Fail2Ban x Carbonio...
 
Notifications
Clear all

Fail2Ban x Carbonio Community Edition

14 Posts
6 Users
0 Reactions
2,397 Views
(@bellux)
Joined: 2 years ago
Posts: 12
Topic starter  

Hi everyone,

i want to know if there is something like fail2ban added to Carbonio Community Edition or Carbonio able to reduce incorrect authentications attempts.

Elia.


   
Quote
(@sharif)
Admin
Joined: 2 years ago
Posts: 591
 
Posted by: @bellux

Hi everyone,

i want to know if there is something like fail2ban added to Carbonio Community Edition or Carbonio able to reduce incorrect authentications attempts.

Elia.

@bellux,

Hi,

Actually, fail2ban, crowdsec, CSF or these types of mechanisms usually do not come with any solution. You have to integrate them into your existing system. These mechanisms monitor your system's different log files and take predefined actions against the violating IP.

Currently, there are no mechanisms like these integrated in Carbonio/Carbonio CE. But you can use/integrate the above-mentioned mechanisms as per your convenience.

Thanks and regards,

Sharif

 


   
ReplyQuote
(@aposazhennikov)
Joined: 2 years ago
Posts: 3
 

Hi, everyone!

Is it possible to see filters for fail2ban, which works? I saw something at this forum but it's actually not working for new versions of carbonio.


   
ReplyQuote
Myriad
(@myriad)
Joined: 13 years ago
Posts: 33
 

I know this post is old but for others searching for this topic here ya go!

Install firewall:

root@mail:$ ufw status
root@mail:$ ufw allow ssh
root@mail:$ ufw allow 25,80,110,143,443,587,993,995,6071,8636,5222,10001/tcp

Install Fail2ban:

root@mail:$apt-get install fail2ban -y

Create the /etc/fail2ban/filter.d/carbonio.conf file and add:

[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
         ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
         \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
         WARN .*;ip=<HOST>;ua=CarbonioWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
         NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

Add a local jail:

root@mail:$ nano /etc/fail2ban/jail.local *Add:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 ip_4/24 invoice.myriad.ca ip_1/32 ip_2/32 ip_3/32 
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
banaction = ufw

# Carbonio Jails.

[carbonio-account]
enabled = true
filter = carbonio
action = iptables-allports[name=carbonio-account]
#sendmail[name=carbonio-account, dest=zextras@domain.tld]
logpath = /opt/zextras/log/mailbox.log
bantime = 600
maxretry = 5

[carbonio-audit]
enabled = true
filter = carbonio
action = iptables-allports[name=carbonio-audit]
#sendmail[name=Carbonio-audit, dest=zextras@domain.tld]
logpath = /opt/zextras/log/audit.log
bantime = 600
maxretry = 5

[carbonio-recipient]
enabled = true
filter = carbonio
action = iptables-allports[name=carbonio-recipient]
#sendmail[name=Carbonio-recipient, dest=zextras@domain.tld]
logpath = /var/log/carbonio.log
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
#sendmail-buffered[name=Postfix, dest=zextras@domain.tld]
logpath = /var/log/carbonio.log
bantime = 172800
maxretry = 5

Note: I commented out the sendmail portion so I don't get hundreds a emails from F2B

Save changes and restart Fail2ban:

root@mail:$ systemctl restart fail2ban

You can check the status of fail2ban using:

root@mail:$ fail2ban-client status carbonio-audit
This post was modified 11 months ago by Myriad

   
ReplyQuote
(@jolmir)
Joined: 10 years ago
Posts: 18
 

@myriad Thanks for sharing, does your configuration work behind the carbonio proxy? I tried it but the port is random between 0:65535 and it does not repeat, what configuration would it be in that case?


   
ReplyQuote
(@jolmir)
Joined: 10 years ago
Posts: 18
 

@sharif I am currently using Carbonio's DoS Filter with the following configuration

carbonio prov modifyConfig zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating 180

carbonio prov modifyConfig zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin 60

carbonio prov modifyConfig zimbraInvalidLoginFilterMaxFailedLogin 1

trying to contain the constant brute force attacks since they make an attempt every 5 minutes from a different IP that is never repeated and the account blocking is constant, I have tried setting zimbraInvalidLoginFilterMaxFailedLogin to zero but it doesn't work either, how could I try to block if Does the IP change with each attempt?

