On 13.06.20 at 16:28, Mathias Homann wrote:
> On Saturday, 13 June 2020, 16:16:19 CEST, Andreas Ernst wrote:
>> Chain f2b-dovecot (1 references)
>> [...]
>> To me that looks OK so far, it's just that firewalld doesn't reject. The
>> rules are there, or how do you see it?
> The f2b-dovecot chain exists, but is it actually jumped to from the default rules?
> Somehow all of this looks completely different on my side:
> in the firewall itself there is only one rule per jail, e.g. here on my
> nextcloud server:
> nextcloud:~ # iptables -nvL --line-numbers|grep f2b
> 1      40  2380 REJECT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
> 2     730 37960 REJECT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443 match-set f2b-wordpress-soft src reject-with icmp-port-unreachable
> 3       0     0 REJECT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443 match-set f2b-wordpress-hard src reject-with icmp-port-unreachable
For me it looks like this:
mail:/etc/fail2ban/ # iptables -nvL --line-numbers|grep f2b
1     149K   19M f2b-dovecot  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  multiport dports 110,995,143,993,587,587,2000
Chain f2b-dovecot (1 references)
> and fail2ban then enters the relevant addresses into the ipsets.
> I think you should perhaps install the current firewalld and fail2ban versions from
> the OBS repos and then go through the configuration - e.g. make sure that fail2ban
> actually knows it has to work together with firewalld, etc. etc.
Information for package fail2ban:
---------------------------------
Repository     : Main Repository (OSS)
Name           : fail2ban
Version        : 0.10.4-lp151.1.1
Arch           : noarch
Vendor         : openSUSE
Installed Size : 1.3 MiB
Installed      : Yes
Status         : up-to-date
Source package : fail2ban-0.10.4-lp151.1.1.src
Which repo do you mean by OBS? I am using the distribution repos.
Here is the output of:
mail:/etc/fail2ban # iptables -L
Chain INPUT (policy ACCEPT)
target              prot opt source               destination
f2b-dovecot         tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap,imaps,submission,submission,sieve
ACCEPT              all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT              all  --  anywhere             anywhere
INPUT_direct        all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES         all  --  anywhere             anywhere
DROP                all  --  anywhere             anywhere             ctstate INVALID
REJECT              all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target                    prot opt source               destination
ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT                    all  --  anywhere             anywhere
FORWARD_direct            all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE   all  --  anywhere             anywhere
FORWARD_IN_ZONES          all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES         all  --  anywhere             anywhere
DROP                      all  --  anywhere             anywhere             ctstate INVALID
REJECT                    all  --  anywhere             anywhere             reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ldap ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ldaps ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sip ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sip ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sip-tls ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sip-tls ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:svrloc ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:svrloc ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sieve ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:appserv-http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:57389 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:55389 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54306 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:55306 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:57210 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:57200 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54307 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:57017 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:63701 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:63702 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:55555:60000 ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain f2b-dovecot (1 references)
target prot opt source destination
REJECT     all  --  141.98.80.150        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  212.70.149.34        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.254        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  185.143.72.25        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  185.143.72.23        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.150.191        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  net6-ip66.linkbg.com anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.4          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.253        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.5          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.250        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.252        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.248        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.249        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.150.190        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.6          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.145.251        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.150.188        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.150.153        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  46.38.150.142        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  net6-ip70.linkbg.com anywhere             reject-with icmp-port-unreachable
REJECT     all  --  212.70.149.18        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  212.70.149.2         anywhere             reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
As I understand it, the f2b-dovecot rule is being used.
Regards
Andreas
--
ae | Andreas Ernst | IT Spektrum
Postfach 5, 65612 Beselich
Schupbacher Str. 32, 65614 Beselich, Germany
Tel: +49-6484-91002 Fax: +49-6484-91003
ae(a)ae-online.de |
www.ae-online.de
www.tachyon-online.de
--
To unsubscribe from the list, send an e-mail to:
opensuse-de+unsubscribe(a)opensuse.org
To reach the list administrator, send an e-mail to:
opensuse-de+owner(a)opensuse.org
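The question in this thread is whether the f2b-dovecot chain is actually reached from INPUT, and Mathias's listing shows the other wiring fail2ban can produce, a REJECT rule with an ipset match-set placed directly in INPUT. The script below is an added example, not code from either poster or from the fail2ban project. It parses `iptables -nvL --line-numbers` output and reports, per jail, whether the ban rule or chain jump sits in INPUT ahead of firewalld's zone dispatch (INPUT_ZONES, INPUT_direct) and any unconditional ACCEPT, whether that rule has seen traffic, and, for a chain-style jail, how many addresses it currently rejects. It also flags an f2b-* chain that exists but is not referenced from INPUT, which is the failure Mathias asks about. The two embedded listings are constructed samples modelled on the outputs above, with illustrative counters and addresses; the column layout assumed is that of `iptables -nvL` with `--line-numbers` (the plain `iptables -L` listing above resolves names and omits counters, so it will not parse).

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample (not a live capture) shaped like `iptables -nvL --line-numbers` on a
# firewalld host where fail2ban uses its default iptables-multiport action: INPUT jumps
# into an f2b-<jail> chain holding one REJECT per banned address.
SAMPLE_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in  out source         destination
1     149K   19M f2b-dovecot  tcp  --  *   *   0.0.0.0/0      0.0.0.0/0    multiport dports 110,995,143,993,587,587,2000
2      10M 5000M ACCEPT       all  --  *   *   0.0.0.0/0      0.0.0.0/0    ctstate RELATED,ESTABLISHED
3      100  8000 ACCEPT       all  --  lo  *   0.0.0.0/0      0.0.0.0/0
4        0     0 INPUT_direct all  --  *   *   0.0.0.0/0      0.0.0.0/0
5     5000  400K INPUT_ZONES  all  --  *   *   0.0.0.0/0      0.0.0.0/0
6      200 12000 REJECT       all  --  *   *   0.0.0.0/0      0.0.0.0/0    reject-with icmp-host-prohibited

Chain f2b-dovecot (1 references)
num   pkts bytes target       prot opt in  out source         destination
1       12   720 REJECT       all  --  *   *   141.98.80.150  0.0.0.0/0    reject-with icmp-port-unreachable
2        3   180 REJECT       all  --  *   *   212.70.149.34  0.0.0.0/0    reject-with icmp-port-unreachable
3     149K   19M RETURN       all  --  *   *   0.0.0.0/0      0.0.0.0/0
"""
# Constructed sample for the firewallcmd-ipset style: one REJECT per jail directly in
# INPUT matching an ipset; the banned addresses live in the set (`ipset list f2b-sshd`).
SAMPLE_IPSET = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in  out source         destination
1       40  2380 REJECT       tcp  --  *   *   0.0.0.0/0      0.0.0.0/0    multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
2      10M 5000M ACCEPT       all  --  *   *   0.0.0.0/0      0.0.0.0/0    ctstate RELATED,ESTABLISHED
3     5000  400K INPUT_ZONES  all  --  *   *   0.0.0.0/0      0.0.0.0/0
"""
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def to_int(counter: str) -> int:
    """Convert an iptables counter such as '149K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", counter)
    if not m:
        raise ValueError(f"bad counter: {counter!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

@dataclass
class Rule:
    num: int      # position in its chain (requires --line-numbers)
    pkts: int
    target: str
    source: str
    extra: str    # match/target options, e.g. 'ctstate NEW' or 'match-set f2b-sshd src ...'

def parse_iptables(text: str) -> dict:
    """Parse `iptables -nvL --line-numbers` output into {chain_name: [Rule, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), [])
        elif current is not None and line.strip() and not line.startswith("num "):
            # columns: num pkts bytes target prot opt in out source destination [options]
            f = line.split(None, 10)
            current.append(Rule(int(f[0]), to_int(f[1]), f[3], f[8],
                                f[10] if len(f) > 10 else ""))
    return chains

def check_fail2ban(chains: dict) -> dict:
    """Per jail: is its ban rule or chain jump on the INPUT path, ahead of anything
    that could ACCEPT a new connection? Returns {jail: {...}}."""
    inp = chains.get("INPUT", [])
    # First INPUT rule that can let a NEW connection through: firewalld's zone dispatch,
    # its direct chain, or an unconditional ACCEPT. The RELATED,ESTABLISHED ACCEPT does
    # not count, since a banned host's fresh SYN never matches it.
    gate = next((r.num for r in inp
                 if r.target in ("INPUT_direct", "INPUT_ZONES")
                 or (r.target == "ACCEPT" and "RELATED,ESTABLISHED" not in r.extra)), None)

    def banned(chain: str) -> int:
        return sum(1 for x in chains[chain]
                   if x.target in ("REJECT", "DROP") and x.source != "0.0.0.0/0")
    report = {}
    for r in inp:
        ok = gate is None or r.num < gate
        if r.target.startswith("f2b-") and r.target in chains:      # chain style
            report[r.target] = dict(style="chain", position=r.num, jump_pkts=r.pkts,
                                    before_gate=ok, banned=banned(r.target))
        m = re.search(r"match-set (f2b-\S+) src", r.extra)           # ipset style
        if m and r.target in ("REJECT", "DROP"):
            report[m.group(1)] = dict(style="ipset", position=r.num, jump_pkts=r.pkts,
                                      before_gate=ok, banned=None)
    # An f2b-* chain that nothing in INPUT jumps to bans nobody, however full it is.
    for name in chains:
        if name.startswith("f2b-") and name not in report:
            report[name] = dict(style="chain", position=None, jump_pkts=0,
                                before_gate=False, banned=banned(name))
    return report

if __name__ == "__main__":
    # Live use: iptables -nvL --line-numbers | python3 check_f2b.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHAIN
    for jail, r in check_fail2ban(parse_iptables(text)).items():
        state = "OK" if r["before_gate"] else "NOT EFFECTIVE"
        print(f"{jail:20} {r['style']:5} pos={r['position']} pkts={r['jump_pkts']} "
              f"banned={r['banned']} {state}")
```

Run it with the live ruleset piped in; a jail reported with `pos=None` means the chain is present but nothing in INPUT jumps to it, so fail2ban keeps adding REJECT rules that never see a packet. On a firewalld host that state typically appears after a `firewall-cmd --reload`, which rebuilds the ruleset without rules that fail2ban inserted through the iptables command directly; that is the reason the firewallcmd-* actions are the usual choice there, and it is what the "make sure fail2ban knows it has to work together with firewalld" advice above comes down to. For the ipset style the script reports `banned=None` because membership is held in the set, not in iptables; check it with `ipset list <set>`.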