Fail2ban: Difference between revisions

(Created page with "# Install fail2ban # yum install fail2ban -y # Create the filter definition files in filter.d # cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL [Definition] #Looks for failed auth outside TLS to SMTP failregex = 503 auth not available \(\#5\.3\.3\) - <HOST> ignoreregex = EOL # cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL [Definition] #Looks for failed password logins to SMTP failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>...")
 
No edit summary
Line 1: Line 1:
# Install fail2ban
# Install fail2ban


# yum install fail2ban -y
# yum install fail2ban -y


# Create the filter definition files in filter.d
# Create the filter definition files in filter.d


# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
[Definition]
[Definition]
#Looks for failed auth outside TLS to SMTP
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
ignoreregex =
EOL
EOL


# cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL
# cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL
[Definition]
[Definition]
#Looks for failed password logins to SMTP
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
ignoreregex =
EOL
EOL


# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
[Definition]
[Definition]
#Looks for failed password logins to SMTP
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
ignoreregex =
EOL
EOL


# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
[Definition]
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
ignoreregex =
EOL
EOL


# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
[Definition]
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
ignoreregex =
EOL
EOL


# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
[Definition]
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
ignoreregex =
EOL
EOL


# Add filter definitions to jail.conf
# Add filter definitions to jail.conf


# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`


# cat >>/etc/fail2ban/jail.conf << EOL
# cat >>/etc/fail2ban/jail.conf << EOL


[qmail-submission-passfail]
[qmail-submission-passfail]
enabled = true
enabled = true
filter  = qmail-submission-passfail
filter  = qmail-submission-passfail
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
logpath = /var/log/maillog
maxretry = 3
maxretry = 3
bantime  = 86400
bantime  = 86400
findtime = 3600
findtime = 3600
backend = auto
backend = auto


[qmail-submission-usernotfound]
[qmail-submission-usernotfound]
enabled = true
enabled = true
filter  = qmail-submission-usernotfound
filter  = qmail-submission-usernotfound
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
logpath = /var/log/maillog
maxretry = 3
maxretry = 3
bantime  = 86400
bantime  = 86400
findtime = 3600
findtime = 3600
backend = auto
backend = auto


[qmail-smtps-passfail]
[qmail-smtps-passfail]
enabled  = true
enabled  = true
filter  = qmail-smtps-passfail
filter  = qmail-smtps-passfail
action  = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
action  = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath  = /var/log/maillog
logpath  = /var/log/maillog
maxretry = 3
maxretry = 3
bantime  = 86400
bantime  = 86400
findtime = 3600
findtime = 3600
backend = auto
backend = auto


[qmail-smtps-usernotfound]
[qmail-smtps-usernotfound]
enabled = true
enabled = true
filter = qmail-smtps-usernotfound
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
logpath = /var/log/maillog
maxretry = 3
maxretry = 3
bantime  = 86400
bantime  = 86400
findtime = 3600
findtime = 3600
backend = auto
backend = auto<br>
[qmail-smtp-authnotavail]
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto<br>
EOL


[qmail-smtp-authnotavail]
# Set up Authorization not available
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
 
EOL
 
# Set up Authorization not available


   In order to log SMTP transactions do the following:
   In order to log SMTP transactions do the following:
Line 119: Line 117:
   5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
   5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal


# Start fail2ban
# Start fail2ban


# systemctl start fail2ban
# systemctl start fail2ban




# Script to check blocking
# Script to check blocking


# cat >./f2bstat << EOL
# cat >./f2bstat << EOL
#!/bin/bash
#!/bin/bash


for FILTER in qmail-submission-passfail \
for FILTER in qmail-submission-passfail \
               qmail-submission-usernotfound \
               qmail-submission-usernotfound \
               qmail-smtps-passfail \
               qmail-smtps-passfail \
               qmail-smtps-usernotfound \
               qmail-smtps-usernotfound \
               qmail-smtp-authnotavail
               qmail-smtp-authnotavail
do
do
  fail2ban-client status $FILTER
    fail2ban-client status $FILTER
  echo ""
    echo ""
done
done<br>
 
EOL
EOL


# Set permissions & run script (w/output sample)
# Set permissions & run script (w/output sample)


# chmod 755 ./f2bstat && ./f2bstat
# chmod 755 ./f2bstat && ./f2bstat


qmail-submission-passfail:
qmail-submission-passfail:


Status for the jail: qmail-submission-passfail
Status for the jail: qmail-submission-passfail
|- Filter
|- Filter
|  |- Currently failed: 1
|  |- Currently failed: 1
|  |- Total failed:    1
|  |- Total failed:    1
|  `- File list:        /var/log/maillog
|  `- File list:        /var/log/maillog
`- Actions
`- Actions
  |- Currently banned: 0
    |- Currently banned: 0
  |- Total banned:    0
    |- Total banned:    0
  `- Banned IP list:
    `- Banned IP list:


qmail-submission-usernotfound:
qmail-submission-usernotfound:


Status for the jail: qmail-submission-usernotfound
Status for the jail: qmail-submission-usernotfound
|- Filter
|- Filter
|  |- Currently failed: 7
|  |- Currently failed: 7
|  |- Total failed:    7
|  |- Total failed:    7
|  `- File list:        /var/log/maillog
|  `- File list:        /var/log/maillog
`- Actions
`- Actions
  |- Currently banned: 0
    |- Currently banned: 0
  |- Total banned:    0
    |- Total banned:    0
  `- Banned IP list:
    `- Banned IP list:


qmail-smtps-passfail:
qmail-smtps-passfail:


Status for the jail: qmail-smtps-passfail
Status for the jail: qmail-smtps-passfail
|- Filter
|- Filter
|  |- Currently failed: 0
|  |- Currently failed: 0
|  |- Total failed:    0
|  |- Total failed:    0
|  `- File list:        /var/log/maillog
|  `- File list:        /var/log/maillog
`- Actions
`- Actions
  |- Currently banned: 0
    |- Currently banned: 0
  |- Total banned:    0
    |- Total banned:    0
  `- Banned IP list:
    `- Banned IP list:


qmail-smtps-usernotfound:
qmail-smtps-usernotfound:


Status for the jail: qmail-smtps-usernotfound
Status for the jail: qmail-smtps-usernotfound
|- Filter
|- Filter
|  |- Currently failed: 0
|  |- Currently failed: 0
|  |- Total failed:    0
|  |- Total failed:    0
|  `- File list:        /var/log/maillog
|  `- File list:        /var/log/maillog
`- Actions
`- Actions
  |- Currently banned: 2
    |- Currently banned: 2
  |- Total banned:    2
    |- Total banned:    2
  `- Banned IP list:  5.34.207.174 212.70.149.72
    `- Banned IP list:  5.34.207.174 212.70.149.72


qmail-smtp-authnotavail:
qmail-smtp-authnotavail:


Status for the jail: qmail-smtp-authnotavail
Status for the jail: qmail-smtp-authnotavail
|- Filter
|- Filter
|  |- Currently failed: 0
|  |- Currently failed: 0
|  |- Total failed:    0
|  |- Total failed:    0
|  `- File list:        /var/log/qmail/smtptx/current
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
`- Actions
  |- Currently banned: 0
    |- Currently banned: 0
  |- Total banned:    0
    |- Total banned:    0
  `- Banned IP list:
    `- Banned IP list:
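Review bot: The new side's `[qmail-smtp-authnotavail]` jail (the lines after `backend = auto<br>`) relies on `<br>` tags for line breaks inside a preformatted block, and the current revision renders the whole jail on a single line, so a copy-paste would append one unparseable key line to jail.conf; plain newlines should be restored there. That heredoc also appends to jail.conf directly, whereas fail2ban's own jail.conf header asks for site jails to go into jail.local or a drop-in under jail.d/. Separately, `cat >./f2bstat << EOL` keeps an unquoted delimiter, so `$FILTER` in `fail2ban-client status $FILTER` is expanded by the calling shell before the script is written; `cat >./f2bstat << 'EOL'` keeps it literal. The backup step `jail.conf.bak-\`date\`` word-splits the date output into several arguments so cp fails; `$(date +%Y%m%d%H%M%S)` yields one token.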

Revision as of 14:59, 26 March 2024

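# Install fail2ban
# yum install fail2ban -y

# Create the filter definition files in filter.d
# The heredoc delimiter is quoted ('EOL') so the shell writes each regex
# verbatim; with an unquoted delimiter, $, backticks and some backslash
# sequences would be interpreted before the file is written.
# Every failregex must contain the <HOST> placeholder, which fail2ban
# replaces with its address-matching pattern to find the source to ban.

# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << 'EOL'
[Definition]
# Matches clients rejected with "503 auth not available", i.e. AUTH
# attempted without TLS on the plain SMTP port. Read from the smtptx log
# (/var/log/qmail/smtptx/current), which must be set up separately.
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL

# (Earlier revisions also created qmail-smtps-auth.conf with exactly the same
#  failregex as qmail-smtps-passfail.conf; no jail references it, so it is
#  not created here.)

# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf << 'EOL'
[Definition]
# Matches a failed password login over SMTPS (vchkpw-smtps), read from
# /var/log/maillog.
# NOTE(review): the parentheses in ([^)]*) form a regex group rather than
# matching literal parentheses; the pattern still matches as long as the line
# ends in user@domain:IP, but confirm against a real log line with
# fail2ban-regex (same applies to qmail-submission-passfail).
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf << 'EOL'
[Definition]
# Matches a login attempt for a non-existent vpopmail user over SMTPS.
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf << 'EOL'
[Definition]
# Matches a failed password login on the submission port (vchkpw-submission).
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf << 'EOL'
[Definition]
# Matches a login attempt for a non-existent vpopmail user on submission.
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# Check a filter against the live log before enabling its jail, e.g.:
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/qmail-smtps-passfail.conf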
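# Add the jails
# fail2ban's own jail.conf header says not to edit that file; site jails go
# in jail.local or in a drop-in under /etc/fail2ban/jail.d/, which fail2ban
# reads in addition to jail.conf. A dated backup of jail.conf is still taken
# in case it was hand-edited earlier. (The previous command used an unquoted
# `date`, whose output word-splits into several arguments so cp fails; a
# +FORMAT without spaces yields a single token.)
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-$(date +%Y%m%d%H%M%S)

# cat >/etc/fail2ban/jail.d/qmail.local << 'EOL'
# QmailToaster jails.
# bantime and findtime are seconds. Before enabling, check that ignoreip
# (normally set in [DEFAULT] of jail.conf) covers your own admin hosts so a
# mistyped password cannot lock you out. The iptables action blocks only the
# jail's port; use iptables-allports to drop all traffic from a banned host.

[qmail-submission-passfail]
# Wrong password on the submission port (587), read from /var/log/maillog.
enabled = true
filter = qmail-submission-passfail
action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-submission-usernotfound]
# Unknown user on the submission port (587).
enabled = true
filter = qmail-submission-usernotfound
action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-smtps-passfail]
# Wrong password over SMTPS (465).
enabled = true
filter = qmail-smtps-passfail
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-smtps-usernotfound]
# Unknown user over SMTPS (465).
enabled = true
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qmail-smtp-authnotavail]
# AUTH attempted without TLS on plain SMTP (25). Reads the smtptx log that
# the next section sets up; create that log first, because a jail whose
# logpath does not exist will not start. findtime is deliberately shorter
# (5 minutes) than for the password jails.
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
EOL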
# Set up SMTP transaction logging for the qmail-smtp-authnotavail filter
  In order to log SMTP transactions do the following:
  1) # qmailctl stop
  2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
  3) Replace the contents of the '/var/qmail/supervise/smtp/log/run' script with the script below, which writes the SMTP transaction lines to a separate log file:
     
     #!/bin/sh
     # supervise "run" script for the qmail smtp log service.
     # Size and count limits for multilog come from qmail's control files.
     size_limit=$(cat /var/qmail/control/logsize)
     file_count=$(cat /var/qmail/control/logcount)
     # Two multilog outputs: lines containing "server:[" or "client:[" (the
     # SMTP transaction trace) go to /var/log/qmail/smtptx, every other line
     # to /var/log/qmail/smtp. 't' prefixes a TAI64N timestamp, which is why
     # the log is read through tai64nlocal. multilog's stderr is merged into
     # stdout.
     exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s$size_limit n$file_count \
       '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
       '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
  4) # qmailctl start && qmailctl cdb
  5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
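# Start fail2ban
# Enable the service as well so the jails come back after a reboot, then
# list the loaded jails to confirm every qmail jail started.
# systemctl enable fail2ban
# systemctl start fail2ban
# fail2ban-client status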


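# Script to check blocking
# The delimiter is quoted so "$jail" is written into the script literally;
# with an unquoted delimiter the creating shell expands the variable (to an
# empty string) before the file is written, and the script then prints the
# global status five times instead of one jail each.
# cat >./f2bstat << 'EOL'
#!/bin/bash
# f2bstat - print the fail2ban status of each QmailToaster jail.
# The names must match the jail sections configured above.
for jail in qmail-submission-passfail \
            qmail-submission-usernotfound \
            qmail-smtps-passfail \
            qmail-smtps-usernotfound \
            qmail-smtp-authnotavail
do
    fail2ban-client status "$jail"
    echo ""
done
EOL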
# Set permissions & run script (w/output sample)
# chmod 755 ./f2bstat && ./f2bstat
qmail-submission-passfail:
Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
qmail-submission-usernotfound:
Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
qmail-smtps-passfail:
Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
qmail-smtps-usernotfound:
Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72
qmail-smtp-authnotavail:
Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list: