Ganzjahresgriller
Yes, here is a partial output of what the blacklist.txt file shows

Here is the beginning of the script file:

#!/bin/bash

# Adjust the values of the following variables
ABUSEIP_API_KEY="3ee79b41cfb33e7bb91b33cfb16382070da6aed253dffa9b8d2a619b409db9fe9fa3a6fa4c0f671c"
ABUSEIPDB_LIST="/tmp/abuseipdb_blacklist.txt"

    maybl8
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.

    Something’s not right here at least… or do you have IPv6 disabled?

      DocFraggle I probably have it disabled but I don’t remember.
      I will look into that.

      I see this in mailcow.conf

      IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
      

      I have an ip6tables.rules file but it only has this in it:

      # Empty iptables rule file
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      COMMIT
      

        DocFraggle not sure how to answer your path question.
        Here is the ip6tables command

        [demo@mail iptables]$ sudo ip6tables -nL
        [sudo] password for demo:
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        ts-input   all  --  ::/0                 ::/0
        
        Chain FORWARD (policy DROP)
        target     prot opt source               destination
        DOCKER-USER  all  --  ::/0                 ::/0
        DOCKER-FORWARD  all  --  ::/0                 ::/0
        ts-forward  all  --  ::/0                 ::/0
        
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        
        Chain DOCKER (2 references)
        target     prot opt source               destination
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:443
        ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:80
        DROP       all  --  ::/0                 ::/0
        DROP       all  --  ::/0                 ::/0
        
        Chain DOCKER-BRIDGE (1 references)
        target     prot opt source               destination
        DOCKER     all  --  ::/0                 ::/0
        DOCKER     all  --  ::/0                 ::/0
        
        Chain DOCKER-CT (1 references)
        target     prot opt source               destination
        ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
        ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
        
        Chain DOCKER-FORWARD (1 references)
        target     prot opt source               destination
        DOCKER-CT  all  --  ::/0                 ::/0
        DOCKER-ISOLATION-STAGE-1  all  --  ::/0                 ::/0
        DOCKER-BRIDGE  all  --  ::/0                 ::/0
        ACCEPT     all  --  ::/0                 ::/0
        ACCEPT     all  --  ::/0                 ::/0
        
        Chain DOCKER-ISOLATION-STAGE-1 (1 references)
        target     prot opt source               destination
        DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0
        DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0
        
        Chain DOCKER-ISOLATION-STAGE-2 (2 references)
        target     prot opt source               destination
        DROP       all  --  ::/0                 ::/0
        DROP       all  --  ::/0                 ::/0
        
        Chain DOCKER-USER (1 references)
        target     prot opt source               destination
        RETURN     all  --  ::/0                 ::/0
        
        Chain ts-forward (1 references)
        target     prot opt source               destination
        MARK       all  --  ::/0                 ::/0                 MARK xset 0x40000/0xff0000
        ACCEPT     all  --  ::/0                 ::/0                 mark match 0x40000/0xff0000
        ACCEPT     all  --  ::/0                 ::/0
        
        Chain ts-input (1 references)
        target     prot opt source               destination
        ACCEPT     all  --  fd7a:115c:a1e0::e601:2f68  ::/0
        ACCEPT     all  --  ::/0                 ::/0
        ACCEPT     udp  --  ::/0                 ::/0                 udp dpt:41641
        

          maybl8 not sure how to answer your path question

          OK, let me rephrase 🙂 Is your script “abuseipdb.sh” located in the directory /etc/iptables/ or is it stored in another directory?

          maybl8 Here is the ip6tables command

          So there’s indeed no MAILCOW chain, it must be disabled then.

            DocFraggle

            [demo@mail /]$ ls -la /etc/iptables
            total 36
            drwxr-xr-x   2 root root  4096 Mar 31 15:12 .
            drwxr-xr-x 104 root root 12288 Apr  1 08:00 ..
            -rwxr-xr-x   1 root root  4570 Mar 29 12:48 abuseipdb.sh
            lrwxrwxrwx   1 root root    36 Mar 22 13:58 empty.rules -> ../../usr/share/iptables/empty.rules
            -rw-r--r--   1 root root   105 Mar 22 13:58 ip6tables.rules
            -rw-r--r--   1 root root  7388 Mar 25 15:56 iptables.rules
            lrwxrwxrwx   1 root root    46 Mar 22 13:58 simple_firewall.rules -> ../../usr/share/iptables/simple_firewall.rules
            

            Where would it be disabled at?

              DocFraggle Here is the section in the docker-compose.yml

              networks:
                mailcow-network:
                  driver: bridge
                  driver_opts:
                    com.docker.network.bridge.name: br-mailcow
                  enable_ipv6: true
                  ipam:
                    driver: default
                    config:
                      - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
                      - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
              

              I did not use root for the cron job. Is that the issue?

              DocFraggle

              Where exactly do you now have an HTTP plugin hooked in?

              The plugin is from CrowdSec -> docs.crowdsec.net HTTP Plugin | CrowdSec


              Until now I had used it for notifications via Telegram, and I have now extended it to also submit the malicious IPs to AbuseIPDB. It has already reported 14 IPs today.

              @Ganzjahresgriller: Was your question directed at me? If so, should I post that in this thread or rather start a separate one?

              [unknown] I did not use root for the cron job. Is that the issue?

              Yes, root rights are required to apply iptables rules

                DocFraggle OK I removed the cron job as the user and re added it as root user.
                I will now wait for 5 hours and see if that works.

                I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

                  maybl8 I will now wait for 5 hours and see if that works.

                  OK, 20:00 will be the next run

                  maybl8 I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

                  No, you can ignore this.

                    DocFraggle

                    Oops, that was actually supposed to answer @maybl8's question. But something apparently went wrong with my post. 🙃 Unfortunately, it can no longer be edited.

                    semaf

                      How about we pull the SASL logins from the mailcow logs and put them into iptables when the user is unknown? On my system, random users that don't even exist in the system are being tried. Do you see that too?

                        DocFraggle

                        semaf On my system, random users that don't even exist in the system are being tried. Do you see that too?

                        Yes, normal background noise. It should be handled by Fail2Ban though, so there's no need to do anything extra.

                        DocFraggle
                        Checked my blacklist file this morning. Date hasn’t changed so I don’t think the cron job is working for me.

                        -rw-r--r--  1 root root 142377 Apr  1 11:29 abuseipdb_blacklist.txt
                        

                        I changed it to run as root.

                        [demo@mail tmp]$ sudo crontab -l
                        [sudo] password for demo:
                        0 */5 * * * /etc/iptables/abuseipdb.sh
                        
                        [demo@mail tmp]$ cd /etc/iptables
                        [demo@mail iptables]$ ls
                        abuseipdb.sh  empty.rules  ip6tables.rules  iptables.rules  simple_firewall.rules
                        

                        Hmm, please change the crontab entry to:

                        0 */5 * * * /etc/iptables/abuseipdb.sh 1>/var/log/abuseipdb.log 2>&1

                        This will create a log file (/var/log/abuseipdb.log) which includes potential error messages. Check it after the next run (15:00)

                          DocFraggle Thanks I’ll let you know the result. Shouldn’t it run sooner than that?
                          It is 7:14 am here EDT
                          I thought the cronjob is running every 5 hours.
                          So it would run at:
                          12:00 AM
                          5:00 AM
                          10:00 AM
                          3:00 PM (15:00)
                          8:00 PM (20:00)
                          Then 01:00 AM the next day.

                          Yes, 3pm = 15:00, it’s 13:29 in Germany currently 😃

                          So your next run is at 10am
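
The checks this thread arrives at (root is required to apply iptables rules, and the date on the list file shows whether the job ran), written as an added example that is not part of the original posts or of abuseipdb.sh: a pre-flight that a cron-driven blocklist job could run after its download step and before any rule is applied. The function names, exit codes and the 600-second age limit are assumptions.

```bash
#!/bin/bash
# Added example: pre-flight checks for a cron-driven blocklist job.
# Function names, exit codes and the age limit are assumptions,
# not taken from abuseipdb.sh.

# True for uid 0 only; applying iptables rules needs root.
# An optional argument overrides the uid (useful for testing).
is_root() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# True if FILE is non-empty and was modified at most MAX_AGE seconds ago.
is_fresh() {
    local file="$1" max_age="$2" now mtime
    [ -s "$file" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$file") || return 1   # GNU stat syntax
    [ $(( now - mtime )) -le "$max_age" ]
}

# Print only the lines of FILE that are exactly one dotted-quad IPv4 address
# (no leading zeros, each octet <= 255). Everything else is dropped, so an
# API error body or a corrupted download never reaches the firewall.
valid_ipv4_lines() {
    local cr
    cr=$(printf '\r')
    sed "s/${cr}\$//" "$1" |
        grep -E '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Returns 0 if the job may proceed; 2 = not root, 3 = stale list, 4 = no entries.
preflight() {
    local list="$1" max_age="$2" uid="${3:-}"
    is_root "$uid" || { echo "not root: install the job in root's crontab" >&2; return 2; }
    is_fresh "$list" "$max_age" || { echo "missing or stale list: $list" >&2; return 3; }
    [ "$(valid_ipv4_lines "$list" | wc -l)" -gt 0 ] || { echo "no valid IPv4 entries" >&2; return 4; }
}

# Use after the download step, before rules are applied:
#   preflight /tmp/abuseipdb_blacklist.txt 600 || exit $?
```

With the crontab redirect to /var/log/abuseipdb.log suggested above, the message written to stderr and the non-zero exit code show which of the three conditions stopped the run.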