Fail2Ban
(Difference between revisions)
(This is an edit to include fail2ban for blocking spamming hosts) |
|||
Line 35: | Line 35: | ||
# Values: TEXT | # Values: TEXT | ||
ignoreregex = | ignoreregex = | ||
+ | |||
+ | |||
+ | # vi /etc/fail2ban/filter.d/dos-hosts.conf | ||
+ | [Definition] | ||
+ | failregex = rblsmtpd: <HOST> .*: 451 Blocked | ||
+ | CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay | ||
+ | CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient | ||
+ | .* rblsmtpd: <HOST> | ||
+ | |||
+ | |||
+ | |||
* Create a jail (add these lines) | * Create a jail (add these lines) | ||
Line 53: | Line 64: | ||
logpath = /var/log/maillog | logpath = /var/log/maillog | ||
maxretry = 3 | maxretry = 3 | ||
+ | bantime = 86400 | ||
+ | findtime = 3600 | ||
+ | |||
+ | |||
+ | # Hosts insisting on delivering spam | ||
+ | [dos-hosts] | ||
+ | enable = true | ||
+ | filter = dos-hosts | ||
+ | action = iptables[name=SMTP, port=smtp, protocol=tcp] | ||
+ | logpath = /var/log/qmail/smtp/current | ||
+ | maxretry = 5 | ||
bantime = 86400 | bantime = 86400 | ||
findtime = 3600 | findtime = 3600 |
Revision as of 04:44, 14 May 2011
Basic fail2ban installation and setup
Contents |
Installation
Install EPEL Repos
- For CentOS 5 i386:
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
- For CentOS 4:
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm
Instal fail2ban:
# yum install fail2ban
Setup
To work with Qmail/vpopmail, a filter and jail should be defined.
- Create a filter
# vi /etc/fail2ban/filter.d/password-fail.conf [Definition] #Looks for failed password logins to SMTP failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST> ignoreregex =
# vi /etc/fail2ban/filter.d/username-notfound.conf [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. # The host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT failregex = vchkpw-smtp: vpopmail user not found .*:<HOST> # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex =
# vi /etc/fail2ban/filter.d/dos-hosts.conf [Definition] failregex = rblsmtpd: <HOST> .*: 451 Blocked CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient .* rblsmtpd: <HOST>
- Create a jail (add these lines)
# vi /etc/fail2ban/jail.conf [password-fail] enabled = true filter = password-fail action = iptables[name=SMTP, port=smtp, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600
[username-notfound] enable = true filter = username-notfound action = iptables[name=SMTP, port=smtp, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600
- Hosts insisting on delivering spam
[dos-hosts] enable = true filter = dos-hosts action = iptables[name=SMTP, port=smtp, protocol=tcp] logpath = /var/log/qmail/smtp/current maxretry = 5 bantime = 86400 findtime = 3600
- Test the filter file (Returns something like this, with n matches for the regex or 0 if no matches):
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
Failregex |- Regular expressions: | [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST> | `- Number of matches: [1] 123 match(es)
- Reload config:
# fail2ban-client stop # fail2ban-client start
- Check the status of a jail:
# fail2ban-client status password-fail
Status for the jail: password-fail |- filter | |- File list: /var/log/maillog | |- Currently failed: 7 | `- Total failed: 225 `- action |- Currently banned: 109 | `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17 `- Total banned: 109
NOTE: Once its starts running and the logs have matching strings, it will create iptables rules dropping that IP. But when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So what to do?
- Before changes, write existing iptables rules to file
# service iptables save
- And after any change load the saved set of rules
# service iptables restart
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny
Basic admin stuff
- Check banned IPs:
- from fail2ban:
# fail2ban-client status vpopmail-fail
- from current iptables rules:
# iptables -L -nv
- To see IPs that fail2ban is saving for the next reload:
# cat /etc/fail2ban/ip.deny
- How to unblock an IP:
- Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
- Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
- Remove it from /etc/sysconfig/iptables (maybe listed several times).
References
[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
[4] fail2ban homepage: http://www.fail2ban.org