Basic fail2ban installation and setup
fail2ban homepage: http://www.fail2ban.org. Please check  and  for more details.
Enable the EPEL repos  and then 'yum install fail2ban'
To work with Qmail/vpopmail, a filter and jail should be defined. a. # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf
- Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
b. # mcedit /etc/fail2ban/jail.conf (add this)
[vpopmail-fail] enabled = true filter = vpopmail-fail action = iptables[name=SMTP, port=smtp, protocol=tcp] logpath = /var/log/maillog maxretry = 1 bantime = 604800 findtime = 3600
c. Test the filter file:
- fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf
Returns something like this, with n matches for the regex or 0 if no matches:
Failregex |- Regular expressions: |  vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST> | `- Number of matches:
 123 match(es)
d. Reload config:
- fail2ban-client stop/start
e. Check the status of a jail:
- fail2ban-client status vpopmail-fail
Status for the jail: vpopmail-fail |- filter | |- File list: /var/log/maillog | |- Currently failed: 7 | `- Total failed: 225 `- action
|- Currently banned: 109
| `- IP list: 22.214.171.124 126.96.36.199 188.8.131.52 (...) 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
`- Total banned: 109
NOTE: Once its starts running and the logs have matching strings, it will create iptables rules dropping that IP. But... when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So... what to do?
- Before changes, do a '# service iptables save' and it will write them to a file, and after any change do '# service iptables restart' to make it load the saved set of rules; - Tune fail2ban to write IPs to /etc/fail2ban/ip.deny .
3.A little basic admin stuff
a. Check banned IPs: - by fail2ban:# fail2ban-client status vpopmail-fail - current iptables rules: # iptables -L -nv - To see IPs that fail2ban is saving for the next reload:
- cat /etc/fail2ban/ip.deny
b. How to unblock an IP: 1) Delete it from the current iptables rules:
- iptables -D fail2ban-SMTP -s 126.96.36.199 -j DROP
2) remove it from /etc/fail2ban/ip.deny (maybe listed several times). 3) remove it from /etc/sysconfig/iptables (maybe listed several times).
 http://email@example.com/msg30514.html  http://firstname.lastname@example.org/msg30551.html  http://fedoraproject.org/wiki/EPEL/FAQ#howtouse  http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/