Massive Bruteforce attacke seit Wochen

Ganzjahresgriller

It looks like you are not retrieving data from AbuseIPDB and yes you can see everything in the journal. What is happening if you start the script manually?

maybl8

Ganzjahresgriller

[demo@mail mailcow-dockerized]$ sudo ./abuseipdb.sh
[sudo] password for demo:
Retrieve IPs from AbuseIPDB
Ensure the ipsets exist
Flush existing ipset entries
Process each IP and add it to the appropriate ipset
Ensure iptables/ip6tables rules exist at the top
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.


All done, have fun.

Check your current iplist entries with 'ipset list | less'

Your APIv2 Daily Request Limits
Endpoint	Usage / Daily Limit	Utilization Rate
blacklist	1 / 5	20%
bulk-report	0 / 5	0%
check	0 / 1,000	0%
check-block	0 / 100	0%
clear-address	0 / 5	0%
report	0 / 1,000	0%
reports	0 / 100	0%
Notify me when I exhaust my daily API limit for an endpoint.

Ganzjahresgriller

Did you enter the API key in the script? Does the file /tmp/abuseipdb_blacklist.txt exist?

DocFraggle

Ganzjahresgriller Did you enter the API key in the script? Does the file /tmp/abuseipdb_blacklist.txt exist?

As running the script manually is working, both must exist.

@maybl8 As I can see in your crontab, you want to run /etc/iptables/abuseipdb.sh
Is this the correct path? I can’t se the directory your running it from manually

maybl8

Ganzjahresgriller
Yes here is a partial output of the blacklist.txt files shows

115.190.40.219
45.93.20.57
154.213.200.14
103.77.246.172
92.255.85.107
148.113.210.228
161.35.51.178
206.168.34.162
27.24.224.91
218.92.0.221
165.232.185.147
195.154.211.56
112.199.83.117

Here is the beginning of the script file:

#!/bin/bash

# Adjust the values of the following variables
ABUSEIP_API_KEY="3ee79b41cfb33e7bb91b33cfb16382070da6aed253dffa9b8d2a619b409db9fe9fa3a6fa4c0f671c"
ABUSEIPDB_LIST="/tmp/abuseipdb_blacklist.txt"

DocFraggle

DocFraggle @maybl8 As I can see in your crontab, you want to run /etc/iptables/abuseipdb.sh
Is this the correct path? I can’t see the directory you’re running it from manually

What about my question?

maybl8 I have an ip6tables.rules file but it only has this in it:

What’s the output of

ip6tables -nL

DocFraggle

maybl8
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.

Something’s not right here at least… or do you have IPv6 disabled?

maybl8

DocFraggle I probably have it disabled but I don’t remember.
I will look into that.

I see this in mailcow.conf

IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

I have an ip6tables.rules file but it only has this in it:

# Empty iptables rule file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

maybl8

DocFraggle not sure how to answer your path question.
Here is the ip6tables command

[demo@mail iptables]$ sudo ip6tables -nL
[sudo] password for demo:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ts-input   all  --  ::/0                 ::/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  ::/0                 ::/0
DOCKER-FORWARD  all  --  ::/0                 ::/0
ts-forward  all  --  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:443
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:80
DROP       all  --  ::/0                 ::/0
DROP       all  --  ::/0                 ::/0

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination
DOCKER     all  --  ::/0                 ::/0
DOCKER     all  --  ::/0                 ::/0

Chain DOCKER-CT (1 references)
target     prot opt source               destination
ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination
DOCKER-CT  all  --  ::/0                 ::/0
DOCKER-ISOLATION-STAGE-1  all  --  ::/0                 ::/0
DOCKER-BRIDGE  all  --  ::/0                 ::/0
ACCEPT     all  --  ::/0                 ::/0
ACCEPT     all  --  ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0
DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  ::/0                 ::/0
DROP       all  --  ::/0                 ::/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  ::/0                 ::/0

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       all  --  ::/0                 ::/0                 MARK xset 0x40000/0xff0000
ACCEPT     all  --  ::/0                 ::/0                 mark match 0x40000/0xff0000
ACCEPT     all  --  ::/0                 ::/0

