Hi,

One of my mail servers is running Oracle Linux 7 (a RHEL clone like CentOS). These last days it's been under heavy attack, and Postfix was brought to its knees a few times.

Up until now I only used Fail2ban to protect SSH, which I did in a strikingly simple configuration, by creating the following /etc/fail2ban/jail.d/sshd.local file:

    # /etc/fail2ban/jail.d/sshd.local
    [DEFAULT]
    bantime = 86400
    ignoreip = 88.161.127.222 163.172.81.8

    [sshd]
    enabled = true

The two 'ignoreip' addresses are my home workstation and my remote backup server, BTW.

I wanted to have something similar for Postfix. I tried to make sense out of the documentation and various HOWTOs. After some experimenting, I simply added the following configuration to /etc/fail2ban/jail.d/postfix.local:

    # /etc/fail2ban/jail.d/postfix.local
    [DEFAULT]
    bantime = 86400

    [postfix]
    enabled = true
    mode = extra

And I restarted Fail2ban (sudo systemctl restart fail2ban). It looks like the configuration works, since my attackers have now been identified and banned:

    $ sudo fail2ban-client status postfix
    Status for the jail: postfix
    |- Filter
    |  |- Currently failed: 8
    |  |- Total failed:     22
    |  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
    `- Actions
       |- Currently banned: 8
       |- Total banned:     8
       `- Banned IP list:   45.148.10.190 212.70.149.55 91.191.209.164 91.191.209.166 109.237.103.13 87.246.7.227 91.191.209.130 45.227.253.11

My question: any advice from the Fail2ban gurus around here? Does the syntax look orthodox? Does it seem OK? Spot any no-nos?

Cheers from the rainy South of France,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
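An added example, not from Niki's post or from Fail2ban itself: a small Python model of how Fail2ban layers the two jail.d files above, assuming only that jail.d/*.local files are read in alphabetical order and that a [DEFAULT] section applies to every jail no matter which file it sits in (the constructed file contents are copied from the post). Running it shows that the ignoreip from sshd.local also applies to the postfix jail, and that bantime is set to the same value in both files.

```python
"""Model of Fail2ban's jail.d layering (added example, not Fail2ban code).
Assumption: files are read in sorted order, later values win, and
[DEFAULT] keys are inherited by every jail section across all files."""
import configparser

# Constructed copies of the two files from the post, keyed by path.
JAIL_D = {
    "/etc/fail2ban/jail.d/postfix.local": """
[DEFAULT]
bantime = 86400
[postfix]
enabled = true
mode = extra
""",
    "/etc/fail2ban/jail.d/sshd.local": """
[DEFAULT]
bantime = 86400
ignoreip = 88.161.127.222 163.172.81.8
[sshd]
enabled = true
""",
}

def effective_jails(files=JAIL_D):
    """Return {jail: {option: value}} after layering every file in
    alphabetical order; each jail inherits the merged [DEFAULT] keys."""
    cp = configparser.ConfigParser(interpolation=None)
    for path in sorted(files):          # jail.d/*.local, alphabetical
        cp.read_string(files[path], source=path)
    return {jail: dict(cp[jail]) for jail in cp.sections()}

def duplicated_defaults(files=JAIL_D):
    """Report [DEFAULT] options set to the same value in more than one
    file: harmless, but they belong in a single place."""
    seen = {}
    for path, text in files.items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text, source=path)
        for key, value in cp.defaults().items():
            seen.setdefault((key, value), []).append(path)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for jail, opts in effective_jails().items():
        print(jail, opts)
    print("duplicated DEFAULT options:", duplicated_defaults())
```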