New on LowEndTalk? Please Register and read our Community Rules.
Is this a network issue? I need your help...
Not sure if this is a network issue, your ideas are welcome...
Running a mailserver on a Hetzner dedi, Dovecot is listening on ports 993 and 143.
For the majority of users it works flawlessly: they can connect to their email accounts. A TCP traceroute looks something like this:
Other users, sitting on a different network, cannot connect ("Server not found or not answering"). A TCP traceroute looks something like this:
Please notice the !P on the last hop: Protocol unreachable.
- No firewall settings on port 993
- Dovecot has no settings that prevent any connection.
- There is at least 1 user who had the problem at one point, and it was working 2 days later (without any changes on my side).
Any idea?
Comments
Looks like a firewall issue. Are you sure there is no rule that rejects packets? It may not be specific to port 993/tcp.
Please check the output of
sudo iptables-save | grep REJECT
or
sudo nft list ruleset | grep \ reject
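The check suggested above, worked through as an added example (not code posted in this thread): a POSIX shell function that reads `iptables-save` output and reports which source addresses a REJECT rule blocks for a given port. Because fail2ban puts its REJECT rules in a per-jail chain (named f2b-<jail>) and the port match lives on the INPUT rule that jumps into that chain, the function resolves the jump to find the ports a ban applies to. The rules in SAMPLE_RULES, the jail names and the client addresses are constructed for the example and are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `iptables-save` output on stdin
# and reports REJECT rules, resolving the ports of the rule that jumps into
# the chain holding the REJECT (fail2ban keeps bans in f2b-<jail> chains).
# On a live box:  sudo iptables-save | rejected_sources 993

# rejected_sources [PORT]
# Prints "CHAIN SOURCE PORTS" for each REJECT rule that applies to PORT
# (every REJECT rule when PORT is omitted).
rejected_sources() {
    awk -v port="$1" '
        $1 == "-A" {
            target = ""; dports = ""; src = "0.0.0.0/0"
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport" || $i == "--dports") dports = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            # a jump into a user chain carries the port match for that chain
            if (target != "" && target != "REJECT" && dports != "") ports[target] = dports
            if (target == "REJECT") {
                n++; rej_chain[n] = $2; rej_src[n] = src; rej_ports[n] = dports
            }
        }
        END {
            for (k = 1; k <= n; k++) {
                p = rej_ports[k]
                if (p == "" && (rej_chain[k] in ports)) p = ports[rej_chain[k]]
                if (p == "") p = "any"
                if (port == "" || p == "any" || index("," p ",", "," port ",") > 0)
                    print rej_chain[k], rej_src[k], p
            }
        }'
}

# is_rejected IP PORT
# Exit 0 if IP is the source of a REJECT rule that applies to PORT.
is_rejected() {
    rejected_sources "$2" | awk -v ip="$1" '
        { s = $2; sub("/32$", "", s); if (s == ip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample (assumption) of what `iptables-save` prints on a host
# where fail2ban has banned one client in a dovecot jail and one in an sshd jail.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-dovecot - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-dovecot -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -j RETURN
-A f2b-sshd -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT'

echo "REJECT rules that apply to IMAPS (993):"
printf '%s\n' "$SAMPLE_RULES" | rejected_sources 993
if printf '%s\n' "$SAMPLE_RULES" | is_rejected 203.0.113.7 993; then
    echo "203.0.113.7 is currently rejected on 993"
fi
```

Against the sample, `rejected_sources 993` reports only the f2b-dovecot ban, while the sshd ban is correctly left out because its chain is only reached for port 22. Once a complaining user's address shows up here, the jail name in the chain tells you which fail2ban jail to look at (`fail2ban-client status <jail>`), and the address can be released with `fail2ban-client set <jail> unbanip <ip>`; addresses that must never be banned belong in `ignoreip` in jail.local.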
You are right. There were a lot of REJECTs in the firewall for port 22 and some for port 993, all coming from fail2ban. I cleaned it up and hope it will work now. Thank you!
It is a temporary fix - please configure your fail2ban properly, it seems like it is accidentally banning valid clients.
I concur, fail2ban is a useful tool but can misbehave badly if not configured properly.
I suggest you use only keys, change the SSH port and remove fail2ban altogether; just configure the apps to give a cooldown of a minute or more after 3 failed login attempts. That would disable brute force and solve the problem with false positives.
I get your point. This time, however, I suspect the blocked users to be the "culprits", having insisted on logging in with wrong usernames/passwords far too often.
I appreciate your opinions