Nice, easier than mine.
On 6/3/2020 6:27 PM, Gary Bowling wrote:
Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf

[INCLUDES]
before = common.conf
# vi /etc/fail2ban/filter.d/vpopmail.conf:
[Definition]
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
            vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-smtp: password fail .*:<HOST>$
            vchkpw-submission: password fail .*:<HOST>$
ignoreregex =

In my jail.local, I have the following for my vpopmail config.

[vpopmail]
enabled = true
filter = vpopmail
port = pop3,pop3s,imap,imaps,submission,465
logpath = /var/log/maillog
maxretry = 4
findtime = 86400 ; 1 day
bantime = 10800 ; 3 hours

On 6/3/2020 7:53 PM, Eric Broch wrote:
can you share your vpopmail rules for fail2ban, config and regex?
On 6/3/2020 5:48 PM, Gary Bowling wrote:
FYI in case someone else can use this info.
In my recent review of my server and trying to tighten up security,
I noticed that there were a number of IPs that showed up regularly
in my fail2ban firewall rules. I have a fail2ban jail for vpopmail
that looks at failed login attempts and blocks their IP addresses in
iptables.
One IP address in particular would attack my server, get banned by
fail2ban, and when the bantime was up, the same IP would start
attacking again, and the loop would continue.
In order to try to do something about these bots, I first looked at
the "recidive" jail that is included with more recent versions of
fail2ban.
The recidive jail was created just for this problem. However,
recidive just adds an additional jail time for a repeat offender.
So, for instance, a 4 hour jail time might get increased to 1 week.
But after a week it starts over.
In searching I found this article, which describes what I think is a
better approach to the issue.
https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
This article describes how to build a series of increased jail times
for a habitual offender, eventually culminating in a year of jail time.
Thanks, Gary
--
____________________
Gary Bowling
The Moderns on Spotify
<https://distrokid.com/hyperfollow/themoderns/bbrs>
____________________
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
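
Added example (not part of the thread and not fail2ban's own code): a Python replay of the four failregex lines and the maxretry/findtime/bantime values from the jail above over a constructed log, showing one host being re-banned each time its 3-hour ban expires. The IPv4-only stand-in for <HOST>, the log lines, the year and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines from the filter in this thread. fail2ban expands
# <HOST> itself; this IPv4-only group is a simplified stand-in (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
)]
# maxretry, findtime and bantime as set in the [vpopmail] jail.
MAXRETRY, FINDTIME, BANTIME = 4, timedelta(seconds=86400), timedelta(seconds=10800)

def failed_host(line):
    """Return the source IP if any failregex matches the line, else None."""
    hits = (rx.search(line) for rx in FAILREGEX)
    return next((m.group("host") for m in hits if m), None)

def replay(lines, year=2020):
    """Replay time-ordered syslog lines; return {ip: [time of each ban]}."""
    recent, banned_until, bans = defaultdict(deque), {}, defaultdict(list)
    for line in lines:
        ip = failed_host(line)
        if ip is None:
            continue
        # Syslog stamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if ts < banned_until.get(ip, datetime.min):
            continue  # still banned: the firewall would have dropped this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:  # forget failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:
            bans[ip].append(ts)
            banned_until[ip] = ts + BANTIME
            q.clear()
    return dict(bans)

# Constructed sample log (not from the thread): one unknown-user probe, one
# good login, then a host that sends 4 bad passwords every 4 hours.
SAMPLE = ["Jun  3 00:30:00 mail vpopmail[41]: vchkpw-smtp: vpopmail user not found "
          "eve@example.com:198.51.100.9",
          "Jun  3 00:45:00 mail vpopmail[42]: vchkpw-smtp: (PLAIN) login success "
          "amy@example.com:192.0.2.44"]
SAMPLE += [f"Jun  3 {h:02d}:00:{s:02d} mail vpopmail[43]: vchkpw-submission: "
           f"password fail bob@example.com:203.0.113.7"
           for h in (1, 5, 9) for s in range(0, 40, 10)]

if __name__ == "__main__":
    print({ip: [t.isoformat() for t in when] for ip, when in replay(SAMPLE).items()})
```

On a live server, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf` runs the real filter against the real log.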