Fail2ban
Revision as of 14:59, 26 March 2024
# Install fail2ban
# yum install fail2ban -y
# Create the filter definition files in filter.d
# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP (the 503 reply qmail-smtpd sends when AUTH is attempted without STARTTLS)
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL
# cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf << EOL
[Definition]
#Looks for failed password logins to SMTP (same pattern as qmail-smtps-passfail below; no jail in this page references this file)
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL
# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf << EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL
# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf << EOL
[Definition]
#Looks for SMTPS logins to accounts that do not exist in vpopmail
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL
# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf << EOL
[Definition]
#Looks for failed password logins on the submission port
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL
# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf << EOL
[Definition]
#Looks for submission logins to accounts that do not exist in vpopmail
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL
# Add jail definitions to jail.conf (back it up first; note that a package upgrade can replace jail.conf, so the same stanzas in jail.local survive upgrades)
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date +%F`
# cat >>/etc/fail2ban/jail.conf << EOL
[qmail-submission-passfail]
enabled = true
filter = qmail-submission-passfail
action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-submission-usernotfound]
enabled = true
filter = qmail-submission-usernotfound
action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-smtps-passfail]
enabled = true
filter = qmail-smtps-passfail
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-smtps-usernotfound]
enabled = true
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-smtp-authnotavail]
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
EOL
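As an added example (not part of the wiki page), a small Python model of what these filter files and jail settings do together: it expands <HOST> the way fail2ban does (simplified here to IPv4), runs each failregex over constructed maillog and smtptx lines, and applies each jail's maxretry/findtime window, which also shows why the 300-second findtime on qmail-smtp-authnotavail lets attempts spaced more than five minutes apart escape a ban.

```python
import re
from collections import defaultdict, deque
# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# fail2ban's own pattern also covers IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines from the filter files above with each jail's maxretry/findtime
JAILS = {
    "qmail-submission-passfail": (r"vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>", 3, 3600),
    "qmail-submission-usernotfound": (r"vchkpw-submission: vpopmail user not found .*:<HOST>", 3, 3600),
    "qmail-smtps-passfail": (r"vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>", 3, 3600),
    "qmail-smtps-usernotfound": (r"vchkpw-smtps: vpopmail user not found .*:<HOST>", 3, 3600),
    "qmail-smtp-authnotavail": (r"503 auth not available \(\#5\.3\.3\) - <HOST>", 3, 300),
}
COMPILED = {j: (re.compile(rx.replace("<HOST>", HOST_RE)), n, ft) for j, (rx, n, ft) in JAILS.items()}

def matches(line):
    """All (jail, host) pairs whose failregex hits this line, as fail2ban would see it."""
    hits = []
    for jail, (rx, _, _) in COMPILED.items():
        m = rx.search(line)
        if m:
            hits.append((jail, m.group("host")))
    return hits

def simulate(events):
    """events: (epoch_seconds, log_line) in time order -> {jail: set(banned hosts)}.
    A host is banned once maxretry hits fall inside a findtime-wide sliding window."""
    recent = defaultdict(deque)          # (jail, host) -> hit timestamps still in window
    banned = defaultdict(set)
    for ts, line in events:
        for jail, host in matches(line):
            _, maxretry, findtime = COMPILED[jail]
            q = recent[(jail, host)]
            q.append(ts)
            while ts - q[0] > findtime:  # age out hits older than findtime
                q.popleft()
            if len(q) >= maxretry:
                banned[jail].add(host)
    return dict(banned)

# Constructed sample lines in the shape vpopmail writes to maillog and the qmail
# SMTP transaction log uses (not captured from a real server).
SAMPLE = [
    (0,   "Mar 26 14:59:01 mx vpopmail[2231]: vchkpw-submission: password fail (pass: 'x') bob@example.com:203.0.113.5"),
    (0,   "@40000000660308c10b1f2a3c server: 503 auth not available (#5.3.3) - 192.0.2.9"),
    (60,  "Mar 26 15:00:01 mx vpopmail[2240]: vchkpw-submission: password fail (pass: 'y') bob@example.com:203.0.113.5"),
    (100, "@40000000660308c10b1f2a3c server: 503 auth not available (#5.3.3) - 192.0.2.9"),
    (120, "Mar 26 15:01:01 mx vpopmail[2244]: vchkpw-submission: password fail (pass: 'z') bob@example.com:203.0.113.5"),
    (500, "@40000000660308c10b1f2a3c server: 503 auth not available (#5.3.3) - 192.0.2.9"),  # >300 s later: window reset
]
```

Running simulate(SAMPLE) bans only 203.0.113.5 in qmail-submission-passfail; the three 503 replies from 192.0.2.9 never fall inside one 300-second window, so that jail stays empty.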
# Set up logging for the "auth not available" (503) filter
The qmail-smtp-authnotavail jail reads /var/log/qmail/smtptx/current, which only exists once SMTP transactions are logged. In order to log SMTP transactions do the following:
1) # qmailctl stop
2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp
3) Replace the contents of the '/var/qmail/supervise/smtp/log/run' script with the script below, which sends the transaction lines (server:/client:) to a separate log directory and everything else to the normal smtp log:
#!/bin/sh
LOGSIZE=`cat /var/qmail/control/logsize`
LOGCOUNT=`cat /var/qmail/control/logcount`
exec /usr/bin/setuidgid qmaill \
  /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
  '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
  '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
4) # qmailctl start && qmailctl cdb
5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
# Start fail2ban
# systemctl start fail2ban
# Script to check blocking (the heredoc delimiter is quoted so that $FILTER is written into the script literally instead of being expanded, empty, by the shell writing the file)
# cat >./f2bstat << 'EOL'
#!/bin/bash
# Print the fail2ban status of every qmail jail defined above
for FILTER in qmail-submission-passfail \
              qmail-submission-usernotfound \
              qmail-smtps-passfail \
              qmail-smtps-usernotfound \
              qmail-smtp-authnotavail
do
  fail2ban-client status $FILTER
  echo ""
done
EOL
# Set permissions & run script (w/output sample)
# chmod 755 ./f2bstat && ./f2bstat
qmail-submission-passfail:
Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-submission-usernotfound:
Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-passfail:
Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-usernotfound:
Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72

qmail-smtp-authnotavail:
Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list: