
Fail2Ban


Latest revision as of 08:57, 9 December 2011

Basic fail2ban installation and setup

fail2ban homepage: http://www.fail2ban.org [4]. The qmailtoaster-list threads [0] and [1] have more background on this setup.

Installation

Install the EPEL repository for your CentOS release (see [2]), then install fail2ban from it. The release packages and URLs below are the ones this page was written against (CentOS 4/5 era); on a current system use the epel-release package for your release from dl.fedoraproject.org instead. Note that rpm -Uvh on a downloaded package only warns (NOKEY) when the signing key is not yet installed and still installs it, so do not treat a plain-http download as verified.

* For CentOS 5 i386:

     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

* For CentOS 4:

     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm

Install fail2ban:

     # yum install fail2ban

Setup

To work with Qmail/vpopmail, two things must be defined: a filter (the regex that recognises a failed login in the log) and a jail (which log to watch, which action to take, and after how many matches).

Configure Filter

Create a filter file in /etc/fail2ban/filter.d/ or edit an existing one. The file name without the .conf suffix is the filter name that the jail refers to.

* password-fail filter:

     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     #Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =

* username-notfound filter:

     # vi /etc/fail2ban/filter.d/username-notfound.conf
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>

     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex =

* dos-hosts filter (watches the qmail smtp log rather than maillog; the last pattern matches any rblsmtpd line, so the first one is a subset of it):

     # vi /etc/fail2ban/filter.d/dos-hosts.conf
     [Definition]
     failregex = rblsmtpd: <HOST> .*: 451 Blocked
                 CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
                 CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
                 .* rblsmtpd: <HOST>

* vpopmail filter (POP3):

     # vi /etc/fail2ban/filter.d/vpopmail.conf
     # Fail2Ban configuration file
     # Author: Christoph Haas
     # Modified by: Ole Johansen - CDS
     # $Revision: 510 $

     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT

     failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>

     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT

     ignoreregex =

* squirrelmail filter (the Italian text in the regex means "Unknown user or wrong password"; use the string your SquirrelMail locale writes to the log):

     # vi /etc/fail2ban/filter.d/squirrelmail.conf
     # squirrelmail's Fail2Ban configuration file
     # you must install the squirrel_logger plugin into Squirrelmail
     # to use this filter/jail

     [Definition]
     # the failregex value must match the line written in squirrelmail.log
     # the example below is using Italian
     failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
     ignoreregex =

Configure Jail

Create a jail for each filter by adding (or editing) these sections in /etc/fail2ban/jail.conf. Each jail names its filter, the log to watch and the action to take; maxretry matches from one address within findtime seconds trigger the action, and the ban lasts bantime seconds (-1 in the [vpopmail] jail means the ban never expires in this fail2ban version). The iptables action creates a chain named fail2ban-<name> (here fail2ban-SMTP, fail2ban-pop3 and fail2ban-SquirrelMail), which is what the admin commands further down refer to. Before enabling anything, list your own management addresses in ignoreip under [DEFAULT], otherwise one mistyped password from your workstation locks you out of your mail server.

     # vi /etc/fail2ban/jail.conf

     # password-fail
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600

     # username-notfound
     [username-notfound]
     enabled  = true
     filter   = username-notfound
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600

     # dos-hosts - Hosts insisting on delivering spam
     [dos-hosts]
     enabled  = true
     filter   = dos-hosts
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/qmail/smtp/current
     maxretry = 5
     bantime  = 86400
     findtime = 3600

     # vpopmail
     [vpopmail]
     enabled  = true
     port     = pop3
     filter   = vpopmail
     action   = iptables[name=pop3, port=pop3, protocol=tcp]
                sendmail-whois[name=pop3,dest=y...@email.domain, sender=em...@adr]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = -1

     # squirrelmail
     [squirrelmail-iptables]
     enabled  = true
     filter   = squirrelmail
     action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
                sendmail-whois[name=SquirrelMail,dest=root, sender=fail2ban@example.it]
     # adjust logpath with Squirrelmail's squirrel_logger plugin log
     logpath  = /var/log/squirrelmail.log
     maxretry = 5

The mail action in the [vpopmail] jail is sendmail-whois (the action file shipped with fail2ban is sendmail-whois.conf); the dest and sender addresses are placeholders to fill in. A second action on a continuation line must be indented more than the action keyword, as shown. If webmail is served over HTTPS, the squirrelmail jail above only blocks port 80: use the iptables-multiport action with port="http,https" in that case.

Test Filter

Test each filter against the real log before enabling its jail. fail2ban-regex takes the log file and the filter file (or a bare regex) and reports, per failregex, how many lines matched (0 if none). A count of 0 on a log that you know contains failures means the regex does not fit your log format and the jail would silently do nothing; a count that looks like every line in the log means the regex is too loose and would ban legitimate clients, so also check the addresses it reports.

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
       [1] 123 match(es)
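To check the filters and the jail thresholds without a live server, here is an added example in Python (not from this page or from fail2ban itself). It expands <HOST> exactly as fail2ban's filter comments above describe, searches the page's three vpopmail failregexes in constructed maillog lines, and applies each jail's maxretry/findtime rule to decide what would be banned. The log lines and addresses are constructed, and the 600 s findtime assumed for the [vpopmail] jail (which sets none) is the default of the jail.conf of that era; fail2ban additionally strips the recognised timestamp before matching, which makes no difference for these unanchored patterns.

```python
"""Offline check of this page's vpopmail filters and jail thresholds.
Added example, not from the page or from fail2ban; all log lines are constructed."""
import re
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this (the alias quoted in the filter comments)
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines copied from the page's filter files
FILTERS = {
    "password-fail":     [r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"],
    "username-notfound": [r"vchkpw-smtp: vpopmail user not found .*:<HOST>"],
    "vpopmail":          [r"vchkpw-pop3: vpopmail user not found .*@:<HOST>"],
}
# maxretry/findtime from the page's jail.conf; [vpopmail] sets no findtime,
# so the 600 s default of the 0.8-era jail.conf is assumed here
JAILS = {
    "password-fail":     {"maxretry": 3, "findtime": 3600},
    "username-notfound": {"maxretry": 3, "findtime": 3600},
    "vpopmail":          {"maxretry": 3, "findtime": 600},
}
COMPILED = {jail: [re.compile(p.replace("<HOST>", HOST)) for p in pats]
            for jail, pats in FILTERS.items()}


def match_line(jail, line):
    """Return the address captured by the jail's filter, or None when no failregex matches.
    As in fail2ban, the pattern is searched (unanchored) within the line."""
    for rx in COMPILED[jail]:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line):
    """Parse the 'Mon dd HH:MM:SS' prefix syslog writes to /var/log/maillog (year is irrelevant here)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(lines):
    """Replay log lines through every jail and return {jail: sorted banned addresses}.
    An address is banned once maxretry matches fall inside one findtime window,
    which is the rule the jail.conf settings express."""
    recent = {jail: {} for jail in JAILS}       # jail -> host -> match times still inside the window
    banned = {jail: set() for jail in JAILS}
    for line in lines:
        now = syslog_time(line)
        for jail, cfg in JAILS.items():
            host = match_line(jail, line)
            if host is None:
                continue
            window = timedelta(seconds=cfg["findtime"])
            times = [t for t in recent[jail].get(host, []) if now - t <= window]
            times.append(now)
            recent[jail][host] = times
            if len(times) >= cfg["maxretry"]:
                banned[jail].add(host)
    return {jail: sorted(hosts) for jail, hosts in banned.items()}


# Constructed maillog lines (syslog prefix + vchkpw message); addresses are documentation ranges
SAMPLE_LOG = [
    # three bad passwords for one account within 20 s: reaches maxretry=3 inside findtime
    "Dec  9 08:00:01 mail vpopmail[2191]: vchkpw-smtp: password fail (pass: 'guess1') admin@example.com:203.0.113.5",
    "Dec  9 08:00:09 mail vpopmail[2192]: vchkpw-smtp: password fail (pass: 'guess2') admin@example.com:203.0.113.5",
    "Dec  9 08:00:20 mail vpopmail[2193]: vchkpw-smtp: password fail (pass: 'guess3') admin@example.com:203.0.113.5",
    # a single typo from a legitimate client: stays below maxretry
    "Dec  9 08:05:00 mail vpopmail[2201]: vchkpw-smtp: password fail (pass: 'oops') bob@example.com:198.51.100.9",
    # three unknown-user probes 70 min apart: never three inside the 3600 s window
    "Dec  9 09:00:00 mail vpopmail[2301]: vchkpw-smtp: vpopmail user not found nobody@example.com:192.0.2.77",
    "Dec  9 10:10:00 mail vpopmail[2302]: vchkpw-smtp: vpopmail user not found nobody@example.com:192.0.2.77",
    "Dec  9 11:20:00 mail vpopmail[2303]: vchkpw-smtp: vpopmail user not found nobody@example.com:192.0.2.77",
    # POP3 probes written in the 'user@:' form the page's regex expects, three times in 2 s
    "Dec  9 12:00:00 mail vpopmail[2401]: vchkpw-pop3: vpopmail user not found root@:192.0.2.200",
    "Dec  9 12:00:01 mail vpopmail[2402]: vchkpw-pop3: vpopmail user not found root@:192.0.2.200",
    "Dec  9 12:00:02 mail vpopmail[2403]: vchkpw-pop3: vpopmail user not found root@:192.0.2.200",
    # the page's POP3 regex requires '@:', so a user@domain probe is not counted at all
    "Dec  9 12:01:00 mail vpopmail[2404]: vchkpw-pop3: vpopmail user not found root@example.com:192.0.2.201",
]

if __name__ == "__main__":
    for jail, hosts in scan(SAMPLE_LOG).items():
        print(f"{jail}: would ban {hosts or 'nothing'}")
```

The last two sample lines show the point of testing: the page's POP3 regex only counts lines with an empty domain part, so a probe against root@example.com is invisible to the [vpopmail] jail, and the three spaced-out unknown-user probes never trigger a ban because findtime is a sliding window, not a lifetime counter.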

Reload Config

Restart fail2ban so it reads the new filters and jails. Stopping it also removes the fail2ban iptables chains, so all current bans are dropped (see Note below).

     # fail2ban-client stop
     # fail2ban-client start

Check Jail Status

     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
        |- Currently banned: 109
        |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109


Note

Once fail2ban is running and the logs contain matching lines, it inserts iptables rules (in its fail2ban-<name> chains) dropping traffic from each offending IP. Those rules exist only in the running kernel: a fail2ban reload, an iptables restart, a reboot and, in this author's experience, the weekly logrotate all leave you without them. So what to do?

* Before making changes, write the current iptables rules to file:

     # service iptables save

* After any change, load the saved rule set again:

     # service iptables restart

* Tune fail2ban to write banned IPs to /etc/fail2ban/ip.deny so they can be re-applied at start, as described in [3].

Basic admin stuff

* Check banned IPs:
** as fail2ban sees them (give the name of the jail you are interested in):
        # fail2ban-client status password-fail
** in the current iptables rules:
        # iptables -L -nv
** that fail2ban is saving for the next reload (only with the ip.deny setup from [3] in place):
        # cat /etc/fail2ban/ip.deny
* How to unblock an IP (11.22.33.44 stands for the address to release):
** Delete it from the current iptables rules, in the chain of the jail that banned it:
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
** Remove it from /etc/fail2ban/ip.deny (it may be listed several times).
** Remove it from /etc/sysconfig/iptables (it may be listed several times).

fail2ban 0.8.8 and later also provide "fail2ban-client set <jail> unbanip <ip>", which removes the rule through fail2ban itself so its own ban list stays consistent with iptables.
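The three unblock steps above are easy to get subtly wrong by hand: a rule may be present more than once, and a grep for 11.22.33.4 also removes 11.22.33.44 lines. Here is an added example in Python (not from this page or from fail2ban) that performs the steps safely: it deletes the live rule until iptables reports none left, and edits the two files by whole-address match. The chain name and file paths are the ones this page uses; the iptables runner is injectable so the loop can be exercised without root.

```python
"""Unban one address following the page's 'How to unblock an IP' steps.
Added example, not from the page or from fail2ban. Deletes the live rule repeatedly
(the page notes an address may be listed several times) and edits the two files by
whole-address match, so removing 11.22.33.4 leaves lines for 11.22.33.44 alone."""
import ipaddress
import re
import shutil
import subprocess
from pathlib import Path

CHAIN = "fail2ban-SMTP"                       # chain created by iptables[name=SMTP] in the jails above
DENY_FILE = Path("/etc/fail2ban/ip.deny")     # the file the persistent-ban setup from [3] writes
RULES_FILE = Path("/etc/sysconfig/iptables")  # where 'service iptables save' stores the rule set


def remove_ip_lines(path, ip):
    """Drop every line of `path` that carries `ip` as a whole address; return the number dropped.
    The lookarounds refuse a digit or dot on either side, so for ip=11.22.33.44 the lines
    '11.22.33.44' and '-s 11.22.33.44/32' match while '111.22.33.44' and '11.22.33.4' do not."""
    path = Path(path)
    if not path.exists():
        return 0
    whole = re.compile(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])")
    kept, removed = [], 0
    for line in path.read_text().splitlines(keepends=True):
        if whole.search(line):
            removed += 1
        else:
            kept.append(line)
    if removed:
        path.write_text("".join(kept))
    return removed


def delete_live_rules(ip, chain=CHAIN, run=subprocess.run):
    """Run 'iptables -D <chain> -s <ip> -j DROP' until iptables says there is no such rule
    (-D removes one instance per call). `run` is injectable so the loop can be tested
    without root or iptables; returns how many rules were deleted."""
    cmd = ["iptables", "-D", chain, "-s", ip, "-j", "DROP"]
    deleted = 0
    while run(cmd, capture_output=True).returncode == 0:
        deleted += 1
        if deleted >= 1000:     # safety valve; a real chain never holds this many copies
            break
    return deleted


def unblock_ip(ip, deny_file=DENY_FILE, rules_file=RULES_FILE, run=subprocess.run):
    """The page's three steps in order: live rules, ip.deny, saved iptables rules."""
    ip = str(ipaddress.ip_address(ip))   # reject anything that is not an address before it reaches iptables
    can_run = run is not subprocess.run or shutil.which("iptables") is not None
    return {
        "iptables_rules_deleted": delete_live_rules(ip, run=run) if can_run else 0,
        "ip_deny_lines": remove_ip_lines(deny_file, ip),
        "sysconfig_lines": remove_ip_lines(rules_file, ip),
    }


if __name__ == "__main__":
    import sys
    print(unblock_ip(sys.argv[1]))
```

Run it as root with the address to release as the only argument; it prints how many live rules and file lines went away, so a result of all zeros tells you the address was banned by a different jail's chain (fail2ban-pop3, fail2ban-SquirrelMail) rather than by fail2ban-SMTP.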

References

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html

[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html

[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

[4] fail2ban homepage: http://www.fail2ban.org