$ sudo cat /etc/redhat-release
CentOS release 6.7 (Final)
$ sudo yum -y install fail2ban
$ sudo cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
$ sudo yum -y install fail2ban
$ fail2ban-client --version
Fail2Ban v0.11.1
$ fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', 'SYSLOG']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
$ fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbmaxmatches', 10]
['set', 'dbpurgeage', '1d']
Note the `dbpurgeage` parameter in fail2ban.conf: it controls how long ban data is kept in the database (shown above as 86400 seconds on the 0.9 release and as `1d` on v0.11.1, i.e. one day in both cases).
$ ls -l /etc/fail2ban/jail.conf
-rw-r--r--. 1 root root 25740 Aug 28 14:55 /etc/fail2ban/jail.conf
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.orig
(Keeping a copy of the original is useful, but note that jail.conf is replaced on package upgrades; fail2ban reads overrides from /etc/fail2ban/jail.local, which is the safer place to keep the enabled = true and bantime changes below.)
577 [postfix-sasl] 578 579 port = smtp,465,submission,imap3,imaps,pop3,pop3s 580 # You might consider monitoring /var/log/mail.warn instead if you are 581 # running postfix since it would provide the same log lines at the 582 # "warn" level but overall at the smaller filesize. 583 logpath = %(postfix_log)s 584 585 # ebal, Sat, 14 May 2016 12:34:30 +0300 586 enabled = true 587 bantime = 43200 588 maxretry = 3
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
# fail2ban-client -d ['set', 'syslogsocket', 'auto'] ['set', 'loglevel', 'INFO'] ['set', 'logtarget', 'SYSLOG'] ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'] ['set', 'dbpurgeage', 86400] ['add', 'postfix-sasl', 'auto'] ['set', 'postfix-sasl', 'usedns', 'warn'] ['set', 'postfix-sasl', 'addlogpath', '/var/log/maillog', 'head'] ['set', 'postfix-sasl', 'maxretry', 3] ['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8'] ['set', 'postfix-sasl', 'logencoding', 'auto'] ['set', 'postfix-sasl', 'bantime', 43200] ['set', 'postfix-sasl', 'ignorecommand', ''] ['set', 'postfix-sasl', 'findtime', 600] ['set', 'postfix-sasl', 'addignoreregex', 'authentication failed: Connection lost to authentication server$'] ['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/(submission/)?smtp(d|s)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/(submission/)?smtp(d|s)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\\s*$'] ['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service'] ['set', 'postfix-sasl', 'addaction', 'iptables-multiport'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>'] ['set', 
'postfix-sasl', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/chain', 'INPUT'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/lockingopt', ''] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'name', 'postfix-sasl'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/__name__', 'Init'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/protocol', 'tcp'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/port', 'ssh'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/returntype', 'RETURN'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'lockingopt', ''] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/name', 'default'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'returntype', 'RETURN'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'port', 'smtp,465,submission,imap3,imaps,pop3,pop3s'] ['set', 'postfix-sasl', 'action', 'iptables-multiport', 'bantime', '43200'] ['start', 'postfix-sasl']
# fail2ban-client status postfix-sasl
ERROR  Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
# /etc/init.d/fail2ban restart
Stopping fail2ban: ERROR  Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
[FAILED]
Starting fail2ban: [  OK  ]
# chkconfig fail2ban on
# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
# /etc/init.d/fail2ban status
fail2ban-server (pid 20355) is running...
Status
|- Number of jail: 1
`- Jail list: postfix-sasl
dovecot: auth: ldap(admin@example.org,89.248.162.175): unknown user
[dovecot] port = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s # ebal, Sat, 14 May 2016 12:34:30 +0300 enabled = true findtime = 86400 bantime = 86400 maxretry = 1
^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|ldap|passwd-file)\(\S+,<HOST>\): unknown user\s*$