Hi,
I have a problem with fail2ban. I followed this howto to install fail2ban: http://wiki.i-mscp.net/doku.php?id=start:howto:fail2ban
The problem is that it does not work with mail servers. Fail2ban recognizes the IPs and passes them on to iptables. But that's about it. If the same IP connects again, I get an "already banned". The requests are still allowed through. This only happens for mail. FTP, SSH, etc. function properly.
I don't use dovecot, so I configured sasl. Here are my logs:
mail.log
fail2ban.log
iptables -L
jail.local
Code
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
findtime = 600
bantime = 6000
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers i-MSCP customer sites
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/users/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/users/*error.log
maxretry = 6
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/users/*error.log
maxretry = 6
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/users/*error.log
maxretry = 2
#
# HTTP servers i-MSCP Control Panel
#
[imscp]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[imscp-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 6
[imscp-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 6
[imscp-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
#
# FTP servers
#
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
#
# Mail servers authenticators: might be used for smtp,pop3,imap servers, so
# all relevant ports get banned
#
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
maxretry = 2
bantime = 36000
[roundcube]
enabled = true
port = http,https
filter = roundcube
logpath = /var/www/imscp/gui/public/tools/webmail/logs/errors
maxretry = 6
sasl.conf
Code
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL LOGIN authentication failed
            (?i): warning: [-._\w]+\[<HOST>\]: SASL CRAM-MD5 authentication failed
            (?i): warning: [-._\w]+\[<HOST>\]: SASL PLAIN authentication failed
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
Does somebody have an idea? Thanks
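An added check, not from the post or from fail2ban itself, that applies the failregex from the sasl.conf above to constructed Postfix log lines and counts hits per host with the [sasl] jail's maxretry and the [DEFAULT] findtime from the jail.local above. It separates the filter side (does the regex match, does the host reach maxretry) from the iptables side, which is where "already banned" without an effective block points; the log lines and the year used for parsing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex lines from the post's sasl.conf; <HOST> expands to the alias named in the filter comment
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL LOGIN authentication failed",
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL CRAM-MD5 authentication failed",
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL PLAIN authentication failed",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# From the post's jail.local: [sasl] sets maxretry = 2; findtime = 600 is inherited from [DEFAULT]
MAXRETRY, FINDTIME = 2, 600

# Constructed Postfix/syslog lines (not the post's mail.log): 192.0.2.10 fails twice within
# seconds, 198.51.100.7 fails twice but 30 minutes apart, the last line is unrelated noise
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[2201]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:05 mx postfix/smtpd[2201]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jan 10 12:00:09 mx postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure
Jan 10 12:30:00 mx postfix/smtpd[2210]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:30:02 mx postfix/smtpd[2211]: connect from unknown[203.0.113.5]
"""

def parse_time(line, year=2024):
    # the syslog 'Mon DD HH:MM:SS' prefix carries no year, so one is assumed
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def match_host(line):
    """Return the host captured by the first failregex that matches, or None."""
    for pat in PATTERNS:
        if m := pat.search(line):
            return m.group("host")
    return None

def find_bans(log_text):
    """Sliding findtime window per host, as the jail does; returns hosts reaching maxretry in ban order."""
    hits, banned = defaultdict(list), []
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None:
            continue
        t = parse_time(line)
        hits[host] = [x for x in hits[host] if (t - x).total_seconds() <= FINDTIME]
        hits[host].append(t)
        if len(hits[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned
```

If find_bans reports the host you expect, the filter is fine and the remaining question is whether the iptables-multiport chain for the sasl jail actually contains the DROP rule and whether the named ports resolve to the ones the mail server listens on.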