Fail2ban: Server not reachable

Hello, my router address was changed dynamically by my provider. Every time in such cases fail2ban blocks my server access completely (Cockpit, Mail, SSH). I can whitelist my new IP only by accessing the server from my cell phone.
How can I prevent such misbehavior?

Best regards, Marko

VPN tunnel between your router and the remote server?

Why does fail2ban ban you?

Check the logs; I recall that the Nextcloud client can do something like this.


Static public IP Address?

@capote

Hello Marko

I was wondering if it’s HOW you access your network.
I use DynDNS at home, and my iPhone and Macbook use Nextcloud… No issues due to Fail2ban…

My 2 cents
Andy

Access via VPN is also blocked, because the IP is totally blocked.

This is not possible with my provider for private access tariffs. Such exist only for business plans, very expensive.

Same at my house, only a dynamic IP. Could you please find out why you are blocked? It is really rare that fail2ban blocks for a bad reason; please check the log.

Alternatively, I use the incremental ban time with a short time (one minute): if you make a mistake, you just have to wait a short time; if you are an attacker, the time is x2 after each bad attempt.

Nevertheless, check the fail2ban log and, if that is the case, add a regex rule so that your application is not caught, like I did for Nextcloud.

I have tried, but I am unsure which log file to use and how to interpret the results.

[root@ns-srv01 log]# cat fail2ban.log | grep 93.###.##.##

2021-02-07 06:58:26,877 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 06:58:26
2021-02-07 07:08:26,839 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 07:08:26
2021-02-07 07:13:26,831 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 07:13:26
2021-02-07 07:13:26,984 fail2ban.actions [3961]: NOTICE [postfix] Ban 93.###.##.##
2021-02-07 07:13:27,168 fail2ban.filter [3961]: INFO [recidive] Found 93.###.##.## - 2021-02-07 07:13:26
2021-02-07 07:43:28,617 fail2ban.actions [3961]: NOTICE [postfix] Unban 93.###.##.##
2021-02-07 07:48:26,844 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 07:48:26
2021-02-07 08:08:27,053 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 08:08:27
2021-02-07 08:18:26,865 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 08:18:26
2021-02-07 08:23:26,841 fail2ban.filter [3961]: INFO [postfix] Found 93.###.##.## - 2021-02-07 08:23:26
2021-02-07 08:23:27,021 fail2ban.actions [3961]: NOTICE [postfix] Ban 93.###.##.##
2021-02-07 08:23:27,119 fail2ban.filter [3961]: INFO [recidive] Found 93.###.##.## - 2021-02-07 08:23:27
2021-02-07 08:23:27,836 fail2ban.actions [3961]: NOTICE [recidive] Ban 93.###.##.##
2021-02-07 08:53:28,667 fail2ban.actions [3961]: NOTICE [postfix] Unban 93.###.##.##
2021-02-07 10:02:27,617 fail2ban.actions [3961]: NOTICE [recidive] Unban 93.###.##.##
2021-02-07 10:03:59,755 fail2ban.filter [3997]: INFO [apache-auth] Found 93.###.##.## - 2021-02-07 10:03:45
2021-02-07 10:04:01,221 fail2ban.actions [3997]: NOTICE [recidive] Restore Ban 93.###.##.##
2021-02-07 10:12:54,779 fail2ban.actions [3997]: NOTICE [recidive] Unban 93.###.##.##
2021-02-07 10:13:20,486 fail2ban.filter [3997]: INFO [apache-auth] Found 93.###.##.## - 2021-02-07 10:13:20
2021-02-07 10:26:26,614 fail2ban.filter [11902]: INFO [postfix-sasl-abuse] Ignore 93.###.##.## by ip
2021-02-07 10:28:26,869 fail2ban.filter [11902]: INFO [postfix] Ignore 93.###.##.## by ip
2021-02-07 10:38:26,850 fail2ban.filter [11902]: INFO [postfix] Ignore 93.###.##.## by ip
2021-02-07 10:43:26,990 fail2ban.filter [11902]: INFO [postfix] Ignore 93.###.##.## by ip
2021-02-07 10:48:26,401 fail2ban.filter [11902]: INFO [postfix] Ignore 93.###.##.## by ip
2021-02-07 11:08:26,892 fail2ban.filter [11902]: INFO [postfix] Ignore 93.###.##.## by ip
2021-02-07 11:18:22,982 fail2ban.filter [3996]: INFO [postfix-sasl-abuse] Ignore 93.###.##.## by ip
2021-02-07 11:18:26,843 fail2ban.filter [3996]: INFO [postfix] Ignore 93.###.##.## by ip
2021-02-07 11:19:25,783 fail2ban.filter [3996]: INFO [apache-auth] Ignore 93.###.##.## by ip
2021-02-07 11:38:26,935 fail2ban.filter [3996]: INFO [postfix] Ignore 93.###.##.## by ip

[root@ns-srv01 log]# cat maillog | grep 93.###.##.##

Feb 7 06:58:26 ns-srv01 postfix/smtpd[10161]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 06:58:26 ns-srv01 postfix/smtpd[10161]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 06:58:26 ns-srv01 postfix/smtpd[10161]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 06:58:26 ns-srv01 rspamd[2749]: ; milter; rspamd_milter_process_command: got connection from 93.###.##.##:40278
Feb 7 07:08:26 ns-srv01 postfix/smtpd[13269]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 07:08:26 ns-srv01 postfix/smtpd[13269]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 07:08:26 ns-srv01 postfix/smtpd[13269]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 07:08:26 ns-srv01 rspamd[2749]: <61cde8>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:40834
Feb 7 07:13:22 ns-srv01 postfix/anvil[13271]: statistics: max connection rate 1/60s for (smtp:93.###.##.##) at Feb 7 07:08:26
Feb 7 07:13:22 ns-srv01 postfix/anvil[13271]: statistics: max connection count 1 for (smtp:93.###.##.##) at Feb 7 07:08:26
Feb 7 07:13:26 ns-srv01 postfix/smtpd[14323]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 07:13:26 ns-srv01 postfix/smtpd[14323]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 07:13:26 ns-srv01 postfix/smtpd[14323]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 07:13:26 ns-srv01 rspamd[2749]: ; milter; rspamd_milter_process_command: got connection from 93.###.##.##:41086
Feb 7 07:23:22 ns-srv01 postfix/anvil[14325]: statistics: max connection rate 1/60s for (smtp:93.###.##.##) at Feb 7 07:13:26
Feb 7 07:23:22 ns-srv01 postfix/anvil[14325]: statistics: max connection count 1 for (smtp:93.###.##.##) at Feb 7 07:13:26
Feb 7 07:48:26 ns-srv01 postfix/smtpd[22126]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 07:48:26 ns-srv01 postfix/smtpd[22126]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 07:48:26 ns-srv01 postfix/smtpd[22126]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 07:48:26 ns-srv01 rspamd[2749]: <38c371>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:42966
Feb 7 07:53:22 ns-srv01 postfix/anvil[22128]: statistics: max connection rate 1/60s for (smtp:93.###.##.##) at Feb 7 07:48:26
Feb 7 07:53:22 ns-srv01 postfix/anvil[22128]: statistics: max connection count 1 for (smtp:93.###.##.##) at Feb 7 07:48:26
Feb 7 08:08:26 ns-srv01 postfix/smtpd[26107]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 08:08:27 ns-srv01 postfix/smtpd[26107]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 08:08:27 ns-srv01 postfix/smtpd[26107]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 08:08:27 ns-srv01 rspamd[2749]: <633a17>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:44452
Feb 7 08:18:26 ns-srv01 postfix/smtpd[29598]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 08:18:26 ns-srv01 postfix/smtpd[29598]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 08:18:26 ns-srv01 postfix/smtpd[29598]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 08:18:26 ns-srv01 rspamd[2749]: <90a87b>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:45148
Feb 7 08:23:26 ns-srv01 postfix/smtpd[30750]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 08:23:26 ns-srv01 postfix/smtpd[30750]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MY-DOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb 7 08:23:26 ns-srv01 postfix/smtpd[30750]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 08:23:26 ns-srv01 rspamd[2749]: <09fab6>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:45524
Feb 7 08:28:22 ns-srv01 postfix/anvil[29600]: statistics: max connection rate 1/60s for (smtp:93.###.##.##) at Feb 7 08:18:26
Feb 7 08:28:22 ns-srv01 postfix/anvil[29600]: statistics: max connection count 1 for (smtp:93.###.##.##) at Feb 7 08:18:26
Feb 7 10:26:26 ns-srv01 postfix/smtpd[16544]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 10:26:26 ns-srv01 postfix/smtpd[16544]: 86ADB805CD20: client=[MY-ID].dip0.t-ipconnect.de[93.###.##.##], sasl_method=PLAIN, sasl_username=marko@[MY-DOMAIN].de
Feb 7 10:26:26 ns-srv01 rspamd[2759]: <3a5a04>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:53405
Feb 7 10:26:27 ns-srv01 rspamd[2759]: <3a5a04>; proxy; rspamd_task_write_log: id: <5BBE2462-29A7-4DA3-A81E-CEF15A0E806A@[MY-DOMAIN].de>, qid: <86ADB805CD20>, ip: 93.###.##.##, user: marko@[MY-DOMAIN].de, from: <marko@[MY-DOMAIN].de>, (default: F (no action): [-3.69/20.00] [BAYES_HAM(-2.99){99.99%;},SIGNED_PGP(-2.00){},URL_IN_SUBJECT(1.00){nextcloud.[MY-DOMAIN].de;},MV_CASE(0.50){},MIME_GOOD(-0.20){multipart/signed;multipart/alternative;text/plain;multipart/related;},ASN(0.00){asn:3320, ipnet:93.192.0.0/10, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:+;4:~;5:~;6:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 244817, time: 882.743ms, dns req: 16, digest: <9a66e0feae79754f53efe5ef53d59d38>, rcpts: name@anybody.de, mime_rcpts: name@anybody.de, settings_id: authenticated
Feb 7 10:27:27 ns-srv01 postfix/smtpd[16544]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb 7 10:28:26 ns-srv01 postfix/smtpd[17144]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]

[root@ns-srv01 httpd]# cat access_log | grep 93.###.##.##

93.###.##.## - - [07/Feb/2021:07:51:54 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:54 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 486 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:56 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:56 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:56 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/ HTTP/1.1” 207 527 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “MKCOL /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 405 247 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “MKCOL /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/ HTTP/1.1” 405 247 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/ HTTP/1.1” 207 269 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “MKCOL /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/receipts/ HTTP/1.1” 405 247 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/receipts/ HTTP/1.1” 207 274 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “MKCOL /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/receipts/###.##.##1.receipt/ HTTP/1.1” 201 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PUT /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/receipts/###.##.##1.receipt/###.##.##.item HTTP/1.1” 201 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PUT /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/###.##.##.manifest HTTP/1.1” 201 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/###.##.##.manifest HTTP/1.1” 200 5264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/ HTTP/1.1” 207 544 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:57 +0100] “PUT /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/###.##.##.manifest HTTP/1.1” 201 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:58 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/###.##.##.manifest HTTP/1.1” 200 30016 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:58 +0100] “DELETE /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/###.##.##.manifest HTTP/1.1” 204 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:58 +0100] “DELETE /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/###.##.##1.manifest HTTP/1.1” 204 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:58 +0100] “DELETE /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/receipts/###.##.##.receipt/###.##.##.item HTTP/1.1” 204 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:58 +0100] “DELETE /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/receipts/###.##.##.receipt/ HTTP/1.1” 204 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:59 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:59 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:59 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:51:59 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 530 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:52:00 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:52:00 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:52:00 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:52:00 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 531 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:52:10 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 271 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:52:15 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 260 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:52:15 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 976 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:52:42 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 271 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:53:15 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 260 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:53:45 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 260 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:53:46 +0100] “GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1” 304 - “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:53:46 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 271 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:07:53:52 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:52 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:52 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/8b87930a127f66f6bd16bea8c6f45d186799e12ef7f8362a7bd49423cebb9a9d/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:53 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/8b87930a127f66f6bd16bea8c6f45d186799e12ef7f8362a7bd49423cebb9a9d/ HTTP/1.1” 207 440 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:53 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:53 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:54 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/b3b7807efcaeb46e489aa32b1dae101014c4bca933dd1df67703c8ca1a94af19/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:54 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/b3b7807efcaeb46e489aa32b1dae101014c4bca933dd1df67703c8ca1a94af19/ HTTP/1.1” 207 530 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:54 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:54 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:55 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:55 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 486 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:58 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:58 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:59 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:59 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/inbox/ HTTP/1.1” 207 528 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:53:59 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:54:00 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:54:00 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:54:00 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 530 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:07:54:01 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:08:22:17 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 530 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:08:22:19 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:08:22:19 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 207 264 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:08:22:19 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:08:22:20 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 531 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:08:22:45 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 261 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:08:22:45 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 976 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:08:23:06 +0100] “PROPFIND /remote.php/dav/files/###.##.##/ HTTP/1.1” 207 271 “-” “Mozilla/5.0 (Macintosh) mirall/3.1.1git (build 4316) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:10:03:25 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/ HTTP/1.1” 500 - “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:10:03:26 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 500 289 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:10:03:28 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 401 557 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:10:03:31 +0100] “GET /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/master.plist HTTP/1.1” 200 224 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:10:03:34 +0100] “PROPFIND /remote.php/dav/files/###.##.##/DTPOP/DTPOP.dtCloud/###.##.##/ HTTP/1.1” 207 530 “-” “DEVONcloudy 1.15.1”
93.###.##.## - - [07/Feb/2021:10:03:43 +0100] “GET /status.php HTTP/1.1” 200 170 “-” “Mozilla/5.0 (Macintosh) mirall/3.0.3git (build 3799) (Nextcloud)”
93.###.##.## - - [07/Feb/2021:10:03:44 +0100] “PROPFIND /remote.php/webdav/ HTTP/1.1” 207 378 “-” “Mozilla/5.0 (Macintosh) mirall/3.0.3git (build 3799) (Nextcloud)”

Related to the Nextcloud problem:

[root@ns-srv01 httpd]# cat error_log | grep 93.###.##.##
[Sat Feb 06 23:07:42.094583 2021] [access_compat:error] [pid 594] [client 93.###.##.##:49566] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 03:37:46.984040 2021] [access_compat:error] [pid 3971] [client 93.###.##.##:37380] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 05:18:34.372213 2021] [access_compat:error] [pid 3972] [client 93.###.##.##:41920] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 10:03:45.969736 2021] [access_compat:error] [pid 3139] [client 93.###.##.##:60442] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 10:13:20.418623 2021] [access_compat:error] [pid 2309] [client 93.###.##.##:33444] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 11:19:25.782372 2021] [access_compat:error] [pid 4672] [client 93.###.##.##:42802] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 15:56:38.816203 2021] [access_compat:error] [pid 4089] [client 93.###.##.##:46690] AH01797: client denied by server configuration: /usr/share/nextcloud/config
[Sun Feb 07 16:12:15.318089 2021] [access_compat:error] [pid 4522] [client 93.###.##.##:48918] AH01797: client denied by server configuration: /usr/share/nextcloud/config

I’m not sure how to deal with

Do you mean this?

I created a filter.local to avoid being banned by fail2ban; it will survive a fail2ban rpm update, but it is just a fix.

[root@prometheus ~]# cat /etc/fail2ban/filter.d/apache-auth.local 
# Fail2Ban apache-auth filter


[Definition]
#
ignoreregex = /usr/share/nextcloud/config$ 

Hi Andy,
I practice the same as with our jointly administered server. You know what I mean…

Sincerely, Marko

Hi

I don’t quite recall having “.lan.local” in the network settings anywhere…

And I see something like that in the logs above…

My 2 cents
Andy

https://docs.nethserver.org/en/latest/fail2ban.html#command-line-tools, take into account fail2ban-regex

I would like to try

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf --print-all-matched
 fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-ddos.conf --print-all-matched

Exactly; here the regex would go in /etc/fail2ban/filter.d/postfix.local

The filter that greps a bad line in maillog is postfix; search against that filter.

Thank you for the tip:

[root@ns-srv01 filter.d]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf --print-all-matched

|- Matched line(s):
| Feb 7 06:58:26 ns-srv01 postfix/smtpd[10161]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 07:08:26 ns-srv01 postfix/smtpd[13269]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 07:13:26 ns-srv01 postfix/smtpd[14323]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 07:48:26 ns-srv01 postfix/smtpd[22126]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 08:08:27 ns-srv01 postfix/smtpd[26107]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 08:18:26 ns-srv01 postfix/smtpd[29598]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 08:23:26 ns-srv01 postfix/smtpd[30750]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 08:53:07 ns-srv01 postfix/smtpd[3305]: NOQUEUE: reject: RCPT from sf129.send-now.net[107.170.255.26]: 550 5.1.1 <nldriavjbd78305@[MYDOMAIN].de>: Recipient address rejected: undeliverable address: host ns-srv01.[MYDOMAIN].de[/var/run/dovecot/lmtp] said: 550 5.1.1 <nldriavjbd78305@[MYDOMAIN].de> User doesn’t exist: nldriavjbd78305@[MYDOMAIN].de (in reply to RCPT TO command); from=information@send-now.net to=<nldriavjbd78305@[MYDOMAIN].de> proto=SMTP helo=<sf129.send-now.net>
| Feb 7 10:28:26 ns-srv01 postfix/smtpd[17144]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
| Feb 7 10:38:26 ns-srv01 postfix/smtpd[19276]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 root@lan.home: Sender address rejected: Domain not found; from=root@lan.home to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>

from…
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-ddos.conf --print-all-matched

…all the same

  Feb  7 08:40:02 ns-srv01 postfix/smtpd[1187]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:44:35 ns-srv01 postfix/smtpd[2209]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:45:02 ns-srv01 postfix/smtpd[2300]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:49:35 ns-srv01 postfix/smtpd[3204]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:50:02 ns-srv01 postfix/smtpd[3305]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:54:35 ns-srv01 postfix/smtpd[4308]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:55:02 ns-srv01 postfix/smtpd[4371]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]
|  Feb  7 08:59:35 ns-srv01 postfix/smtpd[4965]: lost connection after CONNECT from engine25.uptimerobot.com[63.143.42.250]

does it help?

[root@ns-srv01 log]# cat maillog | grep 07:13
Feb  7 07:13:22 ns-srv01 postfix/anvil[13271]: statistics: max connection rate 1/60s for (smtp:93.###.##.##) at Feb  7 07:08:26
Feb  7 07:13:22 ns-srv01 postfix/anvil[13271]: statistics: max connection count 1 for (smtp:93.###.##.##) at Feb  7 07:08:26
Feb  7 07:13:22 ns-srv01 postfix/anvil[13271]: statistics: max cache size 1 at Feb  7 07:08:26
Feb  7 07:13:26 ns-srv01 postfix/smtpd[14323]: connect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb  7 07:13:26 ns-srv01 rspamd[2749]: <ac7cea>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb  7 07:13:26 ns-srv01 postfix/smtpd[14323]: NOQUEUE: reject: RCPT from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]: 450 4.1.8 <root@lan.home>: Sender address rejected: Domain not found; from=<root@lan.home> to=<admin@[MYDOMAIN].de> proto=ESMTP helo=<nethserver.lan.home>
Feb  7 07:13:26 ns-srv01 postfix/smtpd[14323]: disconnect from [MY-ID].dip0.t-ipconnect.de[93.###.##.##]
Feb  7 07:13:26 ns-srv01 rspamd[2749]: <ac7cea>; milter; rspamd_milter_process_command: got connection from 93.###.##.##:41086
Feb  7 07:13:26 ns-srv01 rspamd[2749]: <ac7cea>; proxy; proxy_milter_finish_handler: finished milter connection
Feb  7 07:13:27 ns-srv01 rspamd[2753]: <id8dcm>; lua; bayes_expiry.lua:440: finished expiry step 48: 996 items checked, 214 significant (4 made persistent), 0 insignificant (0 ttls set), 1 common (0 discriminated), 781 infrequent (0 ttls set), 20 mean, 47 std
Feb  7 07:23:22 ns-srv01 postfix/anvil[14325]: statistics: max connection rate 1/60s for (smtp:93.###.##.##) at Feb  7 07:13:26
Feb  7 07:23:22 ns-srv01 postfix/anvil[14325]: statistics: max connection count 1 for (smtp:93.###.##.##) at Feb  7 07:13:26
Feb  7 07:23:22 ns-srv01 postfix/anvil[14325]: statistics: max cache size 1 at Feb  7 07:13:26
[root@ns-srv01 log]#

I did it and restarted the fail2ban service.

Should I remove the whitelisted IP for testing purposes?

Fix the application which tries to send an email with root@home.lan; it simply does not exist in LDAP.

Root exists locally.
Root@… is wrong.

Moreover, why does a local application try to use your remote server's SMTP to send an email to admin?

The problem is not postfix or fail2ban, I guess.

You have put me on the right track!
It was a wrong configuration in Cockpit -> System -> Settings -> Email notifications

Now I have corrected it and the test mail was sent successfully.

Many Thanks! Marko
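
The diagnosis worked out in this thread (find which jail banned the address, then look at what kept triggering it) can be read straight from fail2ban.log. The following is an added example, not code from the thread or from fail2ban: it parses lines in the format posted above, reports per-jail activity for one address, and lists the hits that led to each ban. The sample log is constructed with documentation addresses, and the `looks_scheduled` heuristic (gaps that are multiples of five minutes point to a timer-driven client such as a notification job rather than a person) is an assumption of this example.

```python
import re
from datetime import datetime

# Matches fail2ban.log lines as shown in the thread, e.g.
# 2021-02-07 07:13:26,984 fail2ban.actions [3961]: NOTICE [postfix] Ban <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<action>Restore Ban|Found|Ban|Unban|Ignore)\s+(?P<ip>\S+)"
)

# Constructed sample in the thread's log format (203.0.113.7 and
# 198.51.100.9 are documentation addresses, not real hosts).
SAMPLE_LOG = """\
2021-02-07 06:58:26,877 fail2ban.filter [3961]: INFO [postfix] Found 203.0.113.7 - 2021-02-07 06:58:26
2021-02-07 07:08:26,839 fail2ban.filter [3961]: INFO [postfix] Found 203.0.113.7 - 2021-02-07 07:08:26
2021-02-07 07:10:02,101 fail2ban.filter [3961]: INFO [sshd] Found 198.51.100.9 - 2021-02-07 07:10:02
2021-02-07 07:13:26,831 fail2ban.filter [3961]: INFO [postfix] Found 203.0.113.7 - 2021-02-07 07:13:26
2021-02-07 07:13:26,984 fail2ban.actions [3961]: NOTICE [postfix] Ban 203.0.113.7
2021-02-07 07:13:27,168 fail2ban.filter [3961]: INFO [recidive] Found 203.0.113.7 - 2021-02-07 07:13:26
2021-02-07 07:43:28,617 fail2ban.actions [3961]: NOTICE [postfix] Unban 203.0.113.7
2021-02-07 10:03:59,755 fail2ban.filter [3997]: INFO [apache-auth] Found 203.0.113.7 - 2021-02-07 10:03:45
2021-02-07 10:28:26,869 fail2ban.filter [11902]: INFO [postfix] Ignore 203.0.113.7 by ip
"""


def parse_events(lines):
    """Turn fail2ban.log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "jail": m["jail"],
                "action": m["action"],
                "ip": m["ip"],
            })
    return events


def summarize(events, ip):
    """Count Found/Ban/Unban/Ignore events per jail for one address."""
    summary = {}
    for ev in events:
        if ev["ip"] == ip:
            per_jail = summary.setdefault(ev["jail"], {})
            per_jail[ev["action"]] = per_jail.get(ev["action"], 0) + 1
    return summary


def explain_bans(events, ip):
    """For each Ban of `ip`, collect the Found hits in that jail that preceded it.

    Events are assumed to be in file (chronological) order.
    """
    pending = {}  # jail -> timestamps of hits since the last ban in that jail
    bans = []
    for ev in events:
        if ev["ip"] != ip:
            continue
        if ev["action"] == "Found":
            pending.setdefault(ev["jail"], []).append(ev["time"])
        elif ev["action"] == "Ban":
            hits = pending.pop(ev["jail"], [])
            gaps = [int((b - a).total_seconds()) for a, b in zip(hits, hits[1:])]
            bans.append({"jail": ev["jail"], "banned_at": ev["time"],
                         "hits": hits, "gaps_seconds": gaps})
    return bans


def looks_scheduled(gaps, step=300, tolerance=5):
    """Heuristic (assumption of this example): every gap is close to a
    multiple of `step` seconds, as a cron job or notification timer would be."""
    if not gaps:
        return False
    for gap in gaps:
        remainder = gap % step
        if gap < step - tolerance or min(remainder, step - remainder) > tolerance:
            return False
    return True


if __name__ == "__main__":
    ip = "203.0.113.7"
    events = parse_events(SAMPLE_LOG.splitlines())
    for jail, counts in summarize(events, ip).items():
        print(f"[{jail}] {counts}")
    for ban in explain_bans(events, ip):
        kind = "timer-driven client?" if looks_scheduled(ban["gaps_seconds"]) else "irregular"
        print(f"{ban['banned_at']} banned by [{ban['jail']}] after "
              f"{len(ban['hits'])} hits, gaps {ban['gaps_seconds']} s ({kind})")
        # Next step from the thread: run fail2ban-regex with that jail's filter
        # against the service log to see the exact lines that matched.
```
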
