1

Topic: Fail2ban keeps locking me out

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.951
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi,
I've had to uninstall fail2ban, because it kept locking me out.
Can somebody tip me how to manage lockouts easily? Fail2ban is necessary, but I've no idea how to tame the beast.
Cheers,
Jakub


2

Re: Fail2ban keeps locking me out

*) If you're running a new server, it's OK to disable fail2ban temporarily for a few days. After all users have settled down, enable it. And slightly increase the 'maxretry' numbers.
*) If your server has already been running for some months, you need to check why users are always blocked. Which ban rule was triggered? Why?

3

Re: Fail2ban keeps locking me out

If you want to prevent yourself from getting locked out, you can use the "ignoreip" option in Fail2ban. In /etc/fail2ban/jail.local (/usr/local/etc/fail2ban/jail.local in FreeBSD, etc.), under each definition for a service, you can have your IP address whitelisted, and put a list of IP addresses to be ignored by Fail2ban like this:

[sshd]
enabled     = true
filter      = sshd
action      = iptables[name=sshd, port="ssh", protocol=tcp]
logpath     = /var/log/auth.log
findtime    = 90
maxretry    = 2
ignoreip     = 127.0.0.1 10.0.0.0/8 192.168.1.3

I hope this helps!
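
Added example, not part of any post in this thread: a short Python script that answers the "which ban rule was triggered?" question from reply 2 by counting Ban actions per jail and address in fail2ban.log, and checks each banned address against an ignoreip value as in reply 3. The log lines and the dovecot/postfix jail names are constructed samples in the fail2ban 0.9-style log format, and the script assumes ignoreip holds only IP addresses and CIDR ranges (no hostnames).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the fail2ban.log format (not taken from the thread).
SAMPLE_LOG = """\
2017-03-01 09:12:01,101 fail2ban.filter         [812]: INFO    [dovecot] Found 192.168.1.3
2017-03-01 09:12:04,330 fail2ban.filter         [812]: INFO    [dovecot] Found 192.168.1.3
2017-03-01 09:12:05,002 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 192.168.1.3
2017-03-01 10:40:17,518 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.77
2017-03-01 10:50:17,921 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.77
2017-03-02 08:03:44,250 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 192.168.1.3
2017-03-02 08:30:10,007 fail2ban.actions        [812]: NOTICE  [postfix] Ban 10.4.2.9
"""

# Matches only "Ban" actions; "Unban" and filter "Found" lines are skipped.
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]:\s+\w+\s+\[([^\]]+)\]\s+Ban\s+(\S+)")

def count_bans(log_text):
    """Return a Counter keyed by (jail, ip) for every Ban action line."""
    bans = Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            bans[(m.group(1), m.group(2))] += 1
    return bans

def covered_by_ignoreip(ip, ignoreip):
    """True if ip is inside any address or CIDR of a space-separated ignoreip value."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip.split())

def report(log_text, ignoreip):
    """Rows of (jail, ip, ban_count, covered), most frequently banned first."""
    rows = [(jail, ip, n, covered_by_ignoreip(ip, ignoreip))
            for (jail, ip), n in count_bans(log_text).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    # ignoreip value copied from the jail.local example in reply 3
    for jail, ip, n, covered in report(SAMPLE_LOG, "127.0.0.1 10.0.0.0/8 192.168.1.3"):
        print(f"{jail:10} {ip:15} bans={n} ignoreip_covers={covered}")
```

To run it against a live server, pass the contents of the fail2ban log file to report() in place of SAMPLE_LOG; rows where the last field is False are addresses the given ignoreip value would not protect.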