Regarding this thread, we should try to collect know-how on how to analyze which client triggers fail2ban.
In my mind, that know-how summarizes as:
- some reproducible strategies to find the root causes of bans
- the most common commands for analysis of the relevant log files
- prevention against the most common scenarios that lock yourself out.
I will progressively consolidate the answers here in the first posting.
1. Use Case #1
- root server within an external data center
- 2 network interfaces with WAN IP (red) and dummy LAN IP (green)
- installed IPS, Threat Shield
- own LAN with more than 30 clients behind a DSL router with a dynamically changing IP address; they use NethServer for:
  - authentication for some NethServer-provided applications like FileServer, DokuWiki, NextCloud, Webmail, WordPress, VPN (road warrior)
2. fail2ban configuration
- static ban time
- number of attempts: 3
- time span: 10 minutes
- ban time: 15 minutes
3. fail2ban behavior
- fail2ban bans my own LAN because one of my clients hammers against fail2ban. That's why analysis and administration are totally blocked.
- Assumption 1: typo within the mail client logon data
- Assumption 2: the user changed his own password via Cockpit and the credentials within the mail clients became invalid
4. Workaround:
- connect the administrator client to the internet via mobile phone to access the root server
- whitelisting the WAN IP of the DSL router (unfortunately each time the DSL router changes its IP address)
- preventive renewal of the mail login data for all clients, as it was not possible to identify the triggering client quickly
5. Analysis procedure:
- Identify the banned IP; whitelist and unblock it if it is identical to your own WAN IP
- Determine the applicable jail / service and the trigger time
- Determine the applicable local client
6. Analysis commands:
6.1 Analysis of triggered jails
```
# grep "Ban my.dynamic.wan.ip" /var/log/fail2ban.log
```
6.2 Analysis of the current postfix/smtpd jail
```
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf --print-all-matched
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-ddos.conf --print-all-matched
```
6.3 Analysis of an earlier (rotated) postfix/smtpd jail
```
# fail2ban-regex /var/log/maillog-yyyymmdd /etc/fail2ban/filter.d/postfix.conf --print-all-matched
# fail2ban-regex /var/log/maillog-yyyymmdd /etc/fail2ban/filter.d/postfix-ddos.conf --print-all-matched
```
Matrix of log files corresponding to jails

| Jail | Logs |
|---|---|
| apache-auth | /var/log/httpd/*error_log |
| apache-badbots | /var/log/httpd/access_log |
| apache-botsearch | /var/log/httpd/*error_log |
| apache-fakegooglebot | /var/log/httpd/access_log |
| apache-modsecurity | /var/log/httpd/*error_log |
| apache-nohome | /var/log/httpd/*error_log |
| apache-noscript | /var/log/httpd/*error_log |
| apache-overflows | /var/log/httpd/*error_log |
| apache-scan | /var/log/httpd/*error_log |
| apache-shellshock | /var/log/httpd/*error_log |
| dovecot | /var/log/imap |
| dovecot-nethserver | /var/log/imap |
| ejabberd-auth | /var/log/ejabberd/ejabberd.log |
| httpd-admin | /var/log/httpd-admin/access_log |
| mysqld-auth | /var/log/mariadb/mariadb.log |
| nextcloud-auth | /var/lib/nethserver/nextcloud/nextcloud.log |
| openvpn | /var/log/openvpn/openvpn.log |
| pam-generic | /var/log/secure |
| pam-generic-nethserver | /var/log/secure |
| phpmyadmin | /var/log/httpd/access_log |
| postfix | /var/log/maillog |
| postfix/smtp | /var/log/maillog |
| postfix-ddos | /var/log/maillog |
| postfix-sasl-abuse | /var/log/maillog |
| recidive | /var/log/fail2ban.log |
| rspamd | /var/log/httpd-admin/access_log |
| sieve | %(dovecot_log)s |
| sogo-auth | /var/log/sogo/sogo.log |
| sshd | %(sshd_log)s |
| vsftpd | /var/log/vsftpd.log |
| webtop | /var/log/webtop/webtop_auth.log |
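As an added example (not part of the original post), here is the correlation from steps 5 and 6 done in Python: find the Ban lines for your WAN IP in fail2ban.log, then count which mailbox users failed to log in from that IP in /var/log/imap during the findtime window before the ban, which is what points to the local client behind the shared NAT address. The log lines are constructed samples in the fail2ban and dovecot imap-login formats; the year is an assumption because syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample fail2ban.log lines (not from the post), in fail2ban's own format:
# "<date> <time>,<ms> fail2ban.actions [pid]: NOTICE [<jail>] Ban <ip>"
FAIL2BAN_LOG = """\
2020-05-12 10:15:03,411 fail2ban.actions        [1234]: NOTICE  [dovecot] Ban 203.0.113.5
2020-05-12 10:30:03,502 fail2ban.actions        [1234]: NOTICE  [dovecot] Unban 203.0.113.5
2020-05-12 11:02:17,090 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
"""

# Constructed /var/log/imap lines in dovecot's imap-login format; syslog lines carry no year.
IMAP_LOG = """\
May 12 10:05:41 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
May 12 10:10:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
May 12 10:14:58 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
May 12 10:14:59 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
May 12 10:14:59 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
"""

BAN_RE = re.compile(r"^(\S+ \S+?),\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(\S+)\] Ban (\S+)$")
AUTH_FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*auth failed.*user=<([^>]*)>.*rip=(\S+?),")

def find_bans(log_text, wan_ip):
    """Return [(ban_time, jail)] for every Ban line that hit wan_ip (step 6.1 of the post)."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group(3) == wan_ip:
            bans.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return bans

def failing_users(imap_log, wan_ip, ban_time, findtime=timedelta(minutes=10), year=2020):
    """Count mailbox users with failed logins from wan_ip inside the findtime window before ban_time."""
    counts = Counter()
    for line in imap_log.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m or m.group(3) != wan_ip:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if ban_time - findtime <= ts <= ban_time:
            counts[m.group(2)] += 1
    return counts

def suspects(fail2ban_log, imap_log, wan_ip):
    """Map each (ban_time, jail) for wan_ip to the users whose failures fell inside its window."""
    return {(t, jail): failing_users(imap_log, wan_ip, t) for t, jail in find_bans(fail2ban_log, wan_ip)}
```

Successful logins (dovecot's "Login:" lines) are ignored, so a user who authenticates fine from the same WAN IP is not blamed for the ban.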
Please correct this and add your suggestions.