 

 


   
ReplyQuote
Myriad
(@myriad)
Joined: 13 years ago
Posts: 33
 

@jolmir I would think it should work because it only acts on traffic that arrives at the private IP of your server so the proxy shouldn't affect it.


   
ReplyQuote
Myriad
(@myriad)
Joined: 13 years ago
Posts: 33
 

 

@jolmir I have used F2B for the 20+ years I have run Zimbra servers and I find it work well at stopping brute force attempts and account lockouts. Here is a typical log:

2023-12-21 10:22:57,064 fail2ban.filter         [918]: INFO    [postfix] Found 38.108.68.15 - 2023-12-21 10:22:56
2023-12-21 08:36:04,229 fail2ban.filter         [918]: INFO    [postfix] Found 182.183.169.193 - 2023-12-21 08:36:04
2023-12-21 08:29:57,123 fail2ban.filter         [918]: INFO    [postfix] Found 213.230.120.86 - 2023-12-21 08:29:57
2023-12-21 08:21:50,585 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 210.196.222.34 - 2023-12-21 08:21:50
2023-12-21 08:21:50,581 fail2ban.filter         [918]: INFO    [postfix] Found 210.196.222.34 - 2023-12-21 08:21:50
2023-12-21 08:18:45,416 fail2ban.filter         [918]: INFO    [postfix] Found 185.191.54.54 - 2023-12-21 08:18:45
2023-12-21 08:13:22,170 fail2ban.filter         [918]: INFO    [postfix] Found 213.230.65.55 - 2023-12-21 08:13:22
2023-12-21 08:09:59,257 fail2ban.filter         [918]: INFO    [postfix] Found 197.211.63.117 - 2023-12-21 08:09:59
2023-12-21 08:03:08,801 fail2ban.filter         [918]: INFO    [postfix] Found 5.121.122.143 - 2023-12-21 08:03:08
2023-12-21 08:02:14,144 fail2ban.filter         [918]: INFO    [postfix] Found 5.121.122.143 - 2023-12-21 08:02:14
2023-12-21 07:30:50,066 fail2ban.filter         [918]: INFO    [postfix] Found 179.6.34.67 - 2023-12-21 07:30:50
2023-12-21 07:26:24,697 fail2ban.filter         [918]: INFO    [postfix] Found 160.155.168.175 - 2023-12-21 07:26:24
2023-12-21 07:13:19,438 fail2ban.filter         [918]: INFO    [postfix] Found 213.230.110.224 - 2023-12-21 07:13:19
2023-12-20 20:37:16,576 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 178.255.222.211 - 2023-12-20 20:37:16
2023-12-20 20:37:16,575 fail2ban.filter         [918]: INFO    [postfix] Found 178.255.222.211 - 2023-12-20 20:37:16
2023-12-20 13:13:17,068 fail2ban.filter         [918]: INFO    [postfix] Found 156.215.31.48 - 2023-12-20 13:13:16
2023-12-20 13:13:17,066 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 156.215.31.48 - 2023-12-20 13:13:16
2023-12-20 13:13:04,769 fail2ban.filter         [918]: INFO    [postfix] Found 156.215.31.48 - 2023-12-20 13:13:04
2023-12-20 13:13:04,769 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 156.215.31.48 - 2023-12-20 13:13:04
2023-12-20 11:23:00,796 fail2ban.filter         [918]: INFO    [postfix] Found 198.61.254.30 - 2023-12-20 11:23:00
2023-12-20 11:22:35,240 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 167.172.163.193 - 2023-12-20 11:22:35
2023-12-20 11:22:35,240 fail2ban.filter         [918]: INFO    [postfix] Found 167.172.163.193 - 2023-12-20 11:22:35
2023-12-20 11:15:08,658 fail2ban.filter         [918]: INFO    [postfix] Found 167.99.139.2 - 2023-12-20 11:15:08
2023-12-20 11:15:08,657 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 167.99.139.2 - 2023-12-20 11:15:08
2023-12-20 09:29:45,132 fail2ban.filter         [918]: INFO    [postfix] Found 197.35.212.121 - 2023-12-20 09:29:45
2023-12-20 09:29:45,130 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 197.35.212.121 - 2023-12-20 09:29:45
2023-12-20 09:29:13,177 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 197.35.212.121 - 2023-12-20 09:29:13
2023-12-20 09:29:13,176 fail2ban.filter         [918]: INFO    [postfix] Found 197.35.212.121 - 2023-12-20 09:29:13
2023-12-20 09:03:28,712 fail2ban.filter         [918]: INFO    [postfix] Found 38.108.68.89 - 2023-12-20 09:03:28
2023-12-20 09:03:28,711 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 38.108.68.89 - 2023-12-20 09:03:28
2023-12-20 08:57:46,176 fail2ban.filter         [918]: INFO    [postfix] Found 38.108.68.147 - 2023-12-20 08:57:46

