
Fail2Ban

(Difference between revisions)

(add another filter)
m (tidy up rule)
Line 15: Line 15:
To work with Qmail/vpopmail, a filter and jail should be defined.
To work with Qmail/vpopmail, a filter and jail should be defined.
* Create a filter
* Create a filter
-
       # vi /etc/fail2ban/filter.d/vpopmail-fail.conf
+
       # vi /etc/fail2ban/filter.d/password-fail.conf
       [Definition]
       [Definition]
       #Looks for failed password logins to SMTP
       #Looks for failed password logins to SMTP
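Review bot: renaming the filter file from vpopmail-fail.conf to password-fail.conf means every reference to the old name must change with it: the jail's `filter = ` line, the `fail2ban-regex` test command and the `fail2ban-client status` examples. Any leftover `vpopmail-fail` reference (the "Basic admin stuff" section of this page still has one) will make fail2ban report an unknown filter or jail.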
Line 21: Line 21:
       ignoreregex =
       ignoreregex =
-
       # vi /etc/fail2ban/filter.d/qmail-pop3.conf  
+
       # vi /etc/fail2ban/filter.d/username-notfound.conf  
       [Definition]
       [Definition]
       # Option: failregex
       # Option: failregex
Line 38: Line 38:
* Create a jail (add these lines)
* Create a jail (add these lines)
       # vi /etc/fail2ban/jail.conf   
       # vi /etc/fail2ban/jail.conf   
-
       [vpopmail-fail]
+
       [password-fail]
       enabled  = true
       enabled  = true
-
       filter  = vpopmail-fail
+
       filter  = password-fail
       action  = iptables[name=SMTP, port=smtp, protocol=tcp]
       action  = iptables[name=SMTP, port=smtp, protocol=tcp]
       logpath  = /var/log/maillog
       logpath  = /var/log/maillog
-
       maxretry = 1
+
       maxretry = 3
-
       bantime  = 604800
+
       bantime  = 86400
       findtime = 3600
       findtime = 3600
-
       [qmail-pop3]
+
       [username-notfound]
       enable = true
       enable = true
-
       filter = qmail-pop3
+
       filter = username-notfound
-
       action = shorewall
+
       action = iptables[name=SMTP, port=smtp, protocol=tcp]
-
      sendmail[name="Qmail Pop3 user fail", dest=changethis@yourdomain.com]
+
       logpath = /var/log/maillog
-
       logpath = /your/path/to/pop3/logs
+
       maxretry = 3
       maxretry = 3
-
       bantime = 600
+
       bantime = 86400
 +
      findtime = 3600
* Test the filter file (Returns something like this, with n matches for the regex or 0 if no matches):
* Test the filter file (Returns something like this, with n matches for the regex or 0 if no matches):
-
       # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf
+
       # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
       Failregex
       Failregex
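Review bot: the `[username-notfound]` jail keeps `enable = true` while `[password-fail]` uses `enabled  = true`; fail2ban's jail option is spelled `enabled`, so as written the new jail is never activated and only the SMTP password-fail jail does anything. Change the line to `enabled = true`. Dropping the `sendmail[...]` notification action and the `/your/path/to/pop3/logs` placeholder in favour of the single `iptables[...]` action on `/var/log/maillog` is consistent with the first jail.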
Line 71: Line 71:
* Check the status of a jail:
* Check the status of a jail:
-
       # fail2ban-client status vpopmail-fail
+
       # fail2ban-client status password-fail
-
       Status for the jail: vpopmail-fail
+
       Status for the jail: password-fail
       |- filter
       |- filter
       |  |- File list:        /var/log/maillog
       |  |- File list:        /var/log/maillog

Revision as of 09:05, 8 March 2011

Basic fail2ban installation and setup


Installation

Install EPEL Repos

     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm

Install fail2ban:

     # yum install fail2ban

Setup

To work with Qmail/vpopmail, a filter and jail should be defined.

* Create a filter

     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     #Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =

     # vi /etc/fail2ban/filter.d/username-notfound.conf
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-pop3: vpopmail user not found .*:<HOST>

     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex =

* Create a jail (add these lines)

     # vi /etc/fail2ban/jail.conf
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600

     [username-notfound]
     enabled  = true
     filter   = username-notfound
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600

* Test the filter file (returns something like this, with n matches for the regex or 0 if no matches):

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
       [1] 123 match(es)

* Restart fail2ban and check the status of a jail:

     # fail2ban-client stop
     # fail2ban-client start
     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
       |- Currently banned: 109
       | `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109
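To check the two filters offline before pointing them at a live maillog, here is an added Python example (not from this wiki or the fail2ban project) that applies the page's failregexes, with `<HOST>` expanded to the alias quoted in the username-notfound filter comment, to constructed log lines and reports per-host hit counts against the jail's maxretry. The log lines, addresses and passwords in the sample are made up.

```python
import re
from collections import defaultdict

# failregex definitions copied from the two filter files above; <HOST> is
# expanded to the alias quoted in the username-notfound filter comment.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FILTERS = {
    "password-fail": r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "username-notfound": r"vchkpw-pop3: vpopmail user not found .*:<HOST>",
}
COMPILED = {n: re.compile(rx.replace("<HOST>", HOST)) for n, rx in FILTERS.items()}

# Constructed sample of /var/log/maillog lines in vchkpw's format (made-up
# addresses and passwords; the last line is a success and must not match).
SAMPLE_LOG = """\
Mar  8 09:01:02 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'secret') bob@example.com:203.0.113.5
Mar  8 09:01:10 mail vpopmail[1235]: vchkpw-smtp: password fail (pass: 'hunter2') bob@example.com:203.0.113.5
Mar  8 09:01:20 mail vpopmail[1236]: vchkpw-smtp: password fail (pass: 'letmein') bob@example.com:203.0.113.5
Mar  8 09:02:00 mail vpopmail[1237]: vchkpw-pop3: vpopmail user not found nobody@example.com:198.51.100.7
Mar  8 09:02:30 mail vpopmail[1238]: vchkpw-smtp: login success alice@example.com:192.0.2.9
"""


def scan(log_text, filter_name):
    """Count matching lines per <HOST> for one filter: the per-host view of
    what fail2ban-regex reports as "N match(es)"."""
    rx = COMPILED[filter_name]
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def would_ban(hits, maxretry=3):
    """Hosts that reach the jail's maxretry. The sample spans a few minutes,
    so every hit is assumed to fall inside one findtime window (3600 s)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name in FILTERS:
        hits = scan(SAMPLE_LOG, name)
        print(f"{name}: {hits} -> would ban {would_ban(hits)}")
```

Swap SAMPLE_LOG for the contents of a real maillog to see which hosts each jail would ban with maxretry = 3, and to confirm that successful logins never count as failures.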

NOTE: Once fail2ban is running and the logs contain matching strings, it creates iptables rules dropping those IPs. But after a fail2ban reload, an iptables restart, a reboot, or the weekly logrotate, those rules are gone. bye bye! So what to do?

     # service iptables save
     # service iptables restart


Basic admin stuff

        # fail2ban-client status password-fail
        # iptables -L -nv
        # cat /etc/fail2ban/ip.deny
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
