[from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ]

As I said, being under an SMTP attack I installed fail2ban and created a set of rules like:

*** jail.conf ***
(...)
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
action = iptables[name=pop3, port=pop3, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 604800
findtime = 3600

[vpopmail-fail]
enabled  = true
filter   = vpopmail-fail
action   = iptables[name=SMTP, port=25, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 2
bantime  = 604800
findtime = 3600

*** vpopmail-fail.conf ***
[Definition]
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>

ignoreregex =

*** vpopmail.conf ***
[Definition]
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
ignoreregex =

With that setup, I get lots of hits for the vpopmail-fail jail:
# fail2ban-client status vpopmail-fail
Status for the jail: vpopmail-fail
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed:     225
`- action
   |- Currently banned: 109
   |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned:     109


Not surprisingly, many of them are Brazilian IPs.

However, check this out:
# date
Wed Mar  2 10:27:09 ART 2011
# tail /var/log/qmail/smtp/current -F | tai64nlocal
2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586

Look at the speed of my SMTP session log!! Like 2 entries in 4 minutes!
I tried qmailctl stop/start several times, and there are no messages in the queue (checked with qmHandle -l).

Without fail2ban, it stayed at 25 of 25 but just kept flowing.

Any ideas?


Thanks!
-Sergio
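The two failregex lines and the maxretry/findtime settings above are easy to sanity-check offline before trusting them on a live jail. The following is an added example, not code from the post or from fail2ban itself: it substitutes a capturing group for fail2ban's `<HOST>` placeholder (IPv4 only, an assumption; fail2ban's own placeholder also accepts hostnames), runs both filters over a few constructed /var/log/maillog lines, and applies the maxretry-within-findtime rule to report which IPs each jail would ban. The sample log lines, the `mail` hostname and the pids are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter definitions copied from the jail/filter files in the post.
# <HOST> is fail2ban's placeholder for the offending address.
FAILREGEX = {
    "vpopmail-fail": r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "vpopmail":      r"vchkpw-pop3: vpopmail user not found .*@:<HOST>",
}
# Jail parameters from the post (findtime and bantime are in seconds).
JAILS = {
    "vpopmail-fail": {"maxretry": 2, "findtime": 3600},
    "vpopmail":      {"maxretry": 3, "findtime": 3600},
}

# Assumption: only IPv4 addresses appear in the log. fail2ban's real <HOST>
# expansion is broader (hostnames, later IPv6); this is enough for a dry run.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

# Constructed maillog lines in vpopmail's syslog format (not real traffic).
SAMPLE_MAILLOG = """\
Mar  2 10:01:10 mail vpopmail[15801]: vchkpw-smtp: password fail (pass: '123456') info@domain.com.ar:187.4.200.17
Mar  2 10:01:14 mail vpopmail[15802]: vchkpw-smtp: password fail (pass: 'info123') info@domain.com.ar:187.4.200.17
Mar  2 10:05:00 mail vpopmail[15810]: vchkpw-smtp: password fail (pass: 'qwerty') sales@domain.com.ar:200.207.49.13
Mar  2 10:06:30 mail vpopmail[15811]: vchkpw-pop3: vpopmail user not found admin@:84.79.73.123
Mar  2 10:06:31 mail vpopmail[15812]: vchkpw-pop3: vpopmail user not found test@:84.79.73.123
Mar  2 10:06:32 mail vpopmail[15813]: vchkpw-pop3: vpopmail user not found webmaster@:84.79.73.123
Mar  2 10:07:00 mail vpopmail[15814]: vchkpw-pop3: vpopmail user not found guest@domain.com.ar:186.191.158.84
Mar  2 12:30:00 mail vpopmail[15900]: vchkpw-smtp: password fail (pass: 'letmein') sales@domain.com.ar:200.207.49.13
""".splitlines()


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST))


def parse_line(line, year):
    """Split a syslog-style maillog line into (timestamp, message); None if no timestamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    # syslog omits the year, so the caller supplies it (2011 for the post's logs).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, line[m.end():]


def matches(jail, lines, year=2011):
    """Yield (timestamp, ip) for every line the jail's failregex matches."""
    rx = compile_failregex(FAILREGEX[jail])
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        m = rx.search(msg)
        if m:
            yield ts, m.group("host")


def banned_ips(jail, lines, year=2011):
    """Apply the maxretry/findtime rule: an IP is banned once it has at least
    maxretry matching lines inside a sliding window of findtime seconds.
    (bantime is not modelled; we only report which IPs would be banned.)"""
    maxretry = JAILS[jail]["maxretry"]
    window = timedelta(seconds=JAILS[jail]["findtime"])
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(matches(jail, lines, year)):
        if ip in banned:
            continue
        # Drop hits older than findtime, then record this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    for jail in JAILS:
        print(jail, "matches:", sorted(ip for _, ip in matches(jail, SAMPLE_MAILLOG)))
        print(jail, "would ban:", sorted(banned_ips(jail, SAMPLE_MAILLOG)))
```

Two things the dry run makes visible: 200.207.49.13 fails twice but the attempts are more than findtime apart, so the vpopmail-fail jail (maxretry = 2, findtime = 3600) never bans it, and the pop3 regex as written requires a literal `@:` directly before the host, so the `guest@domain.com.ar:186.191.158.84` line is not matched at all, only the empty-domain `user@:` form is.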
