Easy Hosting Control Panel (EHCP) :: Force Edition
EHCP Force Support => Feature Requests => Topic started by: colifato on November 04, 2014, 02:09:38 pm
-
Would it be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE, and also to integrate DKIM configuration into postfix?
Thanks
-
Hi, yes it should be possible, but could you please provide a sample log illustrating what a normal entry looks like for whatever you're trying to log and ban?
-
Give me 2 or 3 days until the next dictionary-based attack happens and I'll copy the log for you.
Regards
-
Nov 11 15:46:42 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]
or
Jul 23 19:01:10 server1 postfix/smtpd[3583]: disconnect from 70-91-145-229-jax-fl.hfc.comcastbusiness.net[70.91.145.229]
Jul 23 19:01:20 server1 postfix/smtpd[3580]: warning: hostname 93-152-59-168.nws.mops2.co.uk does not resolve to address 93.152.59.168
Jul 23 19:01:20 server1 postfix/smtpd[3580]: connect from unknown[93.152.59.168]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:22 server1 postfix/smtpd[3580]: disconnect from unknown[93.152.59.168]
Jul 23 19:01:24 server1 postfix/smtpd[3583]: connect from unknown[14.162.68.221]
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
-
In /etc/fail2ban/jail.local find the sasl section and enable it. It should look similar to this:
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath = /var/log/mail.log
maxretry = 4
I think that will do it? I tested the regex based on your log. It should ban after 4 failed attempts against sasl.
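To see what the jail above actually does with the two log excerpts posted earlier, here is an added example (my own code, not part of EHCP or fail2ban) that replays the sample lines through two fail2ban-style failregexes and applies the maxretry/findtime logic of a jail. The "sasl" regex is written for this example and only approximates the stock filter.d/sasl.conf; the "courier-pop3" regex is entirely mine, added because a [sasl] jail watching only postfix/smtpd never sees the Courier pop3d "LOGIN FAILED" lines from the first excerpt. The sample lines are copied from the post; the year 2014 is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban filters write <HOST> where the source address goes and expand it
# themselves; this example expands it by hand so the regexes run under plain
# Python `re`.
HOST = r"(?P<host>[\w\-.:]+)"

# Filter regexes written for this example (not the stock filter.d/sasl.conf
# and not anything shipped by EHCP):
#   sasl         -> postfix/smtpd "SASL ... authentication failed" lines
#   courier-pop3 -> Courier pop3d "LOGIN FAILED" lines, which a [sasl] jail
#                   reading only postfix entries would never match
FILTERS = {
    "sasl": re.compile(
        r"postfix/smtpd\[\d+\]: warning: [\w\-.]+\[" + HOST
        + r"\]: SASL (?:PLAIN|LOGIN|CRAM-MD5|DIGEST-MD5) authentication failed"
    ),
    "courier-pop3": re.compile(
        r"pop3d: LOGIN FAILED, user=[^,]+, ip=\[(?:::ffff:)?" + HOST + r"\]"
    ),
}

ASSUMED_YEAR = 2014  # syslog timestamps carry no year; assumed from the thread date


def parse_ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp."""
    return datetime.strptime(f"{ASSUMED_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def match_host(jail, line):
    """Return the offending host if `line` matches the jail's failregex, else None."""
    m = FILTERS[jail].search(line)
    return m.group("host") if m else None


def scan(lines, maxretry=4, findtime=timedelta(seconds=600)):
    """Replay log lines through every filter and return the bans a jail with
    this maxretry/findtime would issue, as {(jail, host): ban_timestamp}."""
    recent = defaultdict(list)  # (jail, host) -> failure timestamps inside the window
    bans = {}
    for line in lines:
        for jail in FILTERS:
            host = match_host(jail, line)
            if host is None:
                continue
            key = (jail, host)
            if key in bans:
                continue  # already banned; fail2ban would have dropped this traffic
            ts = parse_ts(line)
            # drop failures older than findtime, then count this one
            window = [t for t in recent[key] if ts - t <= findtime] + [ts]
            recent[key] = window
            if len(window) >= maxretry:
                bans[key] = ts
    return bans


# Sample lines copied from the post above (Courier pop3d and postfix SASL
# excerpts). The host-less "Password verification failed" line is kept on
# purpose to show that it is not counted against anyone.
SAMPLE_LOG = [
    "Nov 11 15:46:42 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]",
    "Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]",
    "Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]",
    "Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]",
    "Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]",
    "Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed",
    "Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure",
    "Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure",
    "Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    for maxretry in (4, 2):
        print(f"maxretry={maxretry}:")
        for (jail, host), when in scan(SAMPLE_LOG, maxretry=maxretry).items():
            print(f"  [{jail}] ban {host} at {when:%b %d %H:%M:%S}")
```

With maxretry = 4, as in the jail above, only the pop3d attacker (four LOGIN FAILED lines from 200.32.69.26) gets banned, and only if a jail actually watches the Courier lines; each SASL host in the excerpt produced just two matching lines (PLAIN and LOGIN), so the [sasl] jail would not fire on that excerpt until the attacker tried again within findtime. Lowering maxretry to 2 bans both SASL hosts on their second line. Running the same regex over a real mail.log (fail2ban-regex does exactly this) before enabling a jail is the quickest way to confirm the filter matches the lines you expect and nothing else.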