QmailtoasterMain Page | About | Help | FAQ | Special pages | Log in

Printable version | Disclaimers | Privacy policy | Latest revision

Fail2Ban

Revision as of 09:16, 7 March 2011 by Pakogah (Talk | contribs)

Basic fail2ban installation and setup


Contents

Installation

Install EPEL Repos

     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm

Instal fail2ban:

     # yum install fail2ban

Setup

To work with Qmail/vpopmail, a filter and jail should be defined.

     # vi /etc/fail2ban/filter.d/vpopmail-fail.conf
     [Definition]
     #Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =
     # vi /etc/fail2ban/jail.conf  
     [vpopmail-fail]
     enabled  = true
     filter   = vpopmail-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 1
     bantime  = 604800
     findtime = 3600
     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf
     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
       [1] 123 match(es)
     # fail2ban-client stop
     # fail2ban-client start
     # fail2ban-client status vpopmail-fail
     Status for the jail: vpopmail-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
       |- Currently banned: 109
       | `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109

NOTE: Once its starts running and the logs have matching strings, it will create iptables rules dropping that IP. But when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So what to do?

     # service iptables save
     # service iptables restart


Basic admin stuff

        # fail2ban-client status vpopmail-fail
        # iptables -L -nv
        # cat /etc/fail2ban/ip.deny
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP

References

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html

[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html

[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

[4] fail2ban homepage: http://www.fail2ban.org


Find

Browse
Main page
Community portal
Current events
Recent changes
Random page
Help
Edit
View source
Editing help
This page
Discuss this page
New section
Printable version
Context
Page history
What links here
Related changes
My pages
Log in / create account
Special pages
New pages
File list
Statistics
More...