
Fail2Ban

Revision as of 00:07, 5 March 2011 by Sminini (Talk | contribs)


Basic fail2ban installation and setup

fail2ban homepage: http://www.fail2ban.org. Please check [0] and [1] for more details.


1. Installation.

Enable the EPEL repos [1] and then run 'yum install fail2ban'.


2. Setup:

To work with Qmail/vpopmail, a filter and a jail should be defined.

a. # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

[Definition]

# Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>

ignoreregex =

b. # mcedit /etc/fail2ban/jail.conf (add this)

[vpopmail-fail]
enabled  = true
filter   = vpopmail-fail
action   = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 1
bantime  = 604800
findtime = 3600

c. Test the filter file:

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf

Returns something like this, with n matches for the regex, or 0 if nothing matched:

Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
|
`- Number of matches:
   [1] 123 match(es)
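Before pointing fail2ban-regex at a real maillog it helps to see what the failregex above actually captures. The following is an added example, not from this wiki page or from fail2ban: it replays the same expression with sed over a few constructed vchkpw-smtp log lines and tallies failures per host the way the jail does inside findtime. fail2ban expands the <HOST> token into a host-capturing group itself; the sed group in FAILREGEX stands in for that. The log lines, user names and 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are all made up.

```shell
#!/bin/sh
# Added example (not from the qmailtoaster wiki or fail2ban): replay the page's
# failregex over constructed maillog lines and count failures per host.

# The page's failregex, with a sed group standing in for fail2ban's <HOST> token.
FAILREGEX='vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:\([0-9A-Za-z._:-]*\)'

# Constructed sample of /var/log/maillog (made-up hosts, users and addresses).
# Lines 1-3 are failed logins; lines 4-5 must NOT match the filter.
sample_log() {
    cat <<'EOF'
Mar  5 00:07:01 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'xxx') user@example.com:203.0.113.5
Mar  5 00:07:02 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'yyy') admin@example.com:203.0.113.5
Mar  5 00:07:03 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'zzz') test@example.org:198.51.100.7
Mar  5 00:07:04 mail vpopmail[1234]: vchkpw-smtp: (PLAIN) login success user@example.com:192.0.2.9
Mar  5 00:07:05 mail vpopmail[1234]: vchkpw-smtp: vpopmail user not found nobody@:192.0.2.10
EOF
}

# Print the <HOST> part of every line the failregex matches, one per line.
extract_hosts() {
    sed -n "s/.*$FAILREGEX.*/\\1/p"
}

# Failures per host, printed as "host count" (what the jail tallies inside findtime).
failures_per_host() {
    extract_hosts | sort | uniq -c | awk '{ print $2, $1 }'
}

# Hosts whose count reached maxretry (the page's jail uses maxretry = 1).
hosts_to_ban() {
    maxretry="${1:-1}"
    failures_per_host | awk -v m="$maxretry" '$2 >= m { print $1 }'
}

echo "hosts the jail would ban with maxretry=1:"
sample_log | hosts_to_ban 1
echo "hosts that failed at least twice:"
sample_log | hosts_to_ban 2
```

With the page's maxretry = 1 a single bad password is enough to ban a host, which is why the "login success" and "user not found" lines matter: the expression must leave those alone, or a mistyped address would ban a legitimate client. Pipe a real maillog into extract_hosts to check the same thing against live data.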


d. Reload config:

# fail2ban-client stop
# fail2ban-client start

e. Check the status of a jail:

# fail2ban-client status vpopmail-fail

Status for the jail: vpopmail-fail
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed:     225
`- action
   |- Currently banned: 109
   |  `- IP list:       200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned:     109

NOTE: Once it starts running and the logs contain matching lines, fail2ban creates iptables rules dropping those IPs. But... when fail2ban reloads, iptables restarts, the machine reboots, or the weekly logrotate runs, those rules are gone. Bye bye! So... what to do?

- Before changes, do a '# service iptables save' and it will write the current rules to a file; after any change, do '# service iptables restart' to make it load the saved set of rules.
- Tune fail2ban to write banned IPs to /etc/fail2ban/ip.deny [3].


3. A little basic admin stuff

a. Check banned IPs:
- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- IPs that fail2ban is saving for the next reload: # cat /etc/fail2ban/ip.deny

b. How to unblock an IP:
1) Delete it from the current iptables rules: # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) Remove it from /etc/fail2ban/ip.deny (it may be listed several times).
3) Remove it from /etc/sysconfig/iptables (it may be listed several times).
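Steps 2 and 3 are easy to get wrong by hand: the IP can appear several times, and a plain substring delete would also take out a neighbour such as 11.22.33.4 when removing 11.22.33.44. The script below is an added example, not the wiki page's own tool: it runs the three unban steps against constructed copies of ip.deny and /etc/sysconfig/iptables in a temporary directory, removing the IP only where it is a whole token. The live iptables -D is only executed when LIVE=1 is set (as root); otherwise it is just shown. The file contents and the 203.0.113.x / 198.51.100.x addresses are made up; point DENY and RULES at the real files to use it on a host.

```shell
#!/bin/sh
# Added example (not the wiki page's own script): take one IP out of the two
# files the page says bans are persisted in, so the ban does not return at the
# next reload. Works on constructed copies under a temp directory.

WORK=$(mktemp -d)
DENY="$WORK/ip.deny"       # stands in for /etc/fail2ban/ip.deny
RULES="$WORK/iptables"     # stands in for /etc/sysconfig/iptables

# Constructed contents: the IP is listed more than once, as the page warns,
# and 203.0.113.50 is a near-miss that must survive the unban.
make_sample_files() {
    cat >"$DENY" <<'EOF'
203.0.113.5
198.51.100.7
203.0.113.5
EOF
    cat >"$RULES" <<'EOF'
*filter
:fail2ban-SMTP - [0:0]
-A fail2ban-SMTP -s 203.0.113.5/32 -j DROP
-A fail2ban-SMTP -s 198.51.100.7/32 -j DROP
-A fail2ban-SMTP -s 203.0.113.50/32 -j DROP
-A fail2ban-SMTP -s 203.0.113.5/32 -j DROP
COMMIT
EOF
}

# Drop every line containing the IP as a whole token (-w keeps 203.0.113.50
# when removing 203.0.113.5); prints how many lines were removed.
remove_ip_from_file() {
    file="$1"; ip="$2"
    before=$(wc -l <"$file" | tr -d ' ')
    # grep -v exits 1 when no line is left, which is not an error here.
    grep -v -w -F -- "$ip" "$file" >"$file.tmp" || true
    mv "$file.tmp" "$file"
    after=$(wc -l <"$file" | tr -d ' ')
    echo $((before - after))
}

# How many lines still mention the IP (0 once the unban is complete).
count_ip_in_file() {
    grep -c -w -F -- "$2" "$1" || true
}

# The page's three steps. The live iptables -D runs only with LIVE=1.
unban_ip() {
    ip="$1"
    if [ "${LIVE:-0}" = 1 ]; then
        iptables -D fail2ban-SMTP -s "$ip" -j DROP || echo "no live rule for $ip"
    else
        echo "step 1 (live host): iptables -D fail2ban-SMTP -s $ip -j DROP"
    fi
    echo "step 2: removed $(remove_ip_from_file "$DENY" "$ip") line(s) from $DENY"
    echo "step 3: removed $(remove_ip_from_file "$RULES" "$ip") line(s) from $RULES"
}

make_sample_files
unban_ip 203.0.113.5
echo "remaining rules:"
cat "$RULES"
```

After the three steps, a '# service iptables restart' would no longer bring the ban back, and count_ip_in_file is a quick way to confirm that both files are clean before doing it.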




4. References:

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

