VestaCP - Fail2Ban & iptables problem


  • Hello there 🙂 thanks for the wonderful guides!
    I have a VPS at Hetzner with CentOS 7.7 and I am facing a huge problem!
    The datacenter of Hetzner is infested with bots and my server is getting hammered by bots that are trying to hack my server.
    Luckily I'm using an SSH key and not a password, but still I see in the logs gazillions of attempts to log in as root. Anyway, my problem is that fail2ban doesn't work correctly and constantly restarts iptables, which in turn blocks all access to my mail server!
    If I turn off fail2ban, iptables works very well and I can use my mail server normally; when I turn fail2ban on, iptables is constantly at 0 minutes uptime and I can't connect to my email server.
    All other services seem to work correctly, only the mail server seems to be affected, but then again I see billions of attempts to connect to it without any of those accounts existing!
    My config for fail2ban:
    [repeat-iptables]
    enabled = true
    filter = repeat-offender
    action = vesta-repeat[name=REPEAT]
    logpath = /var/log/fail2ban.log

    # If 3 bans in 24 hours, ban for a month

    bantime = 2592000
    findtime = 86400
    maxretry = 1

    [ssh-iptables]
    enabled = true
    filter = sshd
    action = vesta[name=SSH]
    logpath = /var/log/secure
    maxretry = 1

    [vsftpd-iptables]
    enabled = true
    filter = vsftpd
    action = vesta[name=FTP]
    logpath = /var/log/vsftpd.log
    maxretry = 1

    [exim-iptables]
    enabled = true
    filter = exim
    action = vesta[name=MAIL]
    logpath = /var/log/exim/main.log
    maxretry = 1

    [dovecot-iptables]
    enabled = true
    filter = dovecot
    action = vesta[name=MAIL]
    logpath = /var/log/dovecot.log
    maxretry = 1

    [mysqld-iptables]
    enabled = false
    filter = mysqld-auth
    action = vesta[name=DB]
    logpath = /var/log/mysqld.log
    maxretry = 1

    [vesta-iptables]
    enabled = true
    filter = vesta
    action = vesta[name=VESTA]
    logpath = /var/log/vesta/auth.log
    maxretry = 1

    [recidive]
    enabled = true
    logpath = /var/log/fail2ban.log
    port = all
    protocol = all
    bantime = 2592000 ; 30 days
    findtime = 86400 ; 1 day
    maxretry = 1

    #[roundcube-auth]
    #enabled = true
    #action = vesta[name=WEB]
    #logpath = /var/log/roundcubemail/errors.log
    #maxretry = 1


  • Probably fail2ban is not able to handle such a huge log watch.

    Are you familiar with CSF firewall? I'd recommend you uninstall/mask/disable fail2ban and firewalld and use CSF firewall. Fail2ban is very basic and I didn't use it in any Vesta installations.

    I just install the CSF firewall and work with the command line.
    You can also try this guide for the GUI:
    https://www.mysterydata.com/how-to-install-csf-firewall-on-vestacp-and-enable-csf-firewall-gui/

    Also on Google you can find many regex configs for auto block.

    Also please remember, if you block 10 IPs or more via iptables, your server network will start getting slower as the IP block list grows.


  • Thanks for the reply, no, I don't know the CSF firewall but I will give it a try!
    Why does VestaCP install it since it's so bad? (rhetorical question)
    I wish there were just 10 IPs attacking my network! There are way too many even to list!
    Isn't there like an online database where I can add those IPs so others won't have attacks by them, and also for me to get bad IPs in my block list for future protection?


  • And since I am not familiar with CSF, I have followed your guide and installed it; it seems to be running!
    One thing: the last part, to install it in VestaCP, seems not to be working. At least when I click on it, it says connection refused even though the port is open and CSF restarted, but on the very right of the panel there is a CSF button that seems to be working (now I have 2, CSF Firewall and CSF). On the latter I see those warnings:
    https://prnt.sc/r7d9b5
    I don't want to mess with it, do I need to change anything? I am connecting to my server as root with an SSH key, not a password.


  • @comfuzio you just need to install CSF firewall; they now have support for Vesta. You need to discard the last code edit.


  • @sandeep you need to follow the "firewall check" option only; the others you can ignore.


  • @sandeep said in VestaCP - Fail2Ban & iptables problem:

    @comfuzio you just need to install CSF firewall; they now have support for Vesta. You need to discard the last code edit.

    Thanks sandeep! It already looks way better than fail2ban+iptables!
    Any suggestions on how to permanently block IPs after 1 failed attempt?
    My VPS is being accessed only by me, so there is no chance that there would be a failed login; the only reason would be someone trying to hack it.
    I'd like to block those attempts right away, not give them a second chance, not in 1 hour, not ever!


  • @comfuzio do you have a static IP or dynamic?


  • @sandeep myself? Dynamic, and I do access it via mobile as well. I do not want to restrict access in general, just when there is 1 wrong pass, perma ban or something.


  • Change the SSH port and check the CSF config; there you have the failed login ban config.
    SECTION:Login Failure Blocking and Alerts


  • I am using another port for SSH already, which has reduced the hack attempts on SSH a lot, but the attacks on the mail server are relentless!
    The firewall, although configured, doesn't block the attackers' IPs. I see in the logs a huge list of attempts to log in with different emails (that do not exist) from a few specific IPs. I thought that the firewall would ban them but it does nothing!
    I had to add each of those IPs to the block list manually. I am just hoping that there won't be any new attacker IPs, because I am afraid I will have to look at the logs myself and add the attackers manually every time.
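
Added example, not code from any poster in this thread: a Python script that does the log triage described above automatically, counting auth failures per source IP across dovecot and exim log lines and flagging IPs that exceeded an attempt limit or probed mailboxes that do not exist. The sample log lines and the two regexes are constructed approximations of the dovecot and exim formats, and the valid-user list and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating dovecot and exim auth-failure entries
# (not taken from the poster's log).
SAMPLE_LOG = """\
Feb 20 10:15:32 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Feb 20 10:15:34 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Feb 20 10:15:36 vps dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
2020-02-20 10:15:40 login authenticator failed for (User) [198.51.100.77]: 535 Incorrect authentication data (set_id=sales@example.com)
2020-02-20 10:15:41 login authenticator failed for (User) [198.51.100.77]: 535 Incorrect authentication data (set_id=sales@example.com)
Feb 20 10:16:01 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<me@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
"""

# Assumed patterns; adjust to the log_format your dovecot/exim actually emit.
DOVECOT_RE = re.compile(r"dovecot: \S+-login: .*auth failed.*user=<([^>]*)>.*rip=([\d.]+)")
EXIM_RE = re.compile(r"authenticator failed for .*\[([\d.]+)\].*set_id=([^)]*)\)")

def tally_failures(log_text):
    """Map each source IP to its failure count and the set of usernames it tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
        else:
            m = EXIM_RE.search(line)
            if not m:
                continue  # not an auth-failure line
            ip, user = m.group(1), m.group(2)
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
    return stats

def block_candidates(stats, valid_users, max_attempts=2):
    """IPs that exceeded max_attempts or tried a mailbox that does not exist.
    With a small, known user base (as in the thread) a single probe of a
    nonexistent account is already a reliable bot signal."""
    out = []
    for ip, s in stats.items():
        if s["attempts"] > max_attempts or (s["users"] - valid_users):
            out.append(ip)
    return sorted(out)

if __name__ == "__main__":
    # Assumed local mailbox list; csf -d is CSF's "deny this IP" command.
    candidates = block_candidates(tally_failures(SAMPLE_LOG), {"me@example.com", "sales@example.com"})
    for ip in candidates:
        print(f"csf -d {ip} mail auth brute force")
```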


  • After further testing I have found that the default config is not working, at least for what I want, so I will list a few changes that I have done that might help others:
    LF_TRIGGER = 1
    LF_TRIGGER_PERM = 1

    Then reduced all the:
    LF_SSHD/FTPD/SMTPAUTH etc. down to 2. Since I do not have other users, or the users I have know how to use a mail server and there is 0 chance for them to make a mistake in the password. Max 2 attempts because I feel generous!
    LF_*_PERM = 1 (by the * I mean ALL services above); this means perma ban. In my case, since there is 0 chance to make a wrong password, it means whoever made the mistake is trying to hack...so bye bye forever!!!
    And I have enabled the email notifications for the bans in each and every category.
    Now CSF seems to work as I want it to! I see the perma block list number increasing.
    I just hope that it can handle a large list without slowing down my server!


  • Now, is your email server still going down?

    You can configure CSF to block IPs for email login failures:
    https://forum.configserver.com/viewtopic.php?t=10698
    https://forum.configserver.com/viewtopic.php?t=8750

    Provide the correct log location path for email under the CSF config in order to block IPs automatically. Check these 2 links for some insight.


  • Thanks, the mail server seems to be working without problems, just the log file with failed attempts has reached 200MB xD


  • @comfuzio said in VestaCP - Fail2Ban & iptables problem:

    I just hope that it can handle a large list without slowing down my server!

    It will definitely slow down network performance when the IP block list increases.
