Recidive fail2ban

Hello,

On a Debian 9 server, Fail2ban has banned a number of IPs under the recidive rule:

[recidive]

enabled = true
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day

# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed: 129
|  |- Total failed:     537
|  `- File list:        /var/log/fail2ban.log
`- Actions
   |- Currently banned: 51
   |- Total banned:     51
   `- Banned IP list:   92.63.194.121 129.28.191.55 103.233.153.146 106.13.200.7 222.242.223.75 197.248.16.118 62.48.150.175 168.243.91.19 130.61.28.159 187.122.102.4 157.230.91.45 81.74.229.246 175.124.43.123 206.189.162.87 129.211.27.10 106.12.94.65 139.217.103.62 13.94.57.155 188.254.0.197 52.172.138.31 222.186.175.161 110.80.17.26 222.186.180.9 185.17.41.198 170.150.155.102 194.84.17.5 123.207.86.68 139.99.219.208 144.217.15.161 89.248.168.221 171.244.51.114 118.24.135.240 123.206.74.50 222.186.42.4 92.222.216.81 121.162.131.223 222.186.173.142 45.82.153.37 222.186.180.223 222.186.173.183 139.59.94.192 129.213.18.41 159.224.66.240 222.186.180.6 222.186.175.220 141.98.80.81 103.36.84.100 112.85.42.185 106.13.81.18 41.207.182.133 92.222.77.175

But I keep seeing messages every minute about these banned IPs:

...
2019-10-07 08:41:21,847 fail2ban.actions        [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 08:43:36,280 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:43:36
2019-10-07 08:46:43,739 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:46:43
2019-10-07 08:47:37,812 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:47:37
2019-10-07 08:50:01,014 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:50:00
2019-10-07 08:50:53,687 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:50:53
2019-10-07 08:50:54,393 fail2ban.actions        [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 08:53:04,466 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:53:04
2019-10-07 08:54:01,145 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:54:01
2019-10-07 08:56:17,328 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:56:17
2019-10-07 08:57:02,586 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:57:02
2019-10-07 08:59:23,577 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 08:59:23
2019-10-07 08:59:23,652 fail2ban.actions        [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 09:00:21,653 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:00:21
2019-10-07 09:02:34,621 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:02:34
2019-10-07 09:03:28,491 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:03:28
2019-10-07 09:05:44,476 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:05:44
2019-10-07 09:06:32,543 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:06:32
2019-10-07 09:06:32,804 fail2ban.actions        [15857]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-07 09:09:01,149 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-07 09:09:01

Why these messages every 2 minutes if this IP was banned by an iptables rule for a week?

iptables -L -v
...
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     139.59.4.224         anywhere             reject-with icmp-port-unreachable
   22  1720 REJECT     all  --  any    any     ns3118043.ip-51-38-57.eu  anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     103.76.21.181        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     27.50.162.82         anywhere             reject-with icmp-port-unreachable
   17  1348 REJECT     all  --  any    any     76.121.175.61.dial.hu.zj.dynamic.163data.com.cn  anywhere             reject-with icmp-port-unreachable
   19  1516 REJECT     all  --  any    any     222.186.175.169      anywhere             reject-with icmp-port-unreachable
   12   896 REJECT     all  --  any    any     selvamotor.emcali.net.co  anywhere             reject-with icmp-port-unreachable
   24  1840 REJECT     all  --  any    any     140.143.98.35        anywhere             reject-with icmp-port-unreachable
   39  2700 REJECT     all  --  any    any     139.217.102.155      anywhere             reject-with icmp-port-unreachable
   25  1916 REJECT     all  --  any    any     89.216.47.154        anywhere             reject-with icmp-port-unreachable
   28  2088 REJECT     all  --  any    any     125.ip-217-182-74.eu  anywhere             reject-with icmp-port-unreachable
   23  1596 REJECT     all  --  any    any     139.155.44.100       anywhere             reject-with icmp-port-unreachable
   31  1672 REJECT     all  --  any    any     221.150.15.200       anywhere             reject-with icmp-port-unreachable
   30  2208 REJECT     all  --  any    any     167.71.91.228        anywhere             reject-with icmp-port-unreachable
   34  2440 REJECT     all  --  any    any     160.ip-213-32-67.eu  anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     175.ip-92-222-77.eu  anywhere             reject-with icmp-port-unreachable
   19  1612 REJECT     all  --  any    any     222.186.175.217      anywhere             reject-with icmp-port-unreachable
   34  2448 REJECT     all  --  any    any     215.39.73.34.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
   35  2508 REJECT     all  --  any    any     162.243.10.64        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     41.207.182.133       anywhere             reject-with icmp-port-unreachable
   18  1368 REJECT     all  --  any    any     222.186.190.92       anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     106.13.81.18         anywhere             reject-with icmp-port-unreachable
 200K  447M RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
48087 9218K RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-pureftpd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  485 29639 RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-recidive (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   18  1448 REJECT     all  --  any    any     139.59.4.224         anywhere             reject-with icmp-port-unreachable
   17  1304 REJECT     all  --  any    any     103.76.21.181        anywhere             reject-with icmp-port-unreachable
   20  1560 REJECT     all  --  any    any     27.50.162.82         anywhere             reject-with icmp-port-unreachable
   31  2272 REJECT     all  --  any    any     175.ip-92-222-77.eu  anywhere             reject-with icmp-port-unreachable
   33  2388 REJECT     all  --  any    any     41.207.182.133       anywhere             reject-with icmp-port-unreachable
   30  2120 REJECT     all  --  any    any     106.13.81.18         anywhere             reject-with icmp-port-unreachable
  390 23728 REJECT     all  --  any    any     112.85.42.185        anywhere             reject-with icmp-port-unreachable
   44  2968 REJECT     all  --  any    any     103.36.84.100        anywhere             reject-with icmp-port-unreachable
   49  3123 REJECT     all  --  any    any     141.98.80.81         anywhere             reject-with icmp-port-unreachable
   16  1360 REJECT     all  --  any    any     222.186.175.220      anywhere             reject-with icmp-port-unreachable
   28  2064 REJECT     all  --  any    any     222.186.180.6        anywhere             reject-with icmp-port-unreachable
   53  3596 REJECT     all  --  any    any     240.66.224.159.triolan.net  anywhere             reject-with icmp-port-unreachable
   47  3228 REJECT     all  --  any    any     129.213.18.41        anywhere             reject-with icmp-port-unreachable
   56  3768 REJECT     all  --  any    any     129360.cloudwaysapps.com  anywhere             reject-with icmp-port-unreachable
   19  1636 REJECT     all  --  any    any     222.186.173.183      anywhere             reject-with icmp-port-unreachable
   20  1580 REJECT     all  --  any    any     222.186.180.223      anywhere             reject-with icmp-port-unreachable
   50  2931 REJECT     all  --  any    any     45.82.153.37         anywhere             reject-with icmp-port-unreachable
   29  2120 REJECT     all  --  any    any     222.186.173.142      anywhere             reject-with icmp-port-unreachable
   46  3084 REJECT     all  --  any    any     121.162.131.223      anywhere             reject-with icmp-port-unreachable
   45  3100 REJECT     all  --  any    any     81.ip-92-222-216.eu  anywhere             reject-with icmp-port-unreachable
   19  1612 REJECT     all  --  any    any     222.186.42.4         anywhere             reject-with icmp-port-unreachable
   62  4116 REJECT     all  --  any    any     123.206.74.50        anywhere             reject-with icmp-port-unreachable
   46  3164 REJECT     all  --  any    any     118.24.135.240       anywhere             reject-with icmp-port-unreachable
   32  2224 REJECT     all  --  any    any     171.244.51.114       anywhere             reject-with icmp-port-unreachable
   23  1380 REJECT     all  --  any    any     89.248.168.221       anywhere             reject-with icmp-port-unreachable
   43  2988 REJECT     all  --  any    any     161.ip-144-217-15.net  anywhere             reject-with icmp-port-unreachable
   42  2880 REJECT     all  --  any    any     139.99.219.208       anywhere             reject-with icmp-port-unreachable
   37  2588 REJECT     all  --  any    any     123.207.86.68        anywhere             reject-with icmp-port-unreachable
   49  3308 REJECT     all  --  any    any     mail.severstalauto.com  anywhere             reject-with icmp-port-unreachable
   50  3360 REJECT     all  --  any    any     static.102.155.150.170.cps.com.ar  anywhere             reject-with icmp-port-unreachable
   41  2876 REJECT     all  --  any    any     vi185-17-41-198.vibiznes.pl  anywhere             reject-with icmp-port-unreachable
   44  3044 REJECT     all  --  any    any     222.186.180.9        anywhere             reject-with icmp-port-unreachable
   48  3248 REJECT     all  --  any    any     110.80.17.26         anywhere             reject-with icmp-port-unreachable
   19  1528 REJECT     all  --  any    any     222.186.175.161      anywhere             reject-with icmp-port-unreachable
   85  5508 REJECT     all  --  any    any     52.172.138.31        anywhere             reject-with icmp-port-unreachable
   45  3076 REJECT     all  --  any    any     188.254.0.197        anywhere             reject-with icmp-port-unreachable
  151  9420 REJECT     all  --  any    any     13.94.57.155         anywhere             reject-with icmp-port-unreachable
  142  8888 REJECT     all  --  any    any     139.217.103.62       anywhere             reject-with icmp-port-unreachable
   56  3728 REJECT     all  --  any    any     106.12.94.65         anywhere             reject-with icmp-port-unreachable
   34  2388 REJECT     all  --  any    any     129.211.27.10        anywhere             reject-with icmp-port-unreachable
   52  3528 REJECT     all  --  any    any     206.189.162.87       anywhere             reject-with icmp-port-unreachable
   44  2952 REJECT     all  --  any    any     175.124.43.123       anywhere             reject-with icmp-port-unreachable
   49  3356 REJECT     all  --  any    any     ahc-rm3-10.rminv.alcdn.interbusiness.it  anywhere             reject-with icmp-port-unreachable
   46  3168 REJECT     all  --  any    any     252407.cloudwaysapps.com  anywhere             reject-with icmp-port-unreachable
   42  2984 REJECT     all  --  any    any     bb7a6604.virtua.com.br  anywhere             reject-with icmp-port-unreachable
   24  1844 REJECT     all  --  any    any     130.61.28.159        anywhere             reject-with icmp-port-unreachable
   50  2924 REJECT     all  --  any    any     static-243.90.19.pddh.gob.sv  anywhere             reject-with icmp-port-unreachable
   56  3768 REJECT     all  --  any    any     adsl-62-48-150-175.ptprime.net  anywhere             reject-with icmp-port-unreachable
   52  3572 REJECT     all  --  any    any     197-248-16-118.safaricombusiness.co.ke  anywhere             reject-with icmp-port-unreachable
   39  2476 REJECT     all  --  any    any     222.242.223.75       anywhere             reject-with icmp-port-unreachable
   59  3936 REJECT     all  --  any    any     106.13.200.7         anywhere             reject-with icmp-port-unreachable
   32  2132 REJECT     all  --  any    any     103.233.153.146      anywhere             reject-with icmp-port-unreachable
   22  1672 REJECT     all  --  any    any     129.28.191.55        anywhere             reject-with icmp-port-unreachable
  114  6776 REJECT     all  --  any    any     92.63.194.121        anywhere             reject-with icmp-port-unreachable
 591K  537M RETURN     all  --  any    any     anywhere             anywhere            
# Warning: iptables-legacy tables present, use iptables-legacy to see them

How are the ban time (bantime) and the search window (findtime) set for the [postfix-sasl] jail?

I was at 10 min bantime and went to 60. The findtime is 10 min.

Did you notice a difference after this change?
bantime must be > findtime, otherwise fail2ban will keep trying to unban IPs that it will immediately ban again.

But I don't think that is the cause of the many x.x.x.x already banned messages. The cause is most likely a misconfiguration of fail2ban, and of the postfix-sasl jail in particular:

  • wrong port configuration;
  • wrong log configuration;
  • the same postfix-sasl jail repeated in the configuration;
  • etc.

We would need the output of the configuration test:
fail2ban-client -t
And possibly a dump of the whole configuration:
fail2ban-client --dp
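As an added example (not code from the thread or from fail2ban itself), the following Python replays fail2ban.log lines in the layout quoted above and counts, per jail and IP, the "Found" matches that arrive while that jail already has the address banned; those repeated matches are what lead the jail to reach maxretry again and log "... already banned". The log lines are constructed, with documentation-range addresses, and the parser assumes the fail2ban 0.10 line format shown in the thread.

```python
"""Replay fail2ban.log lines and find hits that arrive while an IP is banned.

Added example for the thread above, not code from the forum or from fail2ban.
The parser assumes the fail2ban 0.10 log layout quoted in the thread:
  <date> <time>,<ms> fail2ban.<module> [<pid>]: <LEVEL> [<jail>] <message>
For every (jail, ip) it counts bans, 'Found' matches seen while that jail
already had the address banned, and the resulting 'already banned' warnings
(logged when a jail reaches maxretry again for an address it has already
banned). Addresses with such hits are the ones to check against the packet
counters of the jail's f2b-* chain.
"""
import re
from collections import defaultdict

# Constructed sample, documentation-range addresses (RFC 5737); same layout
# as the excerpt in the thread but with the Ban/Unban lines included.
SAMPLE_LOG = """\
2019-10-07 08:30:01,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:30:01
2019-10-07 08:31:02,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:31:02
2019-10-07 08:32:03,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:32:03
2019-10-07 08:33:04,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:33:04
2019-10-07 08:34:05,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:34:05
2019-10-07 08:34:05,200 fail2ban.actions        [15857]: NOTICE  [postfix-sasl] Ban 192.0.2.10
2019-10-07 08:36:10,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:36:10
2019-10-07 08:38:11,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 08:38:11
2019-10-07 08:38:11,300 fail2ban.actions        [15857]: WARNING [postfix-sasl] 192.0.2.10 already banned
2019-10-07 08:40:00,100 fail2ban.filter         [15857]: INFO    [sshd] Found 198.51.100.7 - 2019-10-07 08:40:00
2019-10-07 09:34:05,200 fail2ban.actions        [15857]: NOTICE  [postfix-sasl] Unban 192.0.2.10
2019-10-07 09:40:00,100 fail2ban.filter         [15857]: INFO    [postfix-sasl] Found 192.0.2.10 - 2019-10-07 09:40:00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.(?P<src>\w+)\s+"
    r"\[\d+\]:\s+(?P<level>\w+)\s+\[(?P<jail>[\w-]+)\]\s+(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^Found (?P<ip>\S+) - ")
BAN_RE = re.compile(r"^(?P<verb>(?:Restore )?Ban|Unban) (?P<ip>\S+)$")
ALREADY_RE = re.compile(r"^(?P<ip>\S+) already banned$")


def replay(log_text):
    """Return {(jail, ip): {"bans": n, "found_while_banned": n, "already_banned": n}}."""
    banned = set()   # (jail, ip) pairs currently banned according to the log
    stats = defaultdict(lambda: {"bans": 0, "found_while_banned": 0, "already_banned": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # start-up chatter or other lines without a jail tag
        jail, msg = m["jail"], m["msg"]
        found = FOUND_RE.match(msg)
        if found:
            key = (jail, found["ip"])
            if key in banned:
                stats[key]["found_while_banned"] += 1
            continue
        ban = BAN_RE.match(msg)
        if ban:
            key = (jail, ban["ip"])
            if ban["verb"] == "Unban":
                banned.discard(key)
            else:
                banned.add(key)
                stats[key]["bans"] += 1
            continue
        already = ALREADY_RE.match(msg)
        if already:
            stats[(jail, already["ip"])]["already_banned"] += 1
    return dict(stats)


def leaky_bans(stats):
    """(jail, ip) pairs that kept producing matches after being banned, worst first."""
    return sorted((k for k, v in stats.items() if v["found_while_banned"]),
                  key=lambda k: -stats[k]["found_while_banned"])


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for jail, ip in leaky_bans(result):
        s = result[(jail, ip)]
        print(f"[{jail}] {ip}: {s['found_while_banned']} hits after ban, "
              f"{s['already_banned']} 'already banned' warnings")
```

Run it against the real file with `replay(open("/var/log/fail2ban.log").read())`; an address that shows up in `leaky_bans()` while its jail's f2b-* chain shows zero packets for it is the case worth investigating.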

I made several changes at the same time, and several IPs ended up banned that were not before, but I couldn't guarantee that the increase in bantime is the reason.

In reply to your other suggestions:

fail2ban-client -t
OK: configuration test is successful

The reply to fail2ban-client --dp (I'm not posting all of it so as not to clutter the forum):

...
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'addignoreregex', 'authentication failed: Connection lost to authentication server$']
['set', 'postfix-sasl', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/(?:submission/|smtps/)?smtp[ds](?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?warning: [-._\\w]+\\[<HOST>\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\\s*$']
['set', 'postfix-sasl', 'datepattern', '{^LN-BEG}']
['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn', 'head']
['set', 'postfix-sasl', 'logencoding', 'auto']
['set', 'postfix-sasl', 'maxretry', 5]
['set', 'postfix-sasl', 'findtime', '600']
['set', 'postfix-sasl', 'bantime', '3600']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
[ 'multi-set',
  'postfix-sasl',
  'action',
  'iptables-multiport',
  [ ['actionstart', '<iptables> -N f2b-postfix-sasl\n<iptables> -A f2b-postfix-sasl -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl'],
    ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl\n<iptables> -F f2b-postfix-sasl\n<iptables> -X f2b-postfix-sasl'],
    ['actionflush', '<iptables> -F f2b-postfix-sasl'],
    ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-postfix-sasl[ \\t]'"],
    ['actionban', '<iptables> -I f2b-postfix-sasl 1 -s <ip> -j <blocktype>'],
    ['actionunban', '<iptables> -D f2b-postfix-sasl -s <ip> -j <blocktype>'],
    ['name', 'postfix-sasl'],
    ['bantime', '3600'],
    ['port', 'smtp,465,submission,imap3,imaps,pop3,pop3s'],
    ['protocol', 'tcp'],
    ['chain', 'INPUT'],
    ['actname', 'iptables-multiport'],
    ['blocktype', 'REJECT --reject-with icmp-port-unreachable'],
    ['returntype', 'RETURN'],
    ['lockingopt', '-w'],
    ['iptables', 'iptables <lockingopt>'],
    ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'],
    ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['add', 'mysqld-auth', 'auto']
...

Regarding possible duplicates:

rgrep postfix-sasl /etc/fail2ban/
/etc/fail2ban/jail.conf.dpkg-new:[postfix-sasl]
/etc/fail2ban/jail.conf:[postfix-sasl]

All of that looks correct to me.
I'm currently looking at the fail2ban logs on various servers. I also have x.x.x.x already banned lines, more or less numerous. In fact, the same IP as in your logs is there :wink:

These lines are all the more numerous the shorter the ban time. I don't really know what causes it.

So these fail2ban logs don't look abnormal, and there is nothing worrying about them.

What is problematic is the repetition of the lines:

0     0 RETURN     all  --  any    any     anywhere 

in iptables.

Ideally this thread should be merged with your other topic: Précision logs iptables

I suggest you stop fail2ban, flush all your iptables rules and restart fail2ban to see whether the problem persists.


EDIT: I forgot to check the ports, and I see:

smtp,465,submission,imap3,imaps,pop3,pop3s

Is your machine actually listening on all these ports? If not, the jail configuration needs adjusting, for example on a server where imap and pop3 are not active:
[postfix-sasl]
port = smtp,465,submission,imaps,pop3s
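As an added example for the two points raised in this post (not code from the thread or from fail2ban), the Python below works on text already available on the box: the output of `iptables -S` (iptables-save syntax), a jail's `port =` value, and the output of `ss -ltn`. It reports f2b-* chains carrying more than one `-j RETURN` rule (the repeated RETURN lines), f2b-* chains that no INPUT rule jumps to, and ports in the jail's list that nothing is listening on. Both text samples are constructed; the service-name table is an assumption, consulted only when `socket.getservbyname()` cannot resolve a name.

```python
"""Cross-check fail2ban's iptables chains and a jail's port list.

Added example for this post, not code from the forum or from fail2ban. It
works on text you already have at hand on the box: the output of
`iptables -S` (iptables-save syntax), a jail's `port =` value, and the
output of `ss -ltn`. It reports
  * f2b-* chains that carry more than one `-j RETURN` rule (the repeated
    `RETURN all -- anywhere anywhere` lines discussed above);
  * f2b-* chains that no INPUT rule jumps to, whose bans therefore block nothing;
  * ports in the jail's list that nothing is listening on.
Both text samples below are constructed.
"""
import re
import socket
from collections import Counter

SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-N f2b-postfix-sasl
-N f2b-recidive
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -j f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-postfix-sasl -j RETURN
-A f2b-postfix-sasl -j RETURN
-A f2b-postfix-sasl -j RETURN
-A f2b-recidive -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -j RETURN
-A f2b-sshd -j RETURN
"""

SAMPLE_SS_LTN = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       100            0.0.0.0:25          0.0.0.0:*
LISTEN  0       100            0.0.0.0:587         0.0.0.0:*
LISTEN  0       100               [::]:465            [::]:*
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
"""

# Assumption: IANA numbers for the service names used in the thread, consulted
# only when socket.getservbyname() cannot resolve a name (no /etc/services).
SERVICE_FALLBACK = {"smtp": 25, "submission": 587, "imap3": 220,
                    "imaps": 993, "pop3": 110, "pop3s": 995}


def duplicate_returns(iptables_s):
    """{chain: count} for f2b-* chains with more than one bare RETURN rule."""
    counts = Counter(re.findall(r"^-A (f2b-\S+) -j RETURN$", iptables_s, re.M))
    return {chain: n for chain, n in counts.items() if n > 1}


def unreferenced_chains(iptables_s):
    """f2b-* chains that exist but are never jumped to from INPUT."""
    chains = set(re.findall(r"^-N (f2b-\S+)$", iptables_s, re.M))
    referenced = set(re.findall(r"^-A INPUT .*-j (f2b-\S+)$", iptables_s, re.M))
    return sorted(chains - referenced)


def port_number(name):
    """Resolve a `port =` entry (number or /etc/services name) to a TCP port."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return SERVICE_FALLBACK[name]


def listening_ports(ss_ltn):
    """TCP ports in LISTEN state from `ss -ltn` output (4th column is addr:port)."""
    ports = set()
    for line in ss_ltn.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def unlistened_ports(jail_ports, ss_ltn):
    """Entries of a jail's port list that no local socket is listening on."""
    listening = listening_ports(ss_ltn)
    return [p for p in jail_ports.split(",") if port_number(p.strip()) not in listening]


if __name__ == "__main__":
    print("duplicate RETURNs:", duplicate_returns(SAMPLE_IPTABLES_S))
    print("unreferenced chains:", unreferenced_chains(SAMPLE_IPTABLES_S))
    print("jail ports not listened on:",
          unlistened_ports("smtp,465,submission,imap3,imaps,pop3,pop3s", SAMPLE_SS_LTN))
```

On a live host, feed it `subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout` and the same for `ss -ltn`; on a system with the iptables-legacy warning shown above, run the check against `iptables-legacy -S` as well, since rules can be split between the two backends.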

The spurious RETURNs disappeared after restarting fail2ban and iptables. Thanks for your help, Bruno

On the other hand, I'm just discovering pop3s and imaps. I can't find much documentation on them. Does that require changing the users' MUA configurations, or is it enough to configure the server?