Hi.
<HOST> matches either the IP address or the hostname.
Cheers
Finn
On 08-03-2011 09:04, Digital Instruments wrote:
Nice, that's great! :)
Just a little question: I don't get this <HOST> (I've also read the
wiki but it's not clear)
Can you do an example, please?
Thanks,
Cheers!
On 05/03/2011 23:26, Sergio M wrote:
Eric Shubert wrote:
Timing is good on this. :)
http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit
Have at it. I've added a link to this page under the Configuration->
Security section. It's a start (albeit not much of one).
Hey guys, I created a basic article, but have trouble with formatting.
Can anyone take a look at it? This is how I meant it to look ;-)
== '''Basic fail2ban installation and setup''' ==
fail2ban homepage: http://www.fail2ban.org.
Please check [0] and [1] for more details.
----
== 1. Installation. ==
Enable the EPEL repos [1] and then 'yum install fail2ban'
== 2. Setup: ==
To work with Qmail/vpopmail, a filter and jail should be defined.
'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
'''b.''' # mcedit /etc/fail2ban/jail.conf (add this)
[vpopmail-fail]
enabled = true
filter = vpopmail-fail
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 1
bantime = 604800
findtime = 3600
'''c. Test the filter file:'''
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf
Returns something like this, with n matches for the regex or 0 if no
matches:
Failregex
|- Regular expressions:
| [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
|
`- Number of matches:
[1] 123 match(es)
'''d. Reload config:'''
# fail2ban-client stop
# fail2ban-client start
'''e. Check the status of a jail:'''
# fail2ban-client status vpopmail-fail
Status for the jail: vpopmail-fail
|- filter
| |- File list: /var/log/maillog
| |- Currently failed: 7
| `- Total failed: 225
`- action
|- Currently banned: 109
| `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...)
187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
`- Total banned: 109
'''NOTE:''' Once it starts running and the logs have matching
strings, it will create iptables rules dropping that IP. But... when
fail2ban reloads and/or iptables restarts and/or the machine reboots
and/or the weekly logrotate runs, those rules are gone. Bye bye!
So... what to do?
- Before changes, do a '# service iptables save' and it will write
them to a file, and after any change do '# service iptables restart'
to make it load the saved set of rules;
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].
== 3. A little basic admin stuff ==
'''a. Check banned IPs:'''
- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- To see IPs that fail2ban is saving for the next reload:
# cat /etc/fail2ban/ip.deny
'''b. How to unblock an IP:'''
1) Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) Remove it from /etc/fail2ban/ip.deny (it may be listed several times).
3) Remove it from /etc/sysconfig/iptables (it may be listed several times).
----
== 4. References: ==
[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
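Added example (not part of the thread and not fail2ban's own code) for the <HOST> question: it expands the tag in the posted failregex into a named group, runs it over sample log lines and applies the jail's maxretry/findtime. HOST_PATTERN is a simplified stand-in, the function names are hypothetical, and the log lines are constructed in an assumed vchkpw layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as posted in the filter file on this page
FAILREGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"
# Simplified stand-in for the sub-pattern substituted for <HOST> (assumption,
# not fail2ban's own source): a named group taking an IP address or a hostname.
HOST_PATTERN = r"(?P<host>[\w.\-]+)"
MAXRETRY = 1                        # jail settings from the page
FINDTIME = timedelta(seconds=3600)

# Constructed sample lines; the vchkpw log layout is an assumption.
SAMPLE_LOG = """\
Mar  5 23:01:12 mail vpopmail[2101]: vchkpw-smtp: password fail (pass: 'abc123') info@example.com:203.0.113.7
Mar  5 23:01:40 mail vpopmail[2104]: vchkpw-smtp: (PLAIN) login success bob@example.com:198.51.100.20
Mar  5 23:02:03 mail vpopmail[2109]: vchkpw-smtp: password fail (pass: 'letmein') sales@example.com:dsl-17.example.net
Mar  5 23:02:30 mail vpopmail[2111]: vchkpw-pop3: password fail (pass: 'x') joe@example.com:198.51.100.99
"""

def compile_failregex(failregex):
    """Expand the <HOST> tag into the named group before compiling."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def failures(log_text, regex, year=2011):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def hosts_to_ban(log_text, failregex=FAILREGEX):
    """Return hosts with at least MAXRETRY failures inside one FINDTIME window."""
    seen = defaultdict(list)
    banned = []
    for ts, host in failures(log_text, compile_failregex(failregex)):
        seen[host] = [t for t in seen[host] if ts - t <= FINDTIME] + [ts]
        if len(seen[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban:", host)
```

Only the two vchkpw-smtp failures match: the successful login and the vchkpw-pop3 failure are ignored, and the third line shows the host group capturing a hostname instead of an IP address.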