DocFraggle not sure how to answer your path question.
Here is the ip6tables command

[demo@mail iptables]$ sudo ip6tables -nL
[sudo] password for demo:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ts-input   all  --  ::/0                 ::/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  ::/0                 ::/0
DOCKER-FORWARD  all  --  ::/0                 ::/0
ts-forward  all  --  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:443
ACCEPT     tcp  --  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:80
DROP       all  --  ::/0                 ::/0
DROP       all  --  ::/0                 ::/0

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination
DOCKER     all  --  ::/0                 ::/0
DOCKER     all  --  ::/0                 ::/0

Chain DOCKER-CT (1 references)
target     prot opt source               destination
ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     all  --  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination
DOCKER-CT  all  --  ::/0                 ::/0
DOCKER-ISOLATION-STAGE-1  all  --  ::/0                 ::/0
DOCKER-BRIDGE  all  --  ::/0                 ::/0
ACCEPT     all  --  ::/0                 ::/0
ACCEPT     all  --  ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0
DOCKER-ISOLATION-STAGE-2  all  --  ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  ::/0                 ::/0
DROP       all  --  ::/0                 ::/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  ::/0                 ::/0

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       all  --  ::/0                 ::/0                 MARK xset 0x40000/0xff0000
ACCEPT     all  --  ::/0                 ::/0                 mark match 0x40000/0xff0000
ACCEPT     all  --  ::/0                 ::/0

Chain ts-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  fd7a:115c:a1e0::e601:2f68  ::/0
ACCEPT     all  --  ::/0                 ::/0
ACCEPT     udp  --  ::/0                 ::/0                 udp dpt:41641

    maybl8 not sure how to answer your path question

    OK, let me rephrase 🙂 Is your script “abuseipdb.sh” located in the directory /etc/iptables/ or is it stored in another directory?

    maybl8 Here is the ip6tables command

    So there’s indeed no MAILCOW chain, it must be disabled then.

      DocFraggle

      [demo@mail /]$ ls -la /etc/iptables
      total 36
      drwxr-xr-x   2 root root  4096 Mar 31 15:12 .
      drwxr-xr-x 104 root root 12288 Apr  1 08:00 ..
      -rwxr-xr-x   1 root root  4570 Mar 29 12:48 abuseipdb.sh
      lrwxrwxrwx   1 root root    36 Mar 22 13:58 empty.rules -> ../../usr/share/iptables/empty.rules
      -rw-r--r--   1 root root   105 Mar 22 13:58 ip6tables.rules
      -rw-r--r--   1 root root  7388 Mar 25 15:56 iptables.rules
      lrwxrwxrwx   1 root root    46 Mar 22 13:58 simple_firewall.rules -> ../../usr/share/iptables/simple_firewall.rules
      

      Where would it be disabled at?

        DocFraggle Here is the section in the docker-compose.yml

        networks:
          mailcow-network:
            driver: bridge
            driver_opts:
              com.docker.network.bridge.name: br-mailcow
            enable_ipv6: true
            ipam:
              driver: default
              config:
                - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
                - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
        

        I did not use root for the cron job. Is that the issue?

        DocFraggle

        Where exactly do you have an HTTP plugin hooked in now?

        The plugin is from CrowdSec -> docs.crowdsec.net HTTP Plugin | CrowdSec

        Until now I had used it for notifications via Telegram, and I have now extended it to also submit the malicious IP to AbuseIPDB. It has already reported 14 IPs today.

        @Ganzjahresgriller: Was your question directed at me? If so, should I post that in this thread or rather open a separate one?

        [unknown] I did not use root for the cron job. Is that the issue?

        Yes, root rights are required to apply iptables rules

          DocFraggle OK I removed the cron job as the user and re added it as root user.
          I will now wait for 5 hours and see if that works.

          I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

            maybl8 I will now wait for 5 hours and see if that works.

            OK, 20:00 will be the next run

            maybl8 I don’t use ipv6 so should I be concerned about the error when running the script or should we fix that?

            No, you can ignore this.

              DocFraggle

              Oops, that was actually supposed to answer @maybl8's question. But something apparently went wrong with my post. 🙃 Unfortunately, it can no longer be edited.

              semaf

                How about we pull the SASL logins from the mailcow logs and put them into iptables when the user is unknown? On my system, random users are being tried that don't exist in the system at all. Do you see that too?

                  DocFraggle

                  semaf On my system, random users are being tried that don't exist in the system at all. Do you see that too?

                  Yes, normal background noise. But that should be handled by Fail2Ban, so you don't need to do anything extra.

                  DocFraggle
                  Checked my blacklist file this morning. Date hasn’t changed so I don’t think the cron job is working for me.

                  -rw-r--r--  1 root root 142377 Apr  1 11:29 abuseipdb_blacklist.txt
                  

                  I changed it to run as root.

                  [demo@mail tmp]$ sudo crontab -l
                  [sudo] password for demo:
                  0 */5 * * * /etc/iptables/abuseipdb.sh
                  
                  [demo@mail tmp]$ cd /etc/iptables
                  [demo@mail iptables]$ ls
                  abuseipdb.sh  empty.rules  ip6tables.rules  iptables.rules  simple_firewall.rules
                  

                  Hmm, please change the crontab entry to:

                  0 */5 * * * /etc/iptables/abuseipdb.sh 1>/var/log/abuseipdb.log 2>&1

                  This will create a log file (/var/log/abuseipdb.log) which includes potential error messages. Check it after the next run (15:00)

                    DocFraggle Thanks I’ll let you know the result. Shouldn’t it run sooner than that?
                    It is 7:14 am here EDT
                    I thought the cronjob is running every 5 hours.
                    So it would run at:
                    12:00 AM
                    5:00 AM
                    10:00 AM
                    3:00 PM (15:00)
                    8:00 PM (20:00)
                    Then 01:00 AM the next day.

                    Yes, 3pm = 15:00, it’s 13:29 in Germany currently 😃

                    So your next run at 10am
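
Added example, not part of any post in this thread: how cron reads the `*/5` hour field of the crontab entry above. The step is matched against the hour of the day and restarts at midnight, so the gaps between runs are not all equal. The function names are this example's own.

```shell
#!/bin/sh
# Added example: expand a cron hour field such as "*/5" and inspect the schedule.

# expand_hours FIELD -> sorted, space-separated hours (0-23) that FIELD matches.
# Handles "*", "N", "A-B", "*/S", "A-B/S" and comma-separated lists of those.
expand_hours() (
    set -f; IFS=,            # split on commas only, never glob the "*"
    for part in $1; do
        range=${part%%/*}; step=1
        case $part in */*) step=${part##*/} ;; esac
        [ "$step" -gt 0 ] || continue
        case $range in
            '*') lo=0; hi=23 ;;
            *-*) lo=${range%-*}; hi=${range#*-} ;;
            *)   lo=$range; hi=$range ;;
        esac
        h=$lo
        while [ "$h" -le "$hi" ]; do echo "$h"; h=$((h + step)); done
    done | sort -nu | paste -sd' ' -
)

# next_run FIELD HH:MM -> first minute-0 run strictly after HH:MM.
next_run() (
    hours=$(expand_hours "$1")
    now=${2%%:*}; now=${now#0}; now=${now:-0}
    for h in $hours; do
        if [ "$h" -gt "$now" ]; then echo "$h:00"; return 0; fi
    done
    echo "${hours%% *}:00 next day"
)

# run_gaps FIELD -> hours between consecutive runs; the last gap wraps past midnight.
run_gaps() (
    hours=$(expand_hours "$1")
    first=${hours%% *}; prev=; out=
    for h in $hours; do
        if [ -n "$prev" ]; then out="$out $((h - prev))"; fi
        prev=$h
    done
    out="$out $((first + 24 - prev))"
    echo "${out# }"
)

# Constructed input: the hour field of the crontab entry in the thread.
echo "hours: $(expand_hours '*/5')"
echo "next after 07:14: $(next_run '*/5' 07:14)"
echo "gaps: $(run_gaps '*/5')"
```
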

                      DocFraggle No log at 10:00 am
                      I am going to do some research on crontab on this OS

                        DocFraggle So it looks like I had to run something called cronie and start that as a service.
                        I then get this:

                        [demo@mail iptables]$ sudo systemctl status cronie
                        ● cronie.service - Command Scheduler
                             Loaded: loaded (/usr/lib/systemd/system/cronie.service; enabled; preset: disabled)
                             Active: active (running) since Wed 2025-04-02 10:37:27 EDT; 2min 26s ago
                         Invocation: b1f4eefde6cb40748b9875beb211259f
                           Main PID: 1986122 (crond)
                              Tasks: 1 (limit: 38332)
                             Memory: 908K (peak: 1.6M)
                                CPU: 6ms
                             CGroup: /system.slice/cronie.service
                                     └─1986122 /usr/sbin/crond -n
                        
                        Apr 02 10:37:27 mail systemd[1]: Started Command Scheduler.
                        Apr 02 10:37:27 mail crond[1986122]: (CRON) STARTUP (1.7.2)
                        Apr 02 10:37:27 mail crond[1986122]: (CRON) INFO (Syslog will be used instead of sendmail.)
                        Apr 02 10:37:27 mail crond[1986122]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 34% if used.)
                        Apr 02 10:37:27 mail crond[1986122]: (CRON) INFO (running with inotify support)
                        

                        From my reading, the preferred method to do this is to use a systemd timer.
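
Added example, not from the thread or the mailcow project: a systemd service and timer that would stand in for the root crontab entry discussed above, firing on the same slots. The unit names `abuseipdb.service` and `abuseipdb.timer` are assumptions; the script and log paths are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: generate a service/timer pair replacing the cron entry
#   0 */5 * * * /etc/iptables/abuseipdb.sh 1>/var/log/abuseipdb.log 2>&1
# Unit names are hypothetical; script and log paths come from the thread.

# write_units DIR -> writes abuseipdb.service and abuseipdb.timer into DIR.
write_units() {
    cat > "$1/abuseipdb.service" <<'EOF'
[Unit]
Description=Refresh AbuseIPDB blocklist rules

[Service]
Type=oneshot
# No User= line: system services run as root, which applying iptables rules needs.
ExecStart=/etc/iptables/abuseipdb.sh
# append: needs systemd 240 or newer; errors land in the same log file.
StandardOutput=append:/var/log/abuseipdb.log
StandardError=append:/var/log/abuseipdb.log
EOF
    cat > "$1/abuseipdb.timer" <<'EOF'
[Unit]
Description=Run abuseipdb.service at 00:00, 05:00, 10:00, 15:00 and 20:00

[Timer]
OnCalendar=*-*-* 00/5:00:00
# Run a missed slot after downtime instead of waiting for the next one.
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Default to a scratch directory so the script is safe to try out.
# For real use, as root: pass /etc/systemd/system, then run
#   systemctl daemon-reload && systemctl enable --now abuseipdb.timer
# and remove the crontab line so the script does not run twice.
out=${1:-$(mktemp -d)}
write_units "$out" && echo "units written to $out"
```

`systemctl list-timers abuseipdb.timer` then shows the next and last activation, and `journalctl -u abuseipdb.service` records each run even when the script prints nothing.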