[BUG] Fail2ban not blocking ip ranges when captured as a custom ban #2669

@ianb445

Description

Miscellaneous first checks

  • I checked that all ports are open and not blocked by my ISP / hosting provider.
  • I know that SSL errors are likely the result of a wrong setup on the user side and not caused by DMS itself. I'm confident my setup is correct.

Affected Component(s)

fail2ban is not actually invoking any iptables or equivalent ban

What happened and when does this occur?

Although I can add custom IPs and ranges to be blocked using ./setup.sh fail2ban ban 123.123.0.0/16, the range is not actually being blocked.

# fail2ban-client status custom
Status for the jail: custom
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   141.98.0.0/16 45.125.0.0/16

However in the standard logs:

Jun 29 12:56:04 mail postfix/submission/smtpd[2368]: warning: hostname good-server.outreachratio.com does not resolve to address 141.98.10.70: Name or service not known
Jun 29 12:56:04 mail postfix/submission/smtpd[2368]: connect from unknown[141.98.10.70]
Jun 29 12:56:05 mail postfix/submission/smtpd[2368]: Anonymous TLS connection established from unknown[141.98.10.70]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 29 12:56:05 mail dovecot: auth: passwd-file(scans,141.98.10.70): unknown user (SHA1 of given password: 5baa61)
Jun 29 12:56:07 mail postfix/submission/smtpd[2368]: warning: unknown[141.98.10.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 12:56:07 mail postfix/submission/smtpd[2368]: disconnect from unknown[141.98.10.70] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5

What did you expect to happen?

I can see that ip: 141.98.10.70 is still able to connect and try to authenticate.

How do we replicate the issue?

1. Deploy mailserver and watch the logs for dictionary attacks.

DMS version

latest

What operating system is DMS running on?

Linux

What instruction set architecture is DMS running on?

x86_64 / AMD64

What container orchestration tool are you using?

Docker Compose

docker-compose.yml

version: "3.3"
services:
  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    # If the FQDN for your mail-server is only two labels (eg: example.com),
    # you can assign this entirely to `hostname` and remove `domainname`.
    hostname: mail
    domainname: <<redacted>>
    env_file: mailserver.env
    # More information about the mail-server ports:
    # https://docker-mailserver.github.io/docker-mailserver/edge/config/security/understanding-the-ports/
    # To avoid conflicts with yaml base-60 float, DO NOT remove the quotation marks.
    ports:
      - "25:25"    # SMTP  (explicit TLS => STARTTLS)
      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"  # ESMTP (implicit TLS)
      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
      - "993:993"  # IMAP4 (implicit TLS)
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - ./docker-data/dms/fail2ban/jail.d/:/etc/fail2ban/jail.d
      - /etc/localtime:/etc/localtime:ro
      - /etc/letsencrypt/:/etc/letsencrypt/
    environment:
      - OVERRIDE_HOSTNAME=mail.<<redacted>>
      - ENABLE_FAIL2BAN=1
      - SSL_TYPE=letsencrypt
    restart: always
    stop_grace_period: 1m
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

Other relevant information

No response

What level of experience do you have with Docker and mail servers?

  • I am inexperienced with docker
  • I am inexperienced with mail servers
  • I am uncomfortable with the CLI
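The report shows fail2ban listing both ranges as banned while a source address inside one of them still connects and attempts SASL logins. The following diagnostic, added here as an example (it is not DMS, fail2ban or the reporter's code), targets exactly that gap: it parses the jail status, confirms that the address from the log falls inside a banned range, and then reports every banned entry that has no corresponding rule in a firewall dump. The status text embedded in it is the one quoted above; the two rule dumps are constructed for the example in the format `iptables -S` prints for fail2ban's `iptables-allports` action. The chain name `f2b-<jail>` used by `--live` is fail2ban's default for its iptables actions and is an assumption about this setup.

```shell
#!/usr/bin/env bash
# check-bans.sh: compare what fail2ban reports as banned with what the kernel
# firewall actually enforces. Added diagnostic for this report; not DMS or
# fail2ban code. POSIX sh compatible apart from the shebang.

# Constructed sample: the `fail2ban-client status custom` output quoted in the report.
SAMPLE_STATUS='Status for the jail: custom
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   141.98.0.0/16 45.125.0.0/16'

# Constructed sample of `iptables -S f2b-custom` for a chain fail2ban created but
# never populated (the symptom in the report). f2b-<jail> is fail2ban's default
# chain name for its iptables-* actions; it is an assumption here.
SAMPLE_RULES='-N f2b-custom
-A INPUT -p tcp -j f2b-custom
-A f2b-custom -j RETURN'

# Constructed sample of the same chain after one of the two ranges was enforced,
# in the form fail2ban's iptables-allports action writes its ban rule.
SAMPLE_RULES_FIXED='-N f2b-custom
-A INPUT -p tcp -j f2b-custom
-A f2b-custom -s 141.98.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A f2b-custom -j RETURN'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  printf '%d\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# as_cidr ADDR -> ADDR with an explicit prefix length (a bare IPv4 becomes /32)
as_cidr() {
  case $1 in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR
in_cidr() {
  local cidr net bits mask
  cidr=$(as_cidr "$2")
  net=${cidr%/*}
  bits=${cidr#*/}
  # 64-bit shell arithmetic: a /0 shifts the whole mask out and yields 0
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# banned_entries STATUS_TEXT -> one entry per line from the "Banned IP list:" line
banned_entries() {
  printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# firewall_sources RULES_TEXT -> every IPv4 address or range that appears in a
# rule dump (iptables -S, nft list ruleset or ipset list), one per line
firewall_sources() {
  printf '%s\n' "$1" | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' || true
}

# covering_ban IP STATUS_TEXT -> prints the banned entry that contains IP;
# exit 1 when fail2ban does not consider IP banned at all
covering_ban() {
  local hit
  hit=$(banned_entries "$2" | while read -r entry; do
    if in_cidr "$1" "$entry"; then printf '%s\n' "$entry"; break; fi
  done)
  [ -n "$hit" ] && printf '%s\n' "$hit"
}

# missing_bans STATUS_TEXT RULES_TEXT -> banned entries with no rule in the dump
missing_bans() {
  local enforced
  enforced=$(firewall_sources "$2" | while read -r addr; do as_cidr "$addr"; done)
  banned_entries "$1" | while read -r entry; do
    printf '%s\n' "$enforced" | grep -qxF "$(as_cidr "$entry")" || printf '%s\n' "$entry"
  done
}

# live_check JAIL: the same comparison against the running daemon. Run inside
# the DMS container (needs NET_ADMIN, which the compose file grants). Falls back
# to the whole nft ruleset or ipset list when the jail uses a non-iptables action.
live_check() {
  local status rules
  status=$(fail2ban-client status "$1")
  rules=$(iptables -S "f2b-$1" 2>/dev/null || nft list ruleset 2>/dev/null || ipset list 2>/dev/null) \
    || { echo "no firewall dump available; is this running inside the container?" >&2; return 1; }
  missing_bans "$status" "$rules"
}

if [ "${1:-}" = "--live" ]; then
  live_check "${2:-custom}"
else
  printf 'fail2ban reports 141.98.10.70 as covered by: %s\n' "$(covering_ban 141.98.10.70 "$SAMPLE_STATUS")"
  printf 'banned entries with no matching firewall rule:\n'
  missing_bans "$SAMPLE_STATUS" "$SAMPLE_RULES"
fi
```

Copy the script into the container and run it with `--live custom`; with no arguments it runs against the embedded samples. Every entry it prints is a range that fail2ban believes is banned but that the kernel is not enforcing, which narrows the problem to the jail's banaction and the action's own log lines rather than to the filter (the jail has no file list, so nothing is matched from logs anyway). `firewall_sources` extracts any IPv4 token, so the same comparison works against nftables set elements or ipset members, not only iptables `-s` rules.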

Labels

  • meta/needs triage: This issue / PR needs checks and verification from maintainers
  • priority/medium
  • stale-bot/ignore: Indicates that this issue / PR shall not be closed by our stale-checking CI