Author Topic: Ability to add fail2ban and DKIM

colifato

Ability to add fail2ban and DKIM
« on: November 04, 2014, 02:09:38 pm »
It would be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE and also integrate DKIM configuration to postfix?
Thanks

earnolmartin

Re: Ability to add fail2ban and DKIM
« Reply #1 on: November 06, 2014, 07:06:06 pm »
It would be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE and also integrate DKIM configuration to postfix?
Thanks

Hi, yes it should be possible, but could you please provide a sample log illustrating what a normal entry looks like for whatever you're trying to log and ban? 

colifato

Re: Ability to add fail2ban and DKIM
« Reply #2 on: November 10, 2014, 03:03:24 pm »
Give me 2 or 3 days until the next dictionary-based attack happens and I'll copy the log for you.
Regards

colifato

Re: Ability to add fail2ban and DKIM
« Reply #3 on: November 11, 2014, 11:50:16 am »
Nov 11 15:46:42 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]

or

Jul 23 19:01:10 server1 postfix/smtpd[3583]: disconnect from 70-91-145-229-jax-fl.hfc.comcastbusiness.net[70.91.145.229]
Jul 23 19:01:20 server1 postfix/smtpd[3580]: warning: hostname 93-152-59-168.nws.mops2.co.uk does not resolve to address 93.152.59.168
Jul 23 19:01:20 server1 postfix/smtpd[3580]: connect from unknown[93.152.59.168]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:22 server1 postfix/smtpd[3580]: disconnect from unknown[93.152.59.168]
Jul 23 19:01:24 server1 postfix/smtpd[3583]: connect from unknown[14.162.68.221]
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure

earnolmartin

Re: Ability to add fail2ban and DKIM
« Reply #4 on: November 25, 2014, 04:06:45 pm »
In /etc/fail2ban/jail.local find the sasl section and enable it.  It should look similar to this:

Code:
[sasl]

enabled  = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log
maxretry = 4

I think that will do it?  I tested the regex based on your log.  It should ban after 4 failed attempts against sasl.
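To check what the [sasl] jail above would actually catch against the two log formats posted earlier in the thread, here is an added example (my own code, not part of EHCP or fail2ban) that replays fail2ban's count-within-findtime logic over the posted lines. The two regexes are approximations of fail2ban's sasl and courier login filters, not the project's exact patterns; the key point it shows is that the postfix/smtpd SASL lines match the sasl filter, while the courier pop3d "LOGIN FAILED" lines need a separate filter, so the sasl jail alone would not ban that dictionary attack.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: failure lines copied from the two logs posted in this thread.
SAMPLE_LOG = """\
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
"""

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Approximations of fail2ban's sasl and courier login failregexes (assumed, not verbatim).
FILTERS = {
    "sasl": re.compile(r": warning: [-._\w]+\[" + HOST
                       + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"),
    "courier-login": re.compile(r"pop3d: LOGIN FAILED, user=\S+, ip=\[(?:::ffff:)?" + HOST + r"\]"),
}


def parse_ts(line, year=2014):
    """Syslog timestamps carry no year; the sample is from 2014, so assume it."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def scan(log, filters, maxretry=4, findtime=600):
    """Return {filter_name: {ip: time_of_ban}} using fail2ban's maxretry/findtime rule:
    an IP is banned once it has >= maxretry matches within a sliding findtime window."""
    hits = defaultdict(lambda: defaultdict(list))
    bans = {name: {} for name in filters}
    for line in log.splitlines():
        ts = parse_ts(line)
        for name, rx in filters.items():
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("host")
            recent = [t for t in hits[name][ip] if (ts - t).total_seconds() <= findtime]
            recent.append(ts)
            hits[name][ip] = recent
            if len(recent) >= maxretry and ip not in bans[name]:
                bans[name][ip] = ts
    return bans
```

With maxretry = 4 as in the jail above, the pop3d attacker is banned by the courier filter on its fourth failure, while the two smtpd hosts (two SASL failures each in the excerpt) stay below the threshold.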