Subject
Other
Description
The new fail2ban version in 12.0.0 seems to block servers using the ssl-certificate-expiry munin plugin.
Right after the deployment we banned our own monitoring servers (I have an additional supervisor service running that shows bans right in the container output):
```
mail | Apr 13 11:46:53 mail postfix/smtpd[2507]: connect from redacted.domain.tld[256.256.256.256]
mail | Apr 13 11:46:53 mail postfix/smtpd[2507]: Anonymous TLS connection established from redacted.domain.tld[256.256.256.256]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mail | Apr 13 11:46:53 mail postfix/smtpd[2507]: lost connection after STARTTLS from redacted.domain.tld[256.256.256.256]
mail | Apr 13 11:46:53 mail postfix/smtpd[2507]: disconnect from redacted.domain.tld[256.256.256.256] ehlo=1 starttls=1 commands=2
mail | Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: connect from redacted.vpn[10.256.256.256]
mail | Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: Anonymous TLS connection established from redacted.vpn[10.256.256.256]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mail | Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: lost connection after CONNECT from redacted.vpn[10.256.256.256]
mail | Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: disconnect from redacted.vpn[10.256.256.256] commands=0/0
mail | Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: connect from redacted.vpn[10.256.256.256]
mail | Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: Anonymous TLS connection established from redacted.vpn[10.256.256.256]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mail | Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: lost connection after STARTTLS from redacted.vpn[10.256.256.256]
mail | Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: disconnect from redacted.vpn[10.256.256.256] ehlo=1 starttls=1 commands=2
mail | 2023-04-13 11:46:53,689 fail2ban.filter [849]: INFO [postfix] Found 256.256.256.256 - 2023-04-13 11:46:53
mail | 2023-04-13 11:46:53,691 fail2ban.filter [849]: INFO [postfix] Found 10.256.256.256 - 2023-04-13 11:46:53
mail | 2023-04-13 11:46:53,697 fail2ban.filter [849]: INFO [postfix] Found 10.256.256.256 - 2023-04-13 11:46:53
mail | 2023-04-13 11:46:54,001 fail2ban.actions [849]: NOTICE [postfix] Ban 256.256.256.256
mail | 2023-04-13 11:46:54,005 fail2ban.actions [849]: NOTICE [postfix] Ban 10.256.256.256
```
I'm still investigating which fail2ban filter expression / mode banned the monitoring server.
Edit: first I thought it was the smtp_hello_ plugin, but that didn't use STARTTLS in the code; I could then reproduce it with ssl-certificate-expiry.
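The lines that fail2ban reports as "Found" are the `lost connection after STARTTLS` / `lost connection after CONNECT` ones, i.e. sessions that open, complete the TLS handshake, and then drop without sending mail, which is exactly what a certificate-expiry probe looks like on the wire. The following is an added example, not code from the issue, from docker-mailserver or from fail2ban: it runs a simplified Python approximation of that lost-connection match (the regex is an assumption modelled on the postfix filter's behaviour in its ddos-style modes, not copied from `filter.d/postfix.conf`) over constructed log lines shaped like the ones above, and shows how an `ignoreip`-style allow list keeps the monitoring hosts out of the ban list while a client that dropped after `DATA` or completed a delivery is never counted. The addresses, hostnames and `maxretry` values are made up for the example.

```python
"""
Added example (not part of the original issue, docker-mailserver or fail2ban):
approximate the 'lost connection after <CMD>' match that fail2ban's postfix
filter applies in its ddos-style modes, count hits per client the way the
filter would, then apply maxretry and an ignoreip list the way the jail would.
"""
import ipaddress
import re
from collections import Counter

# Assumption: a simplified stand-in for the fail2ban pattern. A session that is
# dropped right after any command except DATA counts as one failure for the
# client IP in square brackets. Not copied from filter.d/postfix.conf.
LOST_CONN_RE = re.compile(
    r"postfix(?:/\w+)?/smtpd\[\d+\]: lost connection after (?!DATA)[A-Z]+ "
    r"from [^\[]*\[(?P<host>[^\]]+)\]"
)

# Constructed sample log modelled on the report. 192.0.2.10 plays the external
# monitoring host, 10.20.30.40 the VPN one, 198.51.100.7 a relay that completed
# a delivery, 203.0.113.9 a client that dropped after DATA.
SAMPLE_LOG = """\
Apr 13 11:46:53 mail postfix/smtpd[2507]: connect from mon.example.net[192.0.2.10]
Apr 13 11:46:53 mail postfix/smtpd[2507]: Anonymous TLS connection established from mon.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Apr 13 11:46:53 mail postfix/smtpd[2507]: lost connection after STARTTLS from mon.example.net[192.0.2.10]
Apr 13 11:46:53 mail postfix/smtpd[2507]: disconnect from mon.example.net[192.0.2.10] ehlo=1 starttls=1 commands=2
Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: connect from mon.vpn[10.20.30.40]
Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: lost connection after CONNECT from mon.vpn[10.20.30.40]
Apr 13 11:46:53 mail postfix/smtps/smtpd[2846]: disconnect from mon.vpn[10.20.30.40] commands=0/0
Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: connect from mon.vpn[10.20.30.40]
Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: lost connection after STARTTLS from mon.vpn[10.20.30.40]
Apr 13 11:46:53 mail postfix/submission/smtpd[2852]: disconnect from mon.vpn[10.20.30.40] ehlo=1 starttls=1 commands=2
Apr 13 11:47:10 mail postfix/smtpd[2901]: connect from relay.example.org[198.51.100.7]
Apr 13 11:47:10 mail postfix/smtpd[2901]: disconnect from relay.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 13 11:47:22 mail postfix/smtpd[2910]: connect from bulk.example.com[203.0.113.9]
Apr 13 11:47:22 mail postfix/smtpd[2910]: lost connection after DATA from bulk.example.com[203.0.113.9]
"""


def find_lost_connection_hits(log: str) -> Counter:
    """Count matching lines per client IP, i.e. the 'Found' events the filter
    would emit before the jail compares them against maxretry."""
    hits: Counter = Counter()
    for line in log.splitlines():
        m = LOST_CONN_RE.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits: Counter, maxretry: int, ignoreip: list[str]) -> list[str]:
    """Apply maxretry and an ignoreip list (single addresses or CIDR ranges)
    and return, sorted, the addresses that would actually be banned."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    banned = []
    for host, count in hits.items():
        if count < maxretry:
            continue
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in ignored):
            continue  # monitoring host on the allow list: never banned
        banned.append(host)
    return sorted(banned)


if __name__ == "__main__":
    hits = find_lost_connection_hits(SAMPLE_LOG)
    print("found per client:", dict(hits))
    print("banned, default ignoreip:", hosts_to_ban(hits, 1, ["127.0.0.1/8"]))
    print("banned, monitors ignored:",
          hosts_to_ban(hits, 1, ["127.0.0.1/8", "192.0.2.10", "10.20.30.0/24"]))
```

Run against the sample, only the two probe hosts accumulate hits: the relay that delivered mail never logs a lost connection, and the `DATA` drop is excluded by the negative lookahead. Adding the monitoring addresses or their VPN range to the allow list is what empties the ban list; raising `maxretry` alone would not help a probe that hits several ports in the same second.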