Score:2

Fail2Ban bans, iptables lists the block but connection is still not blocked

cn flag

I am using Ubuntu 22.04 LTS and I am trying to prevent repeated connection attempts to our mail server using fail2ban. Fail2ban creates a proper entry in the iptables configuration, but the related IP address(es) can still connect.

When I look at the iptables configuration, it looks fine.

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
REJECT     all  --  80.94.95.184         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  141.98.10.150        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

But checking /var/log/mail.log I can see these IP addresses are still able to connect. So the fail2ban log looks like:

2023-06-30 09:47:54,108 fail2ban.actions        [4183541]: NOTICE  [postfix-sasl] Ban 80.94.95.184
2023-06-30 09:48:02,011 fail2ban.filter         [4183541]: INFO    [postfix-sasl] Found 141.98.10.150 - 2023-06-30 09:48:02
2023-06-30 09:48:02,128 fail2ban.actions        [4183541]: WARNING [postfix-sasl] 141.98.10.150 already banned
2023-06-30 09:48:52,314 fail2ban.filter         [4183541]: INFO    [postfix-sasl] Found 141.98.10.150 - 2023-06-30 09:48:52
2023-06-30 09:49:40,343 fail2ban.filter         [4183541]: INFO    [postfix-sasl] Found 141.98.10.150 - 2023-06-30 09:49:40
2023-06-30 09:50:31,453 fail2ban.filter         [4183541]: INFO    [postfix-sasl] Found 141.98.10.150 - 2023-06-30 09:50:31
2023-06-30 09:50:31,511 fail2ban.actions        [4183541]: WARNING [postfix-sasl] 141.98.10.150 already banned

As you can see, it keeps trying to ban the IP because for some reason the IP address can still connect to my machine.

Any advice would be greatly appreciated.

Doug Smythies avatar
gn flag
Please show us the output for `sudo iptables -xvnL`, so that we can observe the packet counters and actual ports. Could you also show us the related `/var/log/mail.log` entries.
Score:0
co flag

See the answer to the 2nd Q&A in this FAQ in the fail2ban wiki...
I guess a missing or wrong port (in your case the jail bans the smtp port only). Check the ports postfix is listening on (think about SSL, so besides port 25 there can be 587, 465, etc.). Also note that theoretically some IMAP/POP3 servers can use the authorization service of postfix, so in that case you'd need to add also 110, 993 and 995 (or maybe more, so check the ports yourself).

raj avatar
cn flag
raj
IMAP/POP3 servers cannot use "authorization service of postfix", because Postfix provides none. Postfix itself relies on authentication services provided by other software - and that other software is usually POP3/IMAP server, so it works the other way.
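Putting the two diagnostics from this thread together (the packet-counter check asked for in the comment and the port mismatch described in the answer), the following shell script is an added example and not part of the thread. It pulls out the REJECT rules of the jail chain whose packet counter is still zero, compares the ports the postfix master process listens on (from `ss -ltnp`) with the `--dports` list of the jump rule fail2ban installed in INPUT, and prints the listening ports the jail does not cover. Every `sample_*` function returns constructed output modelled on the question's listing (the chain name `f2b-postfix-sasl` and the two addresses are taken from it); on a live host you replace each with the real command named in its comment.

```shell
#!/bin/sh
# Added example: why do fail2ban's REJECT rules never fire?
# The jump into the jail chain is limited to the jail's "port" list. A client
# that authenticates on a port outside that list never enters the chain, so the
# REJECT rules keep a packet counter of 0 while mail.log still shows logins.
# Every sample_* function below returns CONSTRUCTED output modelled on the
# question; on a live host replace it with the command named in its comment.
set -eu

# stand-in for: sudo iptables -xvnL f2b-postfix-sasl
sample_iptables_chain() {
cat <<'EOF'
Chain f2b-postfix-sasl (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     all  --  *      *       80.94.95.184         0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       141.98.10.150        0.0.0.0/0            reject-with icmp-port-unreachable
     312    18720 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# stand-in for: sudo iptables -S INPUT   (shows the jump rule fail2ban added)
sample_input_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25 -j f2b-postfix-sasl
EOF
}

# stand-in for: sudo ss -Hltnp   (listening TCP sockets, no header line)
sample_ss_listen() {
cat <<'EOF'
LISTEN 0 100 0.0.0.0:25  0.0.0.0:* users:(("master",pid=1234,fd=13))
LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=1234,fd=16))
LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=1234,fd=19))
LISTEN 0 128 0.0.0.0:22  0.0.0.0:* users:(("sshd",pid=900,fd=3))
EOF
}

# Banned source addresses whose REJECT rule has a packet counter of 0.
# With -xvnL the columns are: pkts bytes target prot opt in out source destination ...
reject_rules_never_hit() {            # $1 = producer of "iptables -xvnL <chain>" output
    "$1" | awk '$3 == "REJECT" && $1 == 0 { print $8 }'
}

# Destination ports of the INPUT rule that jumps into the jail chain.
jail_covered_ports() {                # $1 = producer of "iptables -S INPUT", $2 = chain name
    "$1" | awk -v chain="$2" '
        {
            hit = 0
            for (i = 1; i < NF; i++) if ($i == "-j" && $(i + 1) == chain) hit = 1
            if (!hit) next
            for (i = 1; i < NF; i++) if ($i == "--dports" || $i == "--dport") print $(i + 1)
        }' | tr ',' '\n' | sort -u
}

# Ports owned by the postfix master process ("master" in the ss process column).
postfix_listen_ports() {              # $1 = producer of "ss -Hltnp" output
    "$1" | awk '/"master"/ { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Listening postfix ports that the jail's jump rule does not cover.
uncovered_ports() {                   # $1 = ss producer, $2 = rules producer, $3 = chain name
    covered=" $(jail_covered_ports "$2" "$3" | tr '\n' ' ') "
    postfix_listen_ports "$1" | awk -v cov="$covered" 'index(cov, " " $1 " ") == 0'
}

diagnose() {
    echo "banned IPs whose REJECT rule never matched a packet:"
    reject_rules_never_hit sample_iptables_chain | sed 's/^/  /'
    echo "postfix ports not covered by the jail's jump rule:"
    uncovered_ports sample_ss_listen sample_input_rules f2b-postfix-sasl | sed 's/^/  /'
}

diagnose
```

On the constructed data the script reports both banned addresses with zero-hit REJECT rules and lists 465 and 587 as uncovered, which is exactly the situation in the question: the jump rule only covers `smtp`, so SASL attempts on the submission ports never reach the chain. The fix is to widen the jail's port list in `/etc/fail2ban/jail.local`, e.g. `port = smtp,465,submission` under `[postfix-sasl]` (fail2ban's stock jail.conf already sets `smtp,465,submission,imap,imaps,pop3,pop3s` for this jail, so a narrower override is the usual cause), then `sudo fail2ban-client reload postfix-sasl` and re-check that the REJECT counters start climbing.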