Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Remo Mattei
If you are using chkuser, the user not found should never get past the initial smtp.
Remo

> On Jun 3, 2020, at 22:34, Noriyuki Hayashi  wrote:
> 
> Hi
> 
> What about below?
> 
> [Definition]
> 
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile.
> # Values: TEXT
> #
> failregex = vchkpw-pop3: vpopmail user not found .*@.*:$
>             vchkpw-pop3: vpopmail user not found .*@:$
>             vchkpw-pop3: vpopmail user not found .*@.*:..$
>             vchkpw-pop3: vpopmail user not found .*@:..$
>             vchkpw-smtp: vpopmail user not found .*@.*:$
>             vchkpw-smtp: vpopmail user not found .*@:$
>             vchkpw-smtp: vpopmail user not found .*@.*:..$
>             vchkpw-smtp: vpopmail user not found .*@:..$
>             vchkpw-submission: vpopmail user not found .*@.*:$
>             vchkpw-submission: vpopmail user not found .*@:$
>             vchkpw-submission: vpopmail user not found .*@.*:..$
>             vchkpw-submission: vpopmail user not found .*@:..$
>             vchkpw-submission: password fail (pass: '.*') .*@.*:$
>             vchkpw-smtp: null password given [^:]*:
>             vchkpw-submission: null password given [^:]*:
> 
> 
> Kind regards,
> Nori
> 
> 
> On Wed, 3 Jun 2020 18:14:01 -0700
> r...@mattei.org wrote:
> 
>> Nice work. I will take a look and try it out. 
>> 
>>> On 3 Jun 2020, at 17:52, Gary Bowling wrote:
>>> 
>>> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf 
>>> that is included with fail2ban. That should catch attempts on imap and 
>>> pop3, but I've never had it actually trap anything. So I'm guessing there 
>>> is something not quite right about it.
>>> 
>>> 
>>> 
>>> If you have something there that actually works, let me know.
>>> 
>>> 
>>> 
>>> Seems like most of the hacking on my server is trying to find smtp relays, 
>>> so maybe it's not a problem. Manually looking through the dovecot logs I 
>>> don't see a ton of attempts there. Nothing like the maillog where there 
>>> seems to be an endless list of bots hacking away. 
>>> 
>>> 
>>> 
>>> Gary
>>> 
>>> 
>>> 
>>>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>>>> Nice, easier than mine.
>>>> 
>>>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
> 
> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
> 
> [INCLUDES]
> before = common.conf
> 
> # vi /etc/fail2ban/filter.d/vpopmail.conf:
> 
> [Definition]
> failregex = vchkpw-smtp: vpopmail user not found .*:$
>             vchkpw-submission: vpopmail user not found .*:$
>             vchkpw-smtp: password fail .*:$
>             vchkpw-submission: password fail .*:$
> ignoreregex =
> 
> 
> 
> 
> 
> In my jail.local, I have the following for my vpopmail config. 
> 
> 
> 
> [vpopmail]
> enabled = true
> filter = vpopmail
> port= pop3,pop3s,imap,imaps,submission,465
> logpath = /var/log/maillog
> maxretry = 4
> findtime = 86400 ; 1 day
> bantime = 10800 ; 3 hours
> 
> 
> 
> 
> 
> On 6/3/2020 7:53 PM, Eric Broch wrote:
>> can you share your vpopmail rules for fail2ban, config and regex?
>> 
>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
>>> 
>>> FYI in case someone else can use this info. 
>>> 
>>> In my recent review of my server and trying to tighten up security. I 
>>> noticed that there were a number of IPs that showed up regularly in my 
>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
>>> at failed login attempts and blocks their IP addresses in iptables. 
>>> 
>>> 
>>> 
>>> One IP address in particular would attack my server, get banned by 
>>> fail2ban, and when the bantime was up, the same IP  would start 
>>> attacking again, and the loop would continue. 
>>> 
>>> 
>>> 
>>> In order to try to do something about these bots, I first looked at the 
>>> "recidive" jail that is included with more recent versions of fail2ban. 
>>> 
>>> 
>>> 
>>> The recidive jail was created just for this problem. However recidive 
>>> just adds an additional jail time for a repeat offender. So, for 
>>> instance a 4 hour jail time might get increased to 1 week. But after a 
>>> week it starts over.
>>> 
>>> 
>>> 
>>> In searching I found this article, which describes what I think is a 
>>> better approach to the issue. 
>>> 
>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
>>> 
>>> 
>>> 
>>> This article describes how to build a series of increased jail times 
>>> for a habitual offender. Eventually culminating in a year jail time.
>>> 
>>> 
>>> 
>>> Thanks, Gary 
>>> 
>>> 
>>> 
>>> -- 
>>> 
>>> Gary Bowling
>>> The Moderns on Spotify 
>>> 

Re[2]: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Noriyuki Hayashi
Hi

What about below?

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = vchkpw-pop3: vpopmail user not found .*@.*:$
            vchkpw-pop3: vpopmail user not found .*@:$
            vchkpw-pop3: vpopmail user not found .*@.*:..$
            vchkpw-pop3: vpopmail user not found .*@:..$
            vchkpw-smtp: vpopmail user not found .*@.*:$
            vchkpw-smtp: vpopmail user not found .*@:$
            vchkpw-smtp: vpopmail user not found .*@.*:..$
            vchkpw-smtp: vpopmail user not found .*@:..$
            vchkpw-submission: vpopmail user not found .*@.*:$
            vchkpw-submission: vpopmail user not found .*@:$
            vchkpw-submission: vpopmail user not found .*@.*:..$
            vchkpw-submission: vpopmail user not found .*@:..$
            vchkpw-submission: password fail (pass: '.*') .*@.*:$
            vchkpw-smtp: null password given [^:]*:
            vchkpw-submission: null password given [^:]*:


Kind regards,
Nori


On Wed, 3 Jun 2020 18:14:01 -0700
r...@mattei.org wrote:

> Nice work. I will take a look and try it out. 
> 
> > On 3 Jun 2020, at 17:52, Gary Bowling wrote:
> > 
> > 
> > It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf 
> > that is included with fail2ban. That should catch attempts on imap and 
> > pop3, but I've never had it actually trap anything. So I'm guessing there 
> > is something not quite right about it.
> > 
> > 
> > 
> > If you have something there that actually works, let me know.
> > 
> > 
> > 
> > Seems like most of the hacking on my server is trying to find smtp relays, 
> > so maybe it's not a problem. Manually looking through the dovecot logs I 
> > don't see a ton of attempts there. Nothing like the maillog where there 
> > seems to be an endless list of bots hacking away. 
> > 
> > 
> > 
> > Gary
> > 
> > 
> > 
> >> On 6/3/2020 8:37 PM, Eric Broch wrote:
> >> Nice, easier than mine.
> >> 
> >> On 6/3/2020 6:27 PM, Gary Bowling wrote:
> >>> 
> >>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
> >>> 
> >>> [INCLUDES]
> >>> before = common.conf
> >>> 
> >>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
> >>> 
> >>> [Definition]
> >>> failregex = vchkpw-smtp: vpopmail user not found .*:$
> >>>             vchkpw-submission: vpopmail user not found .*:$
> >>>             vchkpw-smtp: password fail .*:$
> >>>             vchkpw-submission: password fail .*:$
> >>> ignoreregex =
> >>> 
> >>> 
> >>> 
> >>> 
> >>> 
> >>> In my jail.local, I have the following for my vpopmail config. 
> >>> 
> >>> 
> >>> 
> >>> [vpopmail]
> >>> enabled = true
> >>> filter = vpopmail
> >>> port= pop3,pop3s,imap,imaps,submission,465
> >>> logpath = /var/log/maillog
> >>> maxretry = 4
> >>> findtime = 86400 ; 1 day
> >>> bantime = 10800 ; 3 hours
> >>> 
> >>> 
> >>> 
> >>> 
> >>> 
> >>> On 6/3/2020 7:53 PM, Eric Broch wrote:
> >>>> can you share your vpopmail rules for fail2ban, config and regex?
> >>>> 
> >>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
> > 
> > FYI in case someone else can use this info. 
> > 
> > In my recent review of my server and trying to tighten up security. I 
> > noticed that there were a number of IPs that showed up regularly in my 
> > fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
> > at failed login attempts and blocks their IP addresses in iptables. 
> > 
> > 
> > 
> > One IP address in particular would attack my server, get banned by 
> > fail2ban, and when the bantime was up, the same IP  would start 
> > attacking again, and the loop would continue. 
> > 
> > 
> > 
> > In order to try to do something about these bots, I first looked at the 
> > "recidive" jail that is included with more recent versions of fail2ban. 
> > 
> > 
> > 
> > The recidive jail was created just for this problem. However recidive 
> > just adds an additional jail time for a repeat offender. So, for 
> > instance a 4 hour jail time might get increased to 1 week. But after a 
> > week it starts over.
> > 
> > 
> > 
> > In searching I found this article, which describes what I think is a 
> > better approach to the issue. 
> > 
> > https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
> > 
> > 
> > 
> > This article describes how to build a series of increased jail times 
> > for a habitual offender. Eventually culminating in a year jail time.
> > 
> > 
> > 
> > Thanks, Gary 
> > 
> > 
> > 
> > -- 
> > 
> > Gary Bowling
> > The Moderns on Spotify 
> > 

Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread remo
Nice work. I will take a look and try it out. 

> On 3 Jun 2020, at 17:52, Gary Bowling wrote:
> 
> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf that 
> is included with fail2ban. That should catch attempts on imap and pop3, but 
> I've never had it actually trap anything. So I'm guessing there is something 
> not quite right about it.
> 
> 
> 
> If you have something there that actually works, let me know.
> 
> 
> 
> Seems like most of the hacking on my server is trying to find smtp relays, so 
> maybe it's not a problem. Manually looking through the dovecot logs I don't 
> see a ton of attempts there. Nothing like the maillog where there seems to be 
> an endless list of bots hacking away. 
> 
> 
> 
> Gary
> 
> 
> 
>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>> Nice, easier than mine.
>> 
>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
>>> 
>>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
>>> 
>>> [INCLUDES]
>>> before = common.conf
>>> 
>>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
>>> 
>>> [Definition]
>>> failregex = vchkpw-smtp: vpopmail user not found .*:$
>>>             vchkpw-submission: vpopmail user not found .*:$
>>>             vchkpw-smtp: password fail .*:$
>>>             vchkpw-submission: password fail .*:$
>>> ignoreregex =
>>> 
>>> 
>>> 
>>> 
>>> 
>>> In my jail.local, I have the following for my vpopmail config. 
>>> 
>>> 
>>> 
>>> [vpopmail]
>>> enabled = true
>>> filter = vpopmail
>>> port= pop3,pop3s,imap,imaps,submission,465
>>> logpath = /var/log/maillog
>>> maxretry = 4
>>> findtime = 86400 ; 1 day
>>> bantime = 10800 ; 3 hours
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 6/3/2020 7:53 PM, Eric Broch wrote:
>>>> can you share your vpopmail rules for fail2ban, config and regex?
>>>> 
>>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
> 
> FYI in case someone else can use this info. 
> 
> In my recent review of my server and trying to tighten up security. I 
> noticed that there were a number of IPs that showed up regularly in my 
> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
> at failed login attempts and blocks their IP addresses in iptables. 
> 
> 
> 
> One IP address in particular would attack my server, get banned by 
> fail2ban, and when the bantime was up, the same IP  would start attacking 
> again, and the loop would continue. 
> 
> 
> 
> In order to try to do something about these bots, I first looked at the 
> "recidive" jail that is included with more recent versions of fail2ban. 
> 
> 
> 
> The recidive jail was created just for this problem. However recidive 
> just adds an additional jail time for a repeat offender. So, for instance 
> a 4 hour jail time might get increased to 1 week. But after a week it 
> starts over.
> 
> 
> 
> In searching I found this article, which describes what I think is a 
> better approach to the issue. 
> 
> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
> 
> 
> 
> This article describes how to build a series of increased jail times for 
> a habitual offender. Eventually culminating in a year jail time.
> 
> 
> 
> Thanks, Gary 
> 
> 
> 
> -- 
> 
> Gary Bowling
> The Moderns on Spotify 
> 
-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

  
  


It seems to work. I'm also using the
  /etc/fail2ban/filter.d/dovecot.conf that is included with
  fail2ban. That should catch attempts on imap and pop3, but I've
  never had it actually trap anything. So I'm guessing there is
  something not quite right about it.


If you have something there that actually works, let me know.


Seems like most of the hacking on my server is trying to find
  smtp relays, so maybe it's not a problem. Manually looking through
  the dovecot logs I don't see a ton of attempts there. Nothing like
  the maillog where there seems to be an endless list of bots
  hacking away. 



Gary



On 6/3/2020 8:37 PM, Eric Broch wrote:

Nice, easier than mine.

On 6/3/2020 6:27 PM, Gary Bowling wrote:

Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf

[INCLUDES]
before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:

[Definition]
failregex = vchkpw-smtp: vpopmail user not found .*:$
            vchkpw-submission: vpopmail user not found .*:$
            vchkpw-smtp: password fail .*:$
            vchkpw-submission: password fail .*:$
ignoreregex =




In my jail.local, I have the following for my vpopmail config.

[vpopmail]
enabled = true
filter = vpopmail
port    = pop3,pop3s,imap,imaps,submission,465
logpath = /var/log/maillog
maxretry = 4
findtime = 86400 ; 1 day
bantime = 10800 ; 3 hours





On 6/3/2020 7:53 PM, Eric Broch wrote:

can you share your vpopmail rules for fail2ban, config and regex?

On 6/3/2020 5:48 PM, Gary Bowling wrote:

  
  



FYI in case someone else can use this info. 

In my recent review of my server and trying to tighten up
  security. I noticed that there were a number of IPs that
  showed up regularly in my fail2ban firewall rules. I have
  a fail2ban jail for vpopmail that looks at failed login
  attempts and blocks their IP addresses in iptables. 



One IP address in particular would attack my server, get
  banned by fail2ban, and when the bantime was up, the same
  IP  would start attacking again, and the loop would
  continue. 



In order to try to do something about these bots, I first
  looked at the "recidive" jail that is included with more
  recent versions of fail2ban. 



The recidive jail was created just for this problem.
  However recidive just adds an additional jail time for a
  repeat offender. So, for instance a 4 hour jail time might
  get increased to 1 week. But after a week it starts over.



In searching I found this article, which describes what I
  think is a better approach to the issue. 

https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased
  jail times for a habitual offender. Eventually culminating
  in a year jail time.


Thanks, Gary 



-- 
  
  Gary Bowling
   The Moderns on Spotify 
  


  


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Eric Broch

Nice, easier than mine.

On 6/3/2020 6:27 PM, Gary Bowling wrote:



Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf

[INCLUDES]
before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:

[Definition]
failregex = vchkpw-smtp: vpopmail user not found .*:$
    vchkpw-submission: vpopmail user not found .*:$
    vchkpw-smtp: password fail .*:$
    vchkpw-submission: password fail .*:$
ignoreregex =



In my jail.local, I have the following for my vpopmail config.


[vpopmail]
enabled = true
filter = vpopmail
port    = pop3,pop3s,imap,imaps,submission,465
logpath = /var/log/maillog
maxretry = 4
findtime = 86400 ; 1 day
bantime = 10800 ; 3 hours



On 6/3/2020 7:53 PM, Eric Broch wrote:


can you share your vpopmail rules for fail2ban, config and regex?

On 6/3/2020 5:48 PM, Gary Bowling wrote:



FYI in case someone else can use this info.

In my recent review of my server and trying to tighten up security. 
I noticed that there were a number of IPs that showed up regularly 
in my fail2ban firewall rules. I have a fail2ban jail for vpopmail 
that looks at failed login attempts and blocks their IP addresses in 
iptables.



One IP address in particular would attack my server, get banned by 
fail2ban, and when the bantime was up, the same IP  would start 
attacking again, and the loop would continue.



In order to try to do something about these bots, I first looked at 
the "recidive" jail that is included with more recent versions of 
fail2ban.



The recidive jail was created just for this problem. However 
recidive just adds an additional jail time for a repeat offender. 
So, for instance a 4 hour jail time might get increased to 1 week. 
But after a week it starts over.



In searching I found this article, which describes what I think is a 
better approach to the issue.


https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased jail times 
for a habitual offender. Eventually culminating in a year jail time.



Thanks, Gary


--

Gary Bowling
The Moderns on Spotify 



- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 


Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

  
  


Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf

[INCLUDES]
before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:

[Definition]
failregex = vchkpw-smtp: vpopmail user not found .*:$
            vchkpw-submission: vpopmail user not found .*:$
            vchkpw-smtp: password fail .*:$
            vchkpw-submission: password fail .*:$
ignoreregex =




In my jail.local, I have the following for my vpopmail config.

[vpopmail]
enabled = true
filter = vpopmail
port    = pop3,pop3s,imap,imaps,submission,465
logpath = /var/log/maillog
maxretry = 4
findtime = 86400 ; 1 day
bantime = 10800 ; 3 hours





On 6/3/2020 7:53 PM, Eric Broch wrote:

can you share your vpopmail rules for fail2ban, config and regex?

On 6/3/2020 5:48 PM, Gary Bowling wrote:

  
  



FYI in case someone else can use this info. 

In my recent review of my server and trying to tighten up
  security. I noticed that there were a number of IPs that
  showed up regularly in my fail2ban firewall rules. I have a
  fail2ban jail for vpopmail that looks at failed login attempts
  and blocks their IP addresses in iptables. 



One IP address in particular would attack my server, get
  banned by fail2ban, and when the bantime was up, the same IP 
  would start attacking again, and the loop would continue. 



In order to try to do something about these bots, I first
  looked at the "recidive" jail that is included with more
  recent versions of fail2ban. 



The recidive jail was created just for this problem. However
  recidive just adds an additional jail time for a repeat
  offender. So, for instance a 4 hour jail time might get
  increased to 1 week. But after a week it starts over.



In searching I found this article, which describes what I
  think is a better approach to the issue. 

https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased
  jail times for a habitual offender. Eventually culminating in
  a year jail time.


Thanks, Gary 



-- 
  
  Gary Bowling
   The Moderns on Spotify 
  


  


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Eric Broch

can you share your vpopmail rules for fail2ban, config and regex?

On 6/3/2020 5:48 PM, Gary Bowling wrote:



FYI in case someone else can use this info.

In my recent review of my server and trying to tighten up security. I 
noticed that there were a number of IPs that showed up regularly in my 
fail2ban firewall rules. I have a fail2ban jail for vpopmail that 
looks at failed login attempts and blocks their IP addresses in iptables.



One IP address in particular would attack my server, get banned by 
fail2ban, and when the bantime was up, the same IP  would start 
attacking again, and the loop would continue.



In order to try to do something about these bots, I first looked at 
the "recidive" jail that is included with more recent versions of 
fail2ban.



The recidive jail was created just for this problem. However recidive 
just adds an additional jail time for a repeat offender. So, for 
instance a 4 hour jail time might get increased to 1 week. But after a 
week it starts over.



In searching I found this article, which describes what I think is a 
better approach to the issue.


https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased jail times 
for a habitual offender. Eventually culminating in a year jail time.



Thanks, Gary


--

Gary Bowling
The Moderns on Spotify 

- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 


[qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

  
  


FYI in case someone else can use this info. 

In my recent review of my server and trying to tighten up
  security. I noticed that there were a number of IPs that showed up
  regularly in my fail2ban firewall rules. I have a fail2ban jail
  for vpopmail that looks at failed login attempts and blocks their
  IP addresses in iptables. 



One IP address in particular would attack my server, get banned
  by fail2ban, and when the bantime was up, the same IP  would start
  attacking again, and the loop would continue. 



In order to try to do something about these bots, I first looked
  at the "recidive" jail that is included with more recent versions
  of fail2ban. 



The recidive jail was created just for this problem. However
  recidive just adds an additional jail time for a repeat offender.
  So, for instance a 4 hour jail time might get increased to 1 week.
  But after a week it starts over.



In searching I found this article, which describes what I think
  is a better approach to the issue. 

https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased jail
  times for a habitual offender. Eventually culminating in a year
  jail time.


Thanks, Gary 



-- 
  
  Gary Bowling
   The
Moderns on Spotify 
  

  


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
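
The vpopmail filter and jail posted earlier in this thread, together with the repeat-offender escalation this message is about, worked through as an added Python example. This is not fail2ban's code and not from the list: it expands fail2ban's <HOST> tag into a capture group, runs regexes modelled on the vpopmail.conf failregex lines over a constructed maillog excerpt, counts failures per client inside findtime, bans at maxretry, and doubles the ban for each repeat up to one year, the effect the linked article builds with a chain of jails. The placement of <HOST> after the final colon (where vchkpw appends the client address), the IPv4-only capture, and the doubling scheme are assumptions of this example; fail2ban's own fail2ban-regex tool is the way to confirm a filter against a real /var/log/maillog before enabling it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Patterns modelled on the vpopmail.conf failregex lines in this thread, with
# fail2ban's <HOST> tag added after the final colon, where vchkpw appends the
# client address. That placement is an assumption of this example: confirm it
# against real lines with fail2ban-regex before deploying such a filter.
FAILREGEX = [
    r"vchkpw-(?:smtp|submission|pop3): vpopmail user not found [^:]*:<HOST>$",
    r"vchkpw-(?:smtp|submission|pop3): password fail .*:<HOST>$",
    r"vchkpw-(?:smtp|submission): null password given [^:]*:<HOST>$",
]
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"  # IPv4 only, to keep this short

# Constructed maillog excerpt (not real traffic): 203.0.113.7 fails four times,
# sits out a three hour ban, then comes straight back, the loop Gary describes;
# 198.51.100.9 fails twice and stays under maxretry; the dovecot line is noise.
SAMPLE_LOG = """\
Jun  3 18:00:01 mail vpopmail[2101]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.7
Jun  3 18:00:05 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found test@example.com:203.0.113.7
Jun  3 18:00:09 mail vpopmail[2103]: vchkpw-submission: password fail (pass: 'x') gary@example.com:203.0.113.7
Jun  3 18:00:10 mail dovecot: imap-login: Login: user=<gary>, rip=192.0.2.5
Jun  3 18:00:13 mail vpopmail[2105]: vchkpw-smtp: null password given info@example.com:203.0.113.7
Jun  3 18:01:00 mail vpopmail[2106]: vchkpw-pop3: vpopmail user not found bob@example.com:198.51.100.9
Jun  3 18:02:00 mail vpopmail[2107]: vchkpw-pop3: password fail (pass: 'x') bob@example.com:198.51.100.9
Jun  3 21:00:14 mail vpopmail[2301]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.7
Jun  3 21:00:15 mail vpopmail[2302]: vchkpw-smtp: vpopmail user not found sales@example.com:203.0.113.7
Jun  3 21:00:16 mail vpopmail[2303]: vchkpw-smtp: vpopmail user not found root@example.com:203.0.113.7
Jun  3 21:00:17 mail vpopmail[2304]: vchkpw-smtp: vpopmail user not found www@example.com:203.0.113.7
"""


def compile_failregex(patterns):
    """Expand the <HOST> tag into a named capture, as fail2ban does internally."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_failures(log_text, regexes):
    """Yield (seconds, ip) for every line some failregex matches.

    Syslog stamps carry no year, so seconds are counted from 1900-01-01;
    only the differences between them matter to the jail.
    """
    epoch = datetime(1900, 1, 1)
    for line in log_text.splitlines():
        for rx in regexes:
            match = rx.search(line)
            if match:
                stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
                yield (stamp - epoch).total_seconds(), match.group("host")
                break


class Jail:
    """fail2ban-style counting plus a doubling ban for repeat offenders, capped
    at one year. The escalation is this example's own scheme in the spirit of
    the linked article, not fail2ban's bantime.increment implementation."""

    def __init__(self, maxretry=4, findtime=86400, bantime=10800,
                 factor=2, maxtime=365 * 86400):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.factor, self.maxtime = factor, maxtime
        self.failures = defaultdict(deque)  # ip -> failure times inside findtime
        self.ban_count = defaultdict(int)   # ip -> bans handed out so far
        self.banned_until = {}              # ip -> time the ban expires
        self.events = []                    # (time, ip, duration) audit trail

    def ban_duration(self, ip):
        """bantime doubled once per previous ban, never more than maxtime."""
        return min(self.bantime * self.factor ** self.ban_count[ip], self.maxtime)

    def observe(self, ts, ip):
        """Record one failure; return the ban length if this one triggers a ban."""
        if ts < self.banned_until.get(ip, float("-inf")):
            return None  # still banned: iptables would have dropped the connection
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        duration = self.ban_duration(ip)
        self.banned_until[ip] = ts + duration
        self.ban_count[ip] += 1
        window.clear()
        self.events.append((ts, ip, duration))
        return duration


def run_jail(log_text=SAMPLE_LOG, **jail_opts):
    """Run the filter and jail over a log; the returned Jail holds the bans."""
    jail = Jail(**jail_opts)
    for ts, ip in parse_failures(log_text, compile_failregex(FAILREGEX)):
        jail.observe(ts, ip)
    return jail


if __name__ == "__main__":
    for ts, ip, duration in run_jail().events:
        print(f"ban {ip} for {duration // 3600} h")
```

On the sample log the first ban for 203.0.113.7 lasts the configured 3 hours and the second, issued the moment it returns, lasts 6; 198.51.100.9 never reaches maxretry. Note that fail2ban itself refuses a failregex with no <HOST> (or other failure-id) group, which is why the example adds one rather than copying the posted lines verbatim.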



Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Gary Bowling

  
  


To save you some searching. Here's a page with a lot of good
  info. It's about how to do all this on postfix, so it's not a
  cookie cutter for doing it on our toaster, but good info
  nonetheless. He also uses "opendmarc" to process DMARC things, but
  spamassassin also has it built in as per my previous note.



https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/


Gary


On 6/3/2020 11:12 AM, Eric Broch wrote:

Thanks, Gary.
I'll have a look

On 6/3/2020 8:52 AM, Gary Bowling wrote:
  
  

 

Further to this subject. I am learning that there are more
  pieces that can help us out. Spamassassin gives us a way to
  assign a spam score to messages with various DKIM results. But
  it doesn't know what the original sender wanted us to do with
  messages that have DKIM problems, therefore we just default to
  giving scores with some predetermined weighting.


There are two more tools, ADSP (Author Domain Signing
  Practices), and DMARC (Domain based Message Authentication,
  Reporting and Conformance). Which are both fancy ways of
  saying, "I want to tell other servers that messages from MY
  server should have DKIM and what to do if they don't"


For outbound mail, both ADSP and DMARC simply require you to
  set up DNS TXT records telling remote servers how to handle
  messages received from your server. If you want to use either
  of these, do a search for them and you'll find info on how to
  set up the DNS records. Without explanation of all the fields,
  here's what I put in my bind DNS.


_adsp._domainkey.mail  IN TXT    "dkim=all"

_dmarc.mail    IN   TXT   "v=DMARC1; p=quarantine; rua=mailto:postmas...@example.com; ruf=mailto:postmas...@example.com; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"



For inbound mail, we can set up spamassassin to query DNS
  records for inbound mail and score them based on info that
  others might have configured in DMARC. It requires a plugin
  called AskDNS, but that looks to already be available in our
  spamassassin and also in the EPEL version of spamassassin, so
  it should just require us to assign scores. Here's what I have
  configured in my /etc/spamassassin/local.cf



ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
  askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
  askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

  meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
  score DMARC_REJECT 10
  meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
  score DMARC_QUAR 5
  meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
  score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS










On 6/2/2020 5:12 PM, Gary Bowling wrote:


  
  
  
Yea, I had already looked in there, they aren't there. I eventually found them in

/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm
  
  
  Looks like the defaults are, 
  
    score DKIM_ADSP_ALL  2.5
  score DKIM_ADSP_DISCARD 25
  score DKIM_ADSP_NXDOMAIN 3

  score DKIM_ADSP_CUSTOM_LOW   1
  score DKIM_ADSP_CUSTOM_MED   3.5
  score DKIM_ADSP_CUSTOM_HIGH  8
  
  
  For right now, I'm going to adjust a few of these and also
adjust some of the SPF settings. Here's what I'm trying
right now in my /etc/spamassassin/local.cf
  
  
  
  
#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0
 
#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD  10.0
score DKIM_ADSP_NXDOMAIN 3.0

  

  
Thanks, Gary
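
The DMARC record and the AskDNS/meta rules quoted above, worked through in Python as an added example (not SpamAssassin's code and not part of the original message): it parses a v=DMARC1 TXT record into tags, applies relaxed or strict identifier alignment to the DKIM and SPF results the way DKIM_VALID_AU and SPF_PASS feed the meta rules, picks p= or sp= depending on whether the From domain is a subdomain of the record's domain, and maps the outcome onto the DMARC_REJECT, DMARC_QUAR and DMARC_NONE scores from the local.cf snippet. The sample record, domains and report address are constructed; the two-label organizational-domain shortcut is a simplification (real receivers use the Public Suffix List), and pct= is parsed but not sampled so the result stays deterministic.

```python
# Constructed sample record mirroring the tags in the zone entry above
# (the rua= address is a placeholder, not a real mailbox).
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; "
                 "fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine")

VALID_POLICIES = ("none", "quarantine", "reject")

# The scores the local.cf snippet above gives each outcome; a pass adds nothing.
SA_SCORES = {"reject": 10.0, "quarantine": 5.0, "none": 0.1, "pass": 0.0}


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict of lower-cased tags.

    Raises ValueError when the record is not DMARC1, lacks a valid p= tag, or
    carries an invalid alignment mode: a receiver treats all of these as
    'no usable policy', the same as a missing record.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"invalid {tag}= value")
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Real receivers consult the Public Suffix List; this shortcut is an
    assumption of the example and gets suffixes such as co.uk wrong.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the From
    domain, relaxed ('r') accepts any domain under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, record_domain, from_domain,
                      dkim_domain=None, dkim_pass=False,
                      spf_domain=None, spf_pass=False):
    """Return 'pass', or the policy action (none/quarantine/reject) to apply.

    record_domain is the domain whose _dmarc TXT record was fetched. When the
    From domain is a subdomain of it, sp= (if present) overrides p=. pct= is
    parsed but deliberately not sampled, so the result is deterministic.
    """
    tags = parse_dmarc(record)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"
    if from_domain.lower() != record_domain.lower() and tags.get("sp") in VALID_POLICIES:
        return tags["sp"]
    return tags["p"]


def spamassassin_score(disposition):
    """Map a disposition onto the DMARC_REJECT / DMARC_QUAR / DMARC_NONE scores."""
    return SA_SCORES[disposition]


if __name__ == "__main__":
    # Mail from example.com signed by mail.example.com passes under relaxed alignment.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "example.com",
                            dkim_domain="mail.example.com", dkim_pass=True))
```

Switching adkim=r to adkim=s in the sample record turns that same message into a quarantine, which is the practical difference between the relaxed settings in the record above and strict alignment: with strict, mail signed by a subdomain key no longer counts for the parent domain.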
  
  
  

Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Eric Broch

Thanks, Gary.

I'll have a look

On 6/3/2020 8:52 AM, Gary Bowling wrote:



Further to this subject. I am learning that there are more pieces that 
can help us out. Spamassassin gives us a way to assign a spam score to 
messages with various DKIM results. But it doesn't know what the 
original sender wanted us to do with messages that have DKIM problems, 
therefore we just default to giving scores with some predetermined 
weighting.



There are two more tools, ADSP (Author Domain Signing Practices), and 
DMARC (Domain based Message Authentication, Reporting and 
Conformance). Which are both fancy ways of saying, "I want to tell 
other servers that messages from MY server should have DKIM and what 
to do if they don't"



For outbound mail, both ADSP and DMARC simply require you to set up 
DNS TXT records telling remote servers how to handle messages received 
from your server. If you want to use either of these, do a search for 
them and you'll find info on how to set up the DNS records. Without 
explanation of all the fields, here's what I put in my bind DNS.



_adsp._domainkey.mail  IN TXT    "dkim=all"

_dmarc.mail    IN   TXT   "v=DMARC1; p=quarantine; rua=mailto:postmas...@example.com; ruf=mailto:postmas...@example.com; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"



For inbound mail, we can set up spamassassin to query DNS records for 
inbound mail and score them based on info that others might have 
configured in DMARC. It requires a plugin called AskDNS, but that 
looks to already be available in our spamassassin and also in the EPEL 
version of spamassassin, so it should just require us to assign 
scores. Here's what I have configured in my /etc/spamassassin/local.cf



ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
  askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
  askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

  meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
  score DMARC_REJECT 10
  meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
  score DMARC_QUAR 5
  meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
  score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS






On 6/2/2020 5:12 PM, Gary Bowling wrote:



Yea, I had already looked in there, they aren't there. I eventually 
found them in



/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm


Looks like the defaults are,

  score DKIM_ADSP_ALL  2.5
  score DKIM_ADSP_DISCARD 25
  score DKIM_ADSP_NXDOMAIN 3

  score DKIM_ADSP_CUSTOM_LOW   1
  score DKIM_ADSP_CUSTOM_MED   3.5
  score DKIM_ADSP_CUSTOM_HIGH  8


For right now, I'm going to adjust a few of these and also adjust 
some of the SPF settings. Here's what I'm trying right now in my 
/etc/spamassassin/local.cf



#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0

#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD  10.0
score DKIM_ADSP_NXDOMAIN 3.0


Thanks, Gary



On 6/2/2020 12:29 PM, Eric Broch wrote:


Gary,

The stock scores for spamassassin are in /usr/share/spamassassin/*.cf.

# grep DKIM /usr/share/spamassassin/*.cf

For your local configuration you can override the scores in 
/etc/mail/spamassassin/local.cf on COS8 or 
/etc/spamassassin/local.cf on COS7. I know THAT one can manipulate 
scores to fit their needs with spamassassin, however, I have NEVER 
done it. This is me sloughing it off. ;-) The reason I like 
spamassassin DKIM verification is because it doesn't just reject bad 
DKIM which as you mentioned can have bad effects but scores it with 
other things for rejection.


If you find some configuration that suits you and your system I'd be 
willing to post it on the QMT web as a stock 'QMT' setting.


Eric

On 6/2/2020 10:11 AM, Gary Bowling wrote:



Thanks Eric. What is the config setting in local.cf to change the 
DKIM scoring? I don't find any setting in my /etc/spamassassin/ 
directories that sets that score. Is the scoring for the stock EPEL 
local.cf different from what we have? I assume not since you said 
you didn't tailor any of that in QMT.



I think that's a good move to use the stock spamassassin from EPEL.


As DKIM seems to be more pervasive these days, I might be tempted 
to increase the score in spamassassin if I can find the local.cf 
setting.



Thanks, Gary


On 6/2/2020 11:56 AM, Eric Broch wrote:


Hi Gary,

My intent, which I articulated in another email on the list and 
instead of reinventing the wheel, was exactly as you deduced in 
your email, that is, to allow spamassassin to score DKIM which it 
does; however, I have not done anything as far as a tailoring 
configuration for QMT and was content to allow users that scoring 
decision. My goal is to drop the specially created 