I also maintain a list of "Known Spammers" on my Pfsense Firewall that blocks spammers ASN IP's completely. The usual suspects like smtp.dk, yandex.ru, eonix, etc.


   
ReplyQuote
(@jolmir)
Joined: 10 years ago
Posts: 18
 

@myriad thanks for sharing, I used your configuration shared above but I can't block any failed attempts I used this command but it doesn't mark any matches fail2ban-regex /opt/zextras/log/mailbox.log /etc/fail2ban/filter.d/carbonio.conf  and also to this other file and likewise no match /opt/zextras/log/audit.log /etc/fail2ban/filter.d/carbonio.conf both mailbox.log and audit.log log the following when there is a failed attempt

 

[root@mail /]# fail2ban-regex /opt/zextras/log/audit.log /etc/fail2ban/filter.d/carbonio.conf

Running tests
=============

Use failregex filter file : carbonio, basedir: /etc/fail2ban
Use log file : /opt/zextras/log/audit.log
Use encoding : UTF-8

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [276] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 276 lines, 0 ignored, 0 matched, 276 missed
[processed in 0.02 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 276 lines

 

[root@mail /]# fail2ban-regex /opt/zextras/log/mailbox.log /etc/fail2ban/filter.d/carbonio.conf

Running tests
=============

Use failregex filter file : carbonio, basedir: /etc/fail2ban
Use log file : /opt/zextras/log/mailbox.log
Use encoding : UTF-8

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [5111] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 5198 lines, 0 ignored, 0 matched, 5198 missed
[processed in 0.28 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 5198 lines

When there is a failed login attempt the following files contain the following

mailbox.log 

INFO [qtp1999664216-17://mail.*/service/soap/AuthRequest] [name=*@*;ip=*;oip=187.133.109.84;port=34690;soapId=1e8c2bdf;] SoapEngine - handler exception: authentication failed for [*], invalid password

2023-12-23 15:15:26,216 WARN [qtp1999664216-18186:smtp://*:49376/service/admin/soap/] [name=*@*;ip=*;oip=223.223.177.215;oport=49376;oproto=smtp;port=57330;soapId=65875a8;] security - cmd=Auth; account=*@*; protocol=soap; error=authentication failed for [*], account(or domain) status is locked;

audit.log

WARN [qtp1999664216-17://mail.*/service/soap/AuthRequest] [name=*@*;ip=*;oip=187.133.109.84;port=34690;soapId=1e8c2bdf;] security - cmd=Auth; account=*@*; protocol=soap; error=authentication failed for [*], invalid password;

2023-12-23 14:16:09,140 INFO [qtp1999664216-19005: https://10.110.73.35:7071/service/admin/soap/AuthRequest ] [name=*@*;ip=*;oip=*;port=34482;soapId=6585e83;] security - cmd=AdminAuth; account=*;

How could I correct the filter to match? Thanks in advance for the help


   
ReplyQuote
(@jolmir)
Joined: 10 years ago
Posts: 18
 

Does anyone have the fail2ban configuration for Carbonio CE? that you can provide to stop attacks against the server that end up intentionally blocking accounts


   
ReplyQuote
Myriad
(@myriad)
Joined: 13 years ago
Posts: 33
 

@jolmir Try this revised conf:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 10.40.10.0/24 yourdomain.ca someip/32 someip/32 
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
banaction = ufw
banaction_allports = ufw

