Ole,
I have attached the fail2ban.conf and the jail.conf file. I am running
the following:
*> uname -a*
Linux laetitia.area510.net 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:20:55
EDT 2009 i686 athlon i386 GNU/Linux
*> rpm -qa|grep release*
remi-release-5-4.el5.remi
centos-release-notes-5.4-4
rpmforge-release-0.3.6-1.el5.rf
epel-release-5-3
centos-release-5-4.el5.centos.1
Have a great weekend.
Cheers,
CJ
[email protected] wrote:
> You may send me the conf files directly to me.
> I need to know your OS and version.
>
> Currently running it for ssh, pop3, proftp on Centos 5
>
> But will be away for the weekend so you wont get any answers from before
> monday.
>
>
>> I too am getting similar errors and it has never worked for my qmail
>> installation. It works for Proftpd and ssh just fine. Although in this
>> snippet it shows a ProFTPD error too. Little or no info out there to
>> resolve this.
>>
>> 2009-10-30 09:01:02,004 fail2ban.actions.action: ERROR iptables -N
>> fail2ban-pop3
>> iptables -A fail2ban-pop3 -j RETURN
>> iptables -I INPUT -p tcp --dport pop3 -j fail2ban-pop3 returned 200
>> 2009-10-30 09:01:02,126 fail2ban.actions.action: ERROR iptables -N
>> fail2ban-QMAIL
>> iptables -A fail2ban-QMAIL -j RETURN
>> iptables -I INPUT -p tcp --dport smtp -j fail2ban-QMAIL returned 200
>> 2009-10-30 09:01:02,298 fail2ban.actions.action: ERROR iptables -N
>> fail2ban-ProFTPD
>> iptables -A fail2ban-ProFTPD -j RETURN
>> iptables -I INPUT -p tcp --dport ftp -j fail2ban-ProFTPD returned 100
>>
>>
>>
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.0.2 192.168.0.86
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], sender=fail2ban.ssh]
logpath = /var/log/secure
maxretry = 5
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected], sender=fail2ban.ftp]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
action = iptables[name=pop3, port=pop3, protocol=tcp]
sendmail-whois[name=pop3,[email protected], sender=fail2ban.pop3]
logpath = /var/log/maillog
maxretry = 3
bantime = -1
[qmail-iptables]
enabled = true
filter = qmail
action = iptables[name=QMAIL, port=smtp, protocol=tcp]
sendmail-whois[name=QMAIL, [email protected], sender=fail2ban.qmail]
logpath = /var/log/maillog
maxretry = 3
bantime = -1
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected]]
logpath = /var/log/mail.log
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, [email protected]]
ignoreregex = for myuser from
logpath = /var/log/sshd.log
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/httpd/error_log
# /home/www/myhomepage/error_log
maxretry = 6
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, [email protected]]
logpath = /var/log/postfix.log
bantime = 300
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, [email protected]]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
# Same as above but with banning the IP address.
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, [email protected]]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, [email protected]]
logpath = /var/log/httpd/access_log
bantime = 172800
maxretry = 1
# Use shorewall instead of iptables.
[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
sendmail[name=Postfix, [email protected]]
logpath = /var/log/apache2/error_log
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", [email protected]]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# }
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
[named-refused-udp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, [email protected]]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, [email protected]]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
