Easy Hosting Control Panel (EHCP) :: Force Edition

EHCP Force Support => Feature Requests => Topic started by: colifato on November 04, 2014, 02:09:38 pm

Title: Ability to add fail2ban and DKIM
Post by: colifato on November 04, 2014, 02:09:38 pm
Would it be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE, and also integrate DKIM configuration into postfix?
Thanks
Title: Re: Ability to add fail2ban and DKIM
Post by: earnolmartin on November 06, 2014, 07:06:06 pm
Would it be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE, and also integrate DKIM configuration into postfix?
Thanks

Hi, yes it should be possible, but could you please provide a sample log illustrating what a normal entry looks like for whatever you're trying to log and ban? 
Title: Re: Ability to add fail2ban and DKIM
Post by: colifato on November 10, 2014, 03:03:24 pm
Give me 2 or 3 days until the next dictionary-based attack, and I'll copy the log for you.
Regards
Title: Re: Ability to add fail2ban and DKIM
Post by: colifato on November 11, 2014, 11:50:16 am
Nov 11 15:46:42 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]

or

Jul 23 19:01:10 server1 postfix/smtpd[3583]: disconnect from 70-91-145-229-jax-fl.hfc.comcastbusiness.net[70.91.145.229]
Jul 23 19:01:20 server1 postfix/smtpd[3580]: warning: hostname 93-152-59-168.nws.mops2.co.uk does not resolve to address 93.152.59.168
Jul 23 19:01:20 server1 postfix/smtpd[3580]: connect from unknown[93.152.59.168]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:22 server1 postfix/smtpd[3580]: disconnect from unknown[93.152.59.168]
Jul 23 19:01:24 server1 postfix/smtpd[3583]: connect from unknown[14.162.68.221]
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
Title: Re: Ability to add fail2ban and DKIM
Post by: earnolmartin on November 25, 2014, 04:06:45 pm
In /etc/fail2ban/jail.local find the sasl section and enable it.  It should look similar to this:

[sasl]

enabled  = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log
maxretry = 4

I think that will do it?  I tested the regex based on your log.  It should ban after 4 failed attempts against sasl.
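To check that the regexes behind the sasl jail (and fail2ban's courierlogin filter, which is what covers the pop3d lines posted above) actually match these samples and how many hits each host accumulates before maxretry is reached, here is an added Python example that re-implements the matching and counting in simplified form. It is not fail2ban's own code or EHCP's; the two regexes, the 600-second findtime default and the 2014 year for the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regexes modelled on fail2ban's stock "sasl" and "courierlogin" filters (assumption:
# simplified re-implementations). HOST tolerates courier's "::ffff:" IPv4-mapped prefix.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"
FILTERS = {
    "sasl": re.compile(r"postfix/smtpd\[\d+\]: warning: [\w\-.]+\[" + HOST +
                       r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"),
    "courierlogin": re.compile(r"(?:pop3d|imapd)(?:-ssl)?: LOGIN FAILED, user=\S+, ip=\[" + HOST + r"\]"),
}

def parse_ts(line, year=2014):
    """syslog lines carry no year; 2014 is assumed from the thread's dates."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def count_failures(lines, filt):
    """Return {host: [timestamps]} for every line the filter matches."""
    hits = defaultdict(list)
    for line in lines:
        m = filt.search(line)
        if m:
            hits[m.group("host")].append(parse_ts(line))
    return hits

def would_ban(lines, filt, maxretry=4, findtime=600):
    """Hosts with maxretry matches inside a findtime-second window (fail2ban's ban rule)."""
    banned = set()
    for host, stamps in count_failures(lines, filt).items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned

# Sample lines copied from the thread above (the pop3d host fails 4 times, each postfix host twice).
LOG = """\
Nov 11 15:46:42 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
""".splitlines()
```

With maxretry = 4 only the pop3d host reaches the threshold in this snippet; the sasl jail sees just two failures per postfix host, so it would need more lines from the same attacker before banning.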