[ufw]
enabled = true
filter  = ufw
logpath = /var/log/ufw.log

# Carbonio Jails.

[carbonio-account]
enabled = true
filter = carbonio
action = iptables-allports[name=carbonio-account]
#sendmail[name=carbonio-account, dest=zextras@domain.tld]
logpath = /opt/zextras/log/mailbox.log
bantime = 600
maxretry = 5

[carbonio-audit]
enabled = true
filter = carbonio
action = iptables-allports[name=carbonio-audit]
#sendmail[name=Carbonio-audit, dest=zextras@domain.tld]
logpath = /opt/zextras/log/audit.log
bantime = 600
maxretry = 5

[carbonio-recipient]
enabled = true
filter = carbonio
action = iptables-allports[name=carbonio-recipient]
#sendmail[name=Carbonio-recipient, dest=zextras@domain.tld]
logpath = /var/log/carbonio.log
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
#sendmail-buffered[name=Postfix, dest=zextras@domain.tld]
logpath = /var/log/carbonio.log
bantime = 172800
maxretry = 5

The previous example was missing the [ufw] section. Check out my Complete Guide for more info.


   
ReplyQuote
(@bellux)
Joined: 2 years ago
Posts: 12
Topic starter  

Posted by: @myriad

 

@jolmir I have used F2B for the 20+ years I have run Zimbra servers and I find it work well at stopping brute force attempts and account lockouts. Here is a typical log:

2023-12-21 10:22:57,064 fail2ban.filter         [918]: INFO    [postfix] Found 38.108.68.15 - 2023-12-21 10:22:56
2023-12-21 08:36:04,229 fail2ban.filter         [918]: INFO    [postfix] Found 182.183.169.193 - 2023-12-21 08:36:04
2023-12-21 08:29:57,123 fail2ban.filter         [918]: INFO    [postfix] Found 213.230.120.86 - 2023-12-21 08:29:57
2023-12-21 08:21:50,585 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 210.196.222.34 - 2023-12-21 08:21:50
2023-12-21 08:21:50,581 fail2ban.filter         [918]: INFO    [postfix] Found 210.196.222.34 - 2023-12-21 08:21:50
2023-12-21 08:18:45,416 fail2ban.filter         [918]: INFO    [postfix] Found 185.191.54.54 - 2023-12-21 08:18:45
2023-12-21 08:13:22,170 fail2ban.filter         [918]: INFO    [postfix] Found 213.230.65.55 - 2023-12-21 08:13:22
2023-12-21 08:09:59,257 fail2ban.filter         [918]: INFO    [postfix] Found 197.211.63.117 - 2023-12-21 08:09:59
2023-12-21 08:03:08,801 fail2ban.filter         [918]: INFO    [postfix] Found 5.121.122.143 - 2023-12-21 08:03:08
2023-12-21 08:02:14,144 fail2ban.filter         [918]: INFO    [postfix] Found 5.121.122.143 - 2023-12-21 08:02:14
2023-12-21 07:30:50,066 fail2ban.filter         [918]: INFO    [postfix] Found 179.6.34.67 - 2023-12-21 07:30:50
2023-12-21 07:26:24,697 fail2ban.filter         [918]: INFO    [postfix] Found 160.155.168.175 - 2023-12-21 07:26:24
2023-12-21 07:13:19,438 fail2ban.filter         [918]: INFO    [postfix] Found 213.230.110.224 - 2023-12-21 07:13:19
2023-12-20 20:37:16,576 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 178.255.222.211 - 2023-12-20 20:37:16
2023-12-20 20:37:16,575 fail2ban.filter         [918]: INFO    [postfix] Found 178.255.222.211 - 2023-12-20 20:37:16
2023-12-20 13:13:17,068 fail2ban.filter         [918]: INFO    [postfix] Found 156.215.31.48 - 2023-12-20 13:13:16
2023-12-20 13:13:17,066 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 156.215.31.48 - 2023-12-20 13:13:16
2023-12-20 13:13:04,769 fail2ban.filter         [918]: INFO    [postfix] Found 156.215.31.48 - 2023-12-20 13:13:04
2023-12-20 13:13:04,769 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 156.215.31.48 - 2023-12-20 13:13:04
2023-12-20 11:23:00,796 fail2ban.filter         [918]: INFO    [postfix] Found 198.61.254.30 - 2023-12-20 11:23:00
2023-12-20 11:22:35,240 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 167.172.163.193 - 2023-12-20 11:22:35
2023-12-20 11:22:35,240 fail2ban.filter         [918]: INFO    [postfix] Found 167.172.163.193 - 2023-12-20 11:22:35
2023-12-20 11:15:08,658 fail2ban.filter         [918]: INFO    [postfix] Found 167.99.139.2 - 2023-12-20 11:15:08
2023-12-20 11:15:08,657 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 167.99.139.2 - 2023-12-20 11:15:08
2023-12-20 09:29:45,132 fail2ban.filter         [918]: INFO    [postfix] Found 197.35.212.121 - 2023-12-20 09:29:45
2023-12-20 09:29:45,130 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 197.35.212.121 - 2023-12-20 09:29:45
2023-12-20 09:29:13,177 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 197.35.212.121 - 2023-12-20 09:29:13
2023-12-20 09:29:13,176 fail2ban.filter         [918]: INFO    [postfix] Found 197.35.212.121 - 2023-12-20 09:29:13
2023-12-20 09:03:28,712 fail2ban.filter         [918]: INFO    [postfix] Found 38.108.68.89 - 2023-12-20 09:03:28
2023-12-20 09:03:28,711 fail2ban.filter         [918]: INFO    [carbonio-recipient] Found 38.108.68.89 - 2023-12-20 09:03:28
2023-12-20 08:57:46,176 fail2ban.filter         [918]: INFO    [postfix] Found 38.108.68.147 - 2023-12-20 08:57:46

