Nice, that's great! :)
Just a little question: I don't get this <HOST> (I've also read the wiki but it's not clear)

Can you do an example, please?


On 05/03/2011 23:26, Sergio M wrote:
Eric Shubert wrote:
Timing is good on this. :)

Have at it. I've added a link to this page under the Configuration -> Security section. It's a start (albeit not much of one).

Hey guys, I created a basic article, but have trouble with formatting.
Can anyone take a look at it? This is how I meant it to look ;-)

== '''Basic fail2ban installation and setup''' ==

fail2ban homepage:
Please check [0] and [1] for more details.


== 1. Installation. ==

Enable the EPEL repos [1] and then 'yum install fail2ban'

== 2. Setup: ==

To work with Qmail/vpopmail, a filter and jail should be defined.
'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>

ignoreregex =

'''b.''' # mcedit /etc/fail2ban/jail.conf   (add this)

[vpopmail-fail]
enabled  = true
filter   = vpopmail-fail
action   = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 1
bantime  = 604800
findtime = 3600

'''c. Test the filter file:'''
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf

Returns something like this, with n matches for the regex or 0 if no matches:

|- Regular expressions:
|  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
`- Number of matches:
  [1] 123 match(es)

'''d. Reload config:'''
# fail2ban-client stop/start

'''e. Check the status of a jail:'''

# fail2ban-client status vpopmail-fail

Status for the jail: vpopmail-fail
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed:     225
`- action
  |- Currently banned: 109
  |  `- IP list: (...)
  `- Total banned:     109

'''NOTE:''' Once it starts running and the logs have matching strings, it will create iptables rules dropping that IP. But... when fail2ban reloads and/or iptables restarts and/or the machine reboots and/or the weekly logrotate runs, those rules are gone. Bye bye!
So... what to do?

- Before changes, do a '# service iptables save' and it will write them to a file, and after any change do '# service iptables restart' to make it load the saved set of rules;
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].

== 3. A little basic admin stuff ==

'''a. Check banned IPs:'''
- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- To see IPs that fail2ban is saving for the next reload:
# cat /etc/fail2ban/ip.deny

'''b. How to unblock an IP:'''
1) Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s <IP> -j DROP
2) remove it from /etc/fail2ban/ip.deny (maybe listed several times).
3) remove it from /etc/sysconfig/iptables (maybe listed several times).


== 4. References: ==

[0] [1]
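
An added example for the <HOST> question at the top of this message (not part of the original thread and not fail2ban's own code): fail2ban swaps the <HOST> tag in a failregex for a capturing group, and whatever that group captures on a matching log line is the address that gets counted and banned. The IPv4-only group named `host`, the function names and the sample maillog lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# failregex exactly as written in the filter file in this message.
FAILREGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"

# Assumption: simplified IPv4-only stand-in for the capturing group that
# fail2ban substitutes for <HOST>; the real pattern differs by version.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

MAXRETRY = 1  # same value as the jail in this message

# Constructed maillog lines (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
Mar  5 23:10:01 mail vpopmail[4321]: vchkpw-smtp: password fail (pass: 'abc123') info@example.com:203.0.113.45
Mar  5 23:10:04 mail vpopmail[4322]: vchkpw-smtp: password fail (pass: 'letmein') info@example.com:203.0.113.45
Mar  5 23:11:30 mail vpopmail[4330]: vchkpw-smtp: (PLAIN) login success bob@example.com:192.0.2.10
Mar  5 23:12:15 mail vpopmail[4341]: vchkpw-smtp: password fail (pass: 'qwerty') sales@example.com:198.51.100.7
"""


def expand_host(failregex):
    """Replace the <HOST> tag with a named group and compile the result."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag, so no address could be banned")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failed_hosts(log_text, failregex=FAILREGEX):
    """Count matching lines per address captured at the <HOST> position."""
    pattern = expand_host(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Addresses whose failure count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, count in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} failed login(s)")
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

The successful login from 192.0.2.10 never matches, so only the two addresses after the final colon of the "password fail" lines are counted; with maxretry = 1 a single failed login is enough for a ban.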

