OpenWrt 18.06.2 with fail2ban and iptables

Hello!

How are you?
I am experiencing a bot attack. My problem is that I created a fail2ban service on Linksys WRT 3200ACM and 1900ACS.
What is weird is that it works with fail2ban, but for some reason it is not working.
Is it because iptables is not working with OpenWrt? It has its own IP tables:

It looks like this:
iptables -L -n

It should be working, but still the attack is happening (the last line shows the banned IP):

root@business:~# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-postfix-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,220,993,110,995,587
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
input_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
zone_lan_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_input  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
reject     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
output_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_output  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (2 references)
target     prot opt source               destination         

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
REJECT     all  --  142.44.131.70        0.0.0.0/0            reject-with icmp-port-unreachable

Maybe I'm missing something, but blocking packets at your firewall doesn't magically make the sender stop sending them, even if you send an unreachable message.

Is it possibly UDP?

You might want to run a reverse lookup on that IP address. It looks like it starts with mail. and your rule name contains postfix. Somehow I doubt it's a "bot attack" given that.

@discobot, is that you?


Hi! To find out what I can do, say @discobot display help.

Well, there are 5 connections, the reverse lookup is wrong (so domain != IP), and every minute it tries to log in via my mail server.

But there is a mail.* domain with PTR...

I think it looks like an attack.

Sorry, I think I am experiencing a bot attack.

Actually that domain is not registered!

What kind of bot attack?
What makes you think it's an attack?

It should work for that one IP address.
It should not appear in the mail-server logs after it has been banned.

Are you sure it's not some other IP?

Also note that fail2ban requires fine tuning to perform the blocking properly.
And the tuning depends on your service version and configuration.

This is what is happening:

Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: connect from unknown[142.44.131.70]
Feb 16 17:41:37 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:43 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:53 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:42:02 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:42:02 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:42:02 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server

It means you should read mail server logs and configure fail2ban-regexps to match those log messages.
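Added example, not code from the thread or from fail2ban itself: a small Python filter in the spirit of that advice, run over a subset of the Postfix lines posted above. It skips "Connection lost to authentication server" lines, because that message means Postfix's SASL library lost contact with its own authentication backend (such as saslauthd) rather than that the client sent a wrong password; it decodes the logged `UGFzc3dvcmQ6` token; and it applies the maxretry/findtime counting rule to decide which hosts would be banned. The regex, function names and default thresholds are this example's own assumptions.

```python
import base64
import re
from datetime import datetime

# Lines copied from the thread's Postfix excerpt (a subset). "Connection lost to
# authentication server" means Postfix lost its own SASL backend, not a wrong password.
SAMPLE_LOG = """\
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:37 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:43 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Client-side SASL failures only; the negative lookahead drops backend-outage lines.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix(?:/\S+)?/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>\d+\.\d+\.\d+\.\d+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed:"
    r"(?! Connection lost to authentication server) ?(?P<reason>.*)$"
)

def parse_failures(log_text):
    """Return [(timestamp, host, reason)]. Syslog has no year, so only deltas within one day are safe."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], m["reason"]))
    return out

def decode_sasl_reason(reason):
    """The trailing token is base64: 'UGFzc3dvcmQ6' is the LOGIN mechanism's 'Password:' prompt."""
    try:
        return base64.b64decode(reason.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return reason.strip()

def hosts_to_ban(failures, maxretry=5, findtime=600):
    """Apply fail2ban's rule: ban once maxretry failures fall inside a findtime-second window.
    Returns {host: failures seen at the moment the ban would fire}."""
    banned = {}
    for host in sorted({h for _, h, _ in failures}):
        stamps = sorted(ts for ts, h, _ in failures if h == host)
        for end in range(maxretry - 1, len(stamps)):
            if (stamps[end] - stamps[end - maxretry + 1]).total_seconds() <= findtime:
                banned[host] = end + 1
                break
    return banned
```

On the sample, the five `UGFzc3dvcmQ6` failures arrive within 15 seconds, so the default thresholds ban 142.44.131.70 while the "Connection lost" line is never counted against it.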

As you can see in the 2nd post, I am already using fail2ban (f2b = fail2ban; it is working, fail2ban is right):

root@business:~# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-postfix-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,220,993,110,995,587
Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
REJECT     all  --  142.44.131.70        0.0.0.0/0            reject-with icmp-port-unreachable

But for some reason it is not happening.

The problem is that iptables-save just saves the IP tables, but fail2ban is already using an SQLite server and restores...
What is weird with OpenWrt is that the iptables look right, but the "attack" is still happening.

Yes, of course, it is a fishy attack :slight_smile:

Show iptables rules dump to verify the rules order is correct:

iptables-save

Damn, now it stopped it!!!
I had something similar before:

Your chance to attack then


I do not attack. Darn it!