Fail2Ban
Latest revision as of 08:57, 9 December 2011
Basic fail2ban installation and setup
Installation
Install EPEL Repos
- For CentOS 5 i386:
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
- For CentOS 4:
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm
Install fail2ban:
# yum install fail2ban
Setup
To work with Qmail/vpopmail, a filter and jail should be defined.
Configure Filter
Create a filter file in /etc/fail2ban/filter.d/ or edit an existing one. The filename (without the .conf extension) is the filter name that the jail refers to.
- password-fail filter:
# vi /etc/fail2ban/filter.d/password-fail.conf
[Definition]
# Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
- username-notfound filter:
# vi /etc/fail2ban/filter.d/username-notfound.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
- dos-hosts filter:
# vi /etc/fail2ban/filter.d/dos-hosts.conf
[Definition]
# Several alternatives: continuation lines must be indented so they stay part of failregex
failregex = rblsmtpd: <HOST> .*: 451 Blocked
            CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
            CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
            .* rblsmtpd: <HOST>
ignoreregex =
- vpopmail filter:
# vi /etc/fail2ban/filter.d/vpopmail.conf
# Fail2Ban configuration file
# Author: Christoph Haas
# Modified by: Ole Johansen - CDS
# $Revision: 510 $

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
- squirrelmail filter:
# vi /etc/fail2ban/filter.d/squirrelmail.conf
# squirrelmail's Fail2Ban configuration file
# you must install the squirrel_logger plugin into Squirrelmail
# to use this filter/jail

[Definition]
# the failregex value must match the line written in squirrelmail.log
# the example below is using Italian
failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
ignoreregex =
Configure Jail
Create one jail per filter by adding or editing these sections in /etc/fail2ban/jail.conf:
# vi /etc/fail2ban/jail.conf
# password-fail
[password-fail]
enabled = true
filter = password-fail
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600

# username-notfound
[username-notfound]
enabled = true
filter = username-notfound
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600

# dos-hosts - Hosts insisting on delivering spam
[dos-hosts]
enabled = true
filter = dos-hosts
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/qmail/smtp/current
maxretry = 5
bantime = 86400
findtime = 3600

# vpopmail (bantime = -1 means a permanent ban; the second action line is a
# continuation of "action" and must be indented)
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
action = iptables[name=pop3, port=pop3, protocol=tcp]
         sendmail-whois[name=pop3, dest=y...@email.domain, sender=em...@adr]
logpath = /var/log/maillog
maxretry = 3
bantime = -1

# squirrelmail
[squirrelmail-iptables]
enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
         sendmail-whois[name=SquirrelMail, dest=root, sender=fail2ban@example.it]
# adjust logpath with Squirrelmail's squirrel_logger plugin log
logpath = /var/log/squirrelmail.log
maxretry = 5
Test Filter
Test each filter against the real log with fail2ban-regex before enabling its jail. It prints something like the output below, with the number of matches for each regex, or 0 match(es) if the regex does not fit the log format:
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
|
`- Number of matches:
   [1] 123 match(es)
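The check that fail2ban-regex performs, reimplemented in miniature as an added example (this is not code from the page or from fail2ban itself): it expands the <HOST> alias exactly as the filter comments above describe, runs the page's three vpopmail failregex values over a few constructed maillog lines, and counts matches per regex and per host the way the tool's output does. The log lines, hostname, PIDs and addresses are constructed (RFC 5737 documentation ranges). The fifth line is a pop3 failure with a non-empty domain; it is there to show that the vpopmail filter's .*@:<HOST> pattern only fits "user@:IP" lines and returns 0 matches otherwise, which is exactly the kind of mismatch the fail2ban-regex step is meant to catch.

```python
import re
from collections import Counter

# The <HOST> alias as documented in the fail2ban filter comments on this page.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex values copied from the page's filters; a filter may carry several.
FILTERS = {
    "password-fail": [r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"],
    "username-notfound": [r"vchkpw-smtp: vpopmail user not found .*:<HOST>"],
    "vpopmail": [r"vchkpw-pop3: vpopmail user not found .*@:<HOST>"],
}

# Constructed maillog lines (not real log data).
SAMPLE_LOG = """\
Dec  9 08:57:01 mail vpopmail[4242]: vchkpw-smtp: password fail (pass: 'xxxx') alice@example.com:203.0.113.5
Dec  9 08:57:02 mail vpopmail[4242]: vchkpw-smtp: password fail (pass: 'yyyy') alice@example.com:203.0.113.5
Dec  9 08:57:03 mail vpopmail[4243]: vchkpw-smtp: vpopmail user not found nobody@example.com:198.51.100.7
Dec  9 08:57:04 mail vpopmail[4244]: vchkpw-pop3: vpopmail user not found bob@:192.0.2.9
Dec  9 08:57:05 mail vpopmail[4245]: vchkpw-pop3: vpopmail user not found carol@example.com:192.0.2.10
Dec  9 08:57:06 mail vpopmail[4246]: vchkpw-smtp: login success dave@example.com:203.0.113.44
""".splitlines()


def compile_filter(failregex_lines):
    """Substitute the <HOST> tag and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in failregex_lines]


def run_filter(filter_name, log_lines):
    """Return (matches per regex, Counter of matched hosts), like fail2ban-regex reports.

    Simplified: fail2ban strips the timestamp first; searching the whole line
    gives the same result for these patterns.
    """
    regexes = compile_filter(FILTERS[filter_name])
    per_regex = [0] * len(regexes)
    hosts = Counter()
    for line in log_lines:
        for i, rx in enumerate(regexes):
            m = rx.search(line)
            if m:
                per_regex[i] += 1
                hosts[m.group("host")] += 1
                break  # the first matching regex wins, as in fail2ban
    return per_regex, hosts


def would_ban(filter_name, log_lines, maxretry):
    """Hosts whose failure count reached the jail's maxretry (findtime ignored here)."""
    _, hosts = run_filter(filter_name, log_lines)
    return sorted(h for h, n in hosts.items() if n >= maxretry)


if __name__ == "__main__":
    for name in FILTERS:
        per_regex, hosts = run_filter(name, SAMPLE_LOG)
        print(f"{name}: {sum(per_regex)} match(es) {dict(hosts)}")
    print("would ban at maxretry=3:", would_ban("password-fail", SAMPLE_LOG, 3))
```

Adjusting a regex here and rerunning is a quick way to see why a filter reports 0 match(es); the real fail2ban-regex run against /var/log/maillog remains the final check before enabling the jail.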
Reload Config
# fail2ban-client stop
# fail2ban-client start
Check Jail Status
# fail2ban-client status password-fail
Status for the jail: password-fail
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed:     225
`- action
   |- Currently banned: 109
   |  `- IP list:       200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned:     109
Note
Once it starts running and the logs contain matching strings, fail2ban creates iptables rules dropping those IPs. But when fail2ban is reloaded, iptables is restarted, the machine reboots or the weekly logrotate runs, those rules are gone. Bye bye! So what to do?
- Before changes, write existing iptables rules to file
# service iptables save
- And after any change load the saved set of rules
# service iptables restart
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny
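One way to make fail2ban keep its own record of banned IPs, added here as an example and not the page's own method: a fail2ban action file (hypothetical name /etc/fail2ban/action.d/iptables-persist.conf) that mirrors the stock iptables action's chain handling and additionally appends every banned IP to /etc/fail2ban/ip.deny, replaying that file into the jail's chain when the jail starts. The denyfile tag and the file layout ("jailname ip" per line) are assumptions; <ip>, <name>, <port> and <protocol> are the standard fail2ban action tags, and values in [Init] are substituted into the commands the same way.

```ini
# /etc/fail2ban/action.d/iptables-persist.conf  (added example; hypothetical file name)
# Same chain handling as the stock iptables action, plus a deny file that is
# replayed on start so bans survive a fail2ban reload, iptables restart or reboot.
[Definition]
# Create the chain, hook it into INPUT, then re-add every IP previously
# banned by this jail (duplicates in the file are collapsed by sort -u).
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
              touch <denyfile>
              for ip in $(grep '^<name> ' <denyfile> | cut -d' ' -f2 | sort -u); do iptables -I fail2ban-<name> 1 -s $ip -j DROP; done

actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Ban: insert the DROP rule and record the IP for the next start.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo "<name> <ip>" >> <denyfile>

# Unban: remove the rule and the matching record line(s).
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              sed -i '/^<name> <ip>$/d' <denyfile>

[Init]
name = default
port = ssh
protocol = tcp
# assumed tag: where banned IPs are recorded (path taken from this page)
denyfile = /etc/fail2ban/ip.deny
```

A jail uses it in place of the iptables action, for example action = iptables-persist[name=SMTP, port=smtp, protocol=tcp]. Because the file is replayed by the jail itself on every start, the saved iptables rule set from "service iptables save" no longer has to carry the ban rules, and the manual clean-up of several duplicate lines described under "Basic admin stuff" is reduced to deleting the IP's line from the deny file.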
Basic admin stuff
- Check banned IPs:
- from fail2ban:
# fail2ban-client status vpopmail-fail
- from current iptables rules:
# iptables -L -nv
- To see IPs that fail2ban is saving for the next reload:
# cat /etc/fail2ban/ip.deny
- How to unblock an IP:
- Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
- Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
- Remove it from /etc/sysconfig/iptables (maybe listed several times).