Feature Request: Improved Fail2Ban IP List Management

zeronemo

Hello mailcow community,

I’m looking for a way to better manage the Fail2Ban banned IP list in the mailcow admin panel. Currently, the list can become very long, which causes performance issues in the browser.

I would like to know if there are any existing solutions or workarounds to:

Sort the banned IP list: It would be helpful to sort the list by IP address, ban time, or other criteria.
Implement pagination or limit the number of displayed entries: This would prevent the browser from loading the entire list at once, improving performance.
Filter the list: Being able to filter the list based on specific criteria (e.g., ban time, IP range) would make it easier to find specific entries.
If these features are not currently available, I would like to request that they be considered for future updates. Managing long banned IP lists is crucial for maintaining server security and performance, and these improvements would greatly enhance the user experience.

Thank you for your time and consideration.

Best regards,

maybl8

This is what I do using iptables.
I run these commands to block the ip range. You don’t have to block whole range like I do but I haven’t had an issue yet doing this.

[demo@mail ~]$ sudo iptables -I DOCKER-USER -s 3.142.0.0/16 -j DROP
[demo@mail ~]$ sudo iptables-save -f /etc/iptables/iptables.rules
[demo@mail ~]$ sudo iptables-restore /etc/iptables/iptables.rules

Then I monitor it using this command:

very 5.0s: iptables -n -v -L DOCKER-USER | grep -v "0     0"             mail: 17:46:57
                                                                           in 0.008s (0)
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2  1361 DROP       0    --  *      *       192.42.0.0/16        0.0.0.0/0
    6   865 DROP       0    --  *      *       69.164.0.0/16        0.0.0.0/0
    1   131 DROP       0    --  *      *       89.187.0.0/16        0.0.0.0/0
    6   304 DROP       0    --  *      *       80.94.0.0/16         0.0.0.0/0
   24  1440 DROP       0    --  *      *       159.89.0.0/16        0.0.0.0/0
    4   240 DROP       0    --  *      *       92.255.0.0/16        0.0.0.0/0
 6366 2615K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

zeronemo

The only problem is that I’ve been doing IP range blocking from the start, on a /16 basis, for 1 year. But I’m talking about the web interface now, where I ![have](https://) to scroll down, and I don’t know how long the browser will handle it, or if it will freeze or mysql error
something so.

Anyway.. Can you tell me how to access the Fail2ban SSH interface? I was able to access a certain part of Mailcow like this: docker exec -it mailcowdockerized-nginx-mailcow-1 sh. Thanks, Z.

Can you tell me how to access the Fail2ban SSH interface? I was able to access a certain part of Mailcow like this: docker exec -it mailcowdockerized-nginx-mailcow-1 sh. Thanks, Z.

DocFraggle

zeronemo how to access the Fail2ban SSH interface

There is no “interface”, just look at the iptables on your host system

iptables -nL MAILCOW | less

ETNyx

Api seems to have list of bans available for you to process as you see fit.

zeronemo

I need to emphasize that I’m not trying to check SSH or log files. I’m using the mailcow web interface precisely because it provides a convenient way to view and interact with banned IPs, including one-click WHOIS lookups and information. My question is, why can’t this interface be improved to handle large lists of IPs more efficiently? Instead of displaying millions of IPs in a single, unmanageable list, can’t we implement sorting, pagination, or filtering to prevent browser crashes? 🙂

mlcwuser

zeronemo I need to emphasize that I’m not trying to check SSH or log files. I’m using the mailcow web interface precisely because it provides a convenient way to view and interact with banned IPs

Yes, as of now what you want is not possible in the WebUI, as you have already noticed yourself, and that is why other members of the forum have shared how to achieve similar things in other ways.

The majority of users in this forum are not developers, so if you have ideas for features that would improve the UI or other aspects of Mailcow, it might be better to open a feature request on GitHub: mailcow/mailcow-dockerizedissues

However, I would also like to say that it probably makes little sense to put a lot of effort into things like manual filtering and searching of ban lists directly in Mailcow, but if anything, maybe add more fine-grained control over how fail2ban handles bans, although most of this is already there, and just increasing the bantime to e.g. a week will already significantly reduce the noise.

What would make more sense, imho, would be to add a UI to add and manage external blocklists.

Reasoning:

Nobody has the time to manually check and block IPs and manually maintain blocklists. This is a Sisyphean task as the attacks come in waves and the IP addresses / IP ranges are constantly changing. This is something you want to outsource and automate as much as possible, unless you have the time and inclination to spend all day manually checking and blocking IPs. 😉
For log management and alerts there are already external solutions like Greylog, Grafana Loki etc. that will always do a better job than what Mailcow will ever be able to offer, which of course doesn’t mean that they shouldn’t continue to improve the UI or add things that make sense and can be done with reasonable effort. 🙂

zeronemo

Nobody has time to manually check and block IP addresses, and manually maintain blocklists.

Even though I sometimes check where xy attack came from.

Nobody said that the goal is to manually check the bans, please read back.

