iRedMail — fail2ban banning cell phone clients

Re: fail2ban banning cell phone clients

null@example.com (ZhangHuangbin) — Tue, 09 Oct 2012 04:15:20 +0000

On 10/7/2012
The IP 184.78.62.159 has just been banned by Fail2Ban after 5 attempts against Postfix.

Works as expected.

Did you try resetting this user's password?

Re: fail2ban banning cell phone clients

null@example.com (darth_wells) — Mon, 08 Oct 2012 20:31:33 +0000

How can I search the log files to see why it is happening?

in /var/log/, does Fail2ban look in all logs?

On 10/7/2012
The IP 184.78.62.159 has just been banned by Fail2Ban after 5 attempts against Postfix.

nm2:/var/log# grep "184.78.62.159" * | grep "failed"

I have results from mail.info, mail.warn, mail.log and syslog1.

mail.info:Oct 7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.info:Oct 7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.info:Oct 7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.info:Oct 7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.info:Oct 7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.log:Oct 7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.log:Oct 7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.log:Oct 7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.log:Oct 7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.warn:Oct 7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.warn:Oct 7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mail.warn:Oct 7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
mail.warn:Oct 7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:00 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
syslog.1:Oct 7 10:34:06 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:16 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:18 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:21 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:23 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:34 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:34:40 nm2 postfix/smtpd[1160]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:36:44 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
syslog.1:Oct 7 10:36:50 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:37:01 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:37:07 nm2 postfix/smtpd[1300]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
syslog.1:Oct 7 10:39:08 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL PLAIN authentication failed:
syslog.1:Oct 7 10:39:14 nm2 postfix/smtpd[1379]: warning: unknown[184.78.62.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Re: fail2ban banning cell phone clients

null@example.com (ZhangHuangbin) — Sun, 07 Oct 2012 12:30:45 +0000

Your log is not related to banned IP 69.246.221.84.

Fail2ban scan log files, if there're multiple password failures, it will ban client IP with iptables. This is how it works.

Re: fail2ban banning cell phone clients

null@example.com (darth_wells) — Thu, 04 Oct 2012 19:32:07 +0000

Could this be causing the problem?

In the /var/log/mail.info or /var/log/syslog

mail.info:Sep 30 11:10:00 nm2 postfix/smtpd[18221]: warning: hostname mobile-166-137-081-095.mycingular.net does not resolve to address 166.137.81.95: Name or service not known

mail.info:Sep 30 12:28:45 nm2 postfix/smtpd[20873]: warning: hostname static.kpn.net does not resolve to address 46.144.243.70: Name or service not known

mail.info:Sep 30 16:36:58 nm2 postfix/smtpd[30102]: warning: hostname 173-170-174-97.res.bhn.net does not resolve to address 173.170.174.97: Name or service not known

mail.info:Oct 1 03:39:15 nm2 postfix/smtpd[20559]: warning: hostname mobile-166-137-080-007.mycingular.net does not resolve to address 166.137.80.7: Name or service not known

Re: fail2ban banning cell phone clients

null@example.com (darth_wells) — Wed, 03 Oct 2012 14:16:57 +0000

What log file should I be looking in?

Is it the dovecot-info.log file?

Re: fail2ban banning cell phone clients

null@example.com (ZhangHuangbin) — Wed, 03 Oct 2012 08:39:13 +0000

Does this client get many password failure while performing SMTP auth/login?

fail2ban banning cell phone clients

null@example.com (darth_wells) — Tue, 02 Oct 2012 15:53:44 +0000

==== Required information ====
- iRedMail version: 0.8.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Linux/BSD distribution name and version: debian
- Related log if you're reporting an issue:
====

fail2ban is banning cell phone clients,

/var/log/fail2ban.log
2012-10-01 18:31:05,338 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 18:36:05,688 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 18:45:55,354 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 18:49:36,602 fail2ban.actions: WARNING [postfix-iredmail] 69.246.221.84 already banned
2012-10-01 18:50:55,691 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:00:50,367 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:05:50,701 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:15:32,354 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:16:32,433 fail2ban.actions: WARNING [postfix-iredmail] 69.246.221.84 already banned
2012-10-01 19:20:32,706 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:30:31,401 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:35:31,777 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:44:10,373 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:49:10,717 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84
2012-10-01 19:58:49,386 fail2ban.actions: WARNING [postfix-iredmail] Ban 69.246.221.84
2012-10-01 19:59:49,455 fail2ban.actions: WARNING [postfix-iredmail] 69.246.221.84 already banned
2012-10-01 20:03:49,726 fail2ban.actions: WARNING [postfix-iredmail] Unban 69.246.221.84

Where can I look to see why this is getting banned?
the /var/log/fail2ban.log doesn't really give me any information
how to troubleshoot postfix-iredmail bans?