I'm running an Ubuntu server with Postfix serving as a mail relay. To prevent brute force attacks, I installed Fail2Ban and configured it to look at /var/log/mail.log to ban IPs accordingly. I'm using the default Postfix filter [FAIL2BAN_FOLDER]/filter.d/postfix.conf that comes with Fail2Ban, configured to the strictest detection mode so that it captures SASL login failures too.
The regex in postfix.conf that catches failed Postfix logins is as follows:
^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
It perfectly captures all failed logins to the mail relay, and using fail2ban-client status postfix will show me all the IPs that have been banned for brute forcing. However, when I check iptables --list, I get some entries that do not ban IP addresses, but domain names instead. Below are some examples:
target prot opt source destination
REJECT all -- vm5403.hv8.ru anywhere reject-with icmp-port-unreachable
REJECT all -- 179.185.35.150.static.gvt.net.br anywhere reject-with icmp-port-unreachable
I don't use iptables independently, but only through Fail2Ban. Is this something I should be concerned about? What can I do to rectify it if it happens to be an issue?
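As an added example (not part of the question, and not Fail2Ban's own code), the failregex quoted above is expanded and run over constructed mail.log message bodies to show what the filter actually captures: the `<host>` group always holds the literal client address, which is what gets handed to the ban action. The `<HOST>` and `%(_port)s` expansions are assumed to be the single-group definitions shipped in Fail2Ban's configuration, and the messages are assumed to have had their syslog and `postfix/smtpd[pid]: warning: ` prefix stripped, as Fail2Ban's prefix handling does before the failregex is tried.

```python
import ipaddress
import re

# Assumed placeholder definitions (Fail2Ban's shipped single-group forms):
#   <HOST>    -> named group matching an IPv4 address or hostname
#   %(_port)s -> optional ":port" suffix after the bracketed client address
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PORT_RE = r"(?::\d+)?"

# The failregex from the question. Its ((?i)...) global-flag group is written
# in the scoped form (?i:...), which newer Python versions require; the match
# semantics for these mechanism names are identical.
FAILREGEX = (
    r"^[^[]*\[<HOST>\]%(_port)s: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed:(?! Connection lost to authentication server)"
)

def compile_failregex(failregex: str) -> re.Pattern:
    """Expand Fail2Ban's placeholders and compile the resulting pattern."""
    pattern = failregex.replace("<HOST>", HOST_RE).replace("%(_port)s", PORT_RE)
    return re.compile(pattern)

def find_failures(messages):
    """Return the <host> capture of every message the failregex matches.

    Messages are assumed to be the part after 'postfix/smtpd[pid]: warning: ',
    so the first '[' in each one belongs to the client address.
    """
    regex = compile_failregex(FAILREGEX)
    return [m.group("host") for m in map(regex.search, messages) if m]

def is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def banned_addresses(messages):
    """Hosts the filter hands to the ban action; every one is a literal IP."""
    return [h for h in find_failures(messages) if is_ip(h)]

# Constructed sample messages (not real log data); the third one must be
# skipped by the negative lookahead, the fourth is a successful login.
SAMPLE_MESSAGES = [
    "unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "mail.example.net[198.51.100.9]:54321: SASL PLAIN authentication failed:",
    "unknown[192.0.2.5]: SASL plain authentication failed: Connection lost to authentication server",
    "client=host.example.org[192.0.2.8], sasl_method=PLAIN, sasl_username=bob",
]
```

Because the filter only ever yields numeric addresses, a hostname in `iptables --list` output is a reverse-DNS lookup performed at display time, not the rule's actual match criterion; `iptables -L -n` prints the stored numeric source instead.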