<HOST> is an alias for a regular expression to find the IP address, which
is defined in the code.

Good luck,
Peter.



> Nice, that's great! :)
> Just a little question: I don't get this <HOST> (I've also read the wiki
> but it's not clear)
>
> can you do an example, please?
>
> Thanks,
> Cheers!
>
> On 05/03/2011 23:26, Sergio M wrote:
>> Eric Shubert wrote:
>>> Timing is good on this. :)
>>>
>>> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit
>>>
>>> Have at it. I've added a link to this page under the Configuration->
>>> Security section. It's a start (albeit not much of one).
>>>
>> Hey guys, I created a basic article, but have trouble with formatting.
>> Can anyone take a look at it? This is how I meant it to look ;-)
>>
>> == '''Basic fail2ban installation and setup''' ==
>>
>>
>> fail2ban homepage: http://www.fail2ban.org.
>> Please check [0] and [1] for more details.
>>
>> ----
>>
>> == 1. Installation. ==
>>
>> Enable the EPEL repos [1] and then 'yum install fail2ban'
>>
>>
>>
>> == 2. Setup: ==
>>
>> To work with Qmail/vpopmail, a filter and jail should be defined.
>> '''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf
>>
>> [Definition]
>> #Looks for failed password logins to SMTP
>> failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>>
>> ignoreregex =
>>
>> '''b.''' # mcedit /etc/fail2ban/jail.conf   (add this)
>>
>> [vpopmail-fail]
>> enabled  = true
>> filter   = vpopmail-fail
>> action   = iptables[name=SMTP, port=smtp, protocol=tcp]
>> logpath  = /var/log/maillog
>> maxretry = 1
>> bantime  = 604800
>> findtime = 3600
>>
>> '''c. Test the filter file:'''
>> # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf
>>
>> Returns something like this, with n matches for the regex or 0 if no
>> matches:
>>
>> Failregex
>> |- Regular expressions:
>> |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>> |
>> `- Number of matches:
>>   [1] 123 match(es)
>>
>>
>> '''d. Reload config:'''
>> # fail2ban-client stop/start
>>
>> '''e. Check the status of a jail:'''
>>
>> # fail2ban-client status vpopmail-fail
>>
>> Status for the jail: vpopmail-fail
>> |- filter
>> |  |- File list:        /var/log/maillog
>> |  |- Currently failed: 7
>> |  `- Total failed:     225
>> `- action
>>   |- Currently banned: 109
>>   |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
>>   `- Total banned:     109
>>
>> '''NOTE:''' Once it starts running and the logs have matching
>> strings, it will create iptables rules dropping that IP. But... when
>> fail2ban reloads and/or iptables restarts and/or on reboot and/or at the
>> weekly logrotate, those rules are gone. Bye bye!
>> So... what to do?
>>
>> - Before changes, do a '# service iptables save' and it will write
>> them to a file, and after any change do '# service iptables restart'
>> to make it load the saved set of rules;
>> - Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].
>>
>>
>> == 3. A little basic admin stuff ==
>>
>> '''a. Check banned IPs:'''
>> - by fail2ban: # fail2ban-client status vpopmail-fail
>> - current iptables rules: # iptables -L -nv
>> - To see IPs that fail2ban is saving for the next reload:
>> # cat /etc/fail2ban/ip.deny
>>
>> '''b. How to unblock an IP:'''
>> 1) Delete it from the current iptables rules:
>> # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
>> 2) remove it from /etc/fail2ban/ip.deny (maybe listed several times).
>> 3) remove it from /etc/sysconfig/iptables (maybe listed several times).
>>
>>
>> ----
>>
>>
>> == 4. References: ==
>>
>> [0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
>> [1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
>> [2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
>> [3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
>>
>>
>> ---------------------------------------------------------------------------------
>> Qmailtoaster is sponsored by Vickers Consulting Group
>> (www.vickersconsulting.com) Vickers Consulting Group offers
>> Qmailtoaster support and installations. If you need professional help
>> with your setup, contact them today!
>> ---------------------------------------------------------------------------------
>> Please visit qmailtoaster.com for the latest news, updates, and
>> packages. To unsubscribe, e-mail:
>> qmailtoaster-list-unsubscr...@qmailtoaster.com For additional
>> commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>
>
>
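
How the `<HOST>` tag in the quoted filter turns into a captured IP address, as an added example that is not part of the original messages. `HOST_PATTERN` is a simplified stand-in for the expression fail2ban substitutes (an assumption; the real pattern varies by version), the log lines are constructed, and `findtime` is ignored.

```python
import re
from collections import Counter

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption:
# the real pattern differs between versions and also handles other forms).
HOST_PATTERN = r"(?P<host>[\w\-.]+)"

# failregex exactly as posted in the quoted filter. Note the parentheses are
# unescaped, so "([^)]*)" is a capture group rather than literal "(" and ")";
# it still matches the lines below because the regex engine backtracks.
FAILREGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"

# Constructed maillog lines in the shape the failregex expects.
SAMPLE_LOG = [
    "Mar  5 23:10:01 mail vpopmail[4321]: vchkpw-smtp: password fail "
    "(pass: 'guess1') info@example.com:192.0.2.10",
    "Mar  5 23:10:04 mail vpopmail[4322]: vchkpw-smtp: password fail "
    "(pass: 'guess2') info@example.com:192.0.2.10",
    "Mar  5 23:11:00 mail vpopmail[4330]: vchkpw-smtp: (PLAIN) login success "
    "bob@example.com:198.51.100.7",
    "Mar  5 23:12:30 mail vpopmail[4340]: vchkpw-smtp: password fail "
    "(pass: 'x') sales@example.com:203.0.113.5",
]


def expand(failregex):
    """Replace the <HOST> tag with a named group and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def offenders(lines, failregex=FAILREGEX, maxretry=1):
    """Count failregex hits per captured host; keep hosts at or over maxretry."""
    rx = expand(failregex)
    hits = Counter()
    for line in lines:
        match = rx.search(line)
        if match:
            hits[match.group("host")] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for host, count in offenders(SAMPLE_LOG).items():
        print(f"{host}: {count} failure(s) -> would be banned at maxretry=1")
```

The successful login line produces no hit, so its address never reaches the ban list.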


