[TUTORIAL] Install Fail2ban

killmasta93

Renowned Member
Aug 13, 2017
973
57
68
30
Recently was looking though the logs and found alot of this
Code:
Dec 24 13:58:07 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:07 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:58941 to [192.168.3.141]:25
Dec 24 13:58:07 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:58941
Dec 24 13:58:07 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:07 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:08 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:08 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:09 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59015 to [192.168.3.141]:25
Dec 24 13:58:09 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59015
Dec 24 13:58:09 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:09 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:09 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:09 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:10 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59108 to [192.168.3.141]:25
Dec 24 13:58:10 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59108
Dec 24 13:58:10 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:10 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:11 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:11 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:11 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59182 to [192.168.3.141]:25
Dec 24 13:58:11 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59182
Dec 24 13:58:11 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:11 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:12 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:12 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:12 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59275 to [192.168.3.141]:25
Dec 24 13:58:12 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59275

so if anyone else has the same issue what helped was fail2ban and these are the steps, feel free to add if i missed something

1) install fail2ban
Code:
apt-get install fail2ban

2) then copy the configs
Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3) then create rule
Code:
nano /etc/fail2ban/filter.d/postfix-auth.conf
and add this
Code:
# Fail2ban postfix-auth filter
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =



4) then edit the config
Code:
 nano /etc/fail2ban/jail.local

5) add this line at the bottom (port the ports i have 2 email servers which use another ports which is why the 28 and 27)
Code:
[postfix-auth]
enabled  = true
port     = smtp,ssmtp,28,27
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /var/log/mail.info
maxretry = 2
bantime = 36000
findtime = 300

then restart fail2ban and to check run
iptables -L -n
and as you see it blocked that user was spamming
Code:
Chain f2b-SMTP-auth (1 references)
target     prot opt source               destination
REJECT     all  --  110.82.240.28        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
 
  • Like
Reactions: DerDanilo
I was recently looking at the logs saw alots of pregreets and hangups so to block these do the following

Code:
cd /etc/fail2ban/filter.d/
then
Code:
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/fail2ban/filter.d/postfix-pregreet.iredmail.conf

then were going to add this line below the postfix section
Code:
nano /etc/fail2ban/jail.local

Code:
[postfix-pregreet-iredmail]
enabled     = true
filter      = postfix-pregreet.iredmail
logpath     = /var/log/syslog
maxretry    = 1
action      = iptables-multiport[name=postfix, port="25", protocol=tcp]

and restart fail2ban

should see this

Code:
Chain f2b-postfix (1 references)
target     prot opt source               destination         
REJECT     all  --  192.99.7.175         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.49.227.49         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Hope this helps someone
 
o wait normally its to copy the conf to local but for me it has worked this way so im guessing its a must or if some could correct me if im wrong.
 
I have only experience on Debian, but there jail.conf is read first, jail.local last. Found this on man page:
In .local files specify only the settings you would like to change and the rest of the configuration will then come from the corresponding .conf file which is parsed first.

So the Debian way is to create jail.local, copy there only the jails I want to modify. Enable the jails (seems everything is disabled in jail.conf, sshd gets enabled in jail.d/defaults-debian.conf). Then upgrades etc. do not mess modifications, they are safely in jail.local and maintainer can write a new jail.conf.
 
  • Like
Reactions: killmasta93

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!