EHCP Force Support > Feature Requests
Ability to add fail2ban and DKIM
colifato:
Would it be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE, and also integrate DKIM configuration into postfix?
Thanks
earnolmartin:
--- Quote from: colifato on November 04, 2014, 02:09:38 pm ---Would it be possible to add a really robust fail2ban configuration that already comes in the default installation of EHCP FORCE, and also integrate DKIM configuration into postfix?
Thanks
--- End quote ---
Hi, yes it should be possible, but could you please provide a sample log illustrating what a normal entry looks like for whatever you're trying to log and ban?
colifato:
Give me 2 or 3 days until the next dictionary-based attack, and I'll copy the log.
Regards
colifato:
Nov 11 15:46:42 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:53 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Disconnected, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: Connection, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]
or
Jul 23 19:01:10 server1 postfix/smtpd[3583]: disconnect from 70-91-145-229-jax-fl.hfc.comcastbusiness.net[70.91.145.229]
Jul 23 19:01:20 server1 postfix/smtpd[3580]: warning: hostname 93-152-59-168.nws.mops2.co.uk does not resolve to address 93.152.59.168
Jul 23 19:01:20 server1 postfix/smtpd[3580]: connect from unknown[93.152.59.168]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:22 server1 postfix/smtpd[3580]: disconnect from unknown[93.152.59.168]
Jul 23 19:01:24 server1 postfix/smtpd[3583]: connect from unknown[14.162.68.221]
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
earnolmartin:
In /etc/fail2ban/jail.local find the sasl section and enable it. It should look similar to this:
--- Code: ---[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath = /var/log/mail.log
maxretry = 4
--- End code ---
I think that will do it? I tested the regex based on your log. It should ban after 4 failed attempts against sasl.
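As an added illustration (not part of this thread or of EHCP), here is a small Python checker that applies the same counting rule as the jail above (ban once a host reaches maxretry failures inside a findtime window) to the two log formats colifato posted. The two regexes are my own approximations of what fail2ban's sasl and courier filters match, not the stock filter files, and the sample lines are constructed from the thread's examples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines, modelled on the pop3d and postfix/smtpd entries in this thread.
SAMPLE_LOG = """\
Nov 11 15:46:43 server1 pop3d: LOGIN FAILED, user=plan, ip=[::ffff:200.32.69.26]
Nov 11 15:46:48 server1 pop3d: LOGIN FAILED, user=redes, ip=[::ffff:200.32.69.26]
Nov 11 15:46:54 server1 pop3d: LOGIN FAILED, user=afranco, ip=[::ffff:200.32.69.26]
Nov 11 15:46:59 server1 pop3d: LOGIN FAILED, user=pgarcia, ip=[::ffff:200.32.69.26]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
"""

# syslog prefix: "Mon DD HH:MM:SS hostname "
TS = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
FAILURE_PATTERNS = [
    # courier pop3d/imapd: "LOGIN FAILED, user=..., ip=[::ffff:1.2.3.4]" (approximation, not the stock filter)
    re.compile(TS + r"(?:pop3d|imapd)(?:-ssl)?: LOGIN FAILED, user=[^,]*, ip=\[(?P<host>[^\]]+)\]"),
    # postfix/smtpd: "warning: name[1.2.3.4]: SASL PLAIN authentication failed: ..." (approximation)
    re.compile(TS + r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[^\]]+)\]: "
               r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"),
]

def normalize_host(host):
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:1.2.3.4 and 1.2.3.4 count as one host."""
    return host[7:] if host.startswith("::ffff:") else host

def parse_failure(line, year=2014):
    """Return (timestamp, host) for a recognised auth failure, else None."""
    for pat in FAILURE_PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, normalize_host(m.group("host"))
    return None

def hosts_to_ban(lines, maxretry=4, findtime=600):
    """Return {host: time_of_ban} for hosts reaching maxretry failures within findtime seconds."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop failures outside the window
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"would ban {host} at {when}")
```

With the sample above only 200.32.69.26 reaches four failures; the two postfix hosts stay below maxretry, which is why a separate jail (courier) is needed for the pop3d lines if the sasl filter alone does not match them.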