Great work guys. I just implemented this on a few of my servers (just
using the dos-hosts, sshd, vpopmail, and username-notfound rules at the
moment).
One quick question though: by default the SSH rule sends an email alert
when an IP address is blocked and it runs a whois query against that IP
(kind of a nice little feature, especially if you want to get in touch
with the network admins for the network to alert them of malicious
activity). While this is a nice feature, it can lead to quite a few
emails throughout the day (especially if you are running it on multiple
servers)... anyone know of a way to set up some sort of "digest" that
would send an email once per day per server (or for all servers for that
matter) that would have a summary of the IPs that were blocked, and how
to get in touch with the owners?
On a side note, one thing I also noticed is that throughout the day I'll
get a few emails stating that the pop3 & ssh jails were stopped and then
another that they were started. I know this happens when you start and
stop the fail2ban-client or iptables, but why would it be stopping those
jails on its own? It's not really hurting anything (that I'm aware of),
but it's more of an annoyance.
Thanks,
Casey Price
Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com <http://www.smileglobal.com>
Follow us on Twitter <https://twitter.com/#%21/SmileInternet>
Like us on Facebook <https://www.facebook.com/smileglobal>
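The daily "digest" asked about above can be built by reading fail2ban's own log instead of relying on per-ban mail: the ban events are written there as `[jail] Ban <ip>` lines, so a cron job can summarise one day's bans per jail and per IP and send a single message. The script below is an added example, not part of this thread or of fail2ban itself; the log lines it parses are a constructed sample in the fail2ban 0.8 log format, the RFC 5737 addresses are placeholders, and the hostname argument is whatever the calling cron job passes in. It deliberately performs no whois lookups (it only lists the command to run), so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the fail2ban 0.8 log format; not a real server log.
# Note the Unban, jail-stopped and next-day lines, which a digest must skip.
SAMPLE_LOG = """\
2011-12-09 03:14:22,101 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2011-12-09 03:20:05,417 fail2ban.actions: WARNING [pop3] Ban 198.51.100.7
2011-12-09 05:02:11,005 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2011-12-09 07:45:50,230 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2011-12-09 08:30:12,000 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2011-12-09 09:11:03,900 fail2ban.jail   : INFO   Jail 'pop3' stopped
2011-12-10 00:01:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.99
"""

# Only genuine "Ban" events; "Unban" does not match because of the "] Ban " anchor.
BAN_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def collect_bans(log_text, day):
    """Return {jail: Counter({ip: ban_count})} for ban events dated `day` (YYYY-MM-DD)."""
    bans = defaultdict(Counter)
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("date") == day:
            bans[m.group("jail")][m.group("ip")] += 1
    return bans


def format_digest(hostname, day, bans):
    """Render one plain-text digest message for a single server and day."""
    total = sum(sum(per_ip.values()) for per_ip in bans.values())
    lines = [
        f"fail2ban digest for {hostname} on {day}",
        f"{total} ban event(s) across {len(bans)} jail(s)",
    ]
    for jail in sorted(bans):
        lines.append(f"\n[{jail}]")
        for ip, n in bans[jail].most_common():
            # Repeat offenders first; the whois command is listed, not executed,
            # so the digest can be generated without network access.
            lines.append(f"  {ip:<15} banned {n}x   abuse contact: whois {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In a cron job: read /var/log/fail2ban.log (hypothetical path, adjust to
    # your setup) and pipe the result to mail; here we use the embedded sample.
    print(format_digest("mail1", "2011-12-09", collect_bans(SAMPLE_LOG, "2011-12-09")))
```

Running it once per day from cron on each server, and concatenating the outputs on a central host if a fleet-wide digest is wanted, replaces the per-ban sendmail-whois mails without losing the "who do I contact" information, since the whois lookup is simply deferred to the reader.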
On 12/9/11 1:01 AM, Pak Ogah wrote:
On 12/09/11 14:44, Domenico Fortunato wrote:
You can configure fail2ban for Squirrelmail login attempts if you
install the squirrel_logger plugin into Squirrelmail.
Tune up the configuration files:
in my /etc/fail2ban/jail.conf
    [squirrelmail-iptables]
    enabled  = true
    filter   = squirrelmail
    action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
               sendmail-whois[name=SquirrelMail, dest=root, sender=fail2...@example.it]
    logpath  = /var/log/squirrelmail.log
    maxretry = 5
Also, the squirrelmail.conf:
    # Fail2Ban configuration file
    #
    #
    [Definition]
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
*Warning:* the failregex value must match the line written in
squirrelmail.log (it's in Italian for me :-) )
For more info search for "squirrelmail fail2ban" in your preferred
search engine.
I hope it helps.
Domenico Fortunato.
Added to http://wiki.qmailtoaster.com/index.php/Fail2Ban while tidying
it up; please check it again to make sure your rule is correctly written.
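Domenico's warning is the part that bites in practice: the failregex is matched against the text of each log line, so a filter written for an Italian SquirrelMail will silently match nothing on an English install, and fail2ban will never ban anyone. The snippet below is an added example, not code from this thread, fail2ban or the squirrel_logger plugin: it expands `<HOST>` exactly as the filter comment above documents and runs the filter over a handful of constructed log lines, so the check that `fail2ban-regex` would do can be reproduced offline. The log line layout and the English message text are assumptions (the plugin's real wording may differ), and the addresses are RFC 5737 placeholders.

```python
import re

# The alias fail2ban substitutes for <HOST>, taken from the filter's own comment.
# The optional "::ffff:" prefix strips the IPv6-mapped form so the "host" group
# holds a plain IPv4 address.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The Italian regex from the thread, and an assumed English equivalent.
ITALIAN_FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata"
ENGLISH_FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"

# Constructed sample lines, not real squirrel_logger output; the layout is assumed.
SAMPLE_LINES = [
    "Dec  9 14:44:01 mail squirrelmail: [LOGIN_ERROR] Login attempt from 192.0.2.10: Utente sconosciuto o password errata",
    "Dec  9 14:44:05 mail squirrelmail: [LOGIN_ERROR] Login attempt from ::ffff:198.51.100.7: Utente sconosciuto o password errata",
    "Dec  9 14:45:10 mail squirrelmail: [LOGIN_ERROR] Login attempt from 203.0.113.5: Unknown user or password incorrect",
    "Dec  9 14:46:00 mail squirrelmail: [LOGIN] User casey logged in from 192.0.2.20",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def match_hosts(failregex, lines, ignoreregex=""):
    """Return (hosts extracted from matching lines, lines that matched nothing)."""
    rx = compile_failregex(failregex)
    ign = re.compile(ignoreregex) if ignoreregex else None
    matched, unmatched = [], []
    for line in lines:
        if ign and ign.search(line):
            continue  # ignoreregex wins over failregex, exactly as in fail2ban
        m = rx.search(line)
        if m:
            matched.append(m.group("host"))
        else:
            unmatched.append(line)
    return matched, unmatched


def filter_report(failregex, lines):
    """Mimic the fail2ban-regex summary: how many lines a filter would act on."""
    matched, unmatched = match_hosts(failregex, lines)
    return {"matched": len(matched), "unmatched": len(unmatched), "hosts": matched}


if __name__ == "__main__":
    for name, rx in (("italian", ITALIAN_FAILREGEX), ("english", ENGLISH_FAILREGEX)):
        print(name, filter_report(rx, SAMPLE_LINES))
```

Run this against a few lines copied from your own squirrelmail.log before enabling the jail: a report of zero matched lines means the regex and the log language disagree, and the jail is doing nothing. With `maxretry = 5` as in the jail above, a host is banned only after five matching lines within `findtime`, so a single matching sample line is enough to prove the regex, not to trigger a ban.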