On 16/05/2021 10:55, Nicolas Kovacs wrote:
Hi,

One of my mail servers is running Oracle Linux 7 (a RHEL clone like CentOS).
These last days it's been under heavy attack, and Postfix was brought to its
knees a few times.

Up until now I only used Fail2ban to protect SSH, which I did in a strikingly
simple configuration, by creating the following /etc/fail2ban/jail.d/sshd.local
file:

# /etc/fail2ban/jail.d/sshd.local

[DEFAULT]
bantime = 86400
ignoreip = 88.161.127.222 163.172.81.8

[sshd]
enabled = true

The two 'ignoreip' addresses are my home workstation and my remote backup
server, BTW.

I wanted to have something similar for Postfix. I tried to make sense out of
the documentation and various HOWTOs. After some experimenting, I simply added
the following configuration to /etc/fail2ban/jail.d/postfix.local:

# /etc/fail2ban/jail.d/postfix.local

[DEFAULT]
bantime = 86400

[postfix]
enabled = true
mode    = extra

And I restarted Fail2ban (sudo systemctl restart fail2ban).

It looks like the configuration works, since my attackers have now been
identified and banned:

$ sudo fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 8
|  |- Total failed:     22
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
    |- Currently banned: 8
    |- Total banned:     8
    `- Banned IP list:   45.148.10.190 212.70.149.55 91.191.209.164 91.191.209.166 109.237.103.13 87.246.7.227 91.191.209.130 45.227.253.11

My question: any advice from the Fail2ban gurus around here? Does the syntax
look orthodox? Does it seem OK? Spot any no-nos?
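
As an added illustration of what the [postfix] jail above does with the journal lines it is fed (example code written for this page, not from the post and not fail2ban's own code): the script matches Postfix log lines against simplified versions of the kinds of patterns fail2ban's postfix filter uses, counts failures per client IP inside a findtime window, bans the IP once maxretry is reached, and never counts anything listed in ignoreip. The log lines are constructed, the three regexes are approximations rather than copies of filter.d/postfix.conf, the jail parameters are chosen for the sample rather than taken from jail.conf defaults, and the year 2021 is assumed because syslog timestamps carry none.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified failregex patterns. fail2ban substitutes <HOST> with a pattern
# matching an IP or hostname; this toy only matches the bracketed IPv4
# literal that Postfix writes, e.g. "unknown[45.148.10.190]".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p) for p in (
    # recipient rejected with a 5xx status (relay access denied, unknown user, RBL)
    r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 5\d\d ",
    # SASL login failure (password guessing against submission/smtp)
    r"warning: \S+\[" + HOST + r"\]: SASL \S+ authentication failed",
    # client hung up mid-dialogue, typical of scanners and spambots
    r"lost connection after \S+ from \S+\[" + HOST + r"\]",
)]

# syslog-style prefix as seen in /var/log/maillog or journalctl -u postfix
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample


def parse_failure(line):
    """Return (timestamp, client IP) if the line matches a failregex, else None."""
    m_ts = SYSLOG_TS.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return ts, m.group("host")
    return None


class Jail:
    """Per-IP failure counter with a sliding findtime window and a ban list."""

    def __init__(self, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = {}  # host -> timestamps of failures inside findtime
        self.banned = {}    # host -> time at which the ban expires

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignoreip)

    def feed(self, line):
        """Process one log line; return None, 'ignore', 'banned', 'fail' or 'ban'."""
        hit = parse_failure(line)
        if hit is None:
            return None
        ts, host = hit
        if self.is_ignored(host):
            return "ignore"  # ignoreip: never counted, never banned
        if host in self.banned and self.banned[host] > ts:
            return "banned"  # ban still in force; the firewall already drops this client
        # drop failures older than findtime, then count the new one
        recent = [t for t in self.failures.get(host, []) if ts - t <= self.findtime]
        recent.append(ts)
        if len(recent) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            self.failures[host] = []
            return "ban"
        self.failures[host] = recent
        return "fail"

    def banned_ips(self, now):
        """IPs whose ban is still in force at 'now' (bantime not yet elapsed)."""
        return sorted(h for h, until in self.banned.items() if until > now)


# Constructed sample log; the addresses are the ones that appear in the post.
SAMPLE_LOG = """\
May 16 09:00:00 mail postfix/smtpd[2001]: warning: unknown[91.191.209.164]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 09:00:05 mail postfix/smtpd[2001]: warning: unknown[91.191.209.164]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:50:01 mail postfix/smtpd[2101]: connect from unknown[45.148.10.190]
May 16 10:50:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[45.148.10.190]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<a@b.test> to=<bob@example.org> proto=ESMTP helo=<x>
May 16 10:51:10 mail postfix/smtpd[2101]: warning: unknown[45.148.10.190]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:52:30 mail postfix/smtpd[2101]: lost connection after AUTH from unknown[45.148.10.190]
May 16 10:53:00 mail postfix/smtpd[2102]: warning: unknown[45.148.10.190]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:55:00 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[212.70.149.55]: 554 5.7.1 <root@example.org>: Relay access denied; from=<> to=<root@example.org> proto=ESMTP helo=<y>
May 16 10:56:00 mail postfix/smtpd[2103]: lost connection after RCPT from unknown[212.70.149.55]
May 16 10:57:00 mail postfix/smtpd[2104]: warning: home.example.net[88.161.127.222]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:57:05 mail postfix/smtpd[2104]: warning: home.example.net[88.161.127.222]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:57:10 mail postfix/smtpd[2104]: warning: home.example.net[88.161.127.222]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 11:00:00 mail postfix/smtpd[2105]: warning: unknown[91.191.209.164]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def run_sample():
    """Replay SAMPLE_LOG through a jail using the post's ignoreip addresses."""
    jail = Jail(maxretry=3, findtime=600, bantime=86400,
                ignoreip=["88.161.127.222", "163.172.81.8"])
    actions = [a for a in (jail.feed(l) for l in SAMPLE_LOG.splitlines()) if a]
    return {
        "actions": actions,
        "banned_same_day": jail.banned_ips(datetime(2021, 5, 16, 12, 0)),
        "banned_next_day": jail.banned_ips(datetime(2021, 5, 17, 12, 0)),  # bantime elapsed
    }
```

Replaying the sample shows the three behaviours worth checking in a real jail: 45.148.10.190 is banned on its third failure inside findtime and later lines from it are no longer counted; the two early failures from 91.191.209.164 have aged out of the window by the time its third one arrives, so it is not banned; and the three failures from the ignoreip workstation address are never counted at all, which is why a mistake in ignoreip silently disables protection for that address.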

I think it's more normal to add sections enabling bans etc. to jail.local, not as separate files in jail.d, but your choice.

You don't say which version of fail2ban you are using (to find out: fail2ban-client --version). The latest version of the postfix filter is at https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/postfix.conf; you might want to try this (save it as /etc/fail2ban/filter.d/postfix.local), though if your version of fail2ban is earlier than 0.10 it is possible it won't work.

My [postfix] entry in jail.local looks something like this:

[postfix]
enabled  = true
mode     = aggressive
bantime  = 3h5m
findtime = 3h5m
port     = pop3,pop3s,imap,imaps,submission,465,sieve,smtp
maxretry = 3
ignoreip = %(common_ignoreip)s %(externaltest_ip)s %(welcomelist)s

Note: I have defined common_ignoreip, externaltest_ip and welcomelist in the [DEFAULT] section.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
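
An added example (written for this page, not fail2ban's code and not from the reply) of how a jail.local like the one in the reply is resolved. fail2ban reads its .conf/.local files with a ConfigParser-style reader, so a `%(name)s` reference in a section is filled in from that section or from [DEFAULT]; that is what makes `ignoreip = %(common_ignoreip)s %(externaltest_ip)s %(welcomelist)s` work once those three names exist in [DEFAULT]. The [DEFAULT] values below are placeholders (documentation addresses), and the duration parser mirrors the abbreviated forms such as "3h5m" that fail2ban accepts from 0.10 on, as an approximation rather than a copy of fail2ban's own parser.

```python
import configparser
import re

# Constructed jail.local: the reply's [postfix] section plus a [DEFAULT]
# defining the three interpolated names (addresses are placeholders).
JAIL_LOCAL = """\
[DEFAULT]
bantime  = 86400
common_ignoreip  = 127.0.0.1/8 ::1
externaltest_ip  = 198.51.100.7
welcomelist      = 203.0.113.0/24

[postfix]
enabled  = true
mode     = aggressive
bantime  = 3h5m
findtime = 3h5m
port     = pop3,pop3s,imap,imaps,submission,465,sieve,smtp
maxretry = 3
ignoreip = %(common_ignoreip)s %(externaltest_ip)s %(welcomelist)s
"""

# Duration suffixes handled by this toy parser; a bare number is seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DURATION = re.compile(r"(\d+)\s*([smhdw]?)")


def parse_time(value):
    """'3h5m' -> 11100, '86400' -> 86400; rejects anything else."""
    value = value.strip().lower()
    if not re.fullmatch(r"(?:\d+\s*[smhdw]?\s*)+", value):
        raise ValueError(f"bad duration: {value!r}")
    return sum(int(n) * UNITS[u or "s"] for n, u in DURATION.findall(value))


def load_jail(text, name):
    """Parse one jail section with %(name)s interpolation from [DEFAULT]."""
    cp = configparser.ConfigParser()  # default BasicInterpolation resolves %(name)s
    cp.read_string(text)
    sec = cp[name]
    return {
        "enabled": sec.getboolean("enabled"),
        "mode": sec["mode"],
        "bantime": parse_time(sec["bantime"]),    # section value overrides [DEFAULT]
        "findtime": parse_time(sec["findtime"]),
        "maxretry": sec.getint("maxretry"),
        "port": [p.strip() for p in sec["port"].split(",")],
        "ignoreip": sec["ignoreip"].split(),      # one flat list after interpolation
    }
```

Note that the section's `bantime = 3h5m` wins over the `bantime = 86400` in [DEFAULT], and that a name referenced in ignoreip but never defined in [DEFAULT] raises an interpolation error at load time rather than silently expanding to nothing, which is the failure you would see as fail2ban refusing to start the jail.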