I also maintain a list of "Known Spammers" on my Pfsense Firewall that blocks spammers ASN IP's completely. The usual suspects like smtp.dk, yandex.ru, eonix, etc.

Hi, to me this is not appening.

 

 

2024-03-28 18:11:25,833 INFO [qtp688593710-70] [name=name.surname@business.it;ip=192.168.1.155;oip=192.168.1.6;port=43200;soapId=76c9364a;] SoapEngine - handler exception: authentication failed for [name.surname], invalid password
2024-03-28 18:11:25,834 INFO [qtp688593710-70] [name=name.surname@business.it;ip=192.168.1.155;oip=192.168.1.6;port=43200;soapId=76c9364a;] soap - AuthRequest elapsed=4
2024-03-28 18:11:25,836 INFO [qtp688593710-70] [] misc - Invalid login filter, checking if this was an auth req and authentication failed.

 

i found this on mailbox.log, i don't know what "misc - Invalid login filter, checking if this was an auth req and authentication failed" means, but i think is the problem fail2ban in my case is not working. 

 

This post was modified 8 months ago by BelluX

   
ReplyQuote
Myriad
(@myriad)
Joined: 13 years ago
Posts: 33
 

It seems to be working successfully for me. Here is a snippet from the F2B log:

2024-03-29 07:32:28,109 fail2ban.filter [940]: INFO [carbonio-recipient] Found 113.161.72.248 - 2024-03-29 07:32:27
2024-03-29 07:32:28,109 fail2ban.filter [940]: INFO [postfix] Found 113.161.72.248 - 2024-03-29 07:32:27
2024-03-29 05:53:57,935 fail2ban.filter [940]: INFO [carbonio-recipient] Found 209.85.222.202 - 2024-03-29 05:53:57
2024-03-29 05:53:57,934 fail2ban.filter [940]: INFO [postfix] Found 209.85.222.202 - 2024-03-29 05:53:57
2024-03-29 04:40:09,985 fail2ban.filter [940]: INFO [postfix] Found 217.160.213.95 - 2024-03-29 04:40:09
2024-03-29 04:40:09,985 fail2ban.filter [940]: INFO [carbonio-recipient] Found 217.160.213.95 - 2024-03-29 04:40:09
2024-03-29 04:29:28,880 fail2ban.filter [940]: INFO [carbonio-recipient] Found 217.160.213.95 - 2024-03-29 04:29:28
2024-03-29 04:29:28,879 fail2ban.filter [940]: INFO [postfix] Found 217.160.213.95 - 2024-03-29 04:29:28
2024-03-29 03:24:29,172 fail2ban.filter [940]: INFO [postfix] Found 27.73.161.90 - 2024-03-29 03:24:28
2024-03-29 03:24:29,172 fail2ban.filter [940]: INFO [carbonio-recipient] Found 27.73.161.90 - 2024-03-29 03:24:28
2024-03-28 23:59:42,960 fail2ban.actions [940]: NOTICE [postfix] Ban 185.165.190.17
2024-03-28 23:59:42,704 fail2ban.filter [940]: INFO [postfix] Found 185.165.190.17 - 2024-03-28 23:59:42
2024-03-28 23:59:42,582 fail2ban.filter [940]: INFO [postfix] Found 185.165.190.17 - 2024-03-28 23:59:42
2024-03-28 23:59:35,612 fail2ban.filter [940]: INFO [postfix] Found 185.165.190.17 - 2024-03-28 23:59:35
2024-03-28 23:59:35,583 fail2ban.filter [940]: INFO [postfix] Found 185.165.190.17 - 2024-03-28 23:59:35
2024-03-28 23:59:35,514 fail2ban.filter [940]: INFO [postfix] Found 185.165.190.17 - 2024-03-28 23:59:35
