Blacklist an IP

I want to block a specific IP semi-permanently.

I tried this command:
fail2ban-client set JAIL banip 95.172.129.178

with response:
NOK: ('JAIL',)
Sorry but the jail 'JAIL' does not exist

Clearly I need to replace 'JAIL' with an appropriate name - but what?

Hoping to stop being hit with mail bounces real soon!

Thanks
Stef

OK
decided to use
fail2ban-client set recidive banip 95.172.129.178
which worked.
The spammer/faulty server switched to the next address, which I then banned. And now silence.

The unwanted traffic was coming in on port 25, at a rate of 20+ emails/sec, each reporting an email bounce.

So really I’d like to know why fail2ban didn’t stop this traffic by itself. I had restarted fail2ban with no effect.
I could see it banning sshd attempts.

Anyway panic over for now

Stef
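As an added illustration (not code from the original thread or from Mail-in-a-Box) of why fail2ban stayed quiet: a jail only counts log lines that match its filter's failregex, and the stock postfix filter keys on rejections and authentication failures, not on messages Postfix accepted. Accepted deliveries leave only a "client=" line in the mail log, which no default jail reads, so a remote server that delivers thousands of unwanted but accepted messages never accumulates a failure count. (The list of jails that do exist on a box comes from `fail2ban-client status`; `recidive` re-bans hosts that fail2ban's own log shows being banned repeatedly, with the 1 week bantime mentioned below, which is why a manual `banip` there works as a long ban.) The log lines, the year and the simplified `<HOST>` expansion below are constructed for the demonstration; the regexes are reduced versions of the real filter style, not copies of fail2ban's filter files.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix/syslog lines in the shape /var/log/mail.log uses (not taken
# from the original post). Accepted inbound messages leave a "client=" line;
# only the fifth line is a rejection, which is what the stock filter counts.
SAMPLE_LOG = """\
Sep  4 12:57:50 box postfix/smtpd[2210]: connect from mx5.au.ru[95.172.129.178]
Sep  4 12:57:50 box postfix/smtpd[2210]: 3C30F2C8519F: client=mx5.au.ru[95.172.129.178]
Sep  4 12:57:51 box postfix/smtpd[2210]: 375E581BE6: client=mx5.au.ru[95.172.129.178]
Sep  4 12:57:55 box postfix/smtpd[2210]: 9969B81BE6: client=mx5.au.ru[95.172.129.178]
Sep  4 12:58:03 box postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<a@example.net> to=<stef@mail.com> proto=ESMTP helo=<x>
Sep  4 12:58:10 box postfix/smtpd[2210]: 1B2C3D4E5F: client=mx5.au.ru[95.172.129.178]
"""

# Simplified failregex lines. The first is the kind the stock postfix filter
# ships (rejections). The second is hypothetical: it would count accepted
# deliveries, which no stock jail does because it punishes busy legitimate
# senders (mailing lists, big providers) exactly like a spammer.
STOCK_REJECT_REGEX = r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]"
ACCEPTED_MAIL_REGEX = r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[<HOST>\]"

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
LOG_YEAR = 2021  # syslog lines carry no year; assumed for the sample


def parse_ts(line):
    """Timestamp of a syslog-format line as a datetime."""
    m = SYSLOG_TS.match(line)
    stamp = " ".join(m.group(1).split())  # "Sep  4" -> "Sep 4"
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def compile_failregex(failregex):
    # fail2ban's <HOST> also matches IPv6 and hostnames; IPv4 is enough here
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))


def evaluate_jail(log_text, failregex, maxretry=5, findtime=600):
    """Count failregex hits per host and ban any host that reaches maxretry
    hits inside a sliding findtime window, the way a fail2ban jail decides.
    Returns (hits_per_host, banned_hosts)."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    hits = defaultdict(int)
    banned = set()
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        hits[host] += 1
        # keep only hits still inside the window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return dict(hits), banned


if __name__ == "__main__":
    for name, rx in (("stock reject filter", STOCK_REJECT_REGEX),
                     ("hypothetical accepted-mail filter", ACCEPTED_MAIL_REGEX)):
        hits, banned = evaluate_jail(SAMPLE_LOG, rx, maxretry=3)
        print(f"{name}: hits={hits} banned={sorted(banned)}")
```

With the stock-style filter the au.ru server never scores a single hit, whatever maxretry is; with the accepted-mail filter it would be banned after three deliveries, but only while those deliveries fall inside findtime, which is the second knob to keep in mind when a jail seems not to fire.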

There probably is no matching filter/jail defined in fail2ban for the report that you saw. That might or might not have been on purpose, depending on the exact report that is present in the logs. Can you provide an (anonymized) example of the unwanted traffic?
Also note that the bantime of recidive is by default set to 1 week (I think). This means fail2ban will remove the ban after a week, so you might want to check for recurrence of the noisy IP at that time.

I personally would use ufw to block the IP instead.

sudo ufw deny from {ip-address-here} to any (do not use the brackets)

sudo ufw reload

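One check worth doing after the ufw commands above (an added example, not from the original post or from Mail-in-a-Box): `ufw deny from <ip> to any` appends the rule to the end of the user rule list, and ufw applies those rules in listed order with the first match winning. A mail server already has an earlier rule allowing 25/tcp from anywhere, so an appended deny is never reached for SMTP connections from that IP; it only blocks ports nothing else allows. `sudo ufw insert 1 deny from <ip> to any` puts the rule first. The listing below is constructed in the format of `sudo ufw status numbered`, and the rule matcher is a deliberately small model of ufw's evaluation (ports and IPv4 sources only, no v6 rows, no ranges).

```python
import re

# Constructed `sudo ufw status numbered` output (not from the post). It models a
# mail server that allows SMTP from anywhere and then ran
# `ufw deny from 95.172.129.178 to any`, which appends the deny as rule 4.
UFW_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 25/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     95.172.129.178
"""

# Same box after `ufw delete 4` and `ufw insert 1 deny from 95.172.129.178 to any`.
FIXED_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     95.172.129.178
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 25/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
"""

RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)\s+(ALLOW|DENY|REJECT) IN\s+(\S+)")


def parse_status(text):
    """Turn the numbered listing into ordered rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, to, action, src = m.groups()
            rules.append({"num": int(num), "to": to, "action": action, "from": src})
    return rules


def _to_matches(to, port, proto):
    if to == "Anywhere":
        return True
    p, _, pr = to.partition("/")
    return p == str(port) and (pr == "" or pr == proto)


def first_match(rules, src_ip, port, proto="tcp"):
    """ufw user rules are iptables rules in listed order: first match wins."""
    for r in rules:
        if r["from"] in ("Anywhere", src_ip) and _to_matches(r["to"], port, proto):
            return r
    return None


def effective_action(text, src_ip, port, proto="tcp"):
    """What ufw does with a packet from src_ip to port ("DEFAULT" = no user rule hit)."""
    r = first_match(parse_status(text), src_ip, port, proto)
    return r["action"] if r else "DEFAULT"


def shadowed_deny_fix(text, src_ip):
    """If the deny for src_ip sits below an allow that already admits that
    source, return the ufw commands that move it to the top; else None."""
    rules = parse_status(text)
    for i, r in enumerate(rules):
        if r["action"] == "DENY" and r["from"] == src_ip:
            earlier = [a for a in rules[:i]
                       if a["action"] == "ALLOW" and a["from"] in ("Anywhere", src_ip)]
            if earlier:
                return [f"ufw delete {r['num']}",
                        f"ufw insert 1 deny from {src_ip} to any"]
            return None
    return None


if __name__ == "__main__":
    for label, status in (("appended", UFW_STATUS), ("inserted first", FIXED_STATUS)):
        print(label, "port 25 from 95.172.129.178 ->",
              effective_action(status, "95.172.129.178", 25),
              "| fix:", shadowed_deny_fix(status, "95.172.129.178"))
```

Running it against the real listing on a box is a matter of feeding `sudo ufw status numbered` output into `shadowed_deny_fix`; if it returns commands, the deny you added is not doing what you think for port 25.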

Below is a sample of the emails. They were arriving at > 30 per minute.
I did check for any mention of the source IP in the logs and jails, but didn’t find any.

As I understand it, fail2ban blocks multiple connection attempts to services. But once you've made a single connection to port 25 you can send as many emails as you like as part of the same connection (emails with BCC recipients rely on this).
So I am not sure that fail2ban is what would be blocking such an attack (or faulty behaviour - to be generous). Is there any defence in MIAB, and if so, what could be wrong with my system?

Return-Path: <>
Delivered-To: stef@mail.com
Received: from mymailbox.co.uk ([127.0.0.1])
by mymailbox.co.uk with LMTP id ePvrNkNfM2HdGQAAaZtI8A
for stef@mail.com; Sat, 04 Sep 2021 12:57:55 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mymailbox.co.uk
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.6 required=5.0 tests=BAYES_00,DMARC_FAIL_REJECT,
FREEMAIL_FROM,SPF_HELO_NONE,SPF_NONE,SPOOFED_FREEMAIL autolearn=no
autolearn_force=no version=3.4.2
X-Spam-Report:
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
* 10 DMARC_FAIL_REJECT DMARC check failed (p=reject)
* 2.0 SPF_NONE SPF record not found
* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
* provider (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru) (mailer-daemon[at]au.ru)
* (mailer-daemon[at]au.ru)
* 1.5 SPOOFED_FREEMAIL No description available.
X-Spam-Score: 11.6
Received: from mx5.au.ru (mx5.au.ru [95.172.129.178])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mymailbox.co.uk (Postfix) with ESMTPS id 9969B81BE6
for opendmarc@mymailbox.co.uk; Sat, 4 Sep 2021 12:57:55 +0100 (BST)
Authentication-Results: mymailbox.co.uk; dmarc=fail (p=reject dis=none) header.from=au.ru
Authentication-Results: mymailbox.co.uk; spf=none smtp.helo=mx5.au.ru
Authentication-Results: mymailbox.co.uk; dkim=none; dkim-atps=neutral
Received: by mx5.au.ru (Postfix)
id AFF822C8024B; Sat, 4 Sep 2021 18:57:54 +0700 (+07)
Date: Sat, 4 Sep 2021 18:57:54 +0700 (+07)
From: MAILER-DAEMON@au.ru (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: opendmarc@mymailbox.co.uk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="978212C8519F.1630756674/mx5.au.ru"
Content-Transfer-Encoding: 7bit
Message-Id: 20210904115754.AFF822C8024B@mx5.au.ru

This is a MIME-encapsulated message.

--978212C8519F.1630756674/mx5.au.ru
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx5.au.ru.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

               The mail system

#sps@au.ru (expanded from postmaster@au.ru): user unknown

--978212C8519F.1630756674/mx5.au.ru
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mx5.au.ru
X-Postfix-Queue-ID: 978212C8519F
X-Postfix-Sender: rfc822; opendmarc@mymailbox.co.uk
Arrival-Date: Sat, 4 Sep 2021 18:57:54 +0700 (+07)

Final-Recipient: rfc822; #sps@au.ru
Original-Recipient: rfc822;postmaster@au.ru
Action: failed
Status: 5.1.1
Diagnostic-Code: x-unix; user unknown

--978212C8519F.1630756674/mx5.au.ru
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Return-Path: opendmarc@mymailbox.co.uk
Received: from localhost (unknown [127.0.0.1])
by mx5.au.ru (Postfix) with ESMTP id 978212C8519F
for postmaster@au.ru; Sat, 4 Sep 2021 11:57:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at au.ru
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Level:
X-Spam-Status: No, score=-1.698 tagged_above=-200 required=5.2
tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Authentication-Results: mx10.au.ru (amavisd-new); dkim=neutral
reason="invalid (public key: not available)"
header.d=mymailbox.co.uk
Received: from mymailbox.co.uk (mymailbox.co.uk [176.126.246.76])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by mx5.au.ru (Postfix) with ESMTPS id 668FD2C8024B
for postmaster@au.ru; Sat, 4 Sep 2021 18:57:52 +0700 (+07)
Received: by mymailbox.co.uk (Postfix, from userid 116)
id 777C982942; Sat, 4 Sep 2021 12:57:51 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mymailbox.co.uk;
s=mail; t=1630756671;
bh=LvbOqlwP2DpLQ4F6b+quEaosfxZkyHUpviOi08f/63s=;
h=From:To:Date:Subject:From;
b=XgQ3YVaZYV7RmzXOV3qEuPuOFOZMXsRYSF/pRadT1PS7CwM9AgTllAMfldo2j10Ys
VcFBhg14TeuM1OH/PiucdQNie0ogZpvbGxccsLEcBHCnQ5iuj7hjeXLReSQkSvIhID
Z+3iyCHWmsNvrW2fJv1C/kFcEN9ICCWptPk0h0g7X6/cChCkP8SD2BZVzaxnpvX483
wIGimEtrnCYP8rR1hesH2XI5FAmy3oqUY4DFZqJivUvYoE4Iqv8eRqCr2UfDDADR1c
aMRM0BxYUEijQv13bWqajkNY1o2Rp0SVoGhrh/6hBSzHbAv221awhrBWET3hlgr9Db
xpvP8S37rFIfg==
From: OpenDMARC Filter opendmarc@mymailbox.co.uk
To: postmaster@au.ru
Date: Sat, 4 Sep 2021 12:57:51 +0100 (BST)
Subject: FW: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report;
report-type=feedback-report;
boundary="mymailbox.co.uk:375E581BE6"
Message-Id: 20210904115751.777C982942@mymailbox.co.uk

--mymailbox.co.uk:375E581BE6
Content-Type: text/plain

This is an authentication failure report for an email message received from IP
95.172.129.178 on Sat, 4 Sep 2021 12:57:51 +0100 (BST).

--mymailbox.co.uk:375E581BE6
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: mymailbox.co.uk; dmarc=fail header.from=au.ru
Original-Envelope-Id: 375E581BE6
Original-Mail-From:
Source-IP: 95.172.129.178 (mx5.au.ru)
Reported-Domain: au.ru

--mymailbox.co.uk:375E581BE6
Content-Type: text/rfc822-headers

Authentication-Results: mymailbox.co.uk; dkim=none; dkim-atps=neutral
Received: by mx5.au.ru (Postfix)
id 55A072C8024B; Sat, 4 Sep 2021 18:57:50 +0700 (+07)
Date: Sat, 4 Sep 2021 18:57:50 +0700 (+07)
From: MAILER-DAEMON@au.ru (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: opendmarc@mymailbox.co.uk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="3C30F2C8519F.1630756670/mx5.au.ru"
Content-Transfer-Encoding: 7bit
Message-Id: 20210904115750.55A072C8024B@mx5.au.ru

--mymailbox.co.uk:375E581BE6--

--978212C8519F.1630756674/mx5.au.ru--

Yes thanks for that!
Stef
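The headers in the post above already explain the traffic, and the added example below (not code from the thread, from Mail-in-a-Box or from OpenDMARC) walks the nesting to make that visible. Reading from the outside in: mx5.au.ru bounced a message to opendmarc@mymailbox.co.uk; the bounced message was an OpenDMARC auth-failure report that the box had sent to postmaster@au.ru (which au.ru rejects with "user unknown", although every mail domain is supposed to accept postmaster); and the message that report complained about was itself an earlier au.ru bounce, which failed DMARC for au.ru because au.ru publishes p=reject and its bounces carry no aligned signature. So each bounce fails DMARC, OpenDMARC sends a failure report, the report bounces, and round it goes; the timestamps 18:57:50, :51, :52 and :54 in the sample are one full lap. That is not a connection flood, so fail2ban has nothing to count; the knob on the box is OpenDMARC's `FailureReports` setting (reports to the remote domain off), and the rest of the fault is at au.ru. The message below is a constructed, trimmed reconstruction of the posted sample with short boundary strings; the detection logic is mine.

```python
import email
from email.message import Message

# Constructed from the headers in the post above, trimmed to the parts that
# matter (not the original message verbatim): an au.ru bounce whose attached
# message is an OpenDMARC failure report about an earlier au.ru bounce.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@au.ru (Mail Delivery System)
To: opendmarc@mymailbox.co.uk
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
Authentication-Results: mymailbox.co.uk; dmarc=fail (p=reject dis=none) header.from=au.ru
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="outer"

--outer
Content-Type: text/plain

This is the mail system at host mx5.au.ru.

--outer
Content-Type: message/delivery-status

Reporting-MTA: dns; mx5.au.ru

Final-Recipient: rfc822; #sps@au.ru
Original-Recipient: rfc822;postmaster@au.ru
Action: failed
Status: 5.1.1

--outer
Content-Type: message/rfc822

From: OpenDMARC Filter <opendmarc@mymailbox.co.uk>
To: postmaster@au.ru
Subject: FW: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="inner"

--inner
Content-Type: text/plain

This is an authentication failure report for an email message received from IP
95.172.129.178.

--inner
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 95.172.129.178 (mx5.au.ru)
Reported-Domain: au.ru

--inner
Content-Type: text/rfc822-headers

From: MAILER-DAEMON@au.ru (Mail Delivery System)
To: opendmarc@mymailbox.co.uk
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

--inner--

--outer--
"""


def _summary(msg: Message) -> dict:
    return {"from": msg.get("From", ""), "to": msg.get("To", ""),
            "subject": msg.get("Subject", ""), "auto": msg.get("Auto-Submitted", "no")}


def message_chain(raw: str) -> list:
    """Outermost message first, then every message it encapsulates."""
    root = email.message_from_string(raw)
    chain = [_summary(root)]
    for part in root.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            chain.append(_summary(part.get_payload(0)))
        elif ctype == "text/rfc822-headers":
            # RFC 6522 headers-only part: the parser leaves it as text, so parse it here
            chain.append(_summary(email.message_from_string(part.get_payload())))
    return chain


def delivery_status(raw: str):
    """(Action, Status, Original-Recipient) from the per-recipient DSN block."""
    root = email.message_from_string(raw)
    for part in root.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():
                if "Final-Recipient" in block:
                    return block["Action"], block["Status"], block["Original-Recipient"]
    return None


def reported_source_ip(raw: str):
    """Which IP the embedded OpenDMARC report blamed."""
    root = email.message_from_string(raw)
    for part in root.walk():
        if part.get_content_type() == "message/feedback-report":
            return part.get_payload(0)["Source-IP"].split()[0]
    return None


def is_report_loop(raw: str) -> bool:
    """True when the innermost reported message is the same auto-reply
    (same sender, recipient and subject) as the bounce that carries it."""
    chain = message_chain(raw)
    if len(chain) < 3:
        return False
    outer, inner = chain[0], chain[-1]
    return (outer["from"] == inner["from"] and outer["to"] == inner["to"]
            and outer["subject"] == inner["subject"]
            and outer["auto"] != "no" and inner["auto"] != "no")


if __name__ == "__main__":
    for depth, m in enumerate(message_chain(SAMPLE_BOUNCE)):
        print("  " * depth + f"{m['from']} -> {m['to']}: {m['subject']}")
    print("DSN:", delivery_status(SAMPLE_BOUNCE), "| loop:", is_report_loop(SAMPLE_BOUNCE))
```

Pointed at a saved copy of one of the real bounces, `message_chain` prints the three layers and `is_report_loop` returns True; for an ordinary one-off bounce the chain has at most two layers and the function returns False, so it also serves as a quick triage on a mailbox full of DSNs.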

@stefbishop From the command line run:

mailq

Is there any significant output? Significant being defined as emails in queue OTHER THAN THOSE which you may have just sent yourself or by one of your users?

mailq

There was but not now!

Indeed, in that case fail2ban will not help you. Alento’s solution works quite well in any case.
