Fail2Ban

Fail2Ban should be installed as a part of Interworx and configurable via the GUI.

I was able to modify the default jail.local (DO NOT MODIFY JAIL.CONF) to accommodate different paths on my system.

I have a default bantime of 2592000. Keep them out for a month.

Make sure you put the IP blocks you’ll be administering from in the ignoreip field, so as to prevent yourself from getting locked out.

Here are my relevant sections:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=admin@domain.net, sendername="Fail2Ban"]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]
enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=admin@domain.net]
           complain[logpath=/var/log/proftpd/auth.log]
logpath  = /var/log/proftpd/auth.log
maxretry = 6

# The iptables action's "name" becomes the chain fail2ban-<name>, so it must be
# unique per jail: the three SMTP jails below get distinct chain names instead
# of all sharing name=SMTP (a shared chain is flushed and deleted when the first
# jail using it stops, dropping the other jails' bans).

# password-fail
[password-fail]
enabled  = true
filter   = password-fail
action   = iptables[name=SMTP-pw, port=smtp, protocol=tcp]
           sendmail-whois[name=SMTP, dest=admin@domain.net]
           complain[logpath=/var/log/maillog]
logpath  = /var/log/maillog
maxretry = 3
findtime = 3600

# username-notfound
[username-notfound]
enabled  = true
filter   = username-notfound
action   = iptables[name=SMTP-user, port=smtp, protocol=tcp]
           sendmail-whois[name=SMTP, dest=admin@domain.net]
           complain[logpath=/var/log/maillog]
logpath  = /var/log/maillog
maxretry = 3
findtime = 3600

# dos-hosts - Hosts insisting on delivering spam
[dos-hosts]
enabled  = true
filter   = dos-hosts
action   = iptables[name=SMTP-dos, port=smtp, protocol=tcp]
           sendmail-whois[name=SMTP, dest=admin@domain.net]
           complain[logpath=/var/log/smtp/current]
logpath  = /var/log/smtp/current
maxretry = 5
findtime = 3600

# vpopmail
[vpopmail]
enabled  = true
port     = pop3
filter   = vpopmail
action   = iptables[name=pop3, port=pop3, protocol=tcp]
           sendmail-whois[name=pop3, dest=admin@domain.net]
           complain[logpath=/var/log/maillog]
logpath  = /var/log/maillog
maxretry = 3
bantime  = -1

I added a complainer as I want all of these guys’ abuse contacts to know about the problems their users are causing. Maybe they’ll do something about it, maybe they won’t. Either way, it’s a little effort on my behalf to help clean up the Internet. Make sure to edit /etc/fail2ban/action.d/complain.conf as appropriate, making sure the last line says:

mailargs = -c admin@domain.net -- -f admin@domain.net

This is to CC your admin account on the outbound notices and to say it is from your admin account.

You also need to specify the rules that it uses to determine a failure. Create these files with your favorite editor:
/etc/fail2ban/filter.d/password-fail.conf

[Definition]
# Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =

/etc/fail2ban/filter.d/username-notfound.conf

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

/etc/fail2ban/filter.d/dos-hosts.conf

[Definition]
# Several patterns: continuation lines must stay indented under failregex
failregex = rblsmtpd: <HOST> .*: 451 Blocked
            CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to r$
            CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
            .* rblsmtpd: <HOST>
ignoreregex =

/etc/fail2ban/filter.d/vpopmail.conf

# Fail2Ban configuration file
# Author: Christoph Haas
# Modified by: Ole Johansen - CDS
# $Revision: 510 $

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Most of this was stolen from QMail Toaster. Other parts were done by me. I don’t think I have anyone else to credit… maybe Google.

Well now doesn’t that look fantastic…
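As an added check that is not part of the original post: the script below expands <HOST> the way fail2ban does and runs the post's failregexes over constructed vpopmail/qmail log lines, counting hits per source and honouring maxretry and an ignoreip network, so you can confirm a filter really matches your log format and that your own admin block stays out before enabling a jail. The jail names, patterns and maxretry values are the post's; the log lines and the 203.0.113.0/24 admin block are constructed.

```python
import ipaddress
import re
from collections import Counter

# fail2ban expands <HOST> to exactly this group (see the filter file comments)
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# (failregex list, maxretry) per jail, copied from the post; dos-hosts keeps its two complete patterns
JAILS = {
    "password-fail": ([r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"], 3),
    "username-notfound": ([r"vchkpw-smtp: vpopmail user not found .*:<HOST>"], 3),
    "dos-hosts": ([r"rblsmtpd: <HOST> .*: 451 Blocked",
                   r"CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> "
                   r"rcpt <.*> : not existing recipient"], 5),
    "vpopmail": ([r"vchkpw-pop3: vpopmail user not found .*@:<HOST>"], 3),
}

# constructed sample lines in the vpopmail/qmail log formats the filters target (not real traffic)
SAMPLE_LOG = [
    "Jan  5 10:00:01 mx vpopmail[4412]: vchkpw-smtp: password fail (pass: 'guess1') bob@example.com:203.0.113.5",
    "Jan  5 10:00:03 mx vpopmail[4413]: vchkpw-smtp: password fail (pass: 'guess2') bob@example.com:203.0.113.5",
    "Jan  5 10:00:05 mx vpopmail[4414]: vchkpw-smtp: password fail (pass: 'guess3') bob@example.com:203.0.113.5",
    "Jan  5 10:00:09 mx vpopmail[4415]: vchkpw-smtp: password fail (pass: 'typo') alice@example.com:198.51.100.7",
    "Jan  5 10:01:00 mx vpopmail[4420]: vchkpw-pop3: vpopmail user not found admin@:203.0.113.5",
    "@400000004f0586a00b3a2c7c rblsmtpd: 192.0.2.9 pid 5170: 451 Blocked - see http://www.spamhaus.org/query/bl?ip=192.0.2.9",
    "@400000004f0586b01c4d3e8c CHKUSER rejected rcpt: from <x@example.net:> remote <mail.example.net:unknown:192.0.2.9> rcpt <nobody@example.com> : not existing recipient",
]

def match_host(jail, line):
    """Host captured by the first failregex of `jail` that matches `line`, else None."""
    for pattern in JAILS[jail][0]:
        m = re.search(pattern.replace("<HOST>", HOST_TAG), line)
        if m:
            return m.group("host")
    return None

def would_ban(jail, lines, ignoreip=()):
    """Hosts reaching maxretry for `jail`, excluding any inside an ignoreip network."""
    hits = Counter(h for h in (match_host(jail, l) for l in lines) if h)
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    banned = set()
    for host, count in hits.items():
        if count < JAILS[jail][1]:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:  # a hostname was captured, so no ignoreip network can cover it
            addr = None
        if addr is None or not any(addr in net for net in ignored):
            banned.add(host)
    return banned
```

Run it against a slice of your real /var/log/maillog before enabling a jail; the findtime window is not modelled here, so it reports what would happen if all sampled lines fell within one window.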

Hi Johan-hammy

Thanks for sharing, and once our current test is over, I may redo a fresh test install and check it out.

Many thanks

John

Is anyone else experiencing a strange output on the page?

Yeah, highlight it and copy into a notepad mate.

[QUOTE=uncloudedweb;26711]Is anyone else experiencing a strange output on the page?

[/QUOTE]

I spent some time trying to straighten it out, trying different methods of quotation. *shrugs* I gave up after about four or five tries.

Hi johan_hammy

I hope you don’t mind and I tried reading your post but just can’t understand it sorry. I appreciate it’s likely to be the forum which has squeezed it.

If you have time, please could you post as text and not pic, but cannot guarantee that I could help though, sorry.

Many thanks

John

[QUOTE=d2d4j;26715]Hi johan_hammy

I hope you don’t mind and I tried reading your post but just can’t understand it sorry. I appreciate it’s likely to be the forum which has squeezed it.

If you have time, please could you post as text and not pic, but cannot guarantee that I could help though, sorry.

Many thanks

John[/QUOTE]
I did post text, but the forum software spewed all over it.