OpenWrt 18.06.2 with fail2ban and iptables

Hello!

How are you?
I am experiencing a bot attack. My problem is that I created a fail2ban service on Linksys WRT 3200ACM and 1900ACS.
What is weird is that it works with fail2ban, but for some reason it is not working.
Is it because iptables are not working with OpenWrt? It has its own ip tables:

It looks like this:
iptables -L -n

It should be working, but still the attack is happening (the last line show the banned IP):

root@business:~# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-postfix-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,220,993,110,995,587
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
input_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
zone_lan_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
reject     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
output_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (2 references)
target     prot opt source               destination         

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
REJECT     all  --  142.44.131.70        0.0.0.0/0            reject-with icmp-port-unreachable

Maybe I'm missing something, but blocking packets at your firewall doesn't magically make the sender stop sending them, even if you send an unreachable message.

is it possible UDP?

You might want to run a reverse lookup on that IP address. It looks like it starts with mail. and your rule name contains postfix. Somehow I doubt its a "bot attack" given that.

@discobot, is that you?

1 Like

Hi! To find out what I can do, say @discobot display help.

well, there are 5 connections, reverse lookup is wrong (so domain != ip), and every minute it tries to login via my mail server.

but there is a mail.* domain with prt...

i think it looks like an attack.

sorry, i think it am experiencing a bot atteck.

Actually that domain is not registered!

What kind of bot attack?
What makes you think it's an attack?

It should work for that one IP-address.
It should not appear in the mail-server logs after it has been banned.

Are you sure it's not some other IP?

Also note, that fail2ban requires fine tuning to perform the blocking properly.
And the tuning depends on your service version and configuration.

This is what happening:

Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: connect from unknown[142.44.131.70]
Feb 16 17:41:37 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:43 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:53 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:42:02 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:42:02 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:42:02 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server

It means you should read mail server logs and configure fail2ban-regexps to match those log messages.

as you can see on 2 post, already using with fail2ban (f2b = fail2ban, it is working, fail2ban is right):

root@business:~# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-postfix-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,220,993,110,995,587
hain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
REJECT     all  --  142.44.131.70        0.0.0.0/0            reject-with icmp-port-unreachable

but for some reason is not happening.

the problem is, that iptables-save just saves the ip tables, but fail2ban already using a sql lite server and restores...
what is werid is with openwrt, that the iptables look right, but the "attack" is still happening.

yes, of course, it is a fishy attack :slight_smile:

Show iptables rules dump to verify the rules order is correct:

iptables-save

damn, now it stopped it!!!
i had a similar before:

Your chance to attack then

1 Like

i do not attack. darn it!