Last Edit: 15.05.2016 09:02

fail2ban


Installation

# cat /etc/redhat-release 
CentOS release 6.7 (Final)

# yum -y install fail2ban

default configuration (no jails enabled yet)


# fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', 'SYSLOG']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]

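configuration backup (fail2ban also reads /etc/fail2ban/jail.local, whose settings override jail.conf and are not replaced by package updates, so local changes are safer kept there)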


# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.orig

postfix-sasl


Enable the postfix-sasl jail (the local additions are the lines after the "ebal" comment)


# Excerpt of the jail definition (presumably /etc/fail2ban/jail.conf, backed up above).
# The leading 577-588 are editor line numbers, not part of the file.
577 [postfix-sasl]
578 
579 port     = smtp,465,submission,imap3,imaps,pop3,pop3s
580 # You might consider monitoring /var/log/mail.warn instead if you are
581 # running postfix since it would provide the same log lines at the
582 # "warn" level but overall at the smaller filesize.
583 logpath  = %(postfix_log)s
584 
# Local additions start here. bantime is in seconds (43200 = 12 hours).
# maxretry = 3 bans an address after three matching failures within findtime
# (600 seconds, per the fail2ban-client -d dump further down the page).
585 # ebal, Sat, 14 May 2016 12:34:30 +0300
586 enabled = true
587 bantime = 43200
588 maxretry = 3

Test your settings


fail2ban-regex


# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf


fail2ban-client


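Dump the configuration again; the postfix-sasl jail now appears with its failregex and its iptables-multiport action: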


# fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', 'SYSLOG']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl', 'logencoding', 'auto']
['set', 'postfix-sasl', 'bantime', 43200]
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'findtime', 600]
['set', 'postfix-sasl', 'addignoreregex', 'authentication failed: Connection lost to authentication server$']
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/(submission/)?smtp(d|s)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/(submission/)?smtp(d|s)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\\s*$']
['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'postfix-sasl', 'addaction', 'iptables-multiport']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/lockingopt', '']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'name', 'postfix-sasl']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/__name__', 'Init']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'lockingopt', '']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'port', 'smtp,465,submission,imap3,imaps,pop3,pop3s']
['set', 'postfix-sasl', 'action', 'iptables-multiport', 'bantime', '43200']
['start', 'postfix-sasl']

enable service (the socket errors below only mean the server was not running yet; the restart then starts it)


# fail2ban-client status postfix-sasl
ERROR  Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?

# /etc/init.d/fail2ban restart
Stopping fail2ban: ERROR  Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
                                                           [FAILED]
Starting fail2ban:                                         [  OK  ]


# chkconfig fail2ban on

show status


# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/maillog
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

# /etc/init.d/fail2ban status
fail2ban-server (pid  20355) is running...
Status
|- Number of jail:	1
`- Jail list:	postfix-sasl


dovecot


dovecot: auth: ldap(admin@example.org,89.248.162.175): unknown user


jail.conf


# Jail for dovecot authentication failures.
[dovecot]

# Service ports the ban action applies to for a banned address.
port    = pop3,pop3s,imap,imaps,submission,465,sieve
# %(dovecot_log)s is interpolated from a variable defined elsewhere in the
# fail2ban configuration (its value is not shown on this page).
logpath = %(dovecot_log)s

# ebal, Sat, 14 May 2016 12:34:30 +0300
# findtime and bantime are in seconds (86400 = 24 hours).
# maxretry = 1: a single matching log line within findtime bans the address.
# NOTE(review): one mistyped user name from a legitimate client is enough to
# lock that client out for 24 hours; list trusted addresses in ignoreip.
enabled = true
findtime = 86400
bantime = 86400
maxretry = 1


/etc/fail2ban/filter.d/dovecot.conf


from:


^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$


to:


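add ldap to the list of auth backends, so that the "ldap(...): unknown user" log line shown above is matched (afterwards re-run fail2ban-regex with the dovecot log and /etc/fail2ban/filter.d/dovecot.conf to confirm the edited pattern matches):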


^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|ldap|passwd-file)\(\S+,<HOST>\): unknown user\s*$