Chain ts-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  fd7a:115c:a1e0::e601:2f68  ::/0
ACCEPT     all  --  ::/0                 ::/0
ACCEPT     udp  --  ::/0                 ::/0                 udp dpt:41641

DocFraggle

maybl8 not sure how to answer your path question

OK, let me rephrase 🙂 Is your script “abuseipdb.sh” located in the directory /etc/iptables/ or is it stored in another directory?

maybl8 Here is the ip6tables command

So there’s indeed no MAILCOW chain, it must be disabled then.

maybl8

DocFraggle

[demo@mail /]$ ls -la /etc/iptables
total 36
drwxr-xr-x   2 root root  4096 Mar 31 15:12 .
drwxr-xr-x 104 root root 12288 Apr  1 08:00 ..
-rwxr-xr-x   1 root root  4570 Mar 29 12:48 abuseipdb.sh
lrwxrwxrwx   1 root root    36 Mar 22 13:58 empty.rules -> ../../usr/share/iptables/empty.rules
-rw-r--r--   1 root root   105 Mar 22 13:58 ip6tables.rules
-rw-r--r--   1 root root  7388 Mar 25 15:56 iptables.rules
lrwxrwxrwx   1 root root    46 Mar 22 13:58 simple_firewall.rules -> ../../usr/share/iptables/simple_firewall.rules

Where would it be disabled at?

DocFraggle

maybl8 Where would it be disabled at?

Maybe you followed this documentation? https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/
I don’t know 😃

About the cronjob, you entered that line via crontab -e as the root user?

maybl8

DocFraggle Here is the section in the docker-compose.yml

networks:
  mailcow-network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-mailcow
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}

I did not use root for the cron job. Is that the issue?

curiosity

DocFraggle

Wo genau hängt denn bei Dir jetzt ein http Plugin drin?

Das Plugin ist von Crowdsec -> https://docs.crowdsec.net/docs/v1.3.4/notification_plugins/http
bisher hatte ich das für die Benachrichtung über Telegram benutzt und jetzt für die Übermittlung der bösen IP zusätzlich an AbuseIPdb erweitert. Hat heute schon 14 IPs gemeldet.

@Ganzjahresgriller: Ging die Frage von dir an mich? Wenn ja, soll ich das in diesem Thread posten oder lieber was eigenes?

[unknown] I did not use root for the cron job. Is that the issue?

Yes, root rights are required to apply iptables rules

[unknown] I did not use root for the cron job. Is that the issue?

Yes, root rights are required to apply iptables rules

DocFraggle

curiosity Yes, root rights are required to apply iptables rules

What he said 😃

maybl8

DocFraggle OK I removed the cron job as the user and re added it as root user.
I will now wait for 5 hours and see if that works.

I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

curiosity

DocFraggle

Ups, das sollte eigentlich die Frage von @maybl8 beantworten. Aber da ist wohl was schief gelaufen mit mein Posting. 🙃 Dummerweise kann man das aber leider nicht mehr editieren.

DocFraggle

maybl8 I will now wait for 5 hours and see if that works.

OK, 20:00 will be the next run

maybl8 I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

No, you can ignore this.

maybl8

DocFraggle
Checked my blacklist file this morning . Date hasn’t changed so I don’t think the cron job is working for me.

-rw-r--r--  1 root root 142377 Apr  1 11:29 abuseipdb_blacklist.txt

I changed it to run as root.

[demo@mail tmp]$ sudo crontab -l
[sudo] password for demo:
0 */5 * * * /etc/iptables/abuseipdb.sh

[demo@mail tmp]$ cd /etc/iptables
[demo@mail iptables]$ ls
abuseipdb.sh  empty.rules  ip6tables.rules  iptables.rules  simple_firewall.rules

semaf

Wie ist es wenn wir aus SASL Logins aus den mailcow logs abgreifen, diese
in die iptables setzen wenn Benutzer unbekannt ist? Bei mir werden random benutzer getestet die gar nicht im System existieren. Habt ihr das auch?

DocFraggle

semaf Bei mir werden random benutzer getestet die gar nicht im System existieren. Habt ihr das auch?

Ja, normales Grundrauschen. Sollte aber von Fail2Ban geregelt werden, da braucht man nichts extra machen

« Previous Page Next Page »