
Fail2Ban

From Qmailtoaster

Basic fail2ban installation and setup


Installation

Install the EPEL repository (the first line is for EL5, the second for EL4):

     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm

Install fail2ban:

     # yum install fail2ban

Setup

To work with Qmail/vpopmail, a filter and jail should be defined.

Configure Filter

Create a filter file in /etc/fail2ban/filter.d/ or edit an existing one. The filename (without the .conf extension) is the filter name referenced by the jail:

     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     # Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =

     # vi /etc/fail2ban/filter.d/username-notfound.conf
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>

     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex =

     # vi /etc/fail2ban/filter.d/dos-hosts.conf
     [Definition]
     failregex = rblsmtpd: <HOST> .*: 451 Blocked
                 CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
                 CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
                 .* rblsmtpd: <HOST>

     # vi /etc/fail2ban/filter.d/vpopmail.conf
     # Fail2Ban configuration file
     # Author: Christoph Haas
     # Modified by: Ole Johansen - CDS
     # $Revision: 510 $

     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT

     failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>

     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT

     ignoreregex =

     # vi /etc/fail2ban/filter.d/squirrelmail.conf
     # squirrelmail's Fail2Ban configuration file
     # you must install the squirrel_logger plugin into Squirrelmail
     # to use this filter/jail

     [Definition]
     # the failregex value must match the line written in squirrelmail.log
     # the example below is using Italian
     failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
     ignoreregex =

Configure Jail

Create the jails by adding or editing these lines in /etc/fail2ban/jail.conf:

     # vi /etc/fail2ban/jail.conf

     # password-fail
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600

     # username-notfound
     [username-notfound]
     enabled  = true
     filter   = username-notfound
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600

     # dos-hosts - Hosts insisting on delivering spam
     [dos-hosts]
     enabled  = true
     filter   = dos-hosts
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/qmail/smtp/current
     maxretry = 5
     bantime  = 86400
     findtime = 3600

     # vpopmail
     [vpopmail]
     enabled  = true
     port     = pop3
     filter   = vpopmail
     action   = iptables[name=pop3, port=pop3, protocol=tcp]
                sendmail-whois[name=pop3, dest=y...@email.domain, sender=em...@adr]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = -1

     # squirrelmail
     [squirrelmail-iptables]
     enabled  = true
     filter   = squirrelmail
     action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
                sendmail-whois[name=SquirrelMail, dest=root, sender=fail2ban@example.it]
     # adjust logpath with Squirrelmail's squirrel_logger plugin log
     logpath  = /var/log/squirrelmail.log
     maxretry = 5

Test Filter

Test the filter against the log file. The output looks like this, with n match(es) for the regex, or 0 if nothing matched:

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
       [1] 123 match(es)
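The same check done offline, as an added example that is not part of the original page: a small Python script expands `<HOST>` into the named group quoted in the filter comments above, runs the password-fail and username-notfound failregex values over constructed maillog lines, and counts failures per host so you can see which source would reach maxretry before the jail is switched on. The log lines, usernames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# <HOST> alias exactly as quoted in the filter comments above.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex values taken from the password-fail and username-notfound filters.
FILTERS = {
    "password-fail": r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "username-notfound": r"vchkpw-smtp: vpopmail user not found .*:<HOST>",
}

# Constructed maillog sample (not from a real server; IPs are documentation ranges).
SAMPLE_LOG = """\
Dec  9 08:50:01 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'x') alice@example.com:192.0.2.10
Dec  9 08:50:05 mail vpopmail[1235]: vchkpw-smtp: password fail (pass: 'y') alice@example.com:192.0.2.10
Dec  9 08:50:09 mail vpopmail[1236]: vchkpw-smtp: password fail (pass: 'z') alice@example.com:192.0.2.10
Dec  9 08:51:00 mail vpopmail[1237]: vchkpw-smtp: vpopmail user not found nobody@example.com:198.51.100.7
Dec  9 08:51:30 mail vpopmail[1238]: vchkpw-smtp: password fail (pass: 'q') bob@example.com:203.0.113.5
Dec  9 08:52:00 mail vpopmail[1239]: vchkpw-smtp: login success alice@example.com:192.0.2.10
"""

def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))

def count_failures(filter_name, log_text):
    """Return {host: number of log lines matched by the named filter}."""
    pattern = compile_failregex(FILTERS[filter_name])
    hits = defaultdict(int)
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)

def hosts_to_ban(filter_name, log_text, maxretry=3):
    """Hosts at or above maxretry; all sample lines fall inside one findtime window."""
    counts = count_failures(filter_name, log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name in FILTERS:
        print(name, count_failures(name, SAMPLE_LOG), "-> ban:", hosts_to_ban(name, SAMPLE_LOG))
```

Swap SAMPLE_LOG for the contents of /var/log/maillog to get the per-host breakdown that fail2ban-regex's match count does not show.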

Reload Config

     # fail2ban-client stop
     # fail2ban-client start

Check Jail Status

     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
        |- Currently banned: 109
        |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109


Note

Once it is running and the logs contain matching lines, fail2ban creates iptables rules dropping traffic from those IPs. But after a fail2ban reload, an iptables restart, a reboot, or the weekly logrotate, those rules are gone. Bye bye! So what to do?

     # service iptables save
     # service iptables restart

Basic admin stuff

     # fail2ban-client status vpopmail
     # iptables -L -nv
     # cat /etc/fail2ban/ip.deny
     # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP

Retrieved from "http://wiki.qmailtoaster.com/index.php/Fail2Ban"

This page was last modified on 9 December 2011, at 08:57. Content is available under GNU Free Documentation License 1.2.
