Art3mis asked:
As described in the title, I am running a dovecot/postfix/Rspamd Mailservercombo with a MariaDB behind it.
I noticed how, in the last days, I couldn’t receive/send any mail from my e-mail clients anymore. Thunderbird noticed too: It is not possible to connect with the SMTP Server anymore.
The only things I changed around this time are:
- I added a phpmyadmin access with additional linux user query from the apache2 Server and
- (on recommendation of a “friend”) installed fail2ban as an additional protection against bruteforce requests against the webservices. I left it on the default settings, only changed the bantime to 1 hr.
Since then I removed and purged fail2ban, sure it was the problem. It wasn’t. (?)
After reading the following output from syslog I traced it back to UFW:
UFW itself has following configuration:
# cat /etc/ufw/user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
### tuple ### allow tcp 2222 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 2222 -j ACCEPT
### tuple ### allow tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 25 -j ACCEPT
### tuple ### allow tcp 465 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 465 -j ACCEPT
### tuple ### allow tcp 587 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 587 -j ACCEPT
### tuple ### allow tcp 143 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 143 -j ACCEPT
### tuple ### allow tcp 993 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 993 -j ACCEPT
### tuple ### allow tcp 4190 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 4190 -j ACCEPT
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
As you can see on the last few entries, it seems to maybe be triggered by ufw-after-logging-input, ufw-after-logging-forward or ufw-logging-deny. However, this is where my ‘knowledge’ ends right now. The only thing I additionaly noticed was that the following line was marked red in the user.rules, but that could just be nothing…
I re-installed fail2ban to do this:
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 158
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 112.xxx.xxx.xxx
# fail2ban-client set sshd unbanip 112.xxx.xxx.xxx
112.xxx.xxx.xxx
# fail2ban-client status sshd
[...]
`- Banned IP list:
I searched through plenty of sites but couldn’t find any useful lead on how to solve this. It really seems to have come from one of the recent changes I made, although I can’t think of anything more than maybe a not deleted rule that may be still around after purging and removing fail2ban.
Some things I also tried in the process of fixing it:
– restarting and stop/starting UFW
– restarting apache2
– restarting dovecot
– looking on Rspamd for event entries on sent test-mails (none were received since the time around the changes I made!)
– using another mailclient
– adding an acceptance rule for Port 25 to UFW (did not change anything)
P.S.: This server is running Ubuntu.
Is there any way to get my setup back to a working state?
My answer:
The UFW config looks correct.
You probably managed to ban your own IP in fail2ban.
Use fail2ban-client status
to see which jails are enabled, then fail2ban-client status <jail>
to see if your IP address is listed. If you find your IP, you can unban it.
[[email protected] ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
[[email protected] ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 3
| |- Total failed: 762
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 13
|- Total banned: 86
`- Banned IP list: 121.136.181.58 212.224.124.98 65.94.147.197 176.159.245.52 68.32.77.29 112.17.128.44 220.81.48.50 104.210.60.66 104.211.60.207 104.211.46.110 212.64.98.92 59.144.137.186 90.3.202.234
[[email protected] ~]# fail2ban-client set sshd unbanip 203.0.113.187
203.0.113.187
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.