Many thanks!
I had this a few times myself. Luckily I could fix it using my mobile connection. And now I have a permanent IP address at home so I can whitelist that IP address for F2B.
I also use whitelisting because one of my clients within my LAN, connected to the internet by the same WAN-IP, hammers against fail2ban. How can I identify which client it is?
Sincerely, Marko
Hi Marko,
I think if you will enable “Allow bans on the LAN” for a while, you will identify the client’s IP.
BR,
Gabriel
Yes, but only the WAN-IP is logged. My question is: how can I identify the single problem client behind the one-for-all WAN-IP?
When I installed F2B for the first time, I also enabled this option and, if I remember well, the banned LAN IPs were in the list of banned IPs in the Unban section. But maybe I’m wrong.
Maybe @stephdl will tell us the right way to solve your problem.
If you use NethServer inside a LAN, no problem; not as a root server via an external data center.
You are right!
In that time, my NS was installed also as a GW.
Sorry, not sure I understand. Everything is logged to /var/log/fail2ban.log. Maybe if he is behind a gateway you cannot determine what the IP is, but if you can figure out which jail has banned your client, you can check in the log of the relevant application what the login of your user is.
e.g.: if the SOGo jail has banned your client, you can check in the SOGo log which login is triggering the SOGo jail.
So… time for a “Fail2Ban For Dummies” topic.
Where a sysadmin can evaluate, test and assess the “desired” Fail2Ban behavior, including some crash test procedures and the creation and testing of some… (sort of) backdoor/unlock procedures.
A good way to find in the log what has matched is fail2ban-regex:
fail2ban-regex /path/2/log /etc/fail2ban/filter.d/myFilter.conf --print-all-matched
Yes, I use that. But I always get the WAN-IP.
I think I need an analysis strategy to find the single client in my LAN that triggers fail2ban.
Normally in the log of the application you should find what the application is; in the fail2ban log you should indeed have only the WAN IP and the jail name. What is the jail name?
mostly postfix/smtpd
Question about this arrangement: how many interfaces does this installation have? 2?
Open a new topic, this could be interesting.
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf --print-all-matched
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-ddos.conf --print-all-matched
This one is particular: you have to match it 100 times in 60 seconds to be banned; it is a protection if you are sending too much email.
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl-abuse.conf --print-all-matched
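The advice in this thread (take the jail name and ban time from /var/log/fail2ban.log, then look in the application's own log for the login that triggered it) can be scripted. The following is an added example, not code from the thread or from NethServer: it parses a ban event from fail2ban.log, collects the Postfix SASL authentication failures from the same IP inside the jail's findtime window before the ban, and counts them per sasl_username. The log lines are constructed samples, the findtime of 600 seconds is fail2ban's default and assumed to match the jail, and the presence of `sasl_username=` in Postfix failure lines depends on the Postfix version in use (older versions log the failure without the username, which the script reports as such).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/fail2ban.log (not real data).
FAIL2BAN_LOG = """\
2024-01-10 12:00:05,123 fail2ban.filter  [1234]: INFO    [postfix] Found 203.0.113.5
2024-01-10 12:00:05,456 fail2ban.actions [1234]: NOTICE  [postfix] Ban 203.0.113.5
"""

# Constructed sample of /var/log/maillog. Only 203.0.113.5 (the shared WAN IP)
# matters for the ban above; 198.51.100.9 is an unrelated host.
MAILLOG = """\
Jan 10 11:58:40 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice@example.org
Jan 10 11:59:10 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice@example.org
Jan 10 11:59:50 mail postfix/smtpd[2346]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.org
Jan 10 11:59:55 mail postfix/smtpd[2347]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob@example.org
Jan 10 12:00:01 mail postfix/smtpd[2348]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure, sasl_username=mallory@example.org
Jan 10 09:00:00 mail postfix/smtpd[2300]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=carol@example.org
"""

# "<timestamp> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>"
BAN_RE = re.compile(
    r"^(\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(\S+)\] Ban (\S+)"
)
# Postfix smtpd SASL failure; sasl_username is optional (version dependent).
SASL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[([\d.]+)\]: SASL \w+ authentication failed"
    r"(?:.*?sasl_username=(\S+))?"
)


def parse_bans(text):
    """Return (ban_time, jail, ip) tuples from fail2ban.log content."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            bans.append((ts, m.group(2), m.group(3)))
    return bans


def parse_sasl_failures(text, year):
    """Return (time, ip, username-or-None) tuples from maillog content.

    Syslog timestamps carry no year, so the caller supplies one (here the
    year of the ban event, an assumption that holds unless the window
    crosses New Year).
    """
    failures = []
    for line in text.splitlines():
        m = SASL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group(2), m.group(3)))
    return failures


def correlate(ban_ts, ip, failures, findtime=600):
    """Count SASL failures per username from `ip` in the findtime window."""
    window_start = ban_ts - timedelta(seconds=findtime)
    counts = Counter()
    for ts, fip, user in failures:
        if fip == ip and window_start <= ts <= ban_ts:
            counts[user or "<no sasl_username logged>"] += 1
    return counts


def report(fail2ban_text, maillog_text, findtime=600):
    """Map (jail, ip) of every ban to a Counter of usernames behind it."""
    result = {}
    for ban_ts, jail, ip in parse_bans(fail2ban_text):
        failures = parse_sasl_failures(maillog_text, ban_ts.year)
        result[(jail, ip)] = correlate(ban_ts, ip, failures, findtime)
    return result


if __name__ == "__main__":
    for (jail, ip), counts in report(FAIL2BAN_LOG, MAILLOG).items():
        print(f"[{jail}] ban of {ip}:")
        for user, n in counts.most_common():
            print(f"  {n:3d} failed SASL logins as {user}")
```

On the constructed data the ban of 203.0.113.5 is attributed to three failures as alice@example.org and one as bob@example.org; carol@example.org is excluded because her failure lies hours before the ban, outside the findtime window. The account with the most failures points to the LAN device that has that mailbox configured with stale credentials, which is what the thread is trying to locate. On a real system, read the two files with `open()` instead of the embedded samples and set `findtime` to the value in the jail's configuration.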
Yes, my root server has one real WAN interface (RED) with the public IP and one LAN dummy interface (GREEN).
Good idea, I will create a thread within the how-to section.