Is your SSH on a standard port?
On 12/14/2011 12:23 PM, Casey Price wrote:
Great work guys. I just implemented this on a few of my servers (just
using the dos-hosts, sshd, vpopmail, and username-notfound rules at
the moment).
One quick question though: by default the SSH rule sends an email
alert when an IP address is blocked and it runs a whois query against
that IP (kind of a nice little feature, especially if you want to get
in touch with the network admins for the network to alert them of
malicious activity). While this is a nice feature, it can lead to
quite a few emails throughout the day (especially if you are running
it on multiple servers)... anyone know of a way to set up some sort of
"digest" that would send an email once per day per server (or for all
servers for that matter) that would have a summary of the IPs that
were blocked, and how to get in touch with the owners?
On a side note, one thing I also noticed is that throughout the day
I'll get a few emails stating that the pop3 & ssh jails were stopped
and then another that they were started. I know this happens when you
start and stop the fail2ban-client or iptables, but why would it be
stopping those jails on its own? It's not really hurting anything (that
I'm aware of), but it's more of an annoyance.
Thanks,
Casey Price
Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com <http://www.smileglobal.com>
Follow us on Twitter <https://twitter.com/#%21/SmileInternet>
Like us on Facebook <https://www.facebook.com/smileglobal>
On 12/9/11 1:01 AM, Pak Ogah wrote:
On 12/09/11 14:44, Domenico Fortunato wrote:
You can configure fail2ban for Squirrelmail login attempts if you
install the squirrel_logger plugin into Squirrelmail.
Tune up the configuration files:
in my /etc/fail2ban/jail.conf
[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=root, sender=fail2...@example.it]
logpath  = /var/log/squirrelmail.log
maxretry = 5
Also, the squirrelmail.conf:
# Fail2Ban configuration file
#
#
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
#          The host must be matched by a group named "host". The tag "<HOST>"
#          can be used for standard IP/hostname matching and is only an alias
#          for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
*Warning:* the failregex value must match the line written in
squirrelmail.log (it's in Italian for me :-) )
For more info search for "squirrelmail fail2ban" in your preferred
search engine.
I hope it helps.
Domenico Fortunato.
added to http://wiki.qmailtoaster.com/index.php/Fail2Ban
while tidying it up,
please check it again to make sure your rule is correctly written
--
Cecil Yother, Jr. "cj"
cj's
2318 Clement Ave
Alameda, CA 94501
tel 510.865.2787 | http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com
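Two things in this thread are worth checking by hand: whether Domenico's failregex actually matches a squirrelmail.log line (his own warning above), and how a per-host summary like the "digest" Casey asks about could be assembled from the same matches. The script below is an added example, not code from the list or from fail2ban. It expands the <HOST> tag exactly as the comment in squirrelmail.conf describes, runs the failregex over constructed sample lines (the squirrel_logger line format beyond what the regex needs is an assumption), and lists the hosts that reached the jail's maxretry. It ignores fail2ban's findtime window, so counts are over the whole sample rather than a sliding interval.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this alias (quoted in the filter file
# above); the "host" named group carries the matched address.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from Domenico's squirrelmail.conf, verbatim.
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata"

# maxretry from the jail.conf excerpt above.
MAXRETRY = 5

# Constructed sample log lines. The exact squirrel_logger line layout is an
# assumption; only the part the failregex needs is modelled. Addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "[LOGIN_ERROR] user alice from 203.0.113.7: Utente sconosciuto o password errata",
    "[LOGIN_ERROR] user admin from 203.0.113.7: Utente sconosciuto o password errata",
    "[LOGIN_ERROR] user root from 203.0.113.7: Utente sconosciuto o password errata",
    "[LOGIN_ERROR] user test from 203.0.113.7: Utente sconosciuto o password errata",
    "[LOGIN_ERROR] user guest from 203.0.113.7: Utente sconosciuto o password errata",
    "[LOGIN_ERROR] user bob from ::ffff:198.51.100.20: Utente sconosciuto o password errata",
    "[LOGIN_ERROR] user bob from ::ffff:198.51.100.20: Utente sconosciuto o password errata",
    "[LOGIN] user carol from 192.0.2.9: logged in",
]


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))


def failed_hosts(pattern: str, lines) -> list:
    """Return the host from every line the failregex matches, in log order.

    The IPv4-mapped IPv6 prefix (::ffff:) is consumed by the alias, so the
    returned host is the bare IPv4 address, as fail2ban would see it.
    """
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def ban_digest(pattern: str, lines, maxretry: int = MAXRETRY) -> dict:
    """Count failures per host and keep those that reached maxretry.

    This is the per-host summary a daily digest would carry; the time
    window fail2ban applies (findtime) is deliberately not modelled.
    """
    counts = Counter(failed_hosts(pattern, lines))
    return {host: n for host, n in sorted(counts.items()) if n >= maxretry}


def format_digest(banned: dict) -> str:
    """Render the digest as plain text, one host per line."""
    if not banned:
        return "no hosts reached maxretry"
    return "\n".join(f"{host}\t{n} failures" for host, n in banned.items())


if __name__ == "__main__":
    print("lines matched:", len(failed_hosts(FAILREGEX, SAMPLE_LOG)))
    print(format_digest(ban_digest(FAILREGEX, SAMPLE_LOG)))
```

Running it against the sample shows seven matching lines and one host (203.0.113.7) at the ban threshold; the line that says "logged in" is correctly ignored, and the ::ffff: prefixed address is reported without the prefix. Swapping the Italian message for the one your own squirrelmail.log actually writes is the check Domenico's warning calls for; if the count drops to zero, the jail would never ban anyone.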