Fail2Ban

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Fail2Ban

    Fail2Ban should be installed as a part of Interworx and configurable via the GUI.

    I was able to modify the default jail.local (DO NOT MODIFY JAIL.CONF) to accommodate different paths on my system.

    I have a default bantime of 2592000. Keep them out for a month.

    Make sure you put the IP blocks you'll be administering from in the ignoreip field, so as to prevent yourself from getting locked out.

    Here are my relevant sections:
    Code:
    [ssh-iptables]
    
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=root, sender=admin@domain.net, sendername="Fail2Ban"]
               complain[logpath=/var/log/secure]
    logpath  = /var/log/secure
    maxretry = 5
    
    
    [proftpd-iptables]
    
    
    enabled  = false
    filter   = proftpd
    action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=ProFTPD, dest=admin@domain.net]
               complain[logpath=/var/log/proftpd/auth.log]
    logpath  = /var/log/proftpd/auth.log
    maxretry = 6
    
    # password-fail
    [password-fail]
    enabled  = true
    filter   = password-fail
    action   = iptables[name=SMTP, port=smtp, protocol=tcp]
               sendmail-whois[name=SMTP, dest=admin@domain.net]
               complain[logpath=/var/log/maillog]
    logpath  = /var/log/maillog
    maxretry = 3
    findtime = 3600
    
    
    # username-notfound
    [username-notfound]
    enabled  = true
    filter   = username-notfound
    action   = iptables[name=SMTP, port=smtp, protocol=tcp]
               sendmail-whois[name=SMTP, dest=admin@domain.net]
               complain[logpath=/var/log/maillog]
    logpath  = /var/log/maillog
    maxretry = 3
    findtime = 3600
    
    
    # dos-hosts - Hosts insisting on delivering spam
    [dos-hosts]
    enabled  = true
    filter   = dos-hosts
    action   = iptables[name=SMTP, port=smtp, protocol=tcp]
               sendmail-whois[name=SMTP, dest=admin@domain.net]
               complain[logpath=/var/log/smtp/current]
    logpath  = /var/log/smtp/current
    maxretry = 5
    findtime = 3600
    
    # vpopmail
    [vpopmail]
    enabled  = true
    port     = pop3
    filter   = vpopmail
    action   = iptables[name=pop3, port=pop3, protocol=tcp]
               sendmail-whois[name=pop3, dest=admin@domain.net]
               complain[logpath=/var/log/maillog]
    logpath  = /var/log/maillog
    maxretry = 3
    bantime  = -1


    I added a complainer as I want all of these guys' abuse contacts to know about the problems their users are causing. Maybe they'll do something about it, maybe they won't. Either way, it's a little effort on my behalf to help clean up the Internet. Make sure to edit /etc/fail2ban/action.d/complain.conf as appropriate. Make sure the last line says:

    Code:
    mailargs = -c admin@domain.net -- -f admin@domain.net

    This is to CC your admin account on the outbound notices and to say it is from your admin account.

    You also need to specify the rules that it uses to determine a failure. Create these files with your favorite editor:
    /etc/fail2ban/filter.d/password-fail.conf
    Code:
    [Definition]
    # Looks for failed password logins to SMTP
    failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
    ignoreregex =

    /etc/fail2ban/filter.d/username-notfound.conf
    Code:
    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # The host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =

    /etc/fail2ban/filter.d/dos-hosts.conf
    Code:
    [Definition]
    failregex = rblsmtpd: <HOST> .*: 451 Blocked
                CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to r$
                CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
                .* rblsmtpd: <HOST>

    /etc/fail2ban/filter.d/vpopmail.conf
    Code:
    # Fail2Ban configuration file
    # Author: Christoph Haas
    # Modified by: Ole Johansen - CDS
    # $Revision: 510 $

    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # The host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =

    Most of this was stolen from QMail Toaster. Other parts were done by me. I don't think I have anyone else to credit... maybe Google.
    Last edited by johan_hammy; 11-30-2014, 01:11 PM. Reason: Trying to clean up some ugliness and sanitation
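Added example, not part of the post or of fail2ban itself: a small Python checker that expands the <HOST> tag exactly as the filter comments above describe and runs the post's failregex patterns over constructed log lines, so you can see which hosts each jail would count toward maxretry before enabling it with a month-long (or permanent) bantime. The vchkpw, rblsmtpd and CHKUSER line formats and the addresses are my assumptions, not real logs.

```python
import re

# fail2ban expands the "<HOST>" tag to this group (quoted in the filter files above).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex patterns copied from the post's filter files (the cut-off "r$" CHKUSER line is omitted).
FILTERS = {
    "password-fail": [r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"],
    "username-notfound": [r"vchkpw-smtp: vpopmail user not found .*:<HOST>"],
    "dos-hosts": [
        r"rblsmtpd: <HOST> .*: 451 Blocked",
        r"CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient",
    ],
    "vpopmail": [r"vchkpw-pop3: vpopmail user not found .*@:<HOST>"],
}

# Constructed sample lines, not real logs: the vchkpw/rblsmtpd/CHKUSER formats are approximations.
SAMPLE_MAILLOG = [
    "Dec  1 10:00:01 mx vpopmail[1201]: vchkpw-smtp: password fail (pass: 'xxxx') bob@example.com:198.51.100.7",
    "Dec  1 10:00:05 mx vpopmail[1202]: vchkpw-smtp: vpopmail user not found nobody@:198.51.100.8",
    "Dec  1 10:00:09 mx vpopmail[1203]: vchkpw-pop3: vpopmail user not found alice@:203.0.113.9",
    "Dec  1 10:00:12 mx vpopmail[1204]: vchkpw-smtp: (PLAIN) login success bob@example.com:198.51.100.7",
    "Dec  1 10:00:15 mx vpopmail[1205]: vchkpw-smtp: password fail (pass: 'yyyy') bob@example.com:198.51.100.7",
]
SAMPLE_SMTPLOG = [
    "rblsmtpd: 192.0.2.10 pid 4321: 451 Blocked - see http://www.spamhaus.org/query/bl?ip=192.0.2.10",
    "CHKUSER rejected rcpt: from <spammer@example.net:> remote <unknown:unknown:192.0.2.11> rcpt <nobody@example.com> : not existing recipient",
]

def compile_filter(name):
    """Compile each failregex of the named filter with <HOST> expanded, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in FILTERS[name]]

def match_hosts(name, lines):
    """Host captured from every line the filter matches, in log order; other lines yield nothing."""
    regexes = compile_filter(name)
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # first matching failregex wins
    return hosts

def count_failures(name, lines):
    """Failures per host; a host hitting the jail's maxretry within findtime gets banned."""
    counts = {}
    for host in match_hosts(name, lines):
        counts[host] = counts.get(host, 0) + 1
    return counts
```

The successful-login line is deliberately included to confirm it adds nothing to any count; swap in lines from your own maillog to check the patterns before turning a jail on.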

  • #2
    Well now doesn't that look fantastic....

  • #3
    Hi Johan-hammy

    Thanks for sharing, and once our current test is over, I may redo a fresh test install and check it out.

    Many thanks

    John

  • #4
    Is anyone else experiencing a strange output on the page?

    [Attachment: Screen Shot 2014-12-06 at 6.26.06 PM.jpg]

  • #5
    Yeah, highlight it and copy it into a notepad, mate.
    Michael Dance
    Licensecart Certified Distribution for Blesta, Interworx, KernelCare, CraftSRV, Softaculous, SolusVM, LiteSpeed & SSLs.
    Free Softaculous & 50% off KernelCare with every InterWorx license bought with us. We pride ourselves on being the cheapest external provider.
    Need Help? Check out the InterWorx FAQs or check out our Knowledgebase. In the InterWorx family, you're never alone!

  • #6
    Originally posted by uncloudedweb
    Is anyone else experiencing a strange output on the page?

    [Attachment: Screen Shot 2014-12-06 at 6.26.06 PM.jpg]

    I spent some time trying to straighten it out, trying different methods of quotation. *shrugs* I gave up after about four or five tries.

  • #7
    Hi johan_hammy

    I hope you don't mind, and I tried reading your post but just can't understand it, sorry. I appreciate it's likely to be the forum which has squeezed it.

    If you have time, please could you post as text and not a pic, but I cannot guarantee that I could help, though, sorry.

    Many thanks

    John

  • #8
    Originally posted by d2d4j
    Hi johan_hammy

    I hope you don't mind, and I tried reading your post but just can't understand it, sorry. I appreciate it's likely to be the forum which has squeezed it.

    If you have time, please could you post as text and not a pic, but I cannot guarantee that I could help, though, sorry.

    Many thanks

    John

    I did post text, but the forum software spewed all over it.