On Sun, Mar 01, 2009 at 05:53:39PM -0800, Linux Advocate wrote:
I have a basic fail2ban with tcp-wrappers & /etc/hosts.deny combo working. I couldn't get the iptables thing working properly.
You don't need shorewall, just the standard CentOS firewall works fine. Just be sure to only enable iptables rules. I have rules working for several things. SSH attempts, Dovecot attempts and a rule to block based on my Spamhaus setup so that the same spammer doesn't keep loading up sendmail with DNS queries.
John, could you share your rules for the Dovecot attempts?
Since no one else has stepped up... here's dovecot and vsftpd.
These worked for me, ymmv. Centos 5 with rpmforge. Folded, failregex should be a single line with a space between ":" and "authentication".
/etc/fail2ban/filter.d/dovecot.conf
[Definition]
# The parentheses in pam_unix(dovecot:auth) are literal log text and must be escaped;
# unescaped they form a regex group and the line never matches.
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
/etc/fail2ban/filter.d/vsftpd.conf
[Definition]
# Same escaping as for Dovecot: pam_unix(vsftpd:auth) is literal text in the log line.
failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
And changes to /etc/fail2ban/jail.conf. (Note that you also want to change the sendmail actions to use valid email addresses...)
diff --git a/jail.conf b/jail.conf index b74320f..a726947 100644 --- a/jail.conf +++ b/jail.conf @@ -113,7 +113,7 @@ bantime = 300 enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800
@@ -121,11 +121,11 @@ bantime = 1800
[vsftpd-iptables]
-enabled = false +enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800
@@ -203,3 +203,25 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1
+[dovecot-notification] + +enabled = false +filter = dovecot +action = sendmail-whois[name=Dovecot, dest=you@mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800 + +# Same as above but with banning the IP address. + +[dovecot-iptables] + +enabled = true +filter = dovecot +action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp] + sendmail-whois[name=Dovecot, dest=you@mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800 +#ignoreip = 168.192.0.1 +
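Review bot: in the `@@ -121,11 +121,11 @@` hunk, flipping `[vsftpd-iptables]` to `enabled = true` while it shares `filter = vsftpd` and `logpath = /var/log/secure` with the `[vsftpd]` stanza above means both jails would count the same PAM lines and each send a `sendmail-whois` mail if the notification-only jail were ever enabled too; keep exactly one of the two enabled. The `dest=you@mail.com` placeholder in this hunk still needs a real address before the jail goes live, as the message above already notes.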
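Review bot: in the last hunk, `ignoreip = 168.192.0.1` (unchanged context under the named stanza, and repeated as the commented `#ignoreip = 168.192.0.1` in the new `[dovecot-iptables]` stanza) looks like a transposition of 192.168.0.1: 168.192.0.1 is a routable public address, not an RFC 1918 one, so it would not exempt a LAN host from banning. Since `ignoreip` stays commented out in `[dovecot-iptables]`, an admin mistyping an IMAP password from the local network five times is banned for 1800 s like anyone else; uncomment it with the intended private address if that is not wanted.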
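To see what the two filters above actually match, here is an added example (not code from the thread or from fail2ban) that substitutes the <HOST> tag, runs the failregex lines over constructed /var/log/secure lines, and reports which rhosts would hit the jail's maxretry = 5. The HOST_TAG pattern, the sample log lines and the function names are assumptions of this example; fail2ban's real <HOST> expansion is more elaborate.

```python
import re
from collections import defaultdict

# Stand-in for fail2ban's <HOST> expansion (assumption: simplified to a plain
# IPv4/hostname group rather than fail2ban's own internal pattern).
HOST_TAG = r"(?P<host>[\w\-.]+)"

# failregex values of the dovecot.conf and vsftpd.conf filters from the thread,
# with the pam_unix(...) parentheses escaped so they match the log text literally.
FAILREGEX = {
    "dovecot": r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    "vsftpd": r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
}
MAXRETRY = 5  # same threshold as the jail.conf stanzas in the thread

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by substituting <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def count_failures(lines, filters=FAILREGEX):
    """Return {jail: {rhost: failures}} for every line a filter matches."""
    compiled = {name: compile_failregex(rx) for name, rx in filters.items()}
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for name, rx in compiled.items():
            # fail2ban strips the timestamp first; searching the whole line is equivalent here.
            m = rx.search(line)
            if m:
                counts[name][m.group("host")] += 1
    return {name: dict(hosts) for name, hosts in counts.items()}

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Per jail, the rhosts whose failure count reached maxretry (ban candidates)."""
    return {name: sorted(h for h, n in hosts.items() if n >= maxretry)
            for name, hosts in count_failures(lines).items()}

# Constructed sample lines in CentOS 5 /var/log/secure format (not real data): five Dovecot
# and one vsftpd failure from 203.0.113.7, one Dovecot failure from 198.51.100.2, one sshd line.
SAMPLE_LOG = [
    f"Mar  1 17:53:{39 + i:02d} mail dovecot-auth: pam_unix(dovecot:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.7 user=bob"
    for i in range(5)
] + [
    "Mar  1 17:54:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=198.51.100.2",
    "Mar  1 17:54:10 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=203.0.113.7 user=ftpuser",
    "Mar  1 17:55:00 mail sshd[1234]: Failed password for root from 203.0.113.7 port 40022 ssh2",
]
```

Running hosts_to_ban(SAMPLE_LOG) reports 203.0.113.7 for the dovecot jail only: its single vsftpd failure and the sshd line do not count towards either filter, which is the per-jail behaviour the jail.conf stanzas above configure.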