Fail2ban manager: ban hosts that cause multiple authentication errors GitHub Use case: Simply add an sshd service to prevent blasting View the current rule's work

#SOLVED ##I need to restart the fail2ban-client then the new rules takes effect! Hi, thanks for this cool feature. I tried to create a sshd rule (maxretry = 5, findtime= 300, bantime= 60000) on my server, then use another server to access the SSH with incorrect password for more than 10 times. But seems like nothing happen, no IP was ban. I click on the Log of the rule but just showing Acquisition Failed. Additionally, when i add whitelist IP, in a new line in Whitelist IP tab, it keeps showing IP format is incorrect.

nephilax What Linux distribution are you using? can you run this command and show me the the result？ cat /etc/fail2ban/jail.local

aaPanel_Jose Hi, i am using CentOS Linux release 7.6.1810 (Core) #DEFAULT-START [DEFAULT] ignoreip = 127.0.0.1/8 bantime = 600 findtime = 300 maxretry = 5 banaction = firewallcmd-ipset action = %(action_mwl)s #DEFAULT-END #jasticker.com-cc-START [jasticker.com-cc] enabled = true filter = aaP_jasticker.com_cc port = 80,443 maxretry = 10 findtime = 300 bantime = 600 action = %(action_mwl)s logpath = /www/wwwlogs/jasticker.com.log #jasticker.com-cc-END #sshd-START [sshd] enabled = true filter = sshd port = 8288 maxretry = 5 findtime = 300 bantime = 6000 action = %(action_mwl)s logpath = /var/log/secure #sshd-END #nginx-404-start [nginx-404] enabled = true port = http,https action = %(action_mwl)s filter = nginx-404 logpath = /www/wwwlogs/jasticker.com.log maxretry = 7 findtime = 300 bantime = 14400 #nginx-404-end nginx-404-error i manually added in after all working well. As per my edit in the original post, it's working well after i restarted the fail2ban-client. Before that, when i run fail2ban-client status, i am not able to see the sshd and cc rules.

nephilax It seems that your allocation is not a problem. Do you have any errors in the command line execution fail2ban-client reload ?

aaPanel_Jose Nope, reload showing ok. Maybe just my server got problem. Let's see any other user facing same issue. At least now mine is working fine now after restarted fail2ban-client.

Hi aaPanel_Jose However, the whitelist IP seems unable to add through the white list tab. I am not just add my own server public IP manually into jail.local

How to use fail2ban manager

aaPanel_Jose

nephilax
Please update to 1.1 to fix this issue

aaP_esales2000

I add a rule to one for one of my websites.
then I wanted to change it, but I receive a log error.
I deleted the rule and when I try to create a new rule for the same domain, I`m getting an error

*The log file does not exist and cannot be created*

Any idea how to solve it?

aaPanel_Kern

aaP_esales2000
Add postfix directly to the Server protection of fail2ban

aaP_esales2000

aaPanel_Kern
I added the postfix rule successfully.
But, I want to add a rule for the web server as well.
The first time, it gives to add successfully a rule,
But, I`m getting a log creation error on two conditions:

when I try to edit an exciting rule.
when I delete the rule and try to add the same rule again.

aaPanel_Kern

aaP_esales2000
WebSite protection Add related sites
Rule file: /etc/fail2ban/jail.local
Please do not change it at will, the panel may not be recognized after the change

aaP_esales2000

aaPanel_Kern
I notice that if i restart the Apache, i`m getting an error:
Apache rule configuration error:
AH00526: Syntax error on line 8 of /www/server/panel/vhost/apache/mydomain.conf:
CustomLog takes two or three arguments, a file name, a custom log format string or format name, and an optional "env=" or "expr=" clause (see docs)

aaPanel_Kern

aaP_esales2000

default configuration
combined

aaP_esales2000

aaPanel_Kern
Working great.
By adding "combined" it solved all issues.
Thank you and have a great weekend

