1 (edited by Johnny007 2020-06-06 23:05:57)

Topic: NetData and Fail2Ban / PostFix Settings

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version: 1.2.1
- Deployed with: downloadable installer
- Linux/BSD distribution: Debian 10.4
- Store mail accounts in: LDAP
- Web server: Nginx
- Manage mail accounts with: iRedAdmin
====

So I’m noticing something on NetData. I see fail2ban is enabled, but I don’t see it showing a correlation with what Fail2Ban is actually doing.

See the attachment: NetData is showing NO JAILS or BANS.

But look at the output of Fail2Ban:

# fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

Status for the jail: dovecot-iredmail
   `- Banned IP list:    
Status for the jail: nginx-http-auth
   `- Banned IP list:    
Status for the jail: postfix-iredmail
   `- Banned IP list:    
Status for the jail: postfix-pregreet-iredmail
   `- Banned IP list:    
Status for the jail: roundcube-iredmail
   `- Banned IP list:    
Status for the jail: sogo-iredmail
   `- Banned IP list:    
Status for the jail: sshd
   `- Banned IP list:    112.85.42.185 93.157.62.102

Also seeing similar for PostFix.

Do I need to make some Config Adjustments in NetData to make it see these entries?
I caught it, because I see the Logwatch report email, and saw many failed SSHD attempts.

Attachment: PastedGraphic-3.jpg (54.1 kb, 1 download since 2020-06-03)


2

Re: NetData and Fail2Ban / PostFix Settings

PS: Here is the output of log files in /var/log/netdata/

/var/log/netdata# ls -al
total 2460

drwxr-xr-x 2 netdata netdata    4096 Jun  3 00:00 .
drwxrwxr-x 3 netdata netdata    4096 Apr 13 06:23 ..
-rw-r--r-- 1 netdata netdata  315408 Jun  3 09:01 access.log
-rw-r--r-- 1 netdata netdata 1470332 Jun  2 10:25 access.log.1
-rw-r--r-- 1 netdata netdata       0 Jun  1 07:28 debug.log
-rw-r--r-- 1 netdata netdata  140145 Jun  3 08:51 error.log
-rw-r--r-- 1 netdata netdata  565624 Jun  3 06:42 error.log.1

/var/log/netdata# cat error.log | grep "fail2ban"

2020-06-03 08:21:57: python.d INFO: plugin[main] : [fail2ban] built 1 job(s) configs
2020-06-03 08:21:57: python.d INFO: fail2ban[fail2ban] : monitoring jails: ['sshd', 'postfix-iredmail', 'postfix-pregreet-iredmail', 'dovecot-iredmail', 'nginx-http-auth', 'sogo-iredmail', 'roundcube-iredmail']
2020-06-03 08:21:57: python.d INFO: plugin[main] : fail2ban[fail2ban] : check success

/var/log/netdata# cat error.log.1 | grep "fail2ban"

2020-06-01 07:28:38: python.d INFO: plugin[main] : [fail2ban] built 1 job(s) configs
2020-06-01 07:28:39: python.d INFO: fail2ban[fail2ban] : monitoring jails: ['sshd', 'postfix-iredmail', 'postfix-pregreet-iredmail', 'dovecot-iredmail', 'nginx-http-auth', 'sogo-iredmail', 'roundcube-iredmail']
2020-06-01 07:28:39: python.d INFO: plugin[main] : fail2ban[fail2ban] : check success
2020-06-01 07:31:27: python.d INFO: plugin[main] : [fail2ban] built 1 job(s) configs
2020-06-01 07:31:31: python.d INFO: fail2ban[fail2ban] : monitoring jails: ['sshd', 'postfix-iredmail', 'postfix-pregreet-iredmail', 'dovecot-iredmail', 'nginx-http-auth', 'sogo-iredmail', 'roundcube-iredmail']
2020-06-01 07:31:31: python.d INFO: plugin[main] : fail2ban[fail2ban] : check success
2020-06-01 10:30:04: python.d INFO: plugin[main] : [fail2ban] built 1 job(s) configs
2020-06-01 10:30:06: python.d INFO: fail2ban[fail2ban] : monitoring jails: ['sshd', 'postfix-iredmail', 'postfix-pregreet-iredmail', 'dovecot-iredmail', 'nginx-http-auth', 'sogo-iredmail', 'roundcube-iredmail']
2020-06-01 10:30:06: python.d INFO: plugin[main] : fail2ban[fail2ban] : check success
2020-06-01 12:41:39: python.d INFO: plugin[main] : [fail2ban] built 1 job(s) configs
2020-06-01 12:41:40: python.d INFO: fail2ban[fail2ban] : monitoring jails: ['sshd', 'postfix-iredmail', 'postfix-pregreet-iredmail', 'dovecot-iredmail', 'nginx-http-auth', 'sogo-iredmail', 'roundcube-iredmail']
2020-06-01 12:41:40: python.d INFO: plugin[main] : fail2ban[fail2ban] : check success

3

Re: NetData and Fail2Ban / PostFix Settings

Seems everything is fine, no errors in the netdata log at all.

Try to ban one IP address manually, then check netdata again:

fail2ban-client set sshd banip 1.1.1.1

Also, what's the owner/group and permission of Fail2ban log file /var/log/fail2ban.log (If deployed with iRedMail Easy, it's /var/log/fail2ban/fail2ban.log)?

4 (edited by Johnny007 2020-06-04 13:09:33)

Re: NetData and Fail2Ban / PostFix Settings

So I banned the IP 1.1.1.1, but as you notice from the output above in my first post, I already had 2 banned IPs.
In any case, I banned the IP, but NetData shows nothing. No spike in the graph.

But if I check the list of banned IPs using the terminal, I see the banned IP there. NetData monitor doesn't show it.

Also, here is the owner / group and permission on /var/log/fail2ban.log. BUT I noticed that it is all getting stored in syslog.
Fail2Ban is not storing any logs in that log. Everything is being piped to /var/log/syslog
This is by default installation.

-rw-r----- 1 root adm 2111 Jun  1 07:30 /var/log/fail2ban.log

So overall, currently with the default deployment, I'm noticing the issue with the two following selections in the NetData monitor Web GUI: they don't produce or show anything, even though there is a lot of activity. I'm assuming that's because of the way the iRedMail installer is setting different environment variables?

1. fail2ban
2. postfix

Anyways, let me know how to fix / address this?
AND while fixing this, I want to make sure that the daily morning email I get with all the metrics doesn't get messed up ... That is a great summary email from the default installer as well.

5

Re: NetData and Fail2Ban / PostFix Settings

Hi Zhang,

Any update on this? Did you wanna test it?

6

Re: NetData and Fail2Ban / PostFix Settings

Netdata monitors the Fail2ban log file to get (newly) banned IP addresses. Try this command and restart netdata:

chmod 0644 /var/log/fail2ban.log

Or even try 0755.

7 (edited by Johnny007 2020-06-06 10:48:17)

Re: NetData and Fail2Ban / PostFix Settings

ZhangHuangbin wrote:

Netdata monitors the Fail2ban log file to get (newly) banned IP addresses. Try this command and restart netdata:

chmod 0644 /var/log/fail2ban.log

Or even try 0755.

Hi Zhang, did what you asked, and also banned 4 IPs, but NetData doesn't show any changes.
See here

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    4
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    4
   |- Total banned:    4
   `- Banned IP list:    1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4

This is NOT the issue

8

Re: NetData and Fail2Ban / PostFix Settings

I would really like your comment / feedback on the fact that fail2ban logs are being stored in /var/log/syslog.
They are not being stored in /var/log/fail2ban.log

9

Re: NetData and Fail2Ban / PostFix Settings

Johnny007 wrote:

I would really like your comment / feedback on the fact that fail2ban logs are being stored in /var/log/syslog.

Check file /etc/fail2ban/fail2ban.local, do you have a "logtarget = SYSLOG" line?
Also, do you have file /etc/rsyslog.d/1-iredmail-fail2ban.conf?

10

Re: NetData and Fail2Ban / PostFix Settings

Hi,

Here is /etc/fail2ban/fail2ban.local

[Definition]

# Option: loglevel. Default is ERROR
# Available options: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
loglevel = INFO

# Set the log target
logtarget = SYSLOG

# Syslog socket. Required on FreeBSD and OpenBSD.
#syslogsocket = /dev/log

# Fail2ban socket. Required on FreeBSD.
#socket = /var/run/fail2ban/fail2ban.sock

I don't see a file at /etc/rsyslog.d/1-iredmail-fail2ban.conf

Here is the directory listing:

/etc/rsyslog.d# ls -la
total 28
drwxr-xr-x  2 root root 4096 Jun  5 20:01 .
drwxr-xr-x 97 root root 4096 Jun  5 15:39 ..
-rw-r--r--  1 root root  850 Jun  5 14:51 1-iredmail-dovecot.conf
-rw-r--r--  1 root root  451 Jun  5 14:51 1-iredmail-iredapd.conf
-rw-r--r--  1 root root  443 Jun  5 14:51 1-iredmail-mlmmjadmin.conf
-rw-r--r--  1 root root  124 Jun  5 14:50 1-iredmail-phpfpm.conf
-rw-r--r--  1 root root  242 Mar 16 12:43 postfix.conf

11

Re: NetData and Fail2Ban / PostFix Settings

File /etc/rsyslog.d/1-iredmail-fail2ban.conf should be:

if $programname startswith 'fail2ban' or ($programname == 'journal' and $msg startswith 'fail2ban') then -/var/log/fail2ban.log
& stop

Create it manually then restart rsyslog service.
Set owner/group of /var/log/fail2ban.log to "syslog:adm" and permission 0755.

12

Re: NetData and Fail2Ban / PostFix Settings

Ok almost got there, but there is no user "syslog" on the system

13

Re: NetData and Fail2Ban / PostFix Settings

Oops, my bad, it's "root:adm".

14

Re: NetData and Fail2Ban / PostFix Settings

Ok made the changes.
Restarted Rsyslog
Restarted NetData

I still have FOUR BANNED IPs

NetData shows none.

15

Re: NetData and Fail2Ban / PostFix Settings

Ban a new one and check again.

16

Re: NetData and Fail2Ban / PostFix Settings

ZhangHuangbin wrote:

Ban a new one and check again.

YES, THAT WORKED !!!!! Yay !!!

Ok, now can we do the changes for PostFix to work as well?
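The two points this thread turns on (post 6/11: Netdata tails the Fail2ban log file, which stays empty when Fail2ban has "logtarget = SYSLOG" and no rsyslog rule routes its messages into /var/log/fail2ban.log; post 15: a tailer only sees lines appended after it started, so bans that already exist are invisible until a new one is logged) can be reproduced with a small model. The code below is an added example, not Netdata's or iRedMail's own code. It assumes a Netdata-like regex that keys on the "[jail] Ban <ip>" part of a fail2ban.actions message, and the log lines, hostname, PID and addresses are constructed for the example.

```python
"""Added example (not Netdata's or iRedMail's code): a Fail2ban log tailer of
the kind Netdata's fail2ban collector uses, plus the config check that explains
an empty /var/log/fail2ban.log when logtarget is SYSLOG."""
import configparser
import re

# The prefix differs between a file logtarget
# ("2020-06-06 10:48:17,123 fail2ban.actions [587]: NOTICE [sshd] Ban 1.1.1.1")
# and a line written by rsyslog
# ("Jun  6 10:48:17 mail fail2ban.actions[587]: NOTICE [sshd] Ban 1.1.1.1"),
# so match only the jail/action/ip part.  Assumption: this is a Netdata-like
# regex shape, not Netdata's exact expression.
RE_BAN = re.compile(
    r"\[(?P<jail>[A-Za-z0-9_-]+)\] (?P<action>Ban|Unban) (?P<ip>[0-9a-fA-F.:]+)"
)


def logs_to_syslog(fail2ban_local_text: str) -> bool:
    """True when [Definition] logtarget in fail2ban.local is SYSLOG."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(fail2ban_local_text)
    return cp.get("Definition", "logtarget", fallback="").strip().upper() == "SYSLOG"


def needs_rsyslog_rule(fail2ban_local_text: str, rsyslog_rule_present: bool) -> bool:
    """The log file only fills up if Fail2ban writes it directly, or rsyslog
    routes the fail2ban program's messages into it (the 1-iredmail-fail2ban.conf
    rule).  SYSLOG target + no rule == empty file == empty Netdata chart."""
    return logs_to_syslog(fail2ban_local_text) and not rsyslog_rule_present


class BanTailer:
    """Reads only text appended after the offset it was created at, like a
    collector that opens the log and seeks to its end on startup."""

    def __init__(self, initial_text: str):
        self.offset = len(initial_text)
        self.banned = {}   # jail -> set of IPs banned since the tailer started
        self.bans = {}     # jail -> Ban events seen
        self.unbans = {}   # jail -> Unban events seen

    def poll(self, full_text: str) -> dict:
        """Consume new lines; return {jail: currently-banned count}."""
        new = full_text[self.offset:]
        self.offset = len(full_text)
        for line in new.splitlines():
            m = RE_BAN.search(line)
            if not m:          # e.g. fail2ban.filter "Found" lines are ignored
                continue
            jail, action, ip = m.group("jail", "action", "ip")
            self.banned.setdefault(jail, set())
            if action == "Ban":
                self.bans[jail] = self.bans.get(jail, 0) + 1
                self.banned[jail].add(ip)
            else:
                self.unbans[jail] = self.unbans.get(jail, 0) + 1
                self.banned[jail].discard(ip)
        return {jail: len(ips) for jail, ips in self.banned.items()}


# Constructed sample of /var/log/fail2ban.log as rsyslog would write it.
# Hostname, PID and addresses are made up; 1.1.1.x echoes the manual test bans.
BEFORE_START = """\
Jun  6 09:00:01 mail fail2ban.actions[587]: NOTICE [sshd] Ban 1.1.1.1
Jun  6 09:00:02 mail fail2ban.actions[587]: NOTICE [sshd] Ban 1.1.1.2
"""
AFTER_START = BEFORE_START + """\
Jun  6 10:48:17 mail fail2ban.actions[587]: NOTICE [sshd] Ban 1.1.1.3
Jun  6 10:48:20 mail fail2ban.filter[587]: INFO [sshd] Found 1.1.1.4
Jun  6 10:49:00 mail fail2ban.actions[587]: NOTICE [postfix-iredmail] Ban 203.0.113.9
Jun  6 10:50:00 mail fail2ban.actions[587]: NOTICE [sshd] Unban 1.1.1.1
"""

# Constructed copy of the relevant part of the poster's fail2ban.local.
FAIL2BAN_LOCAL = """\
[Definition]
loglevel = INFO
logtarget = SYSLOG
"""


def demo():
    """Start the tailer after two bans already exist, then append new lines."""
    tailer = BanTailer(BEFORE_START)
    first = tailer.poll(BEFORE_START)    # nothing new: chart stays empty
    second = tailer.poll(AFTER_START)    # only post-start bans are counted
    return first, second, dict(tailer.bans), dict(tailer.unbans)


if __name__ == "__main__":
    print("rsyslog rule needed:", needs_rsyslog_rule(FAIL2BAN_LOCAL, False))
    print(demo())
```

Note that the Unban of 1.1.1.1 after start does not lower the count, because that ban was never observed: a tailer that starts late only has a consistent view of bans it saw itself, which is exactly why banning a fresh address was the test that finally showed data.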

17

Re: NetData and Fail2Ban / PostFix Settings

Try to send a few test emails, netdata should detect the messages in the queue.