Hi Dan.

I'm having the same attempts - these days it escalates.

They get a 'tcpserver: end 28341 status 256' in the submission log
because of vpopmail refusal (I think), so I catch them in the maillog
file. (Now that I come to think of it, one should catch all status 256's and
ban them!)


I'm using Fail2ban version 0.8.11 - the latest is 0.9.1 as I recall, but
there have been some changes to the settings, so I'm still planning to do
some testing.

Fail2ban is pretty straightforward to install - there are a lot of
filters and actions implemented - making your own filters is doable if
you know regex (Python based).

(I'm also using fail2ban to 'protect' my webservers against attempts of
different kinds) - it's not foolproof and the only safety precaution,
of course, but it blocks these irritating resource-demanding intrusion
attempts effectively - when they change IP to another country - in my
case - 3 strikes and you're out for 172800 seconds in my setup, no matter the
IP address.


I'm not an expert, but let me know if you have questions and I will
answer if I can.


This is my entry in jail.conf for this specifically:

[vpopmail]
enabled = true
filter = vpopmail
action = iptables-allports[name=vpopmail, protocol=tcp]
         sendmail-whois[name=vpopmail, lines=1, dest=x...@yy.com]
logpath = /var/log/maillog
maxretry = 3
findtime = 3600
bantime = 172800

This is my filter in filter.d/vpopmail.conf:

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
            vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-pop3: vpopmail user not found .*:<HOST>$



# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =



This is one of the catches ;-)

The IP 218.76.158.162 has just been banned by Fail2Ban after
3 attempts against vpopmail.


Here are more information about 218.76.158.162:


Regards,

Fail2Ban



Cheers,
Finn



Den 07-08-2014 kl. 00:09 skrev Dan McAllister:
> I am curious -- has anyone looked into a fail2ban implementation for QMT?
> 
> One of my larger mail servers is being attacked (from China, currently,
> but when it started in Malaysia and I blocked all Malaysian IPs, they
> just moved to another IP) with essentially a brute-force password
> guessing attack on users in one of the domains.
> 
> They are using the SUBMISSION port to attempt logins, but I'd like to be
> able to ban SUBMISSION as well as IMAP/POP access (independently, or
> together) based on failed login attempts. (Ideally, same IP fail to
> login on any of those ports more than 5 times in a 5 minute period, and
> I'd like to simply tar-pit the entire IP address for 24 hours or so!)
> 
> I'm (as amazing as it sounds) not all that familiar with fail2ban, but
> I've considered it several times and just never had the time to
> investigate.
> 
> Assistance and experiences equally desired! :)
> 
> Dan McAllister
> QMT DNS/Mirror Admin
> 

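As an added illustration (not Finn's code and not fail2ban's own), the following Python replays the filter and jail from the message above: it expands fail2ban's <HOST> placeholder the way the 0.8 series does (assumed), runs the three failregex lines over constructed maillog lines, and applies the maxretry/findtime/bantime counting from the jail.conf entry to decide which hosts would be banned. The vchkpw log line format and the year for the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# fail2ban 0.8 expands <HOST> to this group before compiling (assumed from the
# 0.8 series; 0.9 uses a richer IPv4/IPv6 pattern).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The three failregex lines from Finn's filter.d/vpopmail.conf.
FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-pop3: vpopmail user not found .*:<HOST>$",
]
COMPILED = [re.compile(r.replace("<HOST>", HOST_PATTERN)) for r in FAILREGEX]
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")  # maillog prefix
YEAR = 2014  # syslog lines carry no year; assumed for the constructed sample

def parse_failure(line):  # -> (timestamp, host) for a matching line, else None
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for rx in COMPILED:
        if (hit := rx.search(line)):
            return ts, hit.group("host")
    return None

def run_jail(lines, maxretry=3, findtime=3600, bantime=172800):
    # Replay the jail's counting rule (defaults are Finn's jail.conf values);
    # returns {host: ban_expiry} for hosts with maxretry hits inside findtime.
    hits, bans = defaultdict(deque), {}
    for ts, host in filter(None, map(parse_failure, lines)):
        if host in bans:
            continue  # already banned; iptables would be dropping it by now
        q = hits[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # slide the findtime window
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans

# Constructed maillog lines in vchkpw's format (not taken from Finn's server).
SAMPLE_LOG = [
    "Aug  7 00:09:13 mail vpopmail[28341]: vchkpw-submission: vpopmail user not found bob@example.com:218.76.158.162",
    "Aug  7 00:09:20 mail vpopmail[28342]: vchkpw-submission: vpopmail user not found alice@example.com:218.76.158.162",
    "Aug  7 00:10:02 mail vpopmail[28350]: vchkpw-pop3: vpopmail user not found carol@example.com:10.0.0.5",
    "Aug  7 00:12:45 mail vpopmail[28361]: vchkpw-smtp: vpopmail user not found dave@example.com:218.76.158.162",
    "Aug  7 00:13:01 mail vpopmail[28370]: vchkpw-submission: vpopmail password fail carol@example.com:10.0.0.5",
    "Aug  7 02:20:00 mail vpopmail[28400]: vchkpw-pop3: vpopmail user not found erin@example.com:10.0.0.5",
]
```

With the defaults, run_jail(SAMPLE_LOG) bans only 218.76.158.162 (three hits inside an hour); 10.0.0.5 is never banned because its two matching hits are more than findtime apart, and the constructed wrong-password line is ignored since the filter only matches 'user not found'.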
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
