What can I do about these connections?

Log entry:
Aug 7 22:25:37 mail postfix/submission/smtpd[62197]: disconnect from unknown[46.148.40.197] ehlo=1 auth=0/1 rset=1 commands=2/3

About every 10 seconds. Different IP address each time; pool of about 7 IP addresses.
Never getting added to the banned list. Am I understanding this wrong? I thought it was automatic?

Thanks for some clarity.
Keith.

Hi, fail2ban will block connections like that - but only when they reach a threshold number of attempts in a specific time. Presumably that source has tuned its rate to stay under the default threshold.

You could change the thresholds but note: any changes will get overwritten with MIAB updates, and be careful you don’t block legitimate traffic!

Personally, I’ve seen multiple attacks from 46.148.40.0/24 and I blocked the entire subnet :) I “might” miss out on real email but I’ll take that risk.
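To make the threshold point concrete, here is an added Python sketch, not from this thread or from Mail-in-a-Box, that counts failed AUTHs fail2ban-style over constructed log lines in the format Keith posted: grouped per source IP a small rotating pool stays under the limit, grouped per /24 it does not. It assumes fail2ban's stock maxretry=5 and findtime=10 minutes; the sample addresses, year and thresholds are constructed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample (not real log data): hosts in 46.148.40.0/24 take turns
# sending one failed AUTH every ~10 s, the pattern described in the thread.
SAMPLE_LOG = "\n".join(
    f"Aug  7 22:25:{7 + 10 * i:02d} mail postfix/submission/smtpd[62197]: "
    f"disconnect from unknown[46.148.40.{190 + i % 7}] ehlo=1 auth=0/1 rset=1 commands=2/3"
    for i in range(6)
)
# auth=<succeeded>/<attempted>: every attempt that did not succeed is a failed login.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"disconnect from \S+\[([\d.]+)\] .*\bauth=(\d+)/(\d+)"
)

def failed_auth_events(log_text, year=2024):  # syslog omits the year; assumed
    """Return (timestamp, source ip, failed-auth count) per connection that had a failure."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{' '.join(m.group(1).split())} {year}", "%b %d %H:%M:%S %Y")
        ok, total = int(m.group(3)), int(m.group(4))
        if total > ok:
            events.append((ts, ip_address(m.group(2)), total - ok))
    return events

def subnet24(ip):  # grouping key that treats the whole /24 as one offender
    return ip_network(f"{ip}/24", strict=False)

def peak_failures(events, key, findtime=timedelta(minutes=10)):
    """Peak failures any group (key(ip)) accumulated inside one findtime-long window."""
    grouped = defaultdict(list)
    for ts, ip, n in sorted(events):
        grouped[str(key(ip))].append((ts, n))
    peaks = {}
    for group, items in grouped.items():
        window, total, peak = deque(), 0, 0
        for ts, n in items:
            window.append((ts, n))
            total += n
            while ts - window[0][0] > findtime:  # slide: forget events older than findtime
                total -= window.popleft()[1]
            peak = max(peak, total)
        peaks[group] = peak
    return peaks

def would_ban(peaks, maxretry=5):  # 5 tries / 10 min are fail2ban's stock defaults (assumed)
    return sorted(g for g, n in peaks.items() if n >= maxretry)
```

Run `would_ban(peak_failures(failed_auth_events(SAMPLE_LOG), key=lambda ip: ip))` and the per-IP view bans nothing; swap the key for `subnet24` and the whole /24 crosses the threshold.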

Sorry to ask such a noob question, but where do I block the entire subnet? I have a bunch of others from my other email server I would love to block in MIAB too.

I use iptables, this should do the trick. It will disappear on reboot, so you might want to put it in a boot-time script (needs to run as root), or you can just execute it whenever 46.148.40.x are harassing you!

sudo iptables -I INPUT -s 46.148.40.0/24 -j DROP


Thank you for this; it has been very helpful.

Not sure if this will help but to make rules permanent run: iptables-persistent, you may need to install it first.

Cheers

Take a little care with iptables-persistent. It will restore whatever was in place when the rules were saved, which might include temporary blocks added by fail2ban - blocks that you don’t really want to be persistent!

Instead of iptables you can also use fail2ban-client: For the subnet mentioned by @andrew I run: sudo fail2ban-client set recidive banip 46.148.40.0/24
This puts the ip/subnet in the recidive jail and blocks everything from there for 7 days (I think). Recidive is a default fail2ban jail, which can be easily used for that.

So I have zero tolerance for these folks. Is there a way I tell fail2ban to just keep them in jail for a year?

AFAIK, only when you create a new jail with a bantime for that year. There doesn’t seem to be an existing jail like this on a default MIAB installation.
But then you are deviating from the default again and might need to redo those changes after a MIAB upgrade.