How to find out why Fail2ban blocked a user

Fail2ban doesn’t have logging to show you which “user” gets blocked.

The reason is that Fail2ban is a low-level utility that works across many technologies, mostly at the IP and log file level. The log file level typically uses regular expressions. So it is not possible to get Fail2ban to log, for example, which IMAP or SMTP user is blocked.

Instead the way to go is to interrogate two log files:

  1. The fail2ban log file
  2. The system log, e.g. syslog or /var/log/messages or the authentication log

In this example we’ll show you a fruitless attempt to see which user is causing an entire network to be blocked from one of our servers. The attempt was fruitless because the actual problem was an email client on the end-users’ network that had SMTP configured without authentication. In effect, it tried to connect to our outgoing server without a username, so checking for authentication failures didn’t reveal a user. But do note that in some circumstances you will see the actual user, just not this time.

How to check the Fail2ban log file for bans

This is step one: getting the correct information on THE TIME OF THE INCIDENT.

cat /var/log/fail2ban.log | grep "Ban a.b.c.d"
2021-07-22 09:13:05,428 fail2ban.actions [4086392]: NOTICE [postfix-sasl] Ban a.b.c.d
2021-07-22 09:13:05,707 fail2ban.actions [4086392]: NOTICE [postfix-sasl2] Ban a.b.c.d

We can see the time is 09:13:05. Since bans would most likely occur after security logging, we can assume that the problem occurred a few milliseconds or a second or two before 09:13:05.

How to check Syslog for Authentication Failures

The next grep is more tricky, because on a really busy server you might have hundreds of events per minute. But here is a start:

cat /var/log/syslog | grep "a.b.c.d"
Jul 22 09:08:50 mail-server dovecot: pop3-login: Login: [email protected], method=PLAIN, rip=a.b.c.d, lip=z.y.x.w, mpid=1416314, session=<ieZ79bDHEchpuFzk>
Jul 22 09:13:01 mail-server postfix/smtpd[1416262]: warning: hostname a-b-c-d.north.dsl.telkomsa.net does not resolve to address a.b.c.d: Name or service not known
Jul 22 09:13:01 mail-server postfix/smtpd[1416262]: connect from unknown[a.b.c.d]
Jul 22 09:13:03 mail-server postfix/smtpd[1416262]: warning: unknown[a.b.c.d]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:04 mail-server postfix/smtpd[1416262]: warning: unknown[a.b.c.d]: SASL LOGIN authentication failed: authentication failure
Jul 22 09:13:06 mail-server postfix/smtpd[1416262]: warning: unknown[a.b.c.d]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:08 mail-server postfix/smtpd[1416262]: warning: unknown[a.b.c.d]: SASL LOGIN authentication failed: authentication failure
Jul 22 09:13:08 mail-server postfix/smtpd[1416262]: lost connection after AUTH from unknown[a.b.c.d]
Jul 22 09:13:08 mail-server postfix/smtpd[1416262]: disconnect from unknown[a.b.c.d] ehlo=1 auth=0/4 commands=1/5

If you’ve followed along you will see that the events from 09:13:01 to 09:13:04 most likely caused Fail2ban to kick in, after which it would have implemented a firewall rule. That rule implementation probably takes another second or two, including the firewall apply, and that would explain the events from 09:13:06 to 09:13:08.

There you go! Masterclass in network administration. AKA, find a needle in a haystack 😉

Script to Check for Bans

Here is a Bash script to check for bans.

Please note syslog.1 is used, which on our system shows the day before. If you want to see today, use syslog instead.

#!/bin/bash

# Obtain an IP address from the command line; stop if none was given
ip_address="$1"
if [ -z "$ip_address" ]; then
    echo "Usage: $0 <ip-address>" >&2
    exit 1
fi

echo "Now searching for $ip_address in /var/log/fail2ban.log"
# -F treats the IP literally, so its dots are not regex wildcards
grep -F "Ban $ip_address" /var/log/fail2ban.log

echo "Please enter the day, hour and minute of the Ban outputted above, as they appear in syslog, including the colon. E.g. 26 21:03"
read -r the_log_date_and_time

# The entered date/time must be followed by the seconds colon, then anything up to the IP address
egrep "$the_log_date_and_time:.*$ip_address" /var/log/syslog.1

Most of the magic in the above script is the egrep command (the same as grep -E), which allows extended regular expressions. In this case:

> Find the log date and time as specified on the input, then match any characters until you find the IP address.
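The manual cross-referencing in the two log-checking steps above, and the script that half-automates it, both rely on you retyping the ban time in syslog's format. The script below is an added example, not code from the original article: it reads the ban timestamp out of the Fail2ban log itself, converts it to the "Mon DD HH:MM:SS" form that classic syslog prints, and shows only the syslog lines for that IP in the seconds leading up to the ban (the retries that arrive after the firewall rule has landed are filtered out). It goes a little beyond the article in that it handles several bans of the same IP and a configurable look-back window. The log contents, the IP 203.0.113.7 (a documentation address) and the function names are constructed for this example; it assumes traditional syslog timestamps rather than journald or RFC 3339 output, and a grep that supports -E, -F and -w.

```shell
#!/bin/sh
# Added example (not from the original article): pull the ban time out of the
# Fail2ban log, convert it to the "Mon DD HH:MM:SS" form classic syslog uses,
# and print only the syslog lines for that IP in the seconds before the ban.
# Assumes traditional syslog timestamps and a grep that supports -E/-F/-w.

# Constructed sample logs standing in for /var/log/fail2ban.log and
# /var/log/syslog (203.0.113.7 is a documentation address, not a real client).
FAIL2BAN_SAMPLE='2021-07-22 09:13:05,428 fail2ban.actions [4086392]: NOTICE [postfix-sasl] Ban 203.0.113.7
2021-07-22 09:13:05,707 fail2ban.actions [4086392]: NOTICE [postfix-sasl2] Ban 203.0.113.7'

SYSLOG_SAMPLE='Jul 22 09:08:50 mail-server dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Jul 22 09:13:01 mail-server postfix/smtpd[1416262]: connect from unknown[203.0.113.7]
Jul 22 09:13:03 mail-server postfix/smtpd[1416262]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:04 mail-server postfix/smtpd[1416262]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 22 09:13:06 mail-server postfix/smtpd[1416262]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jul 22 09:13:08 mail-server postfix/smtpd[1416262]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/4 commands=1/5'

# HH:MM:SS -> seconds since midnight (leading zero stripped so 08/09 are not
# read as octal by the shell's arithmetic).
hms_to_secs() {
    local h m s rest
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# "YYYY-MM-DD" -> "Mon DD" exactly as syslog prints it (day right-aligned in
# two columns, so the 2nd is "Jul  2" with two spaces).
iso_day_to_syslog() {
    local m d rest mon
    rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    case $m in
        01) mon=Jan;; 02) mon=Feb;; 03) mon=Mar;; 04) mon=Apr;;
        05) mon=May;; 06) mon=Jun;; 07) mon=Jul;; 08) mon=Aug;;
        09) mon=Sep;; 10) mon=Oct;; 11) mon=Nov;; 12) mon=Dec;;
    esac
    printf '%s %2d' "$mon" "${d#0}"
}

# Distinct "YYYY-MM-DD HH:MM:SS" ban times for one IP from fail2ban.log text.
# -F keeps the dots literal; -w stops 10.0.0.1 from also matching 10.0.0.10.
ban_timestamps() {
    printf '%s\n' "$1" | grep -F -w -- "Ban $2" | cut -d, -f1 | sort -u
}

# Syslog lines naming the IP on the ban's day, from $window seconds before the
# ban up to the ban itself. Lines after the ban (the client still retrying
# while the firewall rule is applied) are deliberately left out.
syslog_before_ban() {
    local syslog_text="$1" ip="$2" ban_ts="$3" window="${4:-60}"
    local day_prefix ban_secs ip_re line t
    day_prefix=$(iso_day_to_syslog "${ban_ts%% *}")
    ban_secs=$(hms_to_secs "${ban_ts#* }")
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for -E
    printf '%s\n' "$syslog_text" \
      | grep -E "^$day_prefix [0-9:]{8} .*[^0-9]$ip_re([^0-9]|$)" \
      | while IFS= read -r line; do
            t=$(hms_to_secs "$(printf '%s' "$line" | cut -c8-15)")
            if [ "$t" -le "$ban_secs" ] && [ "$t" -ge $((ban_secs - window)) ]; then
                printf '%s\n' "$line"
            fi
        done
}

# Tie the two steps together for every ban of the IP.
investigate_ban() {
    local f2b_text="$1" syslog_text="$2" ip="$3" window="${4:-60}" ts
    ban_timestamps "$f2b_text" "$ip" | while IFS= read -r ts; do
        printf '== %s banned at %s; syslog for the %s seconds before ==\n' "$ip" "$ts" "$window"
        syslog_before_ban "$syslog_text" "$ip" "$ts" "$window"
    done
}

# With an IP argument, read the live logs; with none, run on the sample data.
if [ $# -ge 1 ]; then
    investigate_ban "$(cat /var/log/fail2ban.log)" "$(cat /var/log/syslog)" "$1" "${2:-60}"
else
    investigate_ban "$FAIL2BAN_SAMPLE" "$SYSLOG_SAMPLE" 203.0.113.7 60
fi
```

Run it with no arguments to see the sample walk-through; on a server, run it as `sh find_ban.sh a.b.c.d 120` to look back 120 seconds before each ban of that address. Because the logs are read into shell variables, point it at the rotated file that actually covers the ban (syslog.1, as in the article) rather than a multi-gigabyte live log; the 60-second default window is what separates the failed logins that triggered the ban from the client's later retries.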

Cross Reference

On Mac Mail and Outlook, how do I ensure that the outgoing server is using authentication?
