[CentOS] Fail2Ban

Tue Mar 3 16:38:09 UTC 2009
John Lundin <lundin at fini.net>

On Sun, Mar 01, 2009 at 05:53:39PM -0800, Linux Advocate wrote:
> I have a basic fail2ban with tcp-wrappers & /etc/hosts.deny combo working. I couldn't get the iptables thing working properly.
> 
> > You don't need shorewall, just the standard CentOS firewall works fine. 
> > Just be sure to only enable iptables rules. I have rules working for 
> > several things. SSH attempts, Dovecot attempts and a rule to block based 
> > on my Spamhaus setup so that the same spammer doesn't keep loading up 
> > sendmail with DNS queries. 
> 
> John, could you share your rules for the dovecot attempts?


Since no one else has stepped up... here's dovecot and vsftpd.

These worked for me, YMMV. CentOS 5 with RPMforge. Folded, failregex
should be a single line with a space between ":" and "authentication".


/etc/fail2ban/filter.d/dovecot.conf

# Matches the PAM authentication failures that dovecot-auth logs via syslog
# (authpriv) to /var/log/secure; fail2ban replaces <HOST> with its own
# address-matching pattern. The failregex must stay on one line.
[Definition]
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex = 


/etc/fail2ban/filter.d/vsftpd.conf

# Same shape as the dovecot filter: PAM failures for the vsftpd service, which
# also land in /var/log/secure rather than in vsftpd's own transfer log.
[Definition]
failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex = 



And changes to /etc/fail2ban/jail.conf. (Note that you also want to
change the sendmail actions to use valid email addresses...)

diff --git a/jail.conf b/jail.conf
index b74320f..a726947 100644
--- a/jail.conf
+++ b/jail.conf
@@ -113,7 +113,7 @@ bantime  = 300
 enabled  = false
 filter   = vsftpd
 action   = sendmail-whois[name=VSFTPD, dest=you at mail.com]
-logpath  = /var/log/vsftpd.log
+logpath  = /var/log/secure
 maxretry = 5
 bantime  = 1800
 
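Review bot: logpath = /var/log/secure is the right change for this filter, because the vsftpd failregex matches pam_unix lines, which syslog writes to /var/log/secure on CentOS 5 and not to vsftpd's transfer log at /var/log/vsftpd.log; what the hunk does not say is that jail.conf is the packaged file, so these overrides belong in /etc/fail2ban/jail.local (read on top of jail.conf), where a package update will not replace them. The dest=you at mail.com placeholder in the sendmail-whois action also has to be replaced before this jail is ever set to enabled = true, as the prose above the diff notes.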
@@ -121,11 +121,