On 3/8/2011 11:18 AM, Pak Ogah wrote:
On 07-Mar-11 21:49, Eric Shubert wrote:
Great job, Pak.
Thanks, Toma.
Pak, will you get this incorporated into the wiki?
TIA.
Ok Eric, it's done, but since I just copy-pasted as is and
re-formatted, I didn't know what that fail2ban means (I haven't
tried it either),
but I saw something weird. So I would like to ask Sergio, Toma and
others who understand fail2ban.
@Sergio,
you created a filter named /etc/fail2ban/filter.d/vpopmail-fail.conf
but the regex is searching for
vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
and how come in the action you are blocking the smtp port rather than the pop3 port?
action = iptables[name=SMTP, port=smtp, protocol=tcp]
@Toma,
I have changed
logpath = /your/path/to/pop3/logs
into
logpath = /var/log/maillog
because that is the log where I can find the error "vpopmail user not
found" on a qmt system.
BTW I have changed
action = shorewall
into
action = iptables[name=SMTP, port=smtp, protocol=tcp]
and the question is also the same: why did you block the smtp port for an error in
the pop3 log?
I think we need to standardize fail2ban rules for QMT.
Hello,
If your system has shorewall as firewall management solution,
we get the 'action' statement from /etc/fail2ban/jail.conf
-------------------
[qmail-pop3]
enabled = true
filter = qmail-pop3
action = shorewall
         sendmail[name="Qmail Pop3 user fail", dest=y...@yourdomain.com]
logpath = /path/to/logfile
maxretry = 3
bantime = 600
-----------------------
now each action refers to a file in
/etc/fail2ban/action.d
shorewall.conf ( as shorewall from action line above )
and
sendmail.conf ( as sendmail from action line above )
where we have:
shorewall.conf
---------------
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = shorewall drop <ip>
actionunban = shorewall allow <ip>
-------------
and
sendmail.conf
---------------------------------------
[Definition]
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban = printf %%b "Subject: [Fail2Ban] <name>: unbanned <ip>
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The IP <ip> has just been unbanned by Fail2Ban
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
[Init]
name = default
dest = root
sender = fail2ban
-------------------------------------------------
When used with shorewall, the <HOST> is passed to shorewall as "shorewall
drop <ip>" and the IP will be dropped (there is no use of port or protocol).
I never used the iptables action on fail2ban, sorry, I have to do some tests...
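
The question raised in this thread (which service does a filter's regex really match, and does the port in the jail's action cover it?) can be checked offline before a jail goes live. The following is an added example, not part of the original messages and not fail2ban's own code: the log lines are constructed, `HOST_RE` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, `POP3_REGEX` is a hypothetical filter, and the check assumes the port name in the action equals the `vchkpw-<service>` tag in the log.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this example).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex quoted in the thread for filter.d/vpopmail-fail.conf
THREAD_REGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"
# Hypothetical POP3 filter built around the "vpopmail user not found" error (not from the thread).
POP3_REGEX = r"vchkpw-pop3: vpopmail user not found [^@]*@[^:]*:<HOST>"
# Constructed /var/log/maillog lines (documentation addresses, made-up users).
SAMPLE_LOG = """\
Mar  8 11:02:13 mail vpopmail[2101]: vchkpw-smtp: password fail (pass: 'guess1') alice@example.com:203.0.113.5
Mar  8 11:02:15 mail vpopmail[2102]: vchkpw-smtp: password fail (pass: 'guess2') alice@example.com:203.0.113.5
Mar  8 11:03:40 mail vpopmail[2110]: vchkpw-pop3: vpopmail user not found bob@example.com:198.51.100.7
Mar  8 11:04:02 mail vpopmail[2115]: vchkpw-pop3: (PLAIN) login success carol@example.com:192.0.2.10
"""
SERVICE_TAG = re.compile(r"vchkpw-(\w+):")
FAILURE_WORDS = ("password fail", "user not found")


def audit_jail(failregex, port, log_text):
    """Report which services a failregex matches and whether `port` covers them."""
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    matched, unmatched = {}, {}
    for line in log_text.splitlines():
        tag = SERVICE_TAG.search(line)
        if not tag or not any(w in line for w in FAILURE_WORDS):
            continue  # not a vchkpw authentication failure line
        hit = rx.search(line)
        if hit:
            # service -> list of IPs fail2ban would count toward maxretry
            matched.setdefault(tag.group(1), []).append(hit.group("host"))
        else:
            # failures in the log that this filter never sees
            unmatched[tag.group(1)] = unmatched.get(tag.group(1), 0) + 1
    return {
        "matched": matched,
        "unmatched_failures": unmatched,
        "port_covers_matches": bool(matched) and set(matched) == {port},
    }


if __name__ == "__main__":
    print(audit_jail(THREAD_REGEX, "smtp", SAMPLE_LOG))  # regex and port agree
    print(audit_jail(POP3_REGEX, "smtp", SAMPLE_LOG))    # POP3 failures, SMTP port banned
    print(audit_jail(POP3_REGEX, "pop3", SAMPLE_LOG))    # corrected port
```

For a real filter file, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf` reports what the installed filter matches using fail2ban's own `<HOST>` handling.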