Legit email users getting caught in Fail2Ban traps

NethServer Version: 7.2009
Module: Fail2Ban

We’ve been having this issue for a bit intermittently, but as of recent it’s become more frequent and more annoying. We have approximately 80 users who seemingly randomly will get caught in Fail2Ban on mobile devices.

These users are using mobile email clients with “push” notifications enabled from the email client of choice. This is occurring on both cellular and wifi connections, causing us to have to flush our fail2ban every time a user gets blocked, which is obviously not ideal.

The users’ email client shouldn’t have the password incorrect as they are able to send and retrieve emails with no issues. So authentication failures shouldn’t be the root cause of this, and it’s very clearly something else causing the issue.

In the NethServer interface, we already have the fail2ban settings as lax as we can make them, with the following settings:

  • Incremental ban time
  • Logging level: Warning
  • Number of Attempts: 10
  • Timespan: 2 hours
  • Ban time: 1 day

This installation serves an emergency services agency, as such they need to be able to connect to email from all types of devices, and locations. So whitelisting ranges and other stuff isn’t really an option as far as geographically blocking stuff. Does anyone have any recommendations on what we can do to mitigate this issue?

@stephdl I know I’ve seen you fairly active on the subject of Fail2Ban here on the forums. I’m hoping you have some insight.

You need to dive into the fail2ban log to know which jail has banned, then you could apply fail2ban-regex on the relevant log with the relevant jail.
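
The first step of the reply above (finding which jail issued the bans), as an added example that is not part of the original thread. It assumes the usual `fail2ban.log` line layout (`... [jail] Ban <ip>`); the function names and sample log lines are constructed for illustration, and the addresses come from documentation ranges.

```shell
#!/usr/bin/env bash
# Added example: summarise fail2ban events per jail and address.
# Assumed line layout (constructed sample below follows it):
#   <date> <time> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>

# Constructed sample log, so the script runs without a real server.
sample_log() {
cat <<'EOF'
2021-03-02 08:14:05,101 fail2ban.filter  [1432]: INFO    [dovecot] Found 198.51.100.23 - 2021-03-02 08:14:05
2021-03-02 08:14:07,512 fail2ban.actions [1432]: NOTICE  [dovecot] Ban 198.51.100.23
2021-03-03 09:00:00,000 fail2ban.actions [1432]: NOTICE  [dovecot] Unban 198.51.100.23
2021-03-03 11:40:12,220 fail2ban.actions [1432]: NOTICE  [dovecot] Ban 198.51.100.23
2021-03-03 12:01:44,870 fail2ban.actions [1432]: NOTICE  [postfix-sasl] Ban 203.0.113.77
EOF
}

# events_by_jail EVENT [FILE...]
# EVENT is the keyword after the jail name, e.g. Ban or Found.
# Prints "count jail ip", most frequent first. Reads stdin if no FILE.
events_by_jail() {
    local event="$1"
    shift
    awk -v ev="$event" '
        {
            # Locate the "[jail] EVENT ip" triple wherever it sits in the line.
            for (i = 2; i < NF; i++) {
                if ($i == ev && $(i-1) ~ /^\[.*\]$/) {
                    jail = substr($(i-1), 2, length($(i-1)) - 2)
                    count[jail " " $(i+1)]++
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Demo on the constructed sample. On a real host, pass the log file instead,
# e.g. events_by_jail Ban /var/log/fail2ban.log (default path, assumed here).
sample_log | events_by_jail Ban

# Second step from the reply: test the filter of the jail found above against
# the log that jail watches (placeholders, fill in from the jail's config):
#   fail2ban-regex <logfile> /etc/fail2ban/filter.d/<filter>.conf
```

The lines that `fail2ban-regex` reports as matched are the ones counting toward the ban, which shows what the mobile clients are doing that the filter treats as a failure.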