Locked out of server

Many thanks!


I had this a few times myself. Luckily I could fix it using my mobile connection. And now I have a permanent IP address at home so I can whitelist that IP address for F2B.


I also use whitelisting because one of my clients within my LAN and connected to the internet by the same WAN-IP hammers against fail2ban. How can I identify which client it is?
Sincerely, Marko

Hi Marko,

I think if you enable “Allow bans on the LAN” for a while, you will identify the client’s IP.

BR,
Gabriel

Yes, but only the WAN-IP is logged. My question is: how can I identify the single problem client behind the one-for-all WAN-IP?

When I installed F2B for the first time, I also enabled this option and, if I remember well, the banned LAN IPs were in the list with banned IPs from the Unban section. But maybe I’m wrong.

Maybe @stephdl will tell us the right way to solve your problem.

If you use NethServer inside a LAN, no problem; not as Root server via external data center.


You are right!
At that time, my NS was also installed as a GW.

Sorry, I'm not sure I understand. Everything is logged to /var/log/fail2ban.log. Maybe if he is behind a gateway you cannot determine what the IP is, but if you can figure out which jail has banned your client, you can check in the log of the relevant application what the login of your users is.

E.g. if the SOGo jail has banned your client, you can check in the SOGo log which login is triggering the SOGo jail.


So… time for a “Fail2Ban For Dummies” topic.
Where a sysadmin can evaluate, test and assess the “desired” Fail2Ban behavior, including some crash test procedures and some… (sort of) backdoor/unlock procedures creation and test.

A good way to find in the log what has matched is fail2ban-regex:

fail2ban-regex /path/2/log /etc/fail2ban/filter.d/myFilter.conf --print-all-matched


Yes, I use that. But I always get the WAN-IP.
I think I need an analysis strategy to find the single client in my LAN that triggers fail2ban.

Normally in the log of the application you should find what is the application; in the fail2ban log you should have only the WAN IP indeed and the jail name. What is the jail name?

mostly postfix/smtpd

Question about this arrangement: how many interfaces has this installation? 2?

Open a new topic, this could be interesting.

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf --print-all-matched
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-ddos.conf --print-all-matched

This one is particular: you have to match it 100 times in 60 seconds to be banned; it is a protection if you are sending too much email.

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl-abuse.conf --print-all-matched
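The approach suggested in this thread (take the jail name and WAN IP from /var/log/fail2ban.log, then look in that application's log for anything that distinguishes the client), as an added example that is not part of the original posts. The log lines are constructed samples, the function names are hypothetical, and it assumes the Postfix reject lines carry `helo=<...>` and `from=<...>` fields; whether the HELO name actually identifies the LAN host depends on the client.

```python
import re
from collections import Counter

# Constructed sample data, modelled on fail2ban.log and Postfix maillog lines.
FAIL2BAN_LOG = """\
2021-03-04 10:15:23,456 fail2ban.filter  [1234]: INFO    [postfix] Found 203.0.113.7 - 2021-03-04 10:15:23
2021-03-04 10:15:24,101 fail2ban.actions [1234]: NOTICE  [postfix] Ban 203.0.113.7
2021-03-04 10:25:24,310 fail2ban.actions [1234]: NOTICE  [postfix] Unban 203.0.113.7
2021-03-04 11:02:10,009 fail2ban.actions [1234]: NOTICE  [sshd] Ban 198.51.100.9
"""
MAILLOG = """\
Mar  4 10:15:20 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<scan@example.org> to=<bob@example.net> proto=ESMTP helo=<printer-2nd-floor>
Mar  4 10:15:22 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <amy@example.net>: Relay access denied; from=<scan@example.org> to=<amy@example.net> proto=ESMTP helo=<printer-2nd-floor>
Mar  4 10:15:23 mail postfix/smtpd[2350]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<joe@example.org> to=<bob@example.net> proto=ESMTP helo=<desk-pc-04>
Mar  4 10:16:01 mail postfix/smtpd[2351]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<x@example.com> to=<bob@example.net> proto=ESMTP helo=<other-site>
"""

# "[jail] Ban <ip>" only; "Found" and "Unban" lines do not match.
BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")
# key=<value> pairs such as from=<...>, to=<...>, helo=<...>
FIELD_RE = re.compile(r"\b(\w+)=<([^>]*)>")


def banned_by_jail(f2b_text):
    """Map each banned IP to the set of jails that banned it."""
    bans = {}
    for line in f2b_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            bans.setdefault(m["ip"], set()).add(m["jail"])
    return bans


def client_hints(app_text, ip):
    """Tally key=<value> fields on application log lines that mention [ip]."""
    hints = {}
    for line in app_text.splitlines():
        if f"[{ip}]" not in line:
            continue
        for key, value in FIELD_RE.findall(line):
            hints.setdefault(key, Counter())[value] += 1
    return hints


if __name__ == "__main__":
    for ip, jails in banned_by_jail(FAIL2BAN_LOG).items():
        print(ip, sorted(jails))
        for key, counts in client_hints(MAILLOG, ip).items():
            print("  ", key, counts.most_common(3))
```

On real data, read the two files instead of the embedded strings; a HELO name or sender address that dominates the tally for the banned WAN IP is the client to look at first.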

Yes, my root server has one real WAN interface (RED) with the public IP and one LAN dummy interface (GREEN).

Good idea, I will create a thread within the how-to section.


The new thread: How to analyze who triggers fail2ban
