Resolved Fail2ban adding legit customers to ban list

[seqoi]

I have a problem which i could not resolve by myself. It happens randomly but on often basis.

Allow me to describe.

There are more of users not jut specific one but for description i am only using "Customer A".

Customer A only interaction with my server is through their Outlook email clients. So basically only for reading and sending emails.

Customer A is getting on Banned IP addressed with these activated jails: "plesk-postfix" and or "recidive". Both have value of 5 for max retry. I am aware of what these jails are for but follow me further.

On random occasion like every two weeks, sometimes every two days Customer A is triggering above mentioned jails and he is getting on ban list and after that obviously i am getting phone calls because company can't use email. Why?

I myself did Outlook setup and there is nothing wrong with it. There is zero chance customer is adding wrong password (so triggering jails ) because it is saved in outlook.

What they are doing or not doing or why Fail2Ban add them to the list. I don't think it's wrong Fail2ban configuration because customers from other subscriptions does not have such problems. For now my solution is to log in to plesk and to unban them manually.

But why they are getting on that list in the first place anyway? They only interaction is through Outlook and why does it work for some period then Ban! Is there a specific log?I mean
/var/log/fail2ban.log does not tell me why it just say banned.

For now i deactivated these two jails which is not good thing i know. Is there an option where i can add pol/range of that provider IP addresses so Fail2ban does not trigger and ban them?

 

[OverWolf]

If your customers have a staatic ip, you can put their IP in "trusted IP address" under Fail2Ban section on plesk

 

[seqoi]

If your customers have a staatic ip, you can put their IP in "trusted IP address" under Fail2Ban section on plesk

I am aware of that feature and i use it but not for this particular customers, no they don't have static IP (sadly). Thanks for responding.

 

[UFHH01]

Hi seqoi,

But why they are getting on that list in the first place anyway? They only interaction is through Outlook and why does it work for some period then Ban! Is there a specific log?I mean
/var/log/fail2ban.log does not tell me why it just say banned.

The "plesk-postfix" jail uses the standart fail2ban - filter "postfix-sasl" and you could inspect the used "failregex" and "ignoreregex" definitions, to inform yourself about it:

cat /etc/fail2ban/filter.d/postfix-sasl.conf

With this information, you could now head over to your defined log - file(s) ( the definitions can be seen over the Plesk Control Panel, or again over the command line ):

cat /etc/fail2ban/jail.d/plesk.conf

... and you could now investigate WHY a specific IP has been banned:

find /var/log -type f -name "maillog" -exec grep --color -Hni "authentication failed" {} \;

or

find /var/log -type f -name "maillog" -exec grep --color -Hni "XXX.XXX.XXX.XXX" {} \;

The idea to whitelist the ISP - provider pool

Is there an option where i can add pol/range of that provider IP addresses so Fail2ban does not trigger and ban them?

... is a bad idea, as these are far too much IPs and it's nearly the same as disabling the corresonding jails.

 

[Bitpalast]

There is zero chance customer is adding wrong password (so triggering jails ) because it is saved in outlook. ... They only interaction is through Outlook and why does it work for some period then Ban!

Ask your customers about and look out for smartphones. When they have an e-mail software configured, it will be sufficient that a single phone in the wifi field of the local router of your customer tries to login with false credentials. It can be a device that has never even used the mailbox. If a user had entered the server's domain or the customer's domain, the phone will try to connect. When the phone is in the wifi network, it uses the landline router IP. The false login attempts will cause the block. Incomplete login attempts will trigger a ban, too.

This can easily be checked against the /var/log/maillog entries. Simply look for the "unauthorized" lines when the situation occurs. Before or in that line you will find the e-mail "address" that the device tried to login with. Normally the culprit can then easily be found.

 

[seqoi]

Thank you all! It was what Peter mentioned. Customer had smartphone trying to access mail with long credentials. Since it was connected to the same wifi where computer is connected server banned it.

Case closed.

Thank you all once again. Help much appreciated!

 

[vaelu]

Hello guys

We have the exact problem like @seqoi had, and we are currently investigating this. I will update this thread once I found the problem.

Thanks in advance for the tips.

 

[seqoi]

Hello guys

We have the exact problem like @seqoi had, and we are currently investigating this. I will update this thread once I found the problem.

Thanks in advance for the tips.

In my case it was customers having old credentials on their smartphones / tablets. Even though i asked them they were not aware of it. After my thorough inspection of log files i called them again and said "look it's you and some of your devices" and that motivated them to look closely and to actually delete/update old accounts.

Hopefully you'll nail your problem swiftly.

 

[vaelu]

In my case it was customers having old credentials on their smartphones / tablets. Even though i asked them they were not aware of it. After my thorough inspection of log files i called them again and said "look it's you and some of your devices" and that motivated them to look closely and to actually delete/update old accounts.

Hopefully you'll nail your problem swiftly.

I just had a phone call with the customer which is facing the issue and yes, he has a Smartphone which is connected to the mailbox over his Wifi, but the strange this is, the credentials aren't wrong. He told me that he still received emails on his phone while on the computer it wasn't working anymore (because the IP was blocked). But that does not really make sense for me because the Smartphone should have the same IP.

 

[seqoi]

He told me that he still received emails on his phone while on the computer it wasn't working anymore

That's subject of debate in my opinion. Who know what he have in his setup. Most of the time customers usually are not knowledgeable about these things.

Perhaps he's having gmail accounts as well or some forwarding hence he is receiving his email through gmail import or something. You can't really tell unless you phone him and walk him through. Ask him which application he uses, perhaps only gmail, perhaps only dedicated email client (shipped with phone), in most of the cases they use both and aren't even aware of it.

You'll need to do boring stuff. Call him and walk him through. Good luck.