I did setup an email server on my FreedomBox an now I am learning to understand how all the programs work. The goal is a secure email server. I am running the server behind a hardware firewall/router and with help I was able to do all the settings (Firewall and ISP). Now I’m curious about a log in /lib/systemd/system/fail2ban.service. There, since days, every few seconds, the same IP is doing something I don’t understand. Here’s the screenshot:
Does anybody have an idea? I did search and did try to find something. But it looks like I don’t understand enough…
David
Information
FreedomBox version: 24.20.1
Hardware: Pioneer FreedmonBox (Olimex Lime2)
Edit 1:
If I look up the log from dovecot I see the same IP trying to authenticate over and over again.
According to Whois this IP address belongs to “Emanuel Hosting Ltd.” in the UK. If this is the hosting provider you are using, maybe they do some kind of health checks on services that are running. Or did you set up some kind of monitoring that does active checks?
If it is always the exact same IP address and you’re worried, you can always use FB’s firewall to drop requests:
Thanks for your reply and the information! I use a netgate/pfsense plus Firewall and I’ve uploaded an enhancement pfBlockerNG. It manages IPv4/v6 List Sources into ‘Deny, Permit or Match’ formats.
GeoIP database by MaxMind Inc. (GeoLite2 Free version).
De-Duplication, Suppression, and Reputation enhancements.
Provision to download from diverse List formats.
Advanced Integration for Proofpoint ET IQRisk IP Reputation Threat Sources.
Domain Name (DNSBL) blocking via Unbound DNS Resolver.
I hope with this package/enhancement of my Firewall the attacks are getting less. I do not want to monitor my FreedomBox every few hours and block attacks manually.
So I would say, it still looks like “Fail2ban blocking postfix/dovecot login attempts has not been implemented yet.”. I guess it means one should use strong passwords i.e., randomly generated by your computer and stored in a password manager.
This certainly looks like some bot trying to login using a brute force try of well-known usernames. We have fail2ban configured on Dovecot login attempts to ban such clients. Looking at the logs above it is clear that fail2ban was able to parse the dovecot logs and recognize the failed login attempts.
We have set the maximum number of retries before ban to 30 instead of the usual 10. This is because some mail clients automatically try multiple times before asking the user to provide a new password. We didn’t want to accidentally ban a genuine user and cause confusion (as new connections can’t be made for 10 minutes). This does not significantly increase the success chances of a brute-force attempts if the password is reasonably good.
One can confirm all by looking at the current status of fail2ban:
fail2ban-client status # List the currently enforcing configuration for daemons (jails)
fail2ban-client banned # List currently banned IPs
fail2ban-client statistics # Show statistics on matched failures and actions taken
