Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Remo Mattei
If you are using chkuser, the user not found should never get past the initial 
smtp.
Remo

> On Jun 3, 2020, at 22:34, Noriyuki Hayashi wrote:
> 
> Hi
> 
> What about below?
> 
> [Definition]
> 
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile.
> # Values: TEXT
> #
> # <HOST> is fail2ban's capture tag for the client address. The list archive
> # stripped it as an HTML tag; it is restored here after the final colon, where
> # vchkpw logs the remote IP (its position in the "..$" variants is assumed).
> failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>$
>             vchkpw-pop3: vpopmail user not found .*@:<HOST>$
>             vchkpw-pop3: vpopmail user not found .*@.*:<HOST>..$
>             vchkpw-pop3: vpopmail user not found .*@:<HOST>..$
>             vchkpw-smtp: vpopmail user not found .*@.*:<HOST>$
>             vchkpw-smtp: vpopmail user not found .*@:<HOST>$
>             vchkpw-smtp: vpopmail user not found .*@.*:<HOST>..$
>             vchkpw-smtp: vpopmail user not found .*@:<HOST>..$
>             vchkpw-submission: vpopmail user not found .*@.*:<HOST>$
>             vchkpw-submission: vpopmail user not found .*@:<HOST>$
>             vchkpw-submission: vpopmail user not found .*@.*:<HOST>..$
>             vchkpw-submission: vpopmail user not found .*@:<HOST>..$
>             vchkpw-submission: password fail (pass: '.*') .*@.*:<HOST>$
>             vchkpw-smtp: null password given [^:]*:<HOST>
>             vchkpw-submission: null password given [^:]*:<HOST>
> 
> Kind regards,
> Nori
> 
> On Wed, 3 Jun 2020 18:14:01 -0700
> r...@mattei.org wrote:
> 
>> Nice work. I will take a look and try it out. 
>> 
>>> On 3 Jun 2020, at 17:52, Gary Bowling wrote:
>>> 
>>> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf 
>>> that is included with fail2ban. That should catch attempts on imap and 
>>> pop3, but I've never had it actually trap anything. So I'm guessing there 
>>> is something not quite right about it.
>>> 
>>> If you have something there that actually works, let me know.
>>> 
>>> Seems like most of the hacking on my server is trying to find smtp relays, 
>>> so maybe it's not a problem. Manually looking through the dovecot logs I 
>>> don't see a ton of attempts there. Nothing like the maillog where there 
>>> seems to be an endless list of bots hacking away. 
>>> 
>>> Gary
>>> 
>>>> On 6/3/2020 8:37 PM, Eric Broch wrote:
>>>> Nice, easier than mine.
>>>> 
>>>> On 6/3/2020 6:27 PM, Gary Bowling wrote:
>>>>> 
>>>>> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
>>>>> 
>>>>> [INCLUDES]
>>>>> before = common.conf
>>>>> 
>>>>> # vi /etc/fail2ban/filter.d/vpopmail.conf:
>>>>> 
>>>>> [Definition]
>>>>> # <HOST> is fail2ban's capture tag for the client address; the list archive
>>>>> # stripped it as an HTML tag, so it is restored after the final colon, where
>>>>> # vchkpw logs the remote IP.
>>>>> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
>>>>>             vchkpw-submission: vpopmail user not found .*:<HOST>$
>>>>>             vchkpw-smtp: password fail .*:<HOST>$
>>>>>             vchkpw-submission: password fail .*:<HOST>$
>>>>> ignoreregex =
>>>>> 
>>>>> In my jail.local, I have the following for my vpopmail config. 
>>>>> 
>>>>> [vpopmail]
>>>>> enabled = true
>>>>> filter = vpopmail
>>>>> port    = pop3,pop3s,imap,imaps,submission,465
>>>>> logpath = /var/log/maillog
>>>>> maxretry = 4
>>>>> findtime = 86400 ; 1 day
>>>>> bantime = 10800 ; 3 hours
>>>>> 
>>>>> On 6/3/2020 7:53 PM, Eric Broch wrote:
>>>>>> can you share your vpopmail rules for fail2ban, config and regex?
>>>>>> 
>>>>>> On 6/3/2020 5:48 PM, Gary Bowling wrote:
>>>>>>> 
>>>>>>> FYI in case someone else can use this info. 
>>>>>>> 
>>>>>>> In my recent review of my server and trying to tighten up security, I 
>>>>>>> noticed that there were a number of IPs that showed up regularly in my 
>>>>>>> fail2ban firewall rules. I have a fail2ban jail for vpopmail that looks 
>>>>>>> at failed login attempts and blocks their IP addresses in iptables. 
>>>>>>> 
>>>>>>> One IP address in particular would attack my server, get banned by 
>>>>>>> fail2ban, and when the bantime was up, the same IP would start 
>>>>>>> attacking again, and the loop would continue. 
>>>>>>> 
>>>>>>> In order to try to do something about these bots, I first looked at the 
>>>>>>> "recidive" jail that is included with more recent versions of fail2ban. 
>>>>>>> 
>>>>>>> The recidive jail was created just for this problem. However, recidive 
>>>>>>> just adds an additional jail time for a repeat offender. So, for 
>>>>>>> instance, a 4 hour jail time might get increased to 1 week. But after a 
>>>>>>> week it starts over.
>>>>>>> 
>>>>>>> In searching I found this article, which describes what I think is a 
>>>>>>> better approach to the issue. 
>>>>>>> 
>>>>>>> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
>>>>>>> 
>>>>>>> This article describes how to build a series of increased jail times 
>>>>>>> for a habitual offender, eventually culminating in a year's jail time.
>>>>>>> 
>>>>>>> Thanks, Gary 
>>>>>>> 
>>>>>>> -- 
>>>>>>> 
>>>>>>> Gary Bowling
>>>>>>> The Moderns on Spotify 

Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread remo
Nice work. I will take a look and try it out. 

> On 3 Jun 2020, at 17:52, Gary Bowling wrote:
> 
> It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf that 
> is included with fail2ban. That should catch attempts on imap and pop3, but 
> I've never had it actually trap anything. So I'm guessing there is something 
> not quite right about it.
> 
> If you have something there that actually works, let me know.
> 
> Seems like most of the hacking on my server is trying to find smtp relays, so 
> maybe it's not a problem. Manually looking through the dovecot logs I don't 
> see a ton of attempts there. Nothing like the maillog where there seems to be 
> an endless list of bots hacking away. 
> 
> Gary
> 
-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

It seems to work. I'm also using the /etc/fail2ban/filter.d/dovecot.conf 
that is included with fail2ban. That should catch attempts on imap and 
pop3, but I've never had it actually trap anything. So I'm guessing there 
is something not quite right about it.

If you have something there that actually works, let me know.

Seems like most of the hacking on my server is trying to find smtp 
relays, so maybe it's not a problem. Manually looking through the dovecot 
logs I don't see a ton of attempts there. Nothing like the maillog where 
there seems to be an endless list of bots hacking away. 

Gary

> On 6/3/2020 8:37 PM, Eric Broch wrote:
> Nice, easier than mine.



Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Eric Broch

Nice, easier than mine.

> On 6/3/2020 6:27 PM, Gary Bowling wrote:
> 
> Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
> 
> [INCLUDES]
> before = common.conf
> 
> # vi /etc/fail2ban/filter.d/vpopmail.conf:
> 
> [Definition]
> # <HOST> is fail2ban's capture tag for the client address; the list archive
> # stripped it as an HTML tag, so it is restored after the final colon, where
> # vchkpw logs the remote IP.
> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
>             vchkpw-submission: vpopmail user not found .*:<HOST>$
>             vchkpw-smtp: password fail .*:<HOST>$
>             vchkpw-submission: password fail .*:<HOST>$
> ignoreregex =
> 
> In my jail.local, I have the following for my vpopmail config.
> 
> [vpopmail]
> enabled = true
> filter = vpopmail
> port    = pop3,pop3s,imap,imaps,submission,465
> logpath = /var/log/maillog
> maxretry = 4
> findtime = 86400 ; 1 day
> bantime = 10800 ; 3 hours


Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf

[INCLUDES]
before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:

[Definition]
# <HOST> is fail2ban's capture tag for the client address; the list archive
# stripped it as an HTML tag, so it is restored after the final colon, where
# vchkpw logs the remote IP.
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
            vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-smtp: password fail .*:<HOST>$
            vchkpw-submission: password fail .*:<HOST>$
ignoreregex =

In my jail.local, I have the following for my vpopmail config. 

[vpopmail]
enabled = true
filter = vpopmail
port    = pop3,pop3s,imap,imaps,submission,465
logpath = /var/log/maillog
maxretry = 4
findtime = 86400 ; 1 day
bantime = 10800 ; 3 hours

> On 6/3/2020 7:53 PM, Eric Broch wrote:
> can you share your vpopmail rules for fail2ban, config and regex?


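An added example, not code from any poster in this thread: it runs the four failregex lines of the vpopmail filter above (with fail2ban's <HOST> tag assumed after the final colon, where vchkpw logs the client IP) over constructed maillog lines, applies the jail's maxretry/findtime window, and picks an escalating bantime for a repeat offender in the spirit of the linked article. The sample log lines, the simplified <HOST> expansion and the escalation schedule are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's <HOST> tag is a named capture group for the client address (simplified stand-in).
HOST = r"(?P<host>[\w\-.]+)"
# The four failregex lines from the posted vpopmail filter; <HOST> is assumed to sit
# after the final colon, where vchkpw logs the remote IP.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST) + "$") for p in (
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>",
    r"vchkpw-smtp: password fail .*:<HOST>",
    r"vchkpw-submission: password fail .*:<HOST>",
)]

MAXRETRY, FINDTIME, BANTIME = 4, 86400, 10800  # values from the posted jail.local
# Assumed escalation schedule for repeat offenders: 3 h, 1 day, 1 week, 1 year.
ESCALATION = [BANTIME, 86400, 604800, 31536000]

# Constructed sample of /var/log/maillog lines (syslog prefix + vchkpw message); not real data.
SAMPLE_LOG = """\
Jun  3 17:40:01 mail vpopmail[1234]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.5
Jun  3 17:40:03 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'x') bob@example.com:203.0.113.5
Jun  3 17:40:05 mail vpopmail[1234]: vchkpw-submission: vpopmail user not found test@example.com:203.0.113.5
Jun  3 17:40:07 mail vpopmail[1234]: vchkpw-smtp: password fail (pass: 'y') bob@example.com:203.0.113.5
Jun  3 17:41:00 mail vpopmail[1234]: vchkpw-smtp: vpopmail user not found root@example.com:198.51.100.9
Jun  3 17:41:30 mail vpopmail[1234]: vchkpw-smtp: (PLAIN) login success bob@example.com:192.0.2.7
"""

def match_failure(line):
    """Return the client address if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        if m := rx.search(line):
            return m.group("host")

def scan(log_text, year=2020):
    """Map each client address to its failure timestamps (syslog has no year; one is assumed)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if host := match_failure(line):
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            failures[host].append(ts)
    return failures

def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Addresses with at least maxretry failures inside some findtime-second window."""
    def hit(times):
        t = sorted(times)
        return any((t[i + maxretry - 1] - t[i]).total_seconds() <= findtime
                   for i in range(len(t) - maxretry + 1))
    return [host for host, times in failures.items() if hit(times)]

def next_bantime(previous_bans, schedule=ESCALATION):
    """Ban length for an address already banned previous_bans times; stays at the top step."""
    return schedule[min(previous_bans, len(schedule) - 1)]
```

With the sample above, 203.0.113.5 hits four matches within seconds and is banned for 10800 s the first time, while 198.51.100.9 (one failure) and the successful login are left alone.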

Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Eric Broch

can you share your vpopmail rules for fail2ban, config and regex?

> On 6/3/2020 5:48 PM, Gary Bowling wrote:
> 
> FYI in case someone else can use this info.
> 
> In my recent review of my server and trying to tighten up security, I 
> noticed that there were a number of IPs that showed up regularly in my 
> fail2ban firewall rules. I have a fail2ban jail for vpopmail that 
> looks at failed login attempts and blocks their IP addresses in iptables.
> 
> One IP address in particular would attack my server, get banned by 
> fail2ban, and when the bantime was up, the same IP would start 
> attacking again, and the loop would continue.
> 
> In order to try to do something about these bots, I first looked at 
> the "recidive" jail that is included with more recent versions of 
> fail2ban.
> 
> The recidive jail was created just for this problem. However, recidive 
> just adds an additional jail time for a repeat offender. So, for 
> instance, a 4 hour jail time might get increased to 1 week. But after a 
> week it starts over.
> 
> In searching I found this article, which describes what I think is a 
> better approach to the issue.
> 
> https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
> 
> This article describes how to build a series of increased jail times 
> for a habitual offender, eventually culminating in a year's jail time.
> 
> Thanks, Gary
> 
> --
> 
> Gary Bowling
> The Moderns on Spotify 