2024-03-28 19:04:29,071 fail2ban.filter [940]: INFO [carbonio-recipient] Found 199.79.63.213 - 2024-03-28 19:04:28
2024-03-28 19:04:29,090 fail2ban.filter [940]: INFO [postfix] Found 199.79.63.213 - 2024-03-28 19:04:28
2024-03-28 05:57:30,129 fail2ban.filter [940]: INFO [postfix] Found 85.215.217.236 - 2024-03-28 05:57:30
2024-03-28 05:57:30,125 fail2ban.filter [940]: INFO [carbonio-recipient] Found 85.215.217.236 - 2024-03-28 05:57:30
2024-03-28 05:42:15,905 fail2ban.filter [940]: INFO [postfix] Found 85.215.217.236 - 2024-03-28 05:42:15
2024-03-28 05:42:15,904 fail2ban.filter [940]: INFO [carbonio-recipient] Found 85.215.217.236 - 2024-03-28 05:42:15
2024-03-28 04:25:56,316 fail2ban.filter [940]: INFO [carbonio-recipient] Found 176.102.65.146 - 2024-03-28 04:25:56
2024-03-28 04:25:56,316 fail2ban.filter [940]: INFO [postfix] Found 176.102.65.146 - 2024-03-28 04:25:56
2024-03-28 04:14:01,005 fail2ban.filter [940]: INFO [carbonio-recipient] Found 209.85.219.196 - 2024-03-28 04:14:00
2024-03-28 04:14:01,004 fail2ban.filter [940]: INFO [postfix] Found 209.85.219.196 - 2024-03-28 04:14:00
2024-03-28 01:00:28,476 fail2ban.filter [940]: INFO [carbonio-recipient] Found 85.215.217.236 - 2024-03-28 01:00:28
2024-03-28 01:00:28,475 fail2ban.filter [940]: INFO [postfix] Found 85.215.217.236 - 2024-03-28 01:00:28
2024-03-27 12:14:37,879 fail2ban.filter [940]: INFO [carbonio-recipient] Found 35.172.137.204 - 2024-03-27 12:14:37
2024-03-27 12:14:37,878 fail2ban.filter [940]: INFO [postfix] Found 35.172.137.204 - 2024-03-27 12:14:37
2024-03-27 12:14:37,876 fail2ban.filter [940]: INFO [postfix] Found 3.95.194.109 - 2024-03-27 12:14:37
2024-03-27 12:14:37,875 fail2ban.filter [940]: INFO [carbonio-recipient] Found 3.95.194.109 - 2024-03-27 12:14:37
2024-03-27 12:14:37,874 fail2ban.filter [940]: INFO [carbonio-recipient] Found 3.95.194.109 - 2024-03-27 12:14:37
2024-03-27 12:14:37,873 fail2ban.filter [940]: INFO [postfix] Found 3.95.194.109 - 2024-03-27 12:14:37
2024-03-27 12:14:37,860 fail2ban.filter [940]: INFO [postfix] Found 34.229.209.11 - 2024-03-27 12:14:37
2024-03-27 12:14:37,854 fail2ban.filter [940]: INFO [carbonio-recipient] Found 34.229.209.11 - 2024-03-27 12:14:37
2024-03-27 12:14:31,371 fail2ban.filter [940]: INFO [carbonio-recipient] Found 3.83.193.114 - 2024-03-27 12:14:31
2024-03-27 12:14:31,370 fail2ban.filter [940]: INFO [postfix] Found 3.83.193.114 - 2024-03-27 12:14:31
2024-03-27 12:14:31,357 fail2ban.filter [940]: INFO [postfix] Found 3.91.95.234 - 2024-03-27 12:14:31
2024-03-27 12:14:31,357 fail2ban.filter [940]: INFO [carbonio-recipient] Found 3.91.95.234 - 2024-03-27 12:14:31
2024-03-27 12:14:31,328 fail2ban.filter [940]: INFO [carbonio-recipient] Found 54.234.127.247 - 2024-03-27 12:14:31
2024-03-27 12:14:31,328 fail2ban.filter [940]: INFO [postfix] Found 54.234.127.247 - 2024-03-27 12:14:31
2024-03-27 12:14:31,325 fail2ban.filter [940]: INFO [carbonio-recipient] Found 44.201.251.164 - 2024-03-27 12:14:31

