Found 194.15.36.78 - 2024-11-11 05:36:58
2024-11-11 05:37:08,850 fail2ban.filter         [795]: INFO    [dovecot] Found 138.201.34.171 - 2024-11-11 05:37:08
2024-11-11 05:37:10,853 fail2ban.filter         [795]: INFO    [dovecot] Found 162.214.204.53 - 2024-11-11 05:37:10
2024-11-11 05:37:16,863 fail2ban.filter         [795]: INFO    [dovecot] Found 103.124.93.182 - 2024-11-11 05:37:16
2024-11-11 05:37:17,466 fail2ban.filter         [795]: INFO    [dovecot] Found 162.240.224.93 - 2024-11-11 05:37:17
2024-11-11 05:37:30,692 fail2ban.filter         [795]: INFO    [dovecot] Found 162.0.220.200 - 2024-11-11 05:37:30
2024-11-11 05:37:39,905 fail2ban.filter         [795]: INFO    [dovecot] Found 209.151.145.149 - 2024-11-11 05:37:39
2024-11-11 05:37:43,111 fail2ban.filter         [795]: INFO    [dovecot] Found 38.252.38.24 - 2024-11-11 05:37:43
2024-11-11 05:37:45,115 fail2ban.filter         [795]: INFO    [dovecot] Found 95.217.228.54 - 2024-11-11 05:37:44
2024-11-11 05:37:47,119 fail2ban.filter         [795]: INFO    [dovecot] Found 209.94.63.207 - 2024-11-11 05:37:46
2024-11-11 05:37:51,129 fail2ban.filter         [795]: INFO    [dovecot] Found 209.151.144.191 - 2024-11-11 05:37:50
2024-11-11 05:38:18,272 fail2ban.filter         [795]: INFO    [dovecot] Found 142.93.220.49 - 2024-11-11 05:38:18
2024-11-11 05:38:20,877 fail2ban.filter         [795]: INFO    [dovecot] Found 194.1.184.78 - 2024-11-11 05:38:20
2024-11-11 05:38:22,080 fail2ban.filter         [795]: INFO    [dovecot] Found 209.50.61.217 - 2024-11-11 05:38:21
2024-11-11 05:38:22,282 fail2ban.filter         [795]: INFO    [dovecot] Found 209.151.146.112 - 2024-11-11 05:38:22
2024-11-11 05:38:31,497 fail2ban.filter         [795]: INFO    [dovecot] Found 35.189.241.61 - 2024-11-11 05:38:31
2024-11-11 05:38:33,701 fail2ban.filter         [795]: INFO    [dovecot] Found 143.244.156.83 - 2024-11-11 05:38:33
2024-11-11 05:38:43,726 fail2ban.filter         [795]: INFO    [dovecot] Found 204.13.238.85 - 2024-11-11 05:38:43
2024-11-11 05:38:44,937 fail2ban.filter         [795]: INFO    [dovecot] Found 2.57.217.229 - 2024-11-11 05:38:44

4

Re: Where see the info about each fail in Fail2Ban

Yes, I also encountered the same situation even though I tried different methods.

5

Re: Where see the info about each fail in Fail2Ban

These IPs are 99% reported as abuse, and from all over the world. Seems like some coordinated attack.

6

Re: Where see the info about each fail in Fail2Ban

This came now in the mail.log:

Nov 11 05:43:58 mail roundcube: <jnds69hs> PHP Error: Failed to load config from /opt/www/roundcubemail/plugins/password/config.inc.php in /opt/www/roundcubemail-1.6.5/program/lib/Roundcube/rcube_plugin.php on line 166 (GET /mail/?_task=addressbook&_action=photo&_email=root%40mail.mxmail.se)

7

Re: Where see the info about each fail in Fail2Ban

anders.yuran wrote:

Yes, something must be going on. Copied the last 2 minutes of the log:

2024-11-11 05:36:00,915 fail2ban.filter         [795]: INFO    [dovecot] Found 162.214.201.42 - 2024-11-11 05:36:00

Could you share your maxretry, findtime, bantime from jail?

8

Re: Where see the info about each fail in Fail2Ban

anders.yuran wrote:

These IPs are 99% reported as abuse, and from all over the world. Seems like some coordinated attack.

It is only a scanner :). If it is not to your liking, you can restrict the dovecot port by IP address or by country. You can also use IPset + spamDB ;).

9

Re: Where see the info about each fail in Fail2Ban

anders.yuran wrote:

This came now in the mail.log:

Nov 11 05:43:58 mail roundcube: <jnds69hs> PHP Error: Failed to load config from /opt/www/roundcubemail/plugins/password/config.inc.php in /opt/www/roundcubemail-1.6.5/program/lib/Roundcube/rcube_plugin.php on line 166 (GET /mail/?_task=addressbook&_action=photo&_email=root%40mail.mxmail.se)

If you have opened port 443 to the world at the subdomain mail.mxmail.se, of course some bots will try to hack it. The default configuration of iRedMail is good. If you don't like something, you can restrict it, or you can add an extra layer of security, like restricting access with HTTP Basic Authentication, the 8G firewall, ModSecurity, maxretry on fail2ban, some extra filters, etc. Anyway, the list is very big; the important thing is to know which guys you can be safe from.

10

Re: Where see the info about each fail in Fail2Ban

Well, it seems that the server is still safe. I changed the findtime from 10 minutes to 1 day, and of course the number of banned IPs rushed up and the fails went down. Restricting by IP is not possible with about 500 accounts from all over the world.
The surprise was that the number of fails went from 10 to 130 in 12 hours.

WhoAmI68 wrote:
anders.yuran wrote:

This came now in the mail.log:

Nov 11 05:43:58 mail roundcube: <jnds69hs> PHP Error: Failed to load config from /opt/www/roundcubemail/plugins/password/config.inc.php in /opt/www/roundcubemail-1.6.5/program/lib/Roundcube/rcube_plugin.php on line 166 (GET /mail/?_task=addressbook&_action=photo&_email=root%40mail.mxmail.se)

If you have opened port 443 to the world at the subdomain mail.mxmail.se, of course some bots will try to hack it. The default configuration of iRedMail is good. If you don't like something, you can restrict it, or you can add an extra layer of security, like restricting access with HTTP Basic Authentication, the 8G firewall, ModSecurity, maxretry on fail2ban, some extra filters, etc. Anyway, the list is very big; the important thing is to know which guys you can be safe from.
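To see which sources the fails come from, and why raising findtime from 10 minutes to 1 day turns many "Found" hits into bans, here is an added Python example (not from the thread, iRedMail or fail2ban itself). It parses lines in the fail2ban.filter "Found" format pasted above, counts hits per source IP, and replays them through a simplified model of fail2ban's maxretry/findtime sliding window; the log lines, PID and IP addresses in it are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Shape of the fail2ban.filter "Found" lines pasted in the thread.
FOUND_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.filter\s+"
                      r"\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+) - ")

# Constructed sample using documentation IPs (not the addresses from the thread):
# 192.0.2.10 fails 5 times two hours apart, 192.0.2.20 5 times in 40 s, 198.51.100.7 once.
SAMPLE_LOG = "\n".join(
    f"{ts},000 fail2ban.filter         [4242]: INFO    [dovecot] Found {ip} - {ts}"
    for ts, ip in [
        ("2024-11-11 00:00:01", "192.0.2.10"), ("2024-11-11 02:00:01", "192.0.2.10"),
        ("2024-11-11 04:00:01", "192.0.2.10"), ("2024-11-11 06:00:01", "192.0.2.10"),
        ("2024-11-11 08:00:01", "192.0.2.10"), ("2024-11-11 05:36:00", "192.0.2.20"),
        ("2024-11-11 05:36:10", "192.0.2.20"), ("2024-11-11 05:36:20", "192.0.2.20"),
        ("2024-11-11 05:36:30", "192.0.2.20"), ("2024-11-11 05:36:40", "192.0.2.20"),
        ("2024-11-11 05:37:00", "198.51.100.7"),
    ])

def parse_found(lines):
    """Return (timestamp, jail, ip) for every 'Found' line, oldest first."""
    matches = (FOUND_RE.match(line) for line in lines)
    return sorted((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"])
                  for m in matches if m)

def failures_per_ip(events, jail="dovecot"):
    """Hits per source IP for one jail: the per-IP breakdown of the 'fails' count."""
    return dict(Counter(ip for _, j, ip in events if j == jail))

def simulate_bans(events, maxretry, findtime_seconds):
    """Replay fail2ban's sliding window: an IP is banned once it reaches maxretry
    hits within findtime seconds. Hits after a ban are skipped, as the firewall
    rule would drop them. Returns {jail: sorted list of banned IPs}."""
    recent, banned = defaultdict(list), defaultdict(set)
    for ts, jail, ip in events:
        if ip in banned[jail]:
            continue
        hits = [t for t in recent[jail, ip] if (ts - t).total_seconds() <= findtime_seconds]
        hits.append(ts)
        recent[jail, ip] = hits
        if len(hits) >= maxretry:
            banned[jail].add(ip)
    return {jail: sorted(ips) for jail, ips in banned.items()}

EVENTS = parse_found(SAMPLE_LOG.splitlines())
```

With maxretry 5, the slow scanner 192.0.2.10 is never banned under a 10-minute findtime but is banned under a 1-day findtime, while the fast one is banned either way; run the same functions over /var/log/fail2ban.log to get the real per-IP breakdown.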

11

Re: Where see the info about each fail in Fail2Ban

anders.yuran wrote:

Well, it seems that the server is still safe. I changed the findtime from 10 minutes to 1 day.

Good to hear it :). I have a private server, so my bantime is 1 month :), but I use a few extra layers.