Fail2ban

From QmailToaster
Revision as of 15:55, 26 March 2024 by Ebroch (talk | contribs) (Created page with "# Install fail2ban # yum install fail2ban -y # Create the filter definition files in filter.d # cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL [Definition] #Looks for failed auth outside TLS to SMTP failregex = 503 auth not available \(\#5\.3\.3\) - <HOST> ignoreregex = EOL # cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL [Definition] #Looks for failed password logins to SMTP failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
  1. Install fail2ban
  1. yum install fail2ban -y
  1. Create the filter definition files in filter.d
  1. cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL

[Definition]

  1. Looks for failed auth outside TLS to SMTP

failregex = 503 auth not available \(\#5\.3\.3\) - <HOST> ignoreregex = EOL

  1. cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL

[Definition]

  1. Looks for failed password logins to SMTP

failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST> ignoreregex = EOL

  1. cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL

[Definition]

  1. Looks for failed password logins to SMTP

failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST> ignoreregex = EOL

  1. cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL

[Definition] failregex = vchkpw-smtps: vpopmail user not found .*:<HOST> ignoreregex = EOL

  1. cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL

[Definition] failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST> ignoreregex = EOL

  1. cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL

[Definition] failregex = vchkpw-submission: vpopmail user not found .*:<HOST> ignoreregex = EOL

  1. Add filter definitions to jail.conf
  1. cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
  1. cat >>/etc/fail2ban/jail.conf << EOL

[qmail-submission-passfail] enabled = true filter = qmail-submission-passfail action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto

[qmail-submission-usernotfound] enabled = true filter = qmail-submission-usernotfound action = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto

[qmail-smtps-passfail] enabled = true filter = qmail-smtps-passfail action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto

[qmail-smtps-usernotfound] enabled = true filter = qmail-smtps-usernotfound action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp] logpath = /var/log/maillog maxretry = 3 bantime = 86400 findtime = 3600 backend = auto

[qmail-smtp-authnotavail] enabled = true filter = qmail-smtp-authnotavail action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp] logpath = /var/log/qmail/smtptx/current maxretry = 3 bantime = 86400 findtime = 300 backend = auto

EOL

  1. Set up Authorization not available
  In order to log SMTP transactions do the following:
  1) # qmailctl stop
  2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
  3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file: 
     
     #!/bin/sh
     LOGSIZE=`cat /var/qmail/control/logsize`
     LOGCOUNT=`cat /var/qmail/control/logcount`
     exec /usr/bin/setuidgid qmaill \
       /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
       '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
       '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
  4) # qmailctl start && qmailctl cdb
  5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
  1. Start fail2ban
  1. systemctl start fail2ban


  1. Script to check blocking
  1. cat >./f2bstat << EOL
  2. !/bin/bash

for FILTER in qmail-submission-passfail \ 

             qmail-submission-usernotfound \
             qmail-smtps-passfail \
             qmail-smtps-usernotfound \
             qmail-smtp-authnotavail

do 

  fail2ban-client status $FILTER
  echo ""

done

EOL

  1. Set permissions & run script (w/output sample)
  1. chmod 755 ./f2bstat && ./f2bstat

qmail-submission-passfail:

Status for the jail: qmail-submission-passfail |- Filter | |- Currently failed: 1 | |- Total failed: 1 | `- File list: /var/log/maillog `- Actions 

  |- Currently banned: 0
  |- Total banned:     0
  `- Banned IP list:

qmail-submission-usernotfound:

Status for the jail: qmail-submission-usernotfound |- Filter | |- Currently failed: 7 | |- Total failed: 7 | `- File list: /var/log/maillog `- Actions 

  |- Currently banned: 0
  |- Total banned:     0
  `- Banned IP list:

qmail-smtps-passfail:

Status for the jail: qmail-smtps-passfail |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/maillog `- Actions 

  |- Currently banned: 0
  |- Total banned:     0
  `- Banned IP list:

qmail-smtps-usernotfound:

Status for the jail: qmail-smtps-usernotfound |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/maillog `- Actions 

  |- Currently banned: 2
  |- Total banned:     2
  `- Banned IP list:   5.34.207.174 212.70.149.72

qmail-smtp-authnotavail:

Status for the jail: qmail-smtp-authnotavail |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/qmail/smtptx/current `- Actions 

  |- Currently banned: 0
  |- Total banned:     0
  `- Banned IP list:
Retrieved from "http://wiki.qmailtoaster.org:80/index.php?title=Fail2ban&oldid=479"