Re: [qmailtoaster] iMAP under fire on my server
Hi,
Follow up.. I should have mentioned that you can edit fail2ban.conf to save info to a log file by editing the conf file and set

logtarget = /var/log/fail2ban.log
loglevel = 3

best wishes
Tony White

On 17/10/19 6:43 pm, ChandranManikandan wrote:

Hi Friends,
I am also facing the same problem and I had running IPtables and fail2ban, but still issue was there.
Can I run csf also on top of that.
Am running centos 6 servers.
Appreciate your help.

On Sun, Oct 13, 2019 at 10:12 PM Tony White wrote:

Hi,
Correct again but it seems the regex is at fault. The regex generates no results for courierlogin nor couriersmtp.
Trying to build a regex for these but it is not my first language...

best wishes
Tony White

On 14/10/19 12:19 am, Solo wrote:

Hi Tony.

What log do You expect entries in ? fail2ban.log ?

Make sure the regex in the filter.d/*.conf file You use matches the entries in the log file(s) it monitors

A good idea is to test the *.conf file using :
fail2ban-regex "path to the log to monitor" "path to the fail2ban filter"

like : fail2ban-regex /var/log/qmail/submission/current /etc/fail2ban/filter.d/submission.conf

Hope this helps

Cheers
Finn

On 13-10-2019 at 14:07, Tony White wrote:

Hi,
Well I have enabled the two in the filter.d directory you mentioned restarted/reloaded fail2ban and no change. Still no entries in the log file.

best wishes
Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] iMAP under fire on my server
Hi,
got it working finally...

If you have already got fail2ban running then try these settings. They finally stopped my issues after 13 hours and blocking hundreds of unique ip's.

This is a variation on a set of files I found by searching on the web. I would attribute them if I knew who wrote them.

Edit fail2ban's jail.local in the /etc/fail2ban directory. Insert this exactly.

[qmail-vpopmail-imap-pw-fail]
enabled = true
filter = qmail-vpopmail-imap-pw-fail
action = iptables-multiport[name=IMAP, port="143,585,993", protocol=tcp]
logpath = /var/log/qmail/imap4/current
maxretry = 1
bantime = 864000
findtime = 3600

create a file called qmail-vpopmail-imap-pw-fail.conf and insert this text

# Fail2Ban configuration file
#
[Definition]
#Looks for failed logins into IMAP
# <HOST> is the tag fail2ban replaces with its client-address pattern
failregex = ^.* INFO\: LOGIN FAILED, user\=.*\, ip\=\[<HOST>\]
ignoreregex =

After editing restart fail2ban or reboot, up to you. Then tail the imap log to see the logins slow down over the next few hours.

If you need more please contact me off list. I also have changes to the pop3 run file to record the login details.

Hope this helps.

best wishes
Tony White
http://acrosstechnology.com.au

On 17/10/19 6:43 pm, ChandranManikandan wrote:

Hi Friends,
I am also facing the same problem and I had running IPtables and fail2ban, but still issue was there.
Can I run csf also on top of that.
Am running centos 6 servers.
Appreciate your help.

On Sun, Oct 13, 2019 at 10:12 PM Tony White wrote:

Hi,
Correct again but it seems the regex is at fault. The regex generates no results for courierlogin nor couriersmtp.
Trying to build a regex for these but it is not my first language...

best wishes
Tony White

On 14/10/19 12:19 am, Solo wrote:

Hi Tony.

What log do You expect entries in ? fail2ban.log ?

Make sure the regex in the filter.d/*.conf file You use matches the entries in the log file(s) it monitors

A good idea is to test the *.conf file using :
fail2ban-regex "path to the log to monitor" "path to the fail2ban filter"

like : fail2ban-regex /var/log/qmail/submission/current /etc/fail2ban/filter.d/submission.conf

Hope this helps

Cheers
Finn

On 13-10-2019 at 14:07, Tony White wrote:

Hi,
Well I have enabled the two in the filter.d directory you mentioned restarted/reloaded fail2ban and no change. Still no entries in the log file.

best wishes
Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.
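The check Finn suggests, run offline, as an added example that is not part of the original posts: it applies the filter's failregex (with fail2ban's `<HOST>` tag inside `ip=[...]`) to constructed log lines and lists which addresses reach `maxretry` within `findtime`. The log layout, the simplified `<HOST>` pattern and all function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# failregex from the filter, with fail2ban's <HOST> tag inside ip=[...].
FAILREGEX = r"^.* INFO\: LOGIN FAILED, user\=.*\, ip\=\[<HOST>\]"
# Simplified stand-in for fail2ban's <HOST> expansion (assumption): optional
# IPv4-mapped prefix, then a dotted IPv4 address captured as "host".
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# multilog TAI64N label: '@', 16 hex digits of seconds, 8 of nanoseconds.
TAI64N = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8} ")

# Constructed log lines (documentation addresses, made-up users); the layout
# is an assumption about what /var/log/qmail/imap4/current contains.
SAMPLE_LOG = """\
@400000005da2f0a100000000 INFO: LOGIN FAILED, user=info@example.com, ip=[::ffff:192.0.2.10]
@400000005da2f0a600000000 INFO: LOGIN FAILED, user=sales@example.com, ip=[::ffff:192.0.2.10]
@400000005da2f0dd00000000 INFO: LOGIN FAILED, user=admin@example.com, ip=[::ffff:198.51.100.7]
@400000005da2f0e200000000 INFO: LOGIN FAILED, user=test@example.com, ip=[::ffff:198.51.100.7]
@400000005da2f0e900000000 INFO: LOGIN, user=tony@example.com, ip=[::ffff:203.0.113.5], protocol=IMAP
@400000005da2f0f000000000 INFO: LOGIN FAILED, user=tony@example.com, ip=[::ffff:203.0.113.5]
@400000005da30cc100000000 INFO: LOGIN FAILED, user=tony@example.com, ip=[::ffff:203.0.113.5]
@400000005da30cc500000000 INFO: Connection, ip=[::ffff:203.0.113.9]
"""


def compile_filter(failregex):
    """Compile a failregex after expanding <HOST>; refuse one without it."""
    if "<HOST>" not in failregex:
        raise ValueError("no <HOST> tag: nothing to ban")
    return re.compile(failregex.replace("<HOST>", HOST))


def failures(log_text, failregex=FAILREGEX):
    """Return [(seconds, ip)] for each line the filter matches."""
    pattern = compile_filter(failregex)
    hits = []
    for line in log_text.splitlines():
        stamp, hit = TAI64N.match(line), pattern.search(line)
        if stamp and hit:
            hits.append((int(stamp.group(1), 16) - 2**62, hit.group("host")))
    return hits


def banned(log_text, maxretry=1, findtime=3600):
    """Addresses reaching maxretry failures within findtime seconds."""
    recent, out = defaultdict(list), []
    for when, ip in failures(log_text):
        recent[ip] = [t for t in recent[ip] if when - t < findtime] + [when]
        if len(recent[ip]) >= maxretry and ip not in out:
            out.append(ip)
    return out


if __name__ == "__main__":
    for retry in (1, 2, 3):
        print(f"maxretry={retry}: {banned(SAMPLE_LOG, maxretry=retry)}")
```

With `maxretry = 1` a single mistyped password from a legitimate client matches as well, so known-good addresses belong in the jail's `ignoreip`.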
Re: [qmailtoaster] iMAP under fire on my server
Hi Friends,
I am also facing the same problem and I had running IPtables and fail2ban, but still issue was there.
Can I run csf also on top of that.
Am running centos 6 servers.
Appreciate your help.

On Sun, Oct 13, 2019 at 10:12 PM Tony White wrote:

> Hi,
> Correct again but it seems the regex is at fault.
> The regex generates no results for courierlogin
> nor couriersmtp.
> Trying to build a regex for these but it is not my first
> language...
>
> best wishes
> Tony White
>
> On 14/10/19 12:19 am, Solo wrote:
> > Hi Tony.
> >
> > What log do You expect entries in ? fail2ban.log ?
> >
> > Make sure the regex in the filter.d/*.conf file You use matches the
> > entries in the log file(s) it monitors
> >
> > A good idea is to test the *.conf file using :
> > fail2ban-regex "path to the log to monitor" "path to the fail2ban filter"
> >
> > like : fail2ban-regex /var/log/qmail/submission/current /etc/fail2ban/filter.d/submission.conf
> >
> > Hope this helps
> >
> > Cheers
> > Finn
> >
> > On 13-10-2019 at 14:07, Tony White wrote:
> >> Hi,
> >> Well I have enabled the two in the filter.d directory you mentioned
> >> restarted/reloaded fail2ban and no change. Still no entries in the
> >> log file.
> >>
> >> best wishes
> >> Tony White
> >>
> >> On 13/10/19 7:36 pm, Solo wrote:
> >>
> >>> Hi Tony.
> >>>
> >>> Have You tried fail2ban ?
> >>>
> >>> Cheers
> >>> Finn
> >>>
> >>> On 13-10-2019 at 05:01, Tony White wrote:
> >>>> Hi folks,
> >>>> Sorry to disturb but I have been trying to fix this for two days now.
> >>>>
> >>>> My iMap server is methodically (brute force) attacked over many many ips.
> >>>> I have written scripts to auto block the ips but they only try twice
> >>>> for two different names then use a different ip!.
> >>>>
> >>>> Has anyone encountered this before and did you find a resolution for it?
> >>>>
> >>>> Can I add an entry in the run script for a LOGIN FAILED to block the ip
> >>>> first time it connects?
> >>>>
> >>>> TIA :)
> >>>>
> >>>> FYI the email addresses are not even remotely valid but it is frustrating.

--
*Regards, Manikandan.C*
Re: [qmailtoaster] iMAP under fire on my server
Hi,
Correct again but it seems the regex is at fault. The regex generates no results for courierlogin nor couriersmtp.
Trying to build a regex for these but it is not my first language...

best wishes
Tony White

On 14/10/19 12:19 am, Solo wrote:

Hi Tony.

What log do You expect entries in ? fail2ban.log ?

Make sure the regex in the filter.d/*.conf file You use matches the entries in the log file(s) it monitors

A good idea is to test the *.conf file using :
fail2ban-regex "path to the log to monitor" "path to the fail2ban filter"

like : fail2ban-regex /var/log/qmail/submission/current /etc/fail2ban/filter.d/submission.conf

Hope this helps

Cheers
Finn

On 13-10-2019 at 14:07, Tony White wrote:

Hi,
Well I have enabled the two in the filter.d directory you mentioned restarted/reloaded fail2ban and no change. Still no entries in the log file.

best wishes
Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.
Re: [qmailtoaster] iMAP under fire on my server
Hi Tony.

What log do You expect entries in ? fail2ban.log ?

Make sure the regex in the filter.d/*.conf file You use matches the entries in the log file(s) it monitors

A good idea is to test the *.conf file using :
fail2ban-regex "path to the log to monitor" "path to the fail2ban filter"

like : fail2ban-regex /var/log/qmail/submission/current /etc/fail2ban/filter.d/submission.conf

Hope this helps

Cheers
Finn

On 13-10-2019 at 14:07, Tony White wrote:

Hi,
Well I have enabled the two in the filter.d directory you mentioned restarted/reloaded fail2ban and no change. Still no entries in the log file.

best wishes
Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.
Re: [qmailtoaster] iMAP under fire on my server
Hi all,
FYI I have just disabled courier for now.

best wishes
Tony White

On 13/10/19 11:07 pm, Tony White wrote:

Hi,
Well I have enabled the two in the filter.d directory you mentioned restarted/reloaded fail2ban and no change. Still no entries in the log file.

best wishes
Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.
Re: [qmailtoaster] iMAP under fire on my server
Hi,
Well I have enabled the two in the filter.d directory you mentioned restarted/reloaded fail2ban and no change. Still no entries in the log file.

best wishes
Tony White

On 13/10/19 7:36 pm, Solo wrote:

Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.
Re: [qmailtoaster] iMAP under fire on my server
Hi Tony.

Have You tried fail2ban ?

Cheers
Finn

On 13-10-2019 at 05:01, Tony White wrote:

Hi folks,
Sorry to disturb but I have been trying to fix this for two days now.

My iMap server is methodically (brute force) attacked over many many ips.
I have written scripts to auto block the ips but they only try twice for two different names then use a different ip!.

Has anyone encountered this before and did you find a resolution for it?

Can I add an entry in the run script for a LOGIN FAILED to block the ip first time it connects?

TIA :)

FYI the email addresses are not even remotely valid but it is frustrating.
Re: [qmailtoaster] iMAP under fire on my server
Try using csf.
https://download.configserver.com/csf/install.txt

You can also install webmin to manage csf

--
Best Regards
Muhammad Tahnan Al Anas

On Sun, Oct 13, 2019 at 9:01 AM Tony White wrote:

> Hi folks,
> Sorry to disturb but I have been trying to fix this for two days now.
>
> My iMap server is methodically (brute force) attacked over many many ips.
> I have written scripts to auto block the ips but they only try twice for
> two different names then use a different ip!.
>
> Has anyone encountered this before and did you find a resolution for it?
>
> Can I add an entry in the run script for a LOGIN FAILED to block the ip
> first time it connects?
>
> TIA :)
>
> FYI the email addresses are not even remotely valid but it is frustrating.
>
> --
> best wishes
> Tony White