[CentOS] Fail2Ban
John Lundin
lundin at fini.net
Tue Mar 3 16:38:09 UTC 2009
On Sun, Mar 01, 2009 at 05:53:39PM -0800, Linux Advocate wrote:
> I have a basic fail2ban with tcp-wrappers & /etc/hosts.deny combo working. I couldn't get the iptables thing working properly.
>
> > You don't need shorewall, just the standard CentOS firewall works fine.
> > Just be sure to only enable iptables rules. I have rules working for
> > several things. SSH attempts, Dovecot attempts and a rule to block based
> > on my Spamhaus setup so that the same spammer doesn't keep loading up
> > sendmail with DNS queries.
>
> John, could you share your rules for the dovecot attempts?
Since no one else has stepped up... here's dovecot and vsftpd.
These worked for me, ymmv. CentOS 5 with rpmforge. Folded, failregex
should be a single line with a space between ":" and "authentication".
/etc/fail2ban/filter.d/dovecot.conf
[Definition]
failregex = dovecot-auth: pam_unix\(dovecot:auth\):
authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
/etc/fail2ban/filter.d/vsftpd.conf
[Definition]
failregex = vsftpd: pam_unix\(vsftpd:auth\):
authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
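As an added example (not part of the post), here is a small Python check of the two failregex values above against constructed /var/log/secure lines, which also shows why the jail's logpath has to point at the PAM log rather than the daemon log. The HOST_TAG expansion and the secure_line helper are assumptions of this example, and findtime is not modelled.

```python
import re
from collections import Counter

# The two failregex values from the filter.d files above, joined into the
# single line the post says they must be (a space between ":" and
# "authentication").
DOVECOT_FAILREGEX = (r"dovecot-auth: pam_unix\(dovecot:auth\):"
                     r" authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$")
VSFTPD_FAILREGEX = (r"vsftpd: pam_unix\(vsftpd:auth\):"
                    r" authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$")

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion. The real
# tag expands to a more elaborate pattern, but it too yields a 'host' group.
HOST_TAG = r"(?P<host>\S+)"

def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the filter's regex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def failed_hosts(failregex, lines):
    """rhost of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]

def hosts_to_ban(failregex, lines, maxretry=5):
    """Hosts reaching maxretry matches. findtime is ignored here; fail2ban
    would additionally require the failures to fall inside that window."""
    counts = Counter(failed_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)

def secure_line(prog, pam_service, rhost, user=None):
    """Constructed /var/log/secure line in CentOS 5 syslog/pam_unix format."""
    tail = f" user={user}" if user is not None else ""
    return (f"Mar  3 16:21:07 mail {prog}: pam_unix({pam_service}:auth): "
            f"authentication failure; logname= uid=0 euid=0 tty={pam_service} "
            f"ruser= rhost={rhost}{tail}")

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_SECURE_LOG = (
    [secure_line("dovecot-auth", "dovecot", "203.0.113.45", "alice")] * 4
    + [secure_line("dovecot-auth", "dovecot", "203.0.113.45")]      # no user= field
    + [secure_line("vsftpd", "vsftpd", "198.51.100.7", "bob")]
    + [secure_line("sshd[1234]", "sshd", "203.0.113.45", "root")]  # other service
    + [secure_line("dovecot-auth", "dovecot", "192.0.2.9", "carol")]
)
```

Running `hosts_to_ban(DOVECOT_FAILREGEX, SAMPLE_SECURE_LOG)` yields only 203.0.113.45: the sshd failure from the same address does not count towards the dovecot jail, and the single vsftpd failure stays below maxretry.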
And changes to /etc/fail2ban/jail.conf. (Note that you also want to
change the sendmail actions to use valid email addresses...)
diff --git a/jail.conf b/jail.conf
index b74320f..a726947 100644
--- a/jail.conf
+++ b/jail.conf
@@ -113,7 +113,7 @@ bantime = 300
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you at mail.com]
-logpath = /var/log/vsftpd.log
+logpath = /var/log/secure
maxretry = 5
bantime = 1800
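Review bot: the logpath change to /var/log/secure is required for this filter, not optional: the vsftpd failregex matches pam_unix messages, which syslog writes to /var/log/secure on CentOS, so with the old /var/log/vsftpd.log path the jail would never see a hit. The section header for this jail is outside the hunk, so anyone applying the change by hand should confirm it lands in the vsftpd notification jail (the one whose only action is sendmail-whois). `dest=you at mail.com` is a placeholder and must become a real address with an actual `@` (the archive renders it as ` at `).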
@@ -121,11 +121,11 @@ bantime = 1800
[vsftpd-iptables]
-enabled = false
+enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=you at mail.com]
-logpath = /var/log/vsftpd.log
+logpath = /var/log/secure
maxretry = 5
bantime = 1800
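Review bot: the `sendmail-whois[name=VSFTPD, dest=you at mail.com]` line is a continuation of `action =` and needs leading whitespace so fail2ban's INI parser folds it into the action value instead of reading it as a new key; the archive has stripped that indentation, so re-indent it when copying this hunk. Enabling this jail with the same /var/log/secure logpath as the notification jail above is consistent, since both filters match the pam_unix line, but the `dest=` placeholder has to be fixed before `enabled = true` takes effect or every ban will also generate a bounce.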
@@ -203,3 +203,25 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
+[dovecot-notification]
+
+enabled = false
+filter = dovecot
+action = sendmail-whois[name=Dovecot, dest=you at mail.com]
+logpath = /var/log/secure
+maxretry = 5
+bantime = 1800
+
+# Same as above but with banning the IP address.
+
+[dovecot-iptables]
+
+enabled = true
+filter = dovecot
+action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
+ sendmail-whois[name=Dovecot, dest=you at mail.com]
+logpath = /var/log/secure
+maxretry = 5
+bantime = 1800
+#ignoreip = 168.192.0.1
+
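Review bot: `ignoreip = 168.192.0.1` in the context line looks like a transposed 192.168.x.x address; 168.192.0.0/16 is not RFC 1918 space, so as written it whitelists a public address and gives the intended LAN host no protection. The same value is carried over as the commented-out `#ignoreip` in [dovecot-iptables]; with it commented out, five mistyped mailbox passwords from the admin's own workstation will ban that workstation on pop3, pop3s, imap and imaps for 30 minutes, so set a correct ignoreip before enabling. As in the vsftpd hunk, the `sendmail-whois[...]` continuation line under `action =` must keep its leading whitespace.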