[CentOS] Fail2Ban
Linux Advocate
linuxhousedn at yahoo.com
Wed Mar 4 06:25:52 UTC 2009
thanx john
----- Original Message ----
> From: John Lundin <lundin at fini.net>
> > john, could u share your rules for the dovecot attempts?
>
>
> Since no one else has stepped up... here's dovecot and vsftpd.
>
> These worked for me, ymmv. CentOS 5 with rpmforge. The failregex lines below are
> folded by the mailer; each should be a single line with a space between ":" and "authentication".
>
>
> /etc/fail2ban/filter.d/dovecot.conf
>
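> [Definition]
> # Matches pam_unix authentication failures logged by dovecot-auth.
> # The whole regex is one line (folded only by the mailer).
> # NOTE(review): fail2ban needs a <HOST> group in failregex to know which address
> # to ban; the archived copy shows "rhost=" with nothing after it, so the tag was
> # most likely dropped in rendering -- confirm against the original file.
> failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
> # Empty: no matched lines are exempted.
> ignoreregex =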
>
>
> /etc/fail2ban/filter.d/vsftpd.conf
>
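> [Definition]
> # Matches pam_unix authentication failures logged by vsftpd (PAM service "vsftpd").
> # The whole regex is one line (folded only by the mailer).
> # NOTE(review): fail2ban needs a <HOST> group in failregex to know which address
> # to ban; the archived copy shows "rhost=" with nothing after it, so the tag was
> # most likely dropped in rendering -- confirm against the original file.
> failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
> # Empty: no matched lines are exempted.
> ignoreregex =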
>
>
>
> And changes to /etc/fail2ban/jail.conf. (Note that you also want to
> change the sendmail actions to use valid email addresses...)
>
> diff --git a/jail.conf b/jail.conf
> index b74320f..a726947 100644
> --- a/jail.conf
> +++ b/jail.conf
> @@ -113,7 +113,7 @@ bantime = 300
> enabled = false
> filter = vsftpd
> action = sendmail-whois[name=VSFTPD, dest=you at mail.com]
> -logpath = /var/log/vsftpd.log
> +logpath = /var/log/secure
> maxretry = 5
> bantime = 1800
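Review bot: Pointing `logpath` at /var/log/secure only works because the vsftpd filter quoted above matches pam_unix lines, so this jail silently does nothing if vsftpd is not authenticating through PAM; the same applies to the identical change in the `[vsftpd-iptables]` hunk below. A one-line comment above the key would save the next reader from checking: `# PAM failures from vsftpd land in /var/log/secure (filter keys on pam_unix)`. The jail's section header is outside this hunk.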
>
> @@ -121,11 +121,11 @@ bantime = 1800
>
> [vsftpd-iptables]
>
> -enabled = false
> +enabled = true
> filter = vsftpd
> action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
> sendmail-whois[name=VSFTPD, dest=you at mail.com]
> -logpath = /var/log/vsftpd.log
> +logpath = /var/log/secure
> maxretry = 5
> bantime = 1800
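Review bot: With `enabled = true` this jail now goes live, and the second action line `sendmail-whois[name=VSFTPD, dest=you at mail.com]` appears at column 0 in the quoted hunk; jail.conf is read by a configparser-style reader, so a second action must be an indented continuation of `action =`, otherwise it is parsed as a separate key and only the iptables action runs. The indent may simply have been lost in the mail (the dovecot hunk below does show one), so worth confirming the real file reads `action = iptables[name=VSFTPD, port=ftp, protocol=tcp]` followed by an indented `          sendmail-whois[name=VSFTPD, dest=you at mail.com]`.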
>
> @@ -203,3 +203,25 @@ action = iptables-multiport[name=Named,
> port="domain,953", protocol=tcp]
> logpath = /var/log/named/security.log
> ignoreip = 168.192.0.1
>
> +[dovecot-notification]
> +
> +enabled = false
> +filter = dovecot
> +action = sendmail-whois[name=Dovecot, dest=you at mail.com]
> +logpath = /var/log/secure
> +maxretry = 5
> +bantime = 1800
> +
> +# Same as above but with banning the IP address.
> +
> +[dovecot-iptables]
> +
> +enabled = true
> +filter = dovecot
> +action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps",
> protocol=tcp]
> + sendmail-whois[name=Dovecot, dest=you at mail.com]
> +logpath = /var/log/secure
> +maxretry = 5
> +bantime = 1800
> +#ignoreip = 168.192.0.1
> +
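Review bot: The `action` value for `[dovecot-iptables]` is split with `protocol=tcp]` starting a new unindented line, which a configparser-style reader will take as a stray key rather than the rest of the bracketed action; it should be one line, `action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]`, with the `sendmail-whois[...]` line kept as an indented continuation. This may be mailer folding, as with the failregex above, but the real file should be checked. Separately, the commented `#ignoreip = 168.192.0.1` (also present as a live value in the named jail's context lines) looks like a transposition of 192.168.0.1: as written it is a public address, not the private one presumably meant, and since ignoreip exempts an address from banning it is worth correcting before anyone uncomments it.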
>
>