mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

fail2ban finding but not banning #2246

Open cybnex opened 1 year ago

cybnex commented 1 year ago

On my stock, fresh out of the box mail-in-a-box install fail2ban finds bruteforce attempts on postfix but it is not taking any action:

```
2023-03-22 12:38:48,047 fail2ban.filter [312056]: INFO [postfix-sasl] Found 46.148.40.125 - 2023-03-22 12:38:48
2023-03-22 12:38:48,045 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.17 - 2023-03-22 12:38:48
2023-03-22 12:38:48,049 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.125 - 2023-03-22 12:38:48
2023-03-22 12:38:48,056 fail2ban.filter [312056]: INFO [miab-postfix465] Found 46.148.40.125 - 2023-03-22 12:38:48
2023-03-22 12:38:51,377 fail2ban.filter [312056]: INFO [miab-postfix465] Found 46.148.40.22 - 2023-03-22 12:38:51
2023-03-22 12:38:51,379 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.22 - 2023-03-22 12:38:51
2023-03-22 12:38:51,380 fail2ban.filter [312056]: INFO [postfix-sasl] Found 46.148.40.22 - 2023-03-22 12:38:51
2023-03-22 12:38:57,319 fail2ban.filter [312056]: INFO [postfix-sasl] Found 46.148.40.21 - 2023-03-22 12:38:57
2023-03-22 12:38:57,321 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.21 - 2023-03-22 12:38:57
2023-03-22 12:38:57,322 fail2ban.filter [312056]: INFO [miab-postfix465] Found 46.148.40.21 - 2023-03-22 12:38:57
2023-03-22 12:39:06,156 fail2ban.filter [312056]: INFO [miab-postfix465] Found 46.148.40.23 - 2023-03-22 12:39:06
2023-03-22 12:39:06,157 fail2ban.filter [312056]: INFO [postfix-sasl] Found 46.148.40.23 - 2023-03-22 12:39:06
2023-03-22 12:39:06,158 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.23 - 2023-03-22 12:39:06
2023-03-22 12:39:18,346 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.183 - 2023-03-22 12:39:18
2023-03-22 12:39:18,359 fail2ban.filter [312056]: INFO [postfix-sasl] Found 46.148.40.183 - 2023-03-22 12:39:18
2023-03-22 12:39:18,357 fail2ban.filter [312056]: INFO [miab-postfix465] Found 46.148.40.183 - 2023-03-22 12:39:18
2023-03-22 12:39:45,466 fail2ban.filter [312056]: INFO [postfix-sasl] Found 46.148.40.199 - 2023-03-22 12:39:45
2023-03-22 12:39:45,469 fail2ban.filter [312056]: INFO [miab-postfix465] Found 46.148.40.199 - 2023-03-22 12:39:45
2023-03-22 12:39:45,469 fail2ban.filter [312056]: INFO [miab-postfix587] Found 46.148.40.199 - 2023-03-22 12:39:45
```

```
root@box /etc/fail2ban # fail2ban-client status miab-postfix465
Status for the jail: miab-postfix465
|- Filter
|  |- Currently failed: 17
|  |- Total failed: 17
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
```

jvolkenant commented 1 year ago

The threshold is very high before someone is banned https://github.com/jvolkenant/mailinabox/blob/master/conf/fail2ban/jails.conf#L15

cybnex commented 1 year ago

Oh I see now, the botnet is just doing one attempt per IP...

nomandera commented 1 year ago

I too was seeing this traffic. A reasonable immediate action

```
fail2ban-client set recidive banip 46.148.32.0/20
```

will silence this noise without being permanent
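
The pattern identified in this thread, one attempt per address so that no single IP reaches the jail's threshold, can be confirmed from fail2ban.log by counting `Found` lines per network instead of per address. The script below is an added example, not part of the original thread or of Mail-in-a-Box: the function name, the `maxretry=5` value, the /24 grouping and the sample log lines are assumptions constructed for illustration, and it counts over every line it is given rather than applying a `findtime` window.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# A fail2ban.log "Found" line: jail name in brackets, then the offending host.
FOUND = re.compile(r"fail2ban\.filter\s+\[\d+\]:\s+INFO\s+\[([^\]]+)\]\s+Found\s+(\S+)")

def distributed_sources(lines, maxretry, prefix=24):
    """Return {(jail, network): failures} for IPv4 networks whose combined
    failures reach maxretry although no single address in them does."""
    per_ip = defaultdict(Counter)  # jail -> address -> failures
    for line in lines:
        m = FOUND.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # host field is not an IP address
        if ip.version == 4:  # IPv6 would need its own prefix length
            per_ip[m.group(1)][ip] += 1
    flagged = {}
    for jail, hits in per_ip.items():
        total, worst = Counter(), Counter()
        for ip, n in hits.items():
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            total[net] += n
            worst[net] = max(worst[net], n)
        for net, count in total.items():
            # worst >= maxretry means fail2ban's per-address ban already applies.
            if count >= maxretry and worst[net] < maxretry:
                flagged[(jail, str(net))] = count
    return flagged

# Constructed sample lines (documentation address ranges), laid out like the log above.
_LINE = "2023-03-22 12:38:48,047 fail2ban.filter [312056]: INFO [{}] Found {} - 2023-03-22 12:38:48"
SAMPLE = (
    [_LINE.format("miab-postfix465", f"203.0.113.{h}") for h in (17, 21, 22, 23, 125)]
    + [_LINE.format("miab-postfix465", "198.51.100.7")] * 6  # one noisy address
    + [_LINE.format("postfix-sasl", "192.0.2.9")]            # a single stray failure
)

if __name__ == "__main__":
    # maxretry=5 is an assumed value, not Mail-in-a-Box's configured threshold.
    for (jail, net), count in distributed_sources(SAMPLE, maxretry=5).items():
        print(f"{jail}: {count} failures spread across {net}, no address reached maxretry")
```

Because several jails read the same mail.log, one failed login shows up once per jail, so the counts are kept separate per jail.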