I wrote about the web GUI because it lists all the bans in one line, which I think will cause problems with web loading in the future. Besides, I have /16 range bans for 1 year for 1 attempt.

Regards,
Z.

maybl8

I like what you did with banning for 1 year.
I have implemented that and I see this now.


See a list of banned IPs below: network (remaining ban time) - [actions].
IPs queued to be unbanned will be removed from the active ban list within a few seconds.
Red labels indicate active permanent bans by blacklisting.

http://mail.dccathome.com/f2b-banlist?id=9a48875e-1f0b-4f87-bb44-593f3411c82e
 111.91.0.0/16 (8756h 47m 25s) - [unban] [whitelist] [blacklist (needs restart)]

 183.233.0.0/16 (8756h 48m 05s) - [unban] [whitelist] [blacklist (needs restart)]

 31.141.0.0/16 (8756h 48m 51s) - [unban] [whitelist] [blacklist (needs restart)]

 185.196.0.0/16 (8757h 10m 25s) - [unban] [whitelist] [blacklist (needs restart)]

My question is should I Blacklist them?
And does that ban them permanently?
I was putting them in the iptables drop list so they wouldn’t even get to the mailcow server.
Showing up in this list does that do the same thing or Blacklisting them does that do the same thing?
Thanks

zeronemo

You can add them to the blacklist; this blocks the Postfix part, the Dovecot parts, and I believe the admin interface as well within Docker. In my case, it even blocked SSH. However, it doesn’t block local Apache websites. I also use an external Fail2Ban, which blocks everything, but the mailcow within Docker also blocks properly. I don’t think you need to add them to iptables because mailcow adds them there directly, if I’m not mistaken. Best regards, Z.

ETNyx

I feel this thread now need little bit of opposition for future readers. Every one should consider if it’s a good idea to set-up Mailcow netfilter to ban /16 for one year.

Let’s take @maybl8 (s) first hits, yes first 3 bans are for EU/US based most likely fine, but last one can be problematic if you are EU based. Let’s examine IP allocation by state
₁₅% spain (₁₀ 000 IPs)
₁₀% switzerland (₆ 500 IPs)
₇% germany (₄ 600 IPs)

Yes, this range also contains allocation to more problematic states like Russia, Ukraine, Uzbekistan, Malaysia, Singapore, Syria, Iran and so

Now let’s look for same by ASNs
₄% AS39572 (₂ 500 IPs) DataWeb Global Group B.V. seems like Netherlands privet hosting services.
₂% AS16086 (₁ 300 IPs), DNA Finland seems like Finland ISP
₂% AS25375 (₁ 300 IPs), Leucom Stafag / Leucom Schlatter AG seems like Switzerland ISP
₂% AS39878 (₁ 300 IPs) PR-Link Internet seems like Austria ISP

Yes you enforce ban for let’s say some Middle east bot-net and maybe by right, but you also ban multiple services that does not do any wrong, in first ASN case even possible legit mail servers in paid hosting. And next three could be your users home ISP,…

So once again everyone should consider if 1 year ban for /16 is a good solution for him/her.

DocFraggle

ETNyx So once again everyone should consider if 1 year ban for /16 is a good solution for him/her.

I totally agree, using /16 per default isn’t a good idea

zeronemo

ETNyx

I block them this way because I know what I’m doing. I’m not expecting emails from any of the places these hackers originate from. I hate them from the /16 range. I only give out my email to a few people… but if they say it doesn’t work, I can easily remove them from the block list. It’s that simple. I’m not an email service provider. 😛

maybl8

@ETNyx You are correct that banning some ip ranges could be problematic for some people. For example banning email coming from some Germany IP’s could block you from getting mail from the Bayer Company. They are based in Germany. You would have to whitelist their ip’s but maybe all other Germany IP’s could be banned.
I tried to have a geo ip process but I couldn’t find one that I could work with Mailcow. I personally don’t need to get mail from China , and many other Countries.
What I would say is check the IP’s that you know come from legitimate companies or people you know and exclude them.
An email server sometimes requires attention to manage so if you run one that is one of the jobs you should be doing.
An automated ban list would be great to implement since there are people out there that maintain known spam lP lists. That would be a nice feature in Mailcow also.
Thanks

ETNyx

maybl8
What you are suggestion is quiet lot of work, like whitelisting IP if know,.. and problem is when you ban /16 how you know what to whitelist and even so it’s often after problem occur, after ban has been applied and this false-positive ban in /16 make problem,… This is not suitable for me.

Do not know how MC netfilter hold up under pressure, but in classic fail2ban I got about 15k targeted bans (ipv4/32), for mail server it is not big problem,…

If you realy need to, you can make own firewall on host (in front of MC) and for example utilize maxmid geoip database to filter for example china, also it should not be hard to make new “backlist” in rspamd for country like in multimap.conf COUNTRY_BL { type = "country"; map = "${LOCAL_CONFDIR}/local.d/country_bl.map"; score = 12; description = "List of countries with heavy spam usage"; } it will be much less work to always revert it before update, make update and make it again in stead of looking for what have been ban every day,…

Edit: example for geoip and iptables