Hi Dan.
I'm having the same attempts - these days it escalates.
They get a 'tcpserver: end 28341 status 256' in the submission log
because of vpopmail refusal (I think) so I catch them in the maillog
file. (Now that I come to think of it, one should catch all status 256's and
ban them!)
I'm using Fail2ban version 0.8.11 - the latest is 0.9.1 as I recall, but
there have been some changes to the settings, so I'm still planning to do
some testing.
Fail2ban is pretty straightforward to install - there are a lot of
filters and actions implemented - making your own filters is doable if
you know regex (Python based).
(I'm also using fail2ban to 'protect' my webservers against attempts of
different kinds) - it's not foolproof, nor the only safety precaution
of course, but it blocks these irritating resource-demanding intrusion
attempts effectively - when they change IP to another country - in my
case - 3 strikes and you're out for 172800 secs in my setup, no matter the
IP address.
I'm not an expert, but let me know if you have questions and I will
answer if I can.
This is my entry in jail.conf for this specifically:
[vpopmail]
enabled = true
filter = vpopmail
action = iptables-allports[name=vpopmail, protocol=tcp]
         sendmail-whois[name=vpopmail, lines=1, [email protected]]
logpath = /var/log/maillog
maxretry = 3
findtime = 3600
bantime = 172800
This is my filter in filter.d/vpopmail.conf:
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
            vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-pop3: vpopmail user not found .*:<HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
This is one of the catches ;-)
The IP 218.76.158.162 has just been banned by Fail2Ban after
3 attempts against vpopmail.
Here are more information about 218.76.158.162:
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '218.76.144.0 - 218.76.159.255'
inetnum: 218.76.144.0 - 218.76.159.255
netname: CHINANET-HN-CZ
country: CN
descr: CHINANET-HN Chenzhou node network
descr: hunan Telecom
admin-c: CHC16-AP
tech-c: CH636-AP
status: ALLOCATED NON-PORTABLE
changed: [email protected] 20050914
mnt-by: MAINT-CHINANET-HN
mnt-lower: MAINT-CHINANET-HN-CZ
source: APNIC
role: CHINANET HUNAN
address: No.1 TuanJie road,ChangSha,Hunan 410005
country: CN
phone: +86 731 4792092
fax-no: +86 731 4792007
e-mail: [email protected]
remarks: send spam reports to [email protected]
remarks: and abuse reports to [email protected]
remarks: Please include detailed information and
remarks: times in UTC
admin-c: CH632-AP
tech-c: CS499-AP
nic-hdl: CH636-AP
mnt-by: MAINT-CHINANET-HN
changed: [email protected] 20050816
changed: [email protected] 20111114
source: APNIC
role: CHINANET HuNan Chenzhou
address: No.10 Renming East road,Chenzhou Hunan 423000
country: CN
phone: +86 735 2962319
fax-no: +86 735 2262119
e-mail: [email protected]
remarks: send spam reports to [email protected]
remarks: and abuse reports to [email protected]
remarks: Please include detailed information and
remarks: times in UTC
admin-c: CZ347-AP
tech-c: CZ347-AP
nic-hdl: CHC16-AP
notify: [email protected]
mnt-by: MAINT-CHINANET-HN-CZ
changed: [email protected] 20050818
source: APNIC
changed: [email protected] 20111114
% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS3)
Regards,
Fail2Ban
Cheers,
Finn
On 07-08-2014 at 00:09, Dan McAllister wrote:
> I am curious -- has anyone looked into a fail2ban implementation for QMT?
>
> One of my larger mail servers is being attacked (from China currently,
> but when it started in Malaysia and I blocked all Malaysian IPs, they
> just moved to another IP) with essentially a brute-force password
> guessing attack on users in one of the domains.
>
> They are using the SUBMISSION port to attempt logins, but I'd like to be
> able to ban SUBMISSION as well as IMAP/POP access (independently, or
> together) based on failed login attempts. (Ideally: if the same IP fails
> to log in on any of those ports more than 5 times in a 5-minute period,
> I'd like to simply tar-pit the entire IP address for 24 hours or so!)
>
> I'm (as amazing as it sounds) not all that familiar with fail2ban, but
> I've considered it several times and just never had the time to
> investigate.
>
> Assistance and experiences equally desired! :)
>
> Dan McAllister
> QMT DNS/Mirror Admin
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
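The jail and filter Finn posted, replayed over a handful of maillog lines, as an added example (editor's code, not Finn's and not part of fail2ban): it stands in a simplified pattern for fail2ban's <HOST> placeholder, applies the three failregex lines, and then applies maxretry, findtime and bantime the way the jail would. The log lines, the hostname "mail", the PIDs and the year are constructed; the two documentation addresses are assumed attackers, alongside the address the ban notice above reports.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three failregex lines from the posted filter.d/vpopmail.conf.
# fail2ban expands <HOST> itself; HOST_RE is a simplified stand-in
# (an IPv4 address or hostname) so the patterns run without fail2ban.
FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-pop3: vpopmail user not found .*:<HOST>$",
]
HOST_RE = r"(?P<host>[\w\-.]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Jail settings from the posted jail.conf entry.
MAXRETRY = 3
FINDTIME = 3600    # seconds
BANTIME = 172800   # seconds

# Constructed sample of /var/log/maillog lines, in time order. Not real
# traffic: 203.0.113.9 and 198.51.100.7 are documentation addresses.
SAMPLE_MAILLOG = """\
Aug  7 00:09:12 mail vpopmail[28341]: vchkpw-submission: vpopmail user not found bob@example.com:218.76.158.162
Aug  7 00:09:20 mail vpopmail[28342]: vchkpw-submission: vpopmail user not found alice@example.com:218.76.158.162
Aug  7 00:09:31 mail vpopmail[28343]: vchkpw-pop3: vpopmail user not found admin@example.com:218.76.158.162
Aug  7 00:10:05 mail vpopmail[28344]: vchkpw-smtp: vpopmail user not found test@example.com:203.0.113.9
Aug  7 00:11:00 mail vpopmail[28345]: vchkpw-submission: login success alice@example.com:198.51.100.7
Aug  7 01:30:05 mail vpopmail[28346]: vchkpw-smtp: vpopmail user not found test@example.com:203.0.113.9
Aug  7 01:30:10 mail vpopmail[28347]: vchkpw-smtp: vpopmail user not found test@example.com:203.0.113.9
"""


def match_host(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line, year=2014):
    """Parse the leading 'Mon dd HH:MM:SS' syslog stamp. syslog omits the
    year, so one is supplied (2014 assumed for the constructed sample)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines in time order. A host is banned the moment its
    maxretry-th failure lands while maxretry-1 earlier failures are still
    within the findtime window. Returns {host: ban_time}."""
    recent = defaultdict(deque)   # host -> failure timestamps in window
    bans = {}
    for line in lines:
        host = match_host(line)
        if host is None or host in bans:
            continue
        now = syslog_time(line)
        window = recent[host]
        window.append(now)
        # Drop failures older than findtime (fail2ban's sliding window).
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = now
    return bans


def is_banned(bans, host, at, bantime=BANTIME):
    """True if host is inside its bantime at datetime `at`."""
    start = bans.get(host)
    return start is not None and start <= at < start + timedelta(seconds=bantime)


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_MAILLOG.splitlines()).items():
        print(f"{host} banned at {when:%b %d %H:%M:%S} for {BANTIME} s")
```

Run as is, only 218.76.158.162 is banned (three "user not found" lines within 19 seconds); 203.0.113.9 fails three times too, but its first failure is 80 minutes before the other two, so it never has three inside one findtime window. One caveat on the 'tcpserver: end 28341 status 256' line mentioned at the top of the reply: tcpserver's end line carries only the child PID and exit status, not the client address (that is on the earlier 'tcpserver: pid ... from ...' line), so a filter on the end line alone has nothing to put in <HOST>; the vpopmail line, which ends in the client address, is the one a failregex can use.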