<![CDATA[iRedMail — fail2ban banning cell phone clients]]> 2012-10-09T04:15:20Z PunBB http://www.iredmail.org/forum/topic3963-fail2ban-banning-cell-phone-clients.html <![CDATA[Re: fail2ban banning cell phone clients]]>

On 10/7/2012
The IP 184.78.62.159 has just been banned by Fail2Ban after 5 attempts against Postfix.

Works as expected.

Did you try resetting this user's password?

]]> http://www.iredmail.org/forum/user2.html 2012-10-09T04:15:20Z http://www.iredmail.org/forum/post18510.html#p18510 <![CDATA[Re: fail2ban banning cell phone clients]]> How can I search the log files to see why it is happening?

in /var/log/, does Fail2ban look in all logs?

On 10/7/2012
The IP 184.78.62.159 has just been banned by Fail2Ban after 5 attempts against Postfix.

nm2:/var/log# grep "184.78.62.159" * | grep "failed"

I have results from mail.info, mail.warn, mail.log and syslog1.


mail.info:Oct  7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.info:Oct  7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.info:Oct  7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct  7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.info:Oct  7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.log:Oct  7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.log:Oct  7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct  7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.log:Oct  7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.warn:Oct  7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.warn:Oct  7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct  7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.warn:Oct  7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
syslog.1:Oct  7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
syslog.1:Oct  7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct  7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
syslog.1:Oct  7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

]]> http://www.iredmail.org/forum/user23240.html 2012-10-08T20:31:33Z http://www.iredmail.org/forum/post18504.html#p18504 <![CDATA[Re: fail2ban banning cell phone clients]]> Your log is not related to banned IP 69.246.221.84.

Fail2ban scan log files, if there're multiple password failures, it will ban client IP with iptables. This is how it works.

]]> http://www.iredmail.org/forum/user2.html 2012-10-07T12:30:45Z http://www.iredmail.org/forum/post18481.html#p18481 <![CDATA[Re: fail2ban banning cell phone clients]]> Could this be causing the problem?

In the /var/log/mail.info or /var/log/syslog

mail.info:Sep 30 11:10:00 nm2 postfix/smtpd[18221]: warning: hostname mobile-166-137-081-095.mycingular.net does not resolve to address 166.137.81.95: Name or service not known

mail.info:Sep 30 12:28:45 nm2 postfix/smtpd[20873]: warning: hostname static.kpn.net does not resolve to address 46.144.243.70: Name or service not known

mail.info:Sep 30 16:36:58 nm2 postfix/smtpd[30102]: warning: hostname 173-170-174-97.res.bhn.net does not resolve to address 173.170.174.97: Name or service not known

mail.info:Oct  1 03:39:15 nm2 postfix/smtpd[20559]: warning: hostname mobile-166-137-080-007.mycingular.net does not resolve to address 166.137.80.7: Name or service not known

]]> http://www.iredmail.org/forum/user23240.html 2012-10-04T19:32:07Z http://www.iredmail.org/forum/post18458.html#p18458 <![CDATA[Re: fail2ban banning cell phone clients]]> What log file should I be looking in?

Is it the dovecot-info.log file?

]]> http://www.iredmail.org/forum/user23240.html 2012-10-03T14:16:57Z http://www.iredmail.org/forum/post18442.html#p18442 <![CDATA[Re: fail2ban banning cell phone clients]]> Does this client get many password failure while performing SMTP auth/login?

]]> http://www.iredmail.org/forum/user2.html 2012-10-03T08:39:13Z http://www.iredmail.org/forum/post18430.html#p18430 <![CDATA[fail2ban banning cell phone clients]]> ==== Required information ====
- iRedMail version: 0.8.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Linux/BSD distribution name and version: debian
- Related log if you're reporting an issue:
====

fail2ban is banning cell phone clients,

/var/log/fail2ban.log
2012-10-01 18:31:05,338 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 18:36:05,688 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 18:45:55,354 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 18:49:36,602 fail2ban.actions: WARNING [postfix-iredmail] 69.246.221.84 already banned
2012-10-01 18:50:55,691 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:00:50,367 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:05:50,701 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:15:32,354 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:16:32,433 fail2ban.actions: WARNING [postfix-iredmail] 69.246.221.84 already banned
2012-10-01 19:20:32,706 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:30:31,401 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:35:31,777 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:44:10,373 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:49:10,717 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:58:49,386 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:59:49,455 fail2ban.actions: WARNING [postfix-iredmail] 69.246.221.84 already banned
2012-10-01 20:03:49,726 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84

Where can I look to see why this is getting banned?
the /var/log/fail2ban.log doesn't really give me any information
how to troubleshoot postfix-iredmail bans?

]]> http://www.iredmail.org/forum/user23240.html 2012-10-02T15:53:44Z http://www.iredmail.org/forum/post18421.html#p18421