aaP_esales2000

some hacker is sending emails from root@mydomain and root@locahost

May 5 15:46:28 vmi613070 postfix/qmgr[18763]: 4E8C6160062A: removed
May 5 15:46:28 vmi613070 postfix/local[18768]: C56E71601880: to=<root@localhost>, relay=local, delay=16772, delays=16772/0.52/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: C56E71601880: removed
May 5 15:46:28 vmi613070 postfix/local[18765]: 0CBA3160072E: to=<root@localhost>, relay=local, delay=26749, delays=26748/0.52/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: 0CBA3160072E: removed
May 5 15:46:28 vmi613070 postfix/local[18768]: 9DB4D160059E: to=<root@localhost>, relay=local, delay=9583, delays=9583/0.53/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: 9DB4D160059E: removed
May 5 15:46:28 vmi613070 postfix/local[18767]: 3FCC816007A7: to=<root@localhost>, relay=local, delay=23291, delays=23290/0.53/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: 3FCC816007A7: removed
May 5 15:46:28 vmi613070 postfix/local[18765]: C346B1600552: to=<root@localhost>, relay=local, delay=34139, delays=34139/0.54/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: C346B1600552: removed
May 5 15:46:28 vmi613070 postfix/local[18768]: B9B1D16000EB: to=<root@localhost>, relay=local, delay=34140, delays=34139/0.54/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: B9B1D16000EB: removed
May 5 15:46:28 vmi613070 postfix/local[18765]: 95BCF160149C: to=<root@localhost>, relay=local, delay=4029, delays=4029/0.55/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: 95BCF160149C: removed
May 5 15:46:28 vmi613070 postfix/local[18767]: AFAAE1600113: to=<root@localhost>, relay=local, delay=28708, delays=28708/0.55/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: AFAAE1600113: removed
May 5 15:46:29 vmi613070 postfix/local[18766]: B222B1601485: to=<root@localhost>, relay=local, delay=21982, delays=21981/0.03/0/0.91, dsn=2.0.0, status=sent (delivered to mailbox)
.....
May 5 15:46:28 vmi613070 postfix/master[18761]: daemon started -- version 3.4.7, configuration /etc/postfix
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: warning: /etc/postfix/main.cf, line 707: overriding earlier entry: myhostname=mail.mydomain.com
May 5 15:46:28 vmi613070 postfix/pickup[18762]: warning: /etc/postfix/main.cf, line 707: overriding earlier entry: myhostname=mail.mydomain.com
May 5 15:46:28 vmi613070 postfix/qmgr[18763]: 8361616007ED: from=root@vmi613070.hostingdomain.com, size=493, nrcpt=1 (queue active)
May 5 15:46:28 vmi613070 postfix/trivial-rewrite[18764]: warning: /etc/postfix/main.cf, line 707: overriding earlier entry: myhostname=mail.mydomain.com

What is the best way to block it?

aaPanel_Kern

aaP_esales2000
In the Linux system, the root user can send emails by default. However, in order to enhance system security, you can restrict the root user from sending mail by configuring the mail server or changing the settings of the mail client.

Here are some ways you can restrict the root user from sending mail:

Configure mail server: You can configure mail server to prevent root user from sending mail. Specifically, you can create a mail filtering rule on the mail server to prevent the root user from sending mail. For example, in a Postfix mail server, you would add the following to the /etc/postfix/main.cf file:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

Then, add the following to the /etc/postfix/sender_access file:

root REJECT

This will change mailx's default sender address, preventing root from sending mail.

Change the email address of the root user: You can change the email address of the root user to prevent the root user from sending emails. For example, on an Ubuntu system, you can edit the /etc/aliases file and change root's email address to a non-real email address:

root: /dev/null

This will prevent the root user from sending mail.
Note that changing the configuration of the root user may affect the normal operation of the system. Therefore, make sure you know what you are doing and back up important data before changing your system configuration.

aaPanel_Kern

aaPanel_Kern In the Linux system, the root user can send emails by default. However, in order to enhance system security, you can restrict the root user from sending mail by configuring the mail server or changing the settings of the mail client.

Here are some ways you can restrict the root user from sending mail:

Configure mail server: You can configure mail server to prevent root user from sending mail. Specifically, you can create a mail filtering rule on the mail server to prevent the root user from sending mail. For example, in a Postfix mail server, you would add the following to the /etc/postfix/main.cf file:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

Then, add the following to the /etc/postfix/sender_access file:

root REJECT

This will change mailx's default sender address, preventing root from sending mail.

Change the email address of the root user: You can change the email address of the root user to prevent the root user from sending emails. For example, on an Ubuntu system, you can edit the /etc/aliases file and change root's email address to a non-real email address:

root: /dev/null

This will prevent the root user from sending mail.
Note that changing the configuration of the root user may affect the normal operation of the system. Therefore, make sure you know what you are doing and back up important data before changing your system configuration.

aaPanel_Kern Is it possible to send after cancellation?

aaP_esales2000

When i use
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

Im receiving an error while trying to send emails from the primary email account that Im using on my WordPress (info@mydomain.com).
when I remove the sender restrict option from the config file. then it's working again and I can send emails from info@mydomain.com.
i didn't check yet if this issue is with all email accounts.

Mailer: Other SMTP
SMTP Error: The following recipients failed: someemailaddress@gmail.com: : Sender address rejected: Server configuration error

aaPanel_Kern

Is it possible to send after cancellation?
It is recommended to check whether the sender email configuration of wordpress is misconfigured?
Also check whether the ssl of the mail server is configured correctly?
"mail.135mailtest.com" is replaced with your domain name
You can use this command to check whether the correct SSL is configured
openssl s_client -connect mail.135mailtest.com:587 -starttls smtp
or
openssl s_client -connect mail.135mailtest.com:465 -starttls smtp

If the display is not OK, please re-apply for SSL

aaP_esales2000

aaPanel_Kern
Verify return code: 0 (ok)

The sender email is config correctly and the SSL is also ( using Chain SSL ).

