[BUG] fail2ban does not block ips behind proxy #1761

@wernerfred

Description

Bug Report

Context

Banning IP addresses through fail2ban in the container actually has no effect. I still see a lot of login attempts by IP addresses that are banned in fail2ban.

What is affected by this bug?

  • fail2ban

When does this occur?

After a certain number of failed login attempts fail2ban bans IP addresses. But today I realized that (at least in my setup) the ban has no effect.

How do we replicate the issue?

  1. Watch the mailserver log after an IP got banned

Behavior

Actual Behavior

IP addresses banned in fail2ban can actually connect to postfix/dovecot and try to log in.

Expected Behavior

IP addresses banned in fail2ban aren't allowed to connect to postfix/dovecot (according to the ban reason/jail), and connections get cancelled immediately.

Your Environment

  • version: v7.2.0
  • available RAM: 4GB
  • Docker version: v20.10.1

Environment Variables

- DMS_DEBUG=0
- ENABLE_CLAMAV=0
- ONE_DIR=1
- ENABLE_FAIL2BAN=1
- ENABLE_MANAGESIEVE=1
- REPORT_RECIPIENT=1
- REPORT_INTERVAL=daily
- SSL_TYPE=letsencrypt
- SPOOF_PROTECTION=1
- POSTFIX_MAILBOX_SIZE_LIMIT=3000000000
- POSTFIX_MESSAGE_SIZE_LIMIT=52428800
- ENABLE_SPAMASSASSIN=1
- SA_TAG=2.0
- SA_TAG2=6.31
- SA_KILL=6.31
- SA_SPAM_SUBJECT=****SPAM****

Relevant Stack Traces

fail2ban status:

Every 60.0s: ./setup.sh debug fail2ban 

Banned in dovecot: 212.70.149.70
Banned in postfix: 212.70.149.70
Banned in postfix-sasl: 212.70.149.70, 178.239.168.169

fail2ban-jail.cf

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 604800

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10800

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

mailserver log with grep on a banned IP:

docker-mailserver | Jan 22 10:16:42 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:16:52 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:17:15 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 3e5a4c)
docker-mailserver | Jan 22 10:17:17 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:17:21 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:17:21 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:18:40 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:18:49 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:19:13 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 377d0e)
docker-mailserver | Jan 22 10:19:15 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:19:18 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:19:18 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:20:37 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:20:47 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:21:11 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 31db12)
docker-mailserver | Jan 22 10:21:13 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:21:17 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:21:17 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:22:35 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:22:44 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:23:08 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 7010e6)
docker-mailserver | Jan 22 10:23:10 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:23:14 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:23:14 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:24:34 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:24:43 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:25:06 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 41cdec)
docker-mailserver | Jan 22 10:25:08 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:25:12 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:25:12 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:26:33 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:26:42 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:27:06 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 6d041d)
docker-mailserver | Jan 22 10:27:08 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:27:12 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:27:12 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:28:32 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:28:41 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:29:05 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: 083d1c)
docker-mailserver | Jan 22 10:29:07 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:29:11 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:29:11 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3
docker-mailserver | Jan 22 10:30:32 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:30:42 mail postfix/smtps/smtpd[1874]: Anonymous TLS connection established from unknown[212.70.149.70]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
docker-mailserver | Jan 22 10:31:06 mail dovecot: auth: passwd-file([email protected],212.70.149.70): unknown user (SHA1 of given password: bf4153)
docker-mailserver | Jan 22 10:31:08 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:31:12 mail postfix/smtps/smtpd[1874]: lost connection after AUTH from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:31:12 mail postfix/smtps/smtpd[1874]: disconnect from unknown[212.70.149.70] ehlo=1 auth=0/1 rset=1 commands=2/3

So I don't know why this happens. Maybe someone familiar with the functionality can assist me in debugging this behavior further.
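Added example, not code from the issue or from the docker-mailserver project: a small Python check that cross-references the `setup.sh debug fail2ban` status output with the mailserver log and lists every connection a banned IP still managed to open, which is exactly the symptom reported above. The sample status and log text are constructed in the formats quoted in the report; 203.0.113.9 is a placeholder for a client that is not banned.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the fail2ban status and mailserver
# log formats shown in the report (212.70.149.70 / 178.239.168.169 are the
# IPs quoted there; 203.0.113.9 is a placeholder for an unbanned client).
FAIL2BAN_STATUS = """\
Banned in dovecot: 212.70.149.70
Banned in postfix: 212.70.149.70
Banned in postfix-sasl: 212.70.149.70, 178.239.168.169
"""

MAIL_LOG = """\
docker-mailserver | Jan 22 10:16:42 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:17:17 mail postfix/smtps/smtpd[1874]: warning: unknown[212.70.149.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
docker-mailserver | Jan 22 10:18:40 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
docker-mailserver | Jan 22 10:19:01 mail postfix/smtps/smtpd[1875]: connect from unknown[203.0.113.9]
docker-mailserver | Jan 22 10:20:37 mail postfix/smtps/smtpd[1874]: connect from unknown[212.70.149.70]
"""

STATUS_RE = re.compile(r"^Banned in (?P<jail>\S+): (?P<ips>.*)$")
CONNECT_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*postfix/\S+: connect from \S+\[(?P<ip>[^\]]+)\]"
)

def parse_banned(status_text):
    """Map each banned IP to the set of jails that currently ban it."""
    banned = defaultdict(set)
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        for ip in m.group("ips").split(","):
            if ip.strip():
                banned[ip.strip()].add(m.group("jail"))
    return banned

def connections_from_banned(log_text, banned):
    """Return (timestamp, ip, jails) for each postfix 'connect from' event
    whose client IP is banned. Any hit means the ban is not enforced at the
    network layer, whatever fail2ban's own status says."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and m.group("ip") in banned:
            hits.append((m.group("ts"), m.group("ip"), sorted(banned[m.group("ip")])))
    return hits

if __name__ == "__main__":
    for ts, ip, jails in connections_from_banned(MAIL_LOG, parse_banned(FAIL2BAN_STATUS)):
        print(f"{ts}: banned IP {ip} still connected (jails: {', '.join(jails)})")
```

On a live host, feed it the real `setup.sh debug fail2ban` output and `docker logs` text instead of the constants; an empty result is the expected behaviour, a non-empty one reproduces this report.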
