Tuesday 28 May 2013

Fail2ban for Qmail Server

Installation:

     # rpm -Uvh fail2ban-0.8.7.1-1.el6.rf.noarch.rpm
(the RPMforge build for RHEL/CentOS 6; everything below refers to the 0.8.x configuration layout)

Setup:
To work with Qmail/vpopmail, a filter (what to match in which log) and a jail (which log to watch, how many matches within what time, and what to do about them) must be defined for each kind of abuse you want to block.

Configure Filter:
Create a filter file in /etc/fail2ban/filter.d/ or edit an existing one. The file name without .conf is the filter name the jail refers to.
  • password-fail filter:
     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     # Looks for failed password logins to SMTP AUTH. Matches vpopmail lines of
     # the form (vpopmail built with password logging, which means the attempted
     # password also lands in /var/log/maillog: make sure that file is not
     # world-readable):
     #   vchkpw-smtp: password fail (pass: 'xxxx') user@domain:1.2.3.4
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =
  • username-notfound filter:
     # vi /etc/fail2ban/filter.d/username-notfound.conf
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>
    
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex =
  • dos-hosts filter (watches the qmail-smtpd multilog, whose TAI64N timestamps fail2ban 0.8 understands):
     # vi /etc/fail2ban/filter.d/dos-hosts.conf
     [Definition]
     # Continuation lines of a multi-line failregex must be indented.
     # rblsmtpd writes a log line only when it rejects a client, so the last
     # pattern already covers every rblsmtpd rejection, including the
     # "451 Blocked" one matched by the first pattern.
     failregex = rblsmtpd: <HOST> .*: 451 Blocked
                 CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
                 CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
                 .* rblsmtpd: <HOST>
  • vpopmail filter:
     # vi /etc/fail2ban/filter.d/vpopmail.conf
     # Fail2Ban configuration file
     # Author: Christoph Haas
     # Modified by: Ole Johansen - CDS
     # $Revision: 510 $
    
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
    
     failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>
    
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
    
     ignoreregex =
  • squirrelmail filter:
     # vi /etc/fail2ban/filter.d/squirrelmail.conf
     # squirrelmail's Fail2Ban configuration file
     # you must install the squirrel_logger plugin into Squirrelmail
     # to use this filter/jail
    
     [Definition]
     # the failregex value must match the line written in squirrelmail.log;
     # the example below is using Italian ("Utente sconosciuto o password errata"
     # = "unknown user or wrong password"), so adapt it to the language of your install
     failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
     ignoreregex =

Configure Jail:
Create a jail (add/edit these lines) in /etc/fail2ban/jail.conf, or better in /etc/fail2ban/jail.local, which fail2ban reads on top of jail.conf and which a package update will not overwrite.

     # vi /etc/fail2ban/jail.conf
    
     # Every jail needs its own name= in the iptables action: the action builds
     # a chain called fail2ban-<name>, and two jails sharing one chain fight
     # over it (the second jail's start cannot create the chain again, and
     # stopping either jail flushes the other one's bans).
    
     # password-fail
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP-password, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
    
     # username-notfound
     [username-notfound]
     enabled  = true
     filter   = username-notfound
     action   = iptables[name=SMTP-user, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
    
     # dos-hosts - Hosts insisting on delivering spam
     [dos-hosts]
     enabled  = true
     filter   = dos-hosts
     action   = iptables[name=SMTP-dos, port=smtp, protocol=tcp]
     logpath  = /var/log/qmail/smtp/current
     maxretry = 5
     bantime  = 86400
     findtime = 3600
      
     # vpopmail (POP3). The mail action file is sendmail-whois.conf, so it must be
     # spelled sendmail-whois and indented as a continuation line of action=.
     # bantime = -1 bans for ever (findtime is left at the default, 600 seconds);
     # think twice before doing that to a shared or NAT address, since only a
     # manual unblock (see below) will ever lift it.
     [vpopmail]
     enabled  = true
     port     = pop3
     filter   = vpopmail
     action   = iptables[name=pop3, port=pop3, protocol=tcp]
                sendmail-whois[name=pop3, dest=y...@email.domain, sender=em...@adr]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = -1
    
     # squirrelmail (use iptables-multiport[..., port="http,https", ...] instead
     # if the webmail is also served over HTTPS)
     [squirrelmail-iptables]
     enabled  = true
     filter   = squirrelmail
     action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
                sendmail-whois[name=SquirrelMail, dest=root, sender=fail2ban@example.it]
     # adjust logpath with Squirrelmail's squirrel_logger plugin log
     logpath  = /var/log/squirrelmail.log
     maxretry = 5

Test Filter
Test a filter against the real log with fail2ban-regex (log file first, then the filter file). It prints each regex and how many lines it matched; 0 means the regex and the log format disagree. It only exercises the regex: maxretry and findtime play no part here.

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
    
     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
        [1] 123 match(es)
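fail2ban-regex only answers "does the regex match". The script below is an added example, not part of the original post: it replays a constructed /var/log/maillog excerpt (documentation IPs, invented user names, a made-up "login success" line) through the page's own failregex values and a simplified model of how fail2ban 0.8 applies maxretry, findtime and bantime, so you can see which hosts the password-fail, username-notfound and vpopmail jails above would ban, and why an old failure outside findtime does not count. The <HOST> expansion is the one quoted in the filter comments; line_time assumes a year, because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# fail2ban 0.8 expands the <HOST> tag into this named group before compiling
# a failregex (the filter comments above quote the same expression).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex values of the filters above, copied verbatim.
FAILREGEX = {
    "password-fail":     r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "username-notfound": r"vchkpw-smtp: vpopmail user not found .*:<HOST>",
    "vpopmail":          r"vchkpw-pop3: vpopmail user not found .*@.*:<HOST>",
}

# Constructed maillog excerpt (syslog format, documentation IPs); not real
# traffic. Line 0 is an old failure from 192.0.2.44 that must fall out of the
# findtime window, 203.0.113.5 hammers SMTP AUTH, 198.51.100.7 probes two
# unknown users, and the last line is a login that no failregex may match.
SAMPLE_MAILLOG = [
    "May 28 09:00:00 mail vpopmail[2090]: vchkpw-smtp: password fail (pass: 'x') alice@example.com:192.0.2.44",
    "May 28 10:00:01 mail vpopmail[2101]: vchkpw-smtp: password fail (pass: 'hunter2') bob@example.com:203.0.113.5",
    "May 28 10:00:04 mail vpopmail[2102]: vchkpw-smtp: password fail (pass: 'letmein') bob@example.com:203.0.113.5",
    "May 28 10:00:09 mail vpopmail[2103]: vchkpw-smtp: password fail (pass: 'qwerty') bob@example.com:203.0.113.5",
    "May 28 10:00:10 mail vpopmail[2104]: vchkpw-smtp: password fail (pass: 'abc123') bob@example.com:203.0.113.5",
    "May 28 10:05:00 mail vpopmail[2110]: vchkpw-smtp: vpopmail user not found admin@example.com:198.51.100.7",
    "May 28 10:06:00 mail vpopmail[2111]: vchkpw-smtp: vpopmail user not found test@example.com:198.51.100.7",
    "May 28 11:30:00 mail vpopmail[2200]: vchkpw-smtp: password fail (pass: 'y') alice@example.com:192.0.2.44",
    "May 28 11:31:00 mail vpopmail[2201]: vchkpw-smtp: password fail (pass: 'z') alice@example.com:192.0.2.44",
    "May 28 11:31:30 mail vpopmail[2202]: vchkpw-pop3: vpopmail user not found carol@example.com:203.0.113.9",
    "May 28 11:32:30 mail vpopmail[2203]: vchkpw-smtp: password fail (pass: 'w') alice@example.com:192.0.2.44",
    "May 28 11:33:00 mail vpopmail[2204]: vchkpw-smtp: (PLAIN) login success bob@example.com:203.0.113.5",
]


def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex the way fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(regex, line):
    """Host captured by the failregex for one log line, or None if it is no failure."""
    m = regex.search(line)
    return m.group("host") if m else None


def line_time(line):
    """Epoch seconds for the syslog timestamp at the start of a line.
    The year is assumed (syslog omits it); only differences matter here."""
    stamp = " ".join(line[:15].split())          # collapse syslog's "May  8" padding
    when = datetime.strptime("2013 " + stamp, "%Y %b %d %H:%M:%S")
    return when.replace(tzinfo=timezone.utc).timestamp()


def run_jail(lines, failregex, maxretry=3, findtime=3600, bantime=86400):
    """Replay log lines through one jail, modelling fail2ban 0.8's counting:
    a host is banned once it has maxretry matching lines within findtime
    seconds, its failure counter is then reset, and further lines are ignored
    while the ban lasts (in production iptables drops them). bantime=-1 means
    a permanent ban. Returns {host: [epoch seconds of each ban]}."""
    regex = compile_failregex(failregex)
    failures = defaultdict(list)   # host -> failure times still inside findtime
    banned_until = {}              # host -> ban expiry (inf for permanent)
    bans = defaultdict(list)
    for line in lines:
        host = match_host(regex, line)
        if host is None:
            continue
        now = line_time(line)
        if now < banned_until.get(host, 0):
            continue
        recent = [t for t in failures[host] if now - t <= findtime]
        recent.append(now)
        if len(recent) >= maxretry:
            bans[host].append(now)
            banned_until[host] = float("inf") if bantime < 0 else now + bantime
            recent = []
        failures[host] = recent
    return dict(bans)


if __name__ == "__main__":
    for name, pattern in FAILREGEX.items():
        print(name, run_jail(SAMPLE_MAILLOG, pattern))
```

With the page's settings (maxretry 3, findtime 3600) the password-fail jail bans 203.0.113.5 at its third failure and 192.0.2.44 only at 11:32:30, because the 09:00 failure is older than findtime when the next one arrives; widen findtime to a day and the same host is banned a minute and a half earlier. The two username-notfound probes stay below maxretry, and the single POP3 failure only gets 203.0.113.9 banned if maxretry is lowered to 1.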

Reload Config
     # fail2ban-client stop
     # fail2ban-client start
(or fail2ban-client reload). Either way the jails are restarted and, with 0.8.x, every current ban is dropped; see the note below.

Check Jail Status
     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
        |- Currently banned: 109
        |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109
Note
Once fail2ban is running and the logs contain matching lines, it adds iptables rules dropping each banned IP (in a chain called fail2ban-<name>, <name> being the name= of the jail's action). Those rules exist only in the kernel, and fail2ban 0.8.x keeps no record of its bans on disk: after a fail2ban reload and/or an iptables restart and/or a reboot and/or the weekly logrotate, those rules are gone. bye bye! So what to do?
  • Before making changes, write the current rules, bans included, to /etc/sysconfig/iptables:
     # service iptables save
  • After any change, load that saved set of rules again:
     # service iptables restart
    (fail2ban's actionstart will then try to create fail2ban-<name> chains that already exist and add a second jump rule into them; harmless, but keep it in mind when reading iptables -L)
  • Tune fail2ban to write IPs to /etc/fail2ban/ip.deny (the action change that does this is not shown here; the admin commands below assume the file exists).
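One way to make fail2ban keep that file itself, as an added example rather than the post's own configuration: a custom action (hypothetical file name /etc/fail2ban/action.d/iptables-persist.conf, hypothetical parameter denyfile) that is the stock iptables action plus a ban file appended on ban, cleaned on unban and replayed into the chain on start. Because fail2ban rebuilds the chain on its own, this also avoids restoring fail2ban's chains from /etc/sysconfig/iptables and the duplicate jump rule that comes with it.

```ini
# /etc/fail2ban/action.d/iptables-persist.conf  (added example, hypothetical name)
# Stock iptables action plus a ban file (<denyfile>, a parameter defined in
# [Init] below) so bans survive a fail2ban or iptables restart. Use it from a
# jail with:
#   action = iptables-persist[name=SMTP-password, port=smtp, protocol=tcp]
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
              touch <denyfile>
              while read ip; do iptables -I fail2ban-<name> 1 -s "$ip" -j DROP; done < <denyfile>

actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'

# Record the IP once, however many times the jail bans it.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            grep -qxF '<ip>' <denyfile> || echo '<ip>' >> <denyfile>

# Runs only when a ban expires (never with bantime = -1). The dots in <ip>
# are regex wildcards for sed, which is good enough for a list of addresses.
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              sed -i '/^<ip>$/d' <denyfile>

[Init]
# Defaults; override per jail with name=, port=, protocol=, denyfile=.
name = default
port = smtp
protocol = tcp
denyfile = /etc/fail2ban/ip.deny
```

Bans replayed from the file at start are unknown to fail2ban's in-memory ban list, so a timed ban (bantime = 86400) that was restored this way is never lifted automatically: remove it from the file and from the chain by hand, as under "How to unblock an IP" below.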
Basic admin stuff
  • Check banned IPs:
    • from fail2ban (one jail at a time, by jail name):
        # fail2ban-client status vpopmail
    • from the current iptables rules (the bans sit in the fail2ban-<name> chains):
        # iptables -L -nv
    • To see IPs that fail2ban is saving for the next reload:
        # cat /etc/fail2ban/ip.deny
  • How to unblock an IP:
    • Delete it from the current iptables rules, in the chain of the jail that banned it (fail2ban-<name>, <name> being the name= of that jail's action; fail2ban 0.8.8 and later can also do this with fail2ban-client set <jail> unbanip <ip>):
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
    • Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
    • Remove it from /etc/sysconfig/iptables if you saved the rules with "service iptables save" (maybe listed several times).
