Fail2ban: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
(Created page with "# Install fail2ban # yum install fail2ban -y # Create the filter definition files in filter.d # cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL [Definition] #Looks for failed auth outside TLS to SMTP failregex = 503 auth not available \(\#5\.3\.3\) - <HOST> ignoreregex = EOL # cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL [Definition] #Looks for failed password logins to SMTP failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>...")
 
No edit summary
 
(36 intermediate revisions by the same user not shown)
Line 1: Line 1:
# Install fail2ban
[[Configuration#Fail2ban|Back]]<br>
Install fail2ban
# yum install fail2ban -y<br>
Create the filter definition files in filter.d
# cat >/etc/fail2ban/filter.d/qt-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL<br>
# cat >/etc/fail2ban/filter.d/qt-smtps-passfail.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL<br>
# cat >/etc/fail2ban/filter.d/qt-smtps-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL<br>
# cat >/etc/fail2ban/filter.d/qt-sub-passfail.conf<< EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL<br>
# cat >/etc/fail2ban/filter.d/qt-sub-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL<br>
Create jail.local
# cat >>/etc/fail2ban/jail.d/jail.local << EOL
[qt-sub-passfail]
enabled = true
filter  = qt-sub-passfail
action  = iptables[name=QT-SUB-PASSFAIL, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto<br>
[qt-sub-usernotfound]
enabled = true
filter  = qt-sub-usernotfound
action  = iptables[name=QT-SUB-USERNOTFOUND, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto<br>
[qt-smtps-passfail]
enabled  = true
filter  = qt-smtps-passfail
action  = iptables[name=QT-SMTPS-PASSFAIL, port=465, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto<br>
[qt-smtps-usernotfound]
enabled = true
filter = qt-smtps-usernotfound
action = iptables[name=QT-SMTPS-USERNOTFOUND, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto<br>
[qt-smtp-authnotavail]
enabled = true
filter = qt-smtp-authnotavail
action = iptables[name=QT-SMTP-AUTHNOTAVAIL, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
EOL


# yum install fail2ban -y
  In order to log SMTPTX (transactions) do the following:
 
  1) # qmailctl stop
# Create the filter definition files in filter.d
  2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp  
 
  3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:<span style="color:red">
# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL
 
# cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL
 
# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL
 
# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL
 
# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL
 
# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL
 
# Add filter definitions to jail.conf
 
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
 
# cat >>/etc/fail2ban/jail.conf << EOL
 
[qmail-submission-passfail]
enabled = true
filter  = qmail-submission-passfail
action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto
 
[qmail-submission-usernotfound]
enabled = true
filter  = qmail-submission-usernotfound
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto
 
[qmail-smtps-passfail]
enabled  = true
filter  = qmail-smtps-passfail
action  = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto
 
[qmail-smtps-usernotfound]
enabled = true
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto
 
[qmail-smtp-authnotavail]
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
 
EOL
 
# Set up Authorization not available
 
  In order to log SMTP transactions do the following:
  1) # qmailctl stop
  2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp  
  3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:  
     
       #!/bin/sh
       #!/bin/sh
       LOGSIZE=`cat /var/qmail/control/logsize`
       LOGSIZE=`cat /var/qmail/control/logsize`
Line 115: Line 89:
         /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
         /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
         '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
         '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
         '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
         '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1</span>
  4) # qmailctl start && qmailctl cdb
  4) # qmailctl start && qmailctl cdb
  5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
  5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
 
# Start fail2ban
 
# systemctl start fail2ban
 
 
# Script to check blocking
 
# cat >./f2bstat << EOL
#!/bin/bash
 
for FILTER in qmail-submission-passfail \
              qmail-submission-usernotfound \
              qmail-smtps-passfail \
              qmail-smtps-usernotfound \
              qmail-smtp-authnotavail
do
  fail2ban-client status $FILTER
  echo ""
done
 
EOL
 
# Set permissions & run script (w/output sample)
 
# chmod 755 ./f2bstat && ./f2bstat


qmail-submission-passfail:
Start fail2ban
# systemctl start fail2ban


Status for the jail: qmail-submission-passfail
Script to check blocking
|- Filter
# tee -a /usr/local/bin/f2bstat<<EOL
|  |- Currently failed: 1
#!/bin/bash
|  |- Total failed:    1
for JAIL in qt-sub-passfail \\
|  `- File list:        /var/log/maillog
            qt-sub-usernotfound \\
`- Actions
            qt-smtps-passfail \\
  |- Currently banned: 0
            qt-smtps-usernotfound \\
  |- Total banned:     0
            qt-smtp-authnotavail
  `- Banned IP list:
do
    fail2ban-client status \$JAIL
     echo ""
done
EOL


qmail-submission-usernotfound:
Set permissions & run script (w/output sample)
# chmod 755 /usr/local/bin/f2bstat && f2bstat


Status for the jail: qmail-submission-usernotfound
qt-sub-passfail:<br>
|- Filter
Status for the jail: qt-sub-passfail
|  |- Currently failed: 7
|- Filter
|  |- Total failed:    7
|  |- Currently failed: 1
|  `- File list:        /var/log/maillog
|  |- Total failed:    1
`- Actions
|  `- File list:        /var/log/maillog
  |- Currently banned: 0
`- Actions
  |- Total banned:    0
    |- Currently banned: 0
  `- Banned IP list:
    |- Total banned:    0
    `- Banned IP list:


qmail-smtps-passfail:
qt-sub-usernotfound:<br>
Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:    7
|  `- File list:        /var/log/maillog
`- Actions
    |- Currently banned: 0
    |- Total banned:    0
    `- Banned IP list:


Status for the jail: qmail-smtps-passfail
qt-smtps-passfail:<br>
|- Filter
Status for the jail: qmail-smtps-passfail
|  |- Currently failed: 0
|- Filter
|  |- Total failed:    0
|  |- Currently failed: 0
|  `- File list:        /var/log/maillog
|  |- Total failed:    0
`- Actions
|  `- File list:        /var/log/maillog
  |- Currently banned: 0
`- Actions
  |- Total banned:    0
    |- Currently banned: 0
  `- Banned IP list:
    |- Total banned:    0
    `- Banned IP list:


qmail-smtps-usernotfound:
qt-smtps-usernotfound:<br>
Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:    0
|  `- File list:        /var/log/maillog
`- Actions
    |- Currently banned: 2
    |- Total banned:    2
    `- Banned IP list:   5.34.207.174 212.70.149.72


Status for the jail: qmail-smtps-usernotfound
qt-smtp-authnotavail:<br>
|- Filter
Status for the jail: qmail-smtp-authnotavail
|  |- Currently failed: 0
|- Filter
|  |- Total failed:    0
|  |- Currently failed: 0
|  `- File list:        /var/log/maillog
|  |- Total failed:    0
`- Actions
|  `- File list:        /var/log/qmail/smtptx/current
  |- Currently banned: 2
`- Actions
  |- Total banned:    2
    |- Currently banned: 0
  `- Banned IP list:   5.34.207.174 212.70.149.72
    |- Total banned:    0
    `- Banned IP list:
=== Note ===


qmail-smtp-authnotavail:
== Basic commands ==
* Check banned IPs:
Format: fail2ban-client get 'jail' banned
  # fail2ban-client get qt-smtp-authnotavail banned
  ['xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy',...,]
* How to unblock an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
  # fail2ban-client set qt-smtp-authnotavail unbanip 192.168.1.105 192.168.1.112 192.168.1.119
  3
* How to block an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
  # fail2ban-client set qt-smtp-authnotavail banip 192.168.9.105 192.168.1.112 192.168.1.119
  3
* Help:
  # fail2ban-client -h


Status for the jail: qmail-smtp-authnotavail
== References ==
|- Filter
[1] fail2ban homepage: http://www.fail2ban.org
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:       /var/log/qmail/smtptx/current
`- Actions
  |- Currently banned: 0
  |- Total banned:    0
  `- Banned IP list:

Latest revision as of 09:13, 19 October 2024

Back

Install fail2ban
# yum install fail2ban -y

Create the filter definition files in filter.d
# cat >/etc/fail2ban/filter.d/qt-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-smtps-passfail.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-smtps-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-sub-passfail.conf<< EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-sub-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

Create jail.local
# cat >>/etc/fail2ban/jail.d/jail.local << EOL
[qt-sub-passfail]
enabled = true
filter  = qt-sub-passfail
action  = iptables[name=QT-SUB-PASSFAIL, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qt-sub-usernotfound]
enabled = true
filter  = qt-sub-usernotfound
action  = iptables[name=QT-SUB-USERNOTFOUND, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qt-smtps-passfail]
enabled  = true
filter   = qt-smtps-passfail
action   = iptables[name=QT-SMTPS-PASSFAIL, port=465, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qt-smtps-usernotfound]
enabled = true
filter = qt-smtps-usernotfound
action = iptables[name=QT-SMTPS-USERNOTFOUND, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qt-smtp-authnotavail]
enabled = true
filter = qt-smtp-authnotavail
action = iptables[name=QT-SMTP-AUTHNOTAVAIL, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
EOL

In order to log SMTPTX (transactions) do the following:
 1) # qmailctl stop
 2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
 3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:
     #!/bin/sh
     LOGSIZE=`cat /var/qmail/control/logsize`
     LOGCOUNT=`cat /var/qmail/control/logcount`
     exec /usr/bin/setuidgid qmaill \
       /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
       '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
       '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
 4) # qmailctl start && qmailctl cdb
 5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal

Start fail2ban
# systemctl start fail2ban

Script to check blocking
# tee -a /usr/local/bin/f2bstat<<EOL
#!/bin/bash
for JAIL in qt-sub-passfail \\
            qt-sub-usernotfound \\
            qt-smtps-passfail \\
            qt-smtps-usernotfound \\
            qt-smtp-authnotavail
do
   fail2ban-client status \$JAIL
   echo ""
done
EOL

Set permissions & run script (w/output sample)
# chmod 755 /usr/local/bin/f2bstat && f2bstat

qt-sub-passfail:

Status for the jail: qt-sub-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qt-sub-usernotfound:

Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qt-smtps-passfail:

Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qt-smtps-usernotfound:

Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72

qt-smtp-authnotavail:

Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Note

Basic commands

  • Check banned IPs:
Format: fail2ban-client get 'jail' banned
  # fail2ban-client get qt-smtp-authnotavail banned
  ['xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy',...,]
  • How to unblock an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
  # fail2ban-client set qt-smtp-authnotavail unbanip 192.168.1.105 192.168.1.112 192.168.1.119
  3
  • How to block an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
  # fail2ban-client set qt-smtp-authnotavail banip 192.168.9.105 192.168.1.112 192.168.1.119
  3
  • Help:
  # fail2ban-client -h

References

[1] fail2ban homepage: http://www.fail2ban.org

Retrieved from "http://wiki.qmailtoaster.org:80/index.php?title=Fail2ban&oldid=1343"