Fail2ban blocking

Before I start, thank you for all the hard work in putting mailinabox together and maintaining it. It has been the perfect solution for me.

I have only had one intermittent issue that I think I have traced the cause of - connecting to mailinabox from my internal home network is intermittently blocked (more so now than when originally setup).

It appears that there are a large number of attempts to connect to mailinabox from one or more devices on my home network leading fail2ban to believe they are malicious and banning my external IP address.

I’m going to whitelist (if my technical skills are up to it, but I believe this will be overwritten when upgrading), but any ideas on how to trace which device might be generating the large number of connection attempts?

I have added my IP to the jails.conf file for fail2ban but I’m getting this in /var/log/fail2ban.log after restart:
2020-03-30 13:38:11,240 fail2ban.actions [944]: NOTICE [recidive] Restore Ban my.ip.add.ress

Clearly I’m doing something wrong, jails.conf:
[DEFAULT]
# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
# ping services over the public interface so we should whitelist that address of
# ours too. The string is substituted during installation.
ignoreip = 127.0.0.1/8 my.ip.add.ress PUBLIC_IP
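An added check, written for this thread and not part of Mail-in-a-Box or the poster's own configuration: it parses an ignoreip line, reports tokens that are not literal addresses (a hostname fail2ban would resolve, or an unsubstituted PUBLIC_IP placeholder, which protects nothing), and then lists Ban / Restore Ban events in fail2ban.log whose target address the ignore list should have covered. The ignoreip line and the log lines are constructed, using reserved documentation addresses; 203.0.113.7 stands in for the poster's own public IP.

```python
import ipaddress
import re

# Constructed stand-ins for the jail configuration and fail2ban.log line shown in this post.
# 203.0.113.7 plays the role of the poster's own public address; PUBLIC_IP is left
# unsubstituted on purpose to show how such a token is reported.
IGNOREIP_LINE = "ignoreip = 127.0.0.1/8 203.0.113.7 PUBLIC_IP"
SAMPLE_FAIL2BAN_LOG = """\
2020-03-30 13:38:11,240 fail2ban.actions        [944]: NOTICE  [recidive] Restore Ban 203.0.113.7
2020-03-30 13:40:02,101 fail2ban.actions        [944]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2020-03-30 13:41:15,555 fail2ban.actions        [944]: NOTICE  [postfix-sasl] Unban 198.51.100.23
2020-03-30 13:42:30,007 fail2ban.actions        [944]: NOTICE  [recidive] Ban 192.0.2.44
"""

# Ban, Restore Ban and Unban notices as fail2ban.actions writes them.
BAN_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<action>Restore Ban|Ban|Unban)\s+(?P<ip>\S+)"
)


def parse_ignoreip(line):
    """Split an 'ignoreip = ...' line into IP networks and tokens that are not addresses.

    Non-address tokens are either hostnames (which fail2ban resolves) or, as here,
    a placeholder that never got substituted and therefore protects nothing.
    """
    value = line.split("=", 1)[1]
    networks, other = [], []
    for token in value.split():
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            other.append(token)
    return networks, other


def is_ignored(ip, networks):
    """True if ip falls inside any network on the ignore list."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. an obfuscated or malformed address in a pasted log line
    return any(addr in net for net in networks)


def parse_bans(log_text):
    """Return (jail, action, ip) for every Ban / Restore Ban line; Unban lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m and m["action"] != "Unban":
            events.append((m["jail"], m["action"], m["ip"]))
    return events


def bans_on_ignored_addresses(log_text, networks):
    """Ban events whose target address the ignoreip list is supposed to cover."""
    return [ev for ev in parse_bans(log_text) if is_ignored(ev[2], networks)]


if __name__ == "__main__":
    nets, other = parse_ignoreip(IGNOREIP_LINE)
    print("ignored networks:", [str(n) for n in nets])
    print("tokens that are not addresses:", other)
    for jail, action, ip in bans_on_ignored_addresses(SAMPLE_FAIL2BAN_LOG, nets):
        print(f"[{jail}] {action} {ip}: address is on the ignore list; lift it with "
              f"fail2ban-client set {jail} unbanip {ip}")
```

Run against the real /etc/fail2ban jail configuration and /var/log/fail2ban.log, the same two functions show whether the address being banned is actually matched by an entry on the ignore list, and which jail (here the recidive jail restoring an old ban on restart) is doing the banning.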

Apologies for continually adding to my own post, but I’m adding info as I become aware of it. It would appear there are two ‘rogue’ accounts. After turning off all mail clients in the network and looking at mail.log on the email server, I see these accounts logging in multiple times per second from, apparently, the ‘local machine’ (127.0.0.1). I have 12 accounts configured over four domains but only these two accounts appear to be doing this. Oddly, these two accounts also show as very high in the weekly usage report. Is this normal behaviour?

Mar 30 14:41:42 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12744, secured, session=<DiB9nBKijoZ/AAAB>
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12746, secured, session=<oQp+nBKikIZ/AAAB>
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12748, secured, session=<bf5+nBKilIZ/AAAB>
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12750, secured, session=<ndV/nBKimIZ/AAAB>
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12752, secured, session=<Y4SAnBKinIZ/AAAB>
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12754, secured, session=<h1WBnBKioIZ/AAAB>
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=500 out=3611
Mar 30 14:41:51 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12758, secured, session=<ePwGnRKipIZ/AAAB>
Mar 30 14:41:51 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:51 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12760, secured, session=<SQ4InRKiqIZ/AAAB>
Mar 30 14:41:51 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:51 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12762, secured, session=<o28LnRKirIZ/AAAB>
Mar 30 14:41:51 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:41:51 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12764, secured, session=<BTIMnRKisIZ/AAAB>
Mar 30 14:41:51 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:00 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12766, secured, session=<KB+SnRKisoZ/AAAB>
Mar 30 14:42:00 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:00 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12768, secured, session=<ITGWnRKitIZ/AAAB>
Mar 30 14:42:00 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:09 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12770, TLS, session=<IMAcnhKiep1/AAAB>
Mar 30 14:42:09 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=445 out=3005
Mar 30 14:42:09 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12772, TLS, session=<BOcgnhKifJ1/AAAB>
Mar 30 14:42:09 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=445 out=2877
Mar 30 14:42:18 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12776, secured, session=<5dqmnhKivoZ/AAAB>
Mar 30 14:42:18 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:18 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12779, secured, session=<a+ynnhKiwoZ/AAAB>
Mar 30 14:42:18 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:18 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12781, secured, session=<IuGqnhKixoZ/AAAB>
Mar 30 14:42:18 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:18 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12783, secured, session=<yJWrnhKiyoZ/AAAB>
Mar 30 14:42:18 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:27 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12785, secured, session=<gysynxKizIZ/AAAB>
Mar 30 14:42:27 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:27 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12787, secured, session=<sKs1nxKizoZ/AAAB>
Mar 30 14:42:27 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:36 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12790, TLS, session=<7+K8nxKikp1/AAAB>
Mar 30 14:42:36 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=445 out=3005
Mar 30 14:42:36 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12792, TLS, session=<Kk7AnxKilJ1/AAAB>
Mar 30 14:42:36 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=445 out=2877
Mar 30 14:42:45 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12796, secured, session=<7OxGoBKi1oZ/AAAB>
Mar 30 14:42:45 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:45 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12799, secured, session=<H8pHoBKi2oZ/AAAB>
Mar 30 14:42:45 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:45 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12801, secured, session=<4VBKoBKi3oZ/AAAB>
Mar 30 14:42:45 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:45 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12803, secured, session=<4jxLoBKi4oZ/AAAB>
Mar 30 14:42:45 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:54 imap-login: Info: Login: user=<account1( at )domain2 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12806, secured, session=<u/XRoBKi5IZ/AAAB>
Mar 30 14:42:54 imap(account1( at )domain2 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:42:54 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12808, secured, session=<qCjVoBKi5oZ/AAAB>
Mar 30 14:42:54 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=12 out=412
Mar 30 14:43:03 imap-login: Info: Login: user=<account1( at )domain1 dot co dot uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12811, TLS, session=<lKJQoRKiqp1/AAAB>
Mar 30 14:43:03 imap(account1( at )domain1 dot co dot uk): Info: Logged out in=445 out=2877
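An added example for picking the noisy accounts out of a Dovecot mail.log like the one above; it is not Mail-in-a-Box code and not the poster's. It counts successful IMAP logins per (user, remote IP) pair and the peak number of logins in any single second, which is the pattern visible in the excerpt. The sample lines are constructed to mirror the quoted ones, with reserved example domains and documentation addresses. One caveat the output makes explicit: when rip is 127.0.0.1 the connection reached Dovecot over loopback, so the Dovecot line does not carry the address of the device that originated it and cannot by itself say which home device is responsible.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the Dovecot imap-login lines quoted in this thread.
# Addresses use reserved example/documentation names; they are not real accounts or hosts.
SAMPLE_MAIL_LOG = """\
Mar 30 14:41:42 imap-login: Info: Login: user=<account1@domain1.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12744, secured, session=<DiB9nBKijoZ/AAAB>
Mar 30 14:41:42 imap(account1@domain1.example): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1@domain1.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12746, secured, session=<oQp+nBKikIZ/AAAB>
Mar 30 14:41:42 imap(account1@domain1.example): Info: Logged out in=12 out=412
Mar 30 14:41:42 imap-login: Info: Login: user=<account1@domain1.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12748, secured, session=<bf5+nBKilIZ/AAAB>
Mar 30 14:41:42 imap(account1@domain1.example): Info: Logged out in=12 out=412
Mar 30 14:41:51 imap-login: Info: Login: user=<account1@domain2.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12758, secured, session=<ePwGnRKipIZ/AAAB>
Mar 30 14:41:51 imap(account1@domain2.example): Info: Logged out in=12 out=412
Mar 30 14:41:51 imap-login: Info: Login: user=<account1@domain2.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12760, secured, session=<SQ4InRKiqIZ/AAAB>
Mar 30 14:41:51 imap(account1@domain2.example): Info: Logged out in=12 out=412
Mar 30 14:42:09 imap-login: Info: Login: user=<someone@domain3.example>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=12770, TLS, session=<IMAcnhKiep1/AAAB>
Mar 30 14:42:09 imap(someone@domain3.example): Info: Logged out in=445 out=3005
"""

# One successful IMAP login. A hostname/"dovecot:" syslog prefix, present in a real
# /var/log/mail.log, is tolerated because the login text is searched for, not anchored.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?imap-login: Info: Login: "
    r"user=<(?P<user>[^>]+)>, method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+),"
)


def parse_logins(text):
    """Return a list of (timestamp, user, rip) for every IMAP login line in text."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m is None:
            continue  # logout lines and anything else are not logins
        # syslog timestamps carry no year; strptime fills in 1900, which is fine for grouping
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        logins.append((ts, m["user"], m["rip"]))
    return logins


def login_summary(logins):
    """Count logins per (user, rip) and the largest number seen in any single second."""
    total = Counter((user, rip) for _, user, rip in logins)
    per_second = defaultdict(Counter)
    for ts, user, rip in logins:
        per_second[(user, rip)][ts] += 1
    peak = {key: max(c.values()) for key, c in per_second.items()}
    return total, peak


def flag_noisy(logins, per_second_threshold=3):
    """(user, rip) pairs that logged in at least per_second_threshold times within one second."""
    _, peak = login_summary(logins)
    return sorted(key for key, p in peak.items() if p >= per_second_threshold)


def describe(key):
    """Explain what the rip tells us: loopback means the real client is not in this line."""
    user, rip = key
    if rip.startswith("127.") or rip == "::1":
        return f"{user}: {rip} is loopback; the originating device is not recorded here"
    return f"{user}: connecting from {rip}"


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_MAIL_LOG)
    total, peak = login_summary(logins)
    for key in sorted(total):
        print(f"{key[0]} from {key[1]}: {total[key]} logins, peak {peak[key]}/s")
    for key in flag_noisy(logins):
        print("NOISY:", describe(key))
```

The threshold is a heuristic: a mail client polling once a minute will never reach three logins in the same second, while the bursts in the excerpt above do. Accounts that are flagged with a loopback rip are the ones to follow up in whatever front-end service is talking to Dovecot locally, which in this thread is suspected to be webmail.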

@darond Are (were) those two accounts logged in to web mail at the time?

That is what those entries appear to be to me.

@alento, a sensible suggestion and yes both accounts (as the others) had at some time been logged into webmail. To be sure I’ve logged into one of the accounts on webmail and then logged back out but the entries are still being generated.

Update: I have now confirmed fail2ban was blocking the external facing IP address of my internal network. Despite adding my external IP into the whitelist it didn’t pick up and when restarting the fail2ban service the log file showed the IP as a re-ban from the recidive jail. Managed to use the fail2ban client to unban with:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

Now it doesn’t of course resolve why the address is being banned…