
I'm running an Ubuntu server with Postfix serving as a mail relay. To prevent brute force attacks, I installed Fail2Ban and configured it to look at /var/log/mail.log to ban IPs accordingly. I'm using the default Postfix filter [FAIL2BAN_FOLDER]/filter.d/postfix.conf that comes with Fail2Ban, configured to the strictest detection mode so that it captures SASL login failures too.

The regex in postfix.conf that catches failed Postfix logins is as follows:

^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)

It perfectly captures all failed logins to the mail relay, and using fail2ban-client status postfix will show me all the IPs that have been banned for brute forcing. However, when I check iptables --list, I get some entries that do not ban IP addresses, but domain names instead. Below are some examples:

target     prot opt source               destination
REJECT     all  --  vm5403.hv8.ru        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  179.185.35.150.static.gvt.net.br  anywhere             reject-with icmp-port-unreachable

I don't use iptables independently, but only through Fail2Ban. Is this something I should be concerned about? What can I do to rectify it if it happens to be an issue?

1 Answer

I don't think that this is something that fail2ban actually does, rather I suspect that you are being confused by iptables --list looking up the names for presentation purposes.

Add -n to your iptables --list command to disable this.

From the iptables manual (emphasis added):

-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use
iptables -L -v
or iptables-save(8).

  • Thanks! No wonder iptables --list was taking so long to execute. It was doing an rDNS. It's a relief to know that my fail2ban is configured right.
    – John Doe
    Commented Dec 10, 2018 at 7:50
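To see why the bans really do hold IP addresses and not names, here is an added example (it is not from the question, the answer or the fail2ban project) that applies the failregex quoted in the question, with fail2ban's own <HOST> and %(_port)s substitutions, to a few constructed mail.log lines. Postfix logs the client as "rdns-name[ip]", and <HOST> only captures what is inside the brackets, so the rule fail2ban installs names the IP; the hostnames in the question come from iptables resolving them at listing time. Two assumptions: the prefix-stripping regex below is a simplified stand-in for the filter's real prefregex (fail2ban matches the syslog prefix separately and feeds only the message body to the failregex, which is why "^[^[]*\[" is not tripped up by the "[pid]" of smtpd), and Python 3.11 and later reject a global "(?i)" in the middle of a pattern, so the equivalent scoped "(?i:...)" form is used.

```python
import re

# fail2ban substitutes these tags before compiling a filter's regexes.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # fail2ban's default <HOST> pattern
PORT = r"(?::\d+)?"                               # %(_port)s in postfix.conf

# Simplified stand-in for the filter's prefregex (assumption: the real one is
# built from fail2ban's __prefix_line and _daemon definitions). It strips the
# syslog timestamp, host and "postfix/smtpd[pid]: warning: " so that the
# failregex only sees the message body.
PREFIX = re.compile(
    r"^\S+\s+\d+\s+\d+:\d+:\d+ \S+ postfix(?:-\w+)?/\S+\[\d+\]: "
    r"warning: (?P<content>.+)$"
)

# The auth-mode failregex quoted in the question, with <HOST> and %(_port)s
# expanded. "(?i:...)" replaces the original "(?i)" (same meaning, accepted by
# Python 3.11+); the negative lookahead keeps backend outages from counting as
# password failures.
FAILREGEX = re.compile(
    r"^[^[]*\[" + HOST + r"\]" + PORT +
    r": SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
    r"(?! Connection lost to authentication server)"
)

# Constructed sample log lines (documentation IP ranges), not from any real server.
SAMPLE_LOG = [
    "Dec 10 07:40:01 relay postfix/smtpd[4242]: connect from unknown[203.0.113.45]",
    "Dec 10 07:40:02 relay postfix/smtpd[4242]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Dec 10 07:40:03 relay postfix/smtpd[4242]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure",
    "Dec 10 07:40:04 relay postfix/smtpd[4242]: warning: unknown[203.0.113.45]: SASL CRAM-MD5 authentication failed: authentication failure",
    "Dec 10 07:41:10 relay postfix/smtpd[4243]: warning: vm5403.hv8.ru[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Dec 10 07:42:00 relay postfix/smtpd[4244]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: Connection lost to authentication server",
]


def sasl_failure_host(line):
    """Return the client IP fail2ban would count for this line, or None.

    The rDNS name before the bracket ("unknown", "vm5403.hv8.ru") is consumed
    by "[^[]*" and never reaches the <HOST> group.
    """
    m = PREFIX.match(line)
    if not m:
        return None
    m = FAILREGEX.match(m.group("content"))
    return m.group("host") if m else None


def banned_hosts(lines, maxretry=3):
    """IPs that reached maxretry SASL failures (findtime ignored for brevity)."""
    counts = {}
    for line in lines:
        host = sasl_failure_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{sasl_failure_host(line)!s:>14}  <- {line[16:70]}...")
    print("would ban with maxretry=3:", banned_hosts(SAMPLE_LOG))
```

Run against the sample lines, only 203.0.113.45 reaches three failures; 198.51.100.7 (logged behind the vm5403.hv8.ru rDNS name) is counted once, and the "Connection lost to authentication server" line is ignored. To check a real log against the shipped filter, fail2ban provides fail2ban-regex, e.g. fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf, which prints the matched <HOST> values; and iptables -n -L on the jail's chain (f2b-postfix on current fail2ban releases) shows the same IPs without the reverse lookups.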