Can I give you temporary access to the aaPanel?

aaPanel_Kern

It is recommended to check whether the sender email configuration of wordpress is misconfigured?

aaP_esales2000

aaPanel_Kern
Can you give me a hint on what to look? because it's happening only when I try to reject sending emails from the root.

That is the error that I'm receiving

Versions:
WordPress: 6.0.3
WordPress MS: No
PHP: 7.4.33
WP Mail SMTP: 3.8.0

Params:
Mailer: smtp
Constants: Yes
ErrorInfo: SMTP Error: The following recipients failed: recipient@me.com: : Sender address rejected: Server configuration error
Host: mail.mydomain.com
Port: 465
SMTPSecure: ssl
SMTPAutoTLS: bool(true)
SMTPAuth: bool(true)

Server:
OpenSSL: OpenSSL 1.0.2u 20 Dec 2019

Debug:
Email Source: WP Mail SMTP Pro
Mailer: Other SMTP
PHPMailer was able to connect to SMTP server but failed while trying to send an email.
Email Source: WP Mail SMTP Pro
Mailer: Other SMTP
SMTP Error: The following recipients failed: recipient@me.com: : Sender address rejected: Server configuration error

SMTP Debug:
2023-05-08 05:33:55 Connection: opening to ssl://mail.mydomain.com:465, timeout=300, options=array()

2023-05-08 05:33:55 Connection: opened

2023-05-08 05:33:55 SERVER -> CLIENT: 220 mail.mydomain.com ESMTP Postfix (3.4.7)

2023-05-08 05:33:55 CLIENT -> SERVER: EHLO tikair.co.il

2023-05-08 05:33:55 SERVER -> CLIENT: 250-mail.mydomain.com250-PIPELINING250-SIZE 102400000250-VRFY250-ETRN250-AUTH PLAIN LOGIN250-ENHANCEDSTATUSCODES250-8BITMIME250-DSN250-SMTPUTF8250 CHUNKING

2023-05-08 05:33:55 CLIENT -> SERVER: AUTH LOGIN

2023-05-08 05:33:55 SERVER -> CLIENT: 334 VXNlcm5hbWU6

2023-05-08 05:33:55 CLIENT -> SERVER: [credentials hidden]

2023-05-08 05:33:55 SERVER -> CLIENT: 334 UGFzc3dvcmQ6

2023-05-08 05:33:55 CLIENT -> SERVER: [credentials hidden]

2023-05-08 05:33:55 SERVER -> CLIENT: 235 2.7.0 Authentication successful

2023-05-08 05:33:55 CLIENT -> SERVER: MAIL FROM:noreply@mydomain.com

2023-05-08 05:33:55 SERVER -> CLIENT: 250 2.1.0 Ok

2023-05-08 05:33:55 CLIENT -> SERVER: RCPT TO:recipient@me.com

2023-05-08 05:33:55 SERVER -> CLIENT: 451 4.3.5 noreply@mydomain.com: Sender address rejected: Server configuration error

2023-05-08 05:33:55 SMTP ERROR: RCPT TO command failed: 451 4.3.5 noreply@mydomain.com: Sender address rejected: Server configuration error

2023-05-08 05:33:55 CLIENT -> SERVER: QUIT

2023-05-08 05:33:55 SERVER -> CLIENT: 221 2.0.0 Bye

2023-05-08 05:33:55 Connection: closed

SMTP Error: The following recipients failed: recipient@me.com: noreply@mydomain.com: Sender address rejected: Server configuration error

aaP_esales2000

That my mail config

readme_directory = /usr/share/doc/postfix3-3.4.7/README_FILES
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
virtual_mailbox_domains = sqlite:/etc/postfix/sqlite_virtual_domains_maps.cf
virtual_alias_maps = sqlite:/etc/postfix/sqlite_virtual_alias_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_mailbox_maps.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
virtual_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 102400000
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
milter_default_action = accept
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
smtpd_recipient_limit = 400
#smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

smtpd_tls_chain_files = /www/server/panel/plugin/mail_sys/cert/mydomain.com/privkey.pem,/www/server/panel/plugin/mail_sys/cert/mydomain.com/fullchain.pem
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

aaPanel_Kern

aaP_esales2000
Hello, is it normal for Send mail to use the relevant user to send mail in the mail server?
Is it normal to add a # comment to the configuration of milter_mail_macros and restart postfix?

aaP_esales2000

aaPanel_Kern
The email accounts that I'm using in WordPress is a General User ( info@mydomain.com and noreply@mydomain.com )

I comment milter_mail_macros...

I`m still getting the same error..

aaPanel_Kern

aaPanel_Kern Hello, is it normal for Send mail to use the relevant user to send mail in the mail server?

aaP_esales2000