1

Topic: Whitelisting in Fail2ban for dynamic IP

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hello,

We are using iRedMail as our school mail server. We've discovered a problem. In our school we've got an internet connection via DSL and every 24 hours we get another IP (dynamic IP). We've got 800 pupils and 80 teachers and other staff, so it happens quite often that someone tries a wrong password, which leads us to the problem that the mail server isn't reachable for the whole school.

Is there a way to whitelist the (dynamic) IP in fail2ban?

Thanks in advance!


2

Re: Whitelisting in Fail2ban for dynamic IP

If all dynamic IPs are in the same network, you can whitelist this network in Fail2ban, config file /etc/fail2ban/jail.local (warning: not jail.conf). For example:

[DEFAULT]
...
ignoreip = ... 192.168.1.0/24

3

Re: Whitelisting in Fail2ban for dynamic IP

Unfortunately they are not part of the same network.

4

Re: Whitelisting in Fail2ban for dynamic IP

Is there maybe a way to send the actual IP to the server and to whitelist it until the school gets a new IP?

5

Re: Whitelisting in Fail2ban for dynamic IP

To whitelist in Fail2ban, just update jail.local and list IP addresses in 'ignoreip ='.

6

Re: Whitelisting in Fail2ban for dynamic IP

Is it also possible to ignore an IP range? For example 192.168.*.*

7

Re: Whitelisting in Fail2ban for dynamic IP

You can use an IP network like 192.168.0.0/24.

8 (edited by alex42 2016-01-26 18:52:52)

Re: Whitelisting in Fail2ban for dynamic IP

I've written a little script to automatically add the dynamic IP of our school to the whitelist.
One of our computers in school is checking the dynamic IP every five minutes and writing this to a file:

dig +short myip.opendns.com @resolver1.opendns.com > /path/to/file/wanip.txt

I'm syncing this file via rsync over ssh to the server, which then executes this script:

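#!/bin/bash
# Current WAN IP (synced from the school) and the IP whitelisted last time
IPn=$(cat /path/to/file/wanip.txt)
IPo=$(cat /path/to/file/wanip_old.txt 2>/dev/null)
# Fixed whitelist entries, escaped for use in the sed replacement below
IPfix="127.0.0.1\ 127.0.0.0\/8\ 10.0.0.0\/8\ 172.16.0.0\/12\ 192.168.0.0\/16\ 176.28.21.39\/24\ "
CONFIG_FILE=/path/to/file/jail.local

# An empty file (for example after a failed lookup) must not trigger an update
[ -n "$IPn" ] || exit 1

if [ "$IPn" != "$IPo" ]
then
    # Replace the whole ignoreip value with the fixed entries plus the new IP
    sed -i "s/\(ignoreip *= *\).*/\1$IPfix$IPn/" "$CONFIG_FILE"
    echo "$IPn" > /path/to/file/wanip_old.txt
    service fail2ban restart
    echo "Neue IP gewhitelisted: $IPn Fai2ban neu gestartet" | mail -s "[Fail2ban] IP Whitelisting" postmaster@example.com
fi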

Do I have to unban the IP as well (when it has been banned before)? Or is it sufficient to set it as ignore-ip?
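
The file that drives this whitelist arrives from another machine, so the server should treat its content as untrusted input before it reaches jail.local. The sketch below is an added example, not the poster's script: it accepts only a single public IPv4 host address and rewrites the ignoreip line through a temporary file. FIXED_IGNORE, is_public_ipv4 and update_ignoreip are assumed names, and it assumes the school's WAN address is always a public one.

```shell
#!/bin/sh
# Added example (not the poster's script). FIXED_IGNORE and both function
# names are assumptions made for this sketch.
FIXED_IGNORE="127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Succeeds only for a single dotted-quad IPv4 host address that is not
# loopback, RFC 1918 private, link-local, multicast or reserved.
is_public_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, stray characters, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ????*|0?*) return 1 ;;            # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in 0|10|127) return 1 ;; esac
    [ "$1" -ge 224 ] && return 1
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1
    return 0
}

# Sets the ignoreip line of jail file $1 to FIXED_IGNORE plus address $2.
# Returns 0 if the file changed, 1 if the input was rejected or the file has
# no ignoreip line, 2 if the line already holds that value.
update_ignoreip() {
    conf=$1; ip=$2
    is_public_ipv4 "$ip" || return 1
    grep -q '^ignoreip *=' "$conf" || return 1
    new="ignoreip = $FIXED_IGNORE $ip"
    grep -qxF "$new" "$conf" && return 2
    tmp=$(mktemp "$conf.XXXXXX") || return 1   # created with mode 0600
    # The new line is passed to awk as data, never spliced into an expression.
    awk -v new="$new" '/^ignoreip *=/ { print new; next } { print }' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Usage on the mail server, after the rsync step:
#   update_ignoreip /path/to/file/jail.local "$(cat /path/to/file/wanip.txt)" \
#       && service fail2ban restart
```

Return code 2 lets the caller skip the restart and the notification mail when nothing changed, which replaces the wanip_old.txt comparison.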

9

Re: Whitelisting in Fail2ban for dynamic IP

Why not use a CIDR network like '192.168.0.0/24'? Isn't it easier? And no maintenance required.

10

Re: Whitelisting in Fail2ban for dynamic IP

This wouldn't help. The server is not in school and there is no definitive IP range out of which our school gets its IP addresses. So it varies each day.