Ganzjahresgriller Did you enter the API key in the script? Does the file /tmp/abuseipdb_blacklist.txt exist?

As running the script manually is working, both must exist.

@maybl8 As I can see in your crontab, you want to run /etc/iptables/abuseipdb.sh
Is this the correct path? I can’t see the directory you’re running it from manually.

    Ganzjahresgriller
    Yes, here is partial output of the blacklist.txt file:

    115.190.40.219
    45.93.20.57
    154.213.200.14
    103.77.246.172
    92.255.85.107
    148.113.210.228
    161.35.51.178
    206.168.34.162
    27.24.224.91
    218.92.0.221
    165.232.185.147
    195.154.211.56
    112.199.83.117
    

    Here is the beginning of the script file:

    #!/bin/bash
    
    # Adjust the values of the following variables
    ABUSEIP_API_KEY="3ee79b41cfb33e7bb91b33cfb16382070da6aed253dffa9b8d2a619b409db9fe9fa3a6fa4c0f671c"
    ABUSEIPDB_LIST="/tmp/abuseipdb_blacklist.txt"
    

      maybl8
      ip6tables: No chain/target/match by that name.
      ip6tables: No chain/target/match by that name.

      Something’s not right here at least… or do you have IPv6 disabled?

        DocFraggle I probably have it disabled but I don’t remember.
        I will look into that.

        I see this in mailcow.conf

        IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
        

        I have an ip6tables.rules file but it only has this in it:

        # Empty iptables rule file
        *filter
        :INPUT ACCEPT [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        COMMIT
        

          DocFraggle not sure how to answer your path question.
          Here is the ip6tables command

          [demo@mail iptables]$ sudo ip6tables -nL
          [sudo] password for demo:
          Chain INPUT (policy ACCEPT)
          target     prot opt source               destination
          ts-input   all  --  ::/0                 ::/0
          
          Chain FORWARD (policy DROP)
          target     prot opt source               destination
          DOCKER-USER  all  --  ::/0                 ::/0
          DOCKER-FORWARD  all  --  ::/0                 ::/0
          ts-forward  all  --  ::/0                 ::/0
          
          Chain OUTPUT (policy ACCEPT)
          target     prot opt source               destination
          
          Chain DOCKER (2 references)
          target     prot opt source               destination
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:443
          ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:80
          DROP       all  --  ::/0                 ::/0
          DROP       all  --  ::/0                 ::/0
          
          Chain DOCKER-BRIDGE (1 references)
          target     prot opt source               destination
          DOCKER     all  --  ::/0                 ::/0
          DOCKER     all  --  ::/0                 ::/0
          
          Chain DOCKER-CT (1 references)
          target     prot opt source               destination
          ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
          ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
          
          Chain DOCKER-FORWARD (1 references)
          target     prot opt source               destination
          DOCKER-CT  all  --  ::/0                 ::/0
          DOCKER-ISOLATION-STAGE-1  all  --  ::/0                 ::/0
          DOCKER-BRIDGE  all  --  ::/0                 ::/0
          ACCEPT     all  --  ::/0                 ::/0
          ACCEPT     all  --  ::/0                 ::/0
          
          Chain DOCKER-ISOLATION-STAGE-1 (1 references)
          target     prot opt source               destination
          DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0
          DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0
          
          Chain DOCKER-ISOLATION-STAGE-2 (2 references)
          target     prot opt source               destination
          DROP       all  --  ::/0                 ::/0
          DROP       all  --  ::/0                 ::/0
          
          Chain DOCKER-USER (1 references)
          target     prot opt source               destination
          RETURN     all  --  ::/0                 ::/0
          
          Chain ts-forward (1 references)
          target     prot opt source               destination
          MARK       all  --  ::/0                 ::/0                 MARK xset 0x40000/0xff0000
          ACCEPT     all  --  ::/0                 ::/0                 mark match 0x40000/0xff0000
          ACCEPT     all  --  ::/0                 ::/0
          
          Chain ts-input (1 references)
          target     prot opt source               destination
          ACCEPT     all  --  fd7a:115c:a1e0::e601:2f68  ::/0
          ACCEPT     all  --  ::/0                 ::/0
          ACCEPT     udp  --  ::/0                 ::/0                 udp dpt:41641
          

            maybl8 not sure how to answer your path question

            OK, let me rephrase 🙂 Is your script “abuseipdb.sh” located in the directory /etc/iptables/ or is it stored in another directory?

            maybl8 Here is the ip6tables command

            So there’s indeed no MAILCOW chain, it must be disabled then.

              DocFraggle

              [demo@mail /]$ ls -la /etc/iptables
              total 36
              drwxr-xr-x   2 root root  4096 Mar 31 15:12 .
              drwxr-xr-x 104 root root 12288 Apr  1 08:00 ..
              -rwxr-xr-x   1 root root  4570 Mar 29 12:48 abuseipdb.sh
              lrwxrwxrwx   1 root root    36 Mar 22 13:58 empty.rules -> ../../usr/share/iptables/empty.rules
              -rw-r--r--   1 root root   105 Mar 22 13:58 ip6tables.rules
              -rw-r--r--   1 root root  7388 Mar 25 15:56 iptables.rules
              lrwxrwxrwx   1 root root    46 Mar 22 13:58 simple_firewall.rules -> ../../usr/share/iptables/simple_firewall.rules
              

              Where would it be disabled?

                DocFraggle Here is the section in the docker-compose.yml

                networks:
                  mailcow-network:
                    driver: bridge
                    driver_opts:
                      com.docker.network.bridge.name: br-mailcow
                    enable_ipv6: true
                    ipam:
                      driver: default
                      config:
                        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
                        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
                

                I did not use root for the cron job. Is that the issue?

                DocFraggle

                Where exactly do you have an HTTP plugin hooked in now?

                The plugin is from CrowdSec -> docs.crowdsec.net (HTTP Plugin | CrowdSec)

                So far I had used it for notifications via Telegram, and now I have extended it to also report the malicious IPs to AbuseIPDB. It has already reported 14 IPs today.

                @Ganzjahresgriller: Was your question directed at me? If so, should I post it in this thread or rather start a separate one?

                [unknown] I did not use root for the cron job. Is that the issue?

                Yes, root rights are required to apply iptables rules

                  DocFraggle OK, I removed the cron job as the user and re-added it as the root user.
                  I will now wait for 5 hours and see if that works.

                  I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

                    maybl8 I will now wait for 5 hours and see if that works.

                    OK, 20:00 will be the next run

                    maybl8 I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

                    No, you can ignore this.

                      DocFraggle

                      Oops, that was actually meant to answer @maybl8’s question. But something apparently went wrong with my post. 🙃 Unfortunately it can no longer be edited.

                      semaf

                        What about grabbing SASL logins from the mailcow logs and adding them to iptables when the user is unknown? On my system random users that don’t even exist in the system are being tried. Do you see that too?

                          DocFraggle

                          semaf On my system random users that don’t even exist in the system are being tried. Do you see that too?

                          Yes, normal background noise. That should be handled by Fail2Ban, though, so nothing extra is needed.
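As an added example that is not part of the thread (and not mailcow’s or Fail2Ban’s code): the detection half of what semaf describes, counting failed SASL logins per client IP from Postfix-style smtpd log lines, so you can see what a ban rule keys on before adding anything on top of Fail2Ban. The log lines, the threshold and the function names are constructed for this example; the line shape follows Postfix’s `SASL ... authentication failed` warning.

```shell
#!/bin/sh
# Added example, not from the thread. Counts failed SASL authentications per
# client IP in Postfix smtpd log lines and reports the IPs over a threshold.

sample_log() {
  # Constructed sample lines in the shape Postfix writes for SASL failures.
  # 203.0.113.7 fails three times, 198.51.100.9 once; the last line is not
  # an authentication failure at all and must be ignored.
  cat <<'EOF'
Apr  1 11:29:01 mail postfix/smtpd[4123]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  1 11:29:03 mail postfix/smtpd[4123]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  1 11:29:05 mail postfix/smtpd[4123]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Apr  1 11:30:10 mail postfix/smtpd[4130]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  1 11:31:00 mail postfix/smtpd[4131]: connect from mail.example.net[192.0.2.25]
EOF
}

sasl_failures_over() {
  # Usage: sasl_failures_over THRESHOLD < logfile
  # Prints "IP COUNT", one per line and sorted, for every client IP that has
  # at least THRESHOLD failed SASL logins in the input.
  awk -v limit="$1" '
    /SASL [A-Z0-9-]+ authentication failed/ &&
    match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: SASL/) {
      # match() found "[a.b.c.d]: SASL"; strip the leading "[" and the
      # trailing "]: SASL" (7 characters) to keep only the address.
      ip = substr($0, RSTART + 1, RLENGTH - 8)
      fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' | sort
}

# Stand-alone run against the constructed sample with a threshold of 3:
#   sample_log | sasl_failures_over 3
```

Run against a real log with `sasl_failures_over 3 < /var/log/mail.log` (path is an assumption; mailcow keeps Postfix logs in its containers). The output is the same per-IP tally Fail2Ban’s filter builds internally; if an address keeps appearing there while already banned, that is the moment to look at the ban configuration rather than to add a second blocker.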

                          DocFraggle
                          Checked my blacklist file this morning. The date hasn’t changed, so I don’t think the cron job is working for me.

                          -rw-r--r--  1 root root 142377 Apr  1 11:29 abuseipdb_blacklist.txt
                          

                          I changed it to run as root.

                          [demo@mail tmp]$ sudo crontab -l
                          [sudo] password for demo:
                          0 */5 * * * /etc/iptables/abuseipdb.sh
                          
                          [demo@mail tmp]$ cd /etc/iptables
                          [demo@mail iptables]$ ls
                          abuseipdb.sh  empty.rules  ip6tables.rules  iptables.rules  simple_firewall.rules
                          

                          Hmm, please change the crontab entry to:

                          0 */5 * * * /etc/iptables/abuseipdb.sh 1>/var/log/abuseipdb.log 2>&1

                          This will create a log file (/var/log/abuseipdb.log) which includes potential error messages. Check it after the next run (15:00)
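As an added example that is not part of the thread (and not the abuseipdb.sh script itself): a small wrapper to call from root’s crontab instead of the script directly. It logs to the same /var/log/abuseipdb.log, refuses to run when it is not root (the problem DocFraggle identified), resets PATH because cron starts jobs with a minimal environment, and checks afterwards that /tmp/abuseipdb_blacklist.txt really contains IPv4 addresses rather than an error page. The three paths come from the thread; the wrapper file name abuseipdb-cron.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a cron wrapper for the AbuseIPDB
# blacklist script. Paths below are the ones used in the thread.
SCRIPT=/etc/iptables/abuseipdb.sh
LIST=/tmp/abuseipdb_blacklist.txt
LOG=/var/log/abuseipdb.log

# cron starts jobs with a minimal environment; a script that works from an
# interactive shell can fail under cron because curl/iptables are not on PATH.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

is_ipv4() {
  # Returns 0 when $1 is a dotted quad whose four octets are all in 0..255.
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

uid_is_root() {
  # Usage: uid_is_root UID. iptables needs root, which is why the entry
  # belongs in root's crontab (sudo crontab -e), not a normal user's.
  [ "$1" -eq 0 ]
}

validate_blacklist() {
  # Usage: validate_blacklist FILE
  # Prints the number of usable entries; returns 1 if the file is missing or
  # empty, or if a line is not an IPv4 address (a sign the download returned
  # an error page or JSON instead of the plain list).
  file=$1 count=0
  [ -s "$file" ] || { echo "blacklist $file missing or empty" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    if is_ipv4 "$line"; then
      count=$((count + 1))
    else
      echo "invalid entry in $file: $line" >&2
      return 1
    fi
  done < "$file"
  echo "$count"
}

run_blacklist_job() {
  # Usage: run_blacklist_job SCRIPT LISTFILE LOGFILE
  # Same effect as the crontab redirect suggested in the thread, but it
  # records why a run was skipped instead of failing silently.
  script=$1 list=$2 log=$3
  {
    echo "$(date '+%F %T') starting $script"
    uid_is_root "$(id -u)" || { echo "refusing to run: not root (uid $(id -u))"; return 1; }
    [ -x "$script" ] || { echo "refusing to run: $script is not executable"; return 1; }
    "$script" || { echo "$script exited with status $?"; return 1; }
    n=$(validate_blacklist "$list") || return 1
    echo "$(date '+%F %T') done, $n addresses in $list"
  } >>"$log" 2>&1
}

# Entry point when installed as /etc/iptables/abuseipdb-cron.sh (assumed name).
case $0 in */abuseipdb-cron.sh) run_blacklist_job "$SCRIPT" "$LIST" "$LOG" ;; esac
```

Install it with `sudo crontab -e` as `0 */5 * * * /etc/iptables/abuseipdb-cron.sh`; the `*/5` hour field fires at 00:00, 05:00, 10:00, 15:00 and 20:00 every day. After the next run, `tail /var/log/abuseipdb.log` shows either the address count or the reason the run was refused.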

                            DocFraggle Thanks, I’ll let you know the result. Shouldn’t it run sooner than that?
                            It is 7:14 am here (EDT).
                            I thought the cron job runs every 5 hours.
                            So it would run at:
                            12:00 AM
                            5:00 AM
                            10:00 AM
                            3:00 PM (15:00)
                            8:00 PM (20:00)
                            Then 01:00 AM the next day.