And here is the corresponding UFW log snippet:

Dec 30 23:57:38 mail kernel: [1059327.700662] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:34 mail kernel: [1059323.679745] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:32 mail kernel: [1059321.663402] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:31 mail kernel: [1059320.636498] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:30 mail kernel: [1059319.629581] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:29 mail kernel: [1059318.624329] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:28 mail kernel: [1059317.620016] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:57:27 mail kernel: [1059316.614146] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=54087 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:47:14 mail kernel: [1058703.889702] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=45.227.254.8 DST=10.40.10.51 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=27789 DF PROTO=TCP SPT=39816 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 30 23:47:08 mail kernel: [1058697.877935] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=45.227.254.8 DST=10.40.10.51 LEN=52 TOS=0x02 PREC=0x00 TTL=116 ID=27788 DF PROTO=TCP SPT=39816 DPT=8443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Dec 30 23:47:05 mail kernel: [1058694.867505] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=45.227.254.8 DST=10.40.10.51 LEN=52 TOS=0x02 PREC=0x00 TTL=116 ID=27787 DF PROTO=TCP SPT=39816 DPT=8443 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Dec 30 23:38:55 mail kernel: [1058203.797445] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=45.128.232.15 DST=10.40.10.51 LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=UDP SPT=54631 DPT=123 LEN=16
Dec 30 23:37:36 mail kernel: [1058124.990948] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=37229 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:36 mail kernel: [1058124.837431] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40250 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:35 mail kernel: [1058124.510768] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=20097 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:35 mail kernel: [1058124.312178] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=34363 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:35 mail kernel: [1058124.009227] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=10317 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:34 mail kernel: [1058123.672847] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=27166 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:34 mail kernel: [1058123.515128] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=62940 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:34 mail kernel: [1058122.906124] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=28771 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:37:32 mail kernel: [1058121.523980] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=62234 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
Dec 30 23:15:48 mail kernel: [1056816.794176] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:32 mail kernel: [1056800.688420] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:24 mail kernel: [1056792.646623] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:20 mail kernel: [1056788.641186] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:18 mail kernel: [1056786.637543] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:17 mail kernel: [1056785.618082] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:16 mail kernel: [1056784.612743] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:15 mail kernel: [1056783.603794] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:14 mail kernel: [1056782.573107] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=34394 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 30 23:15:13 mail kernel: [1056781.502434] [UFW BLOCK] IN=enp0s4 OUT= MAC=00:a0:98:7c:8a:bb:00:90:0b:7a:87:36:08:00 SRC=142.116.122.113 DST=10.40.10.51 LEN=64 TOS=0x00 PREC=0x00 TTL

Unless I am missing something here, my installation seems to be working ok. Do you have your FW set up correctly as per my previous link?


   
ReplyQuote
(@haffi)
Joined: 7 months ago
Posts: 13
 

@myriad 

After adding the ufw

[98875]: ERROR Found no accessible config files for 'filter.d/ufw' under /etc/fail2ban

[98875]: ERROR Unable to read the filter 'ufw'

[98875]: ERROR Errors in jail 'ufw'. Skipping...

 

 

 


   
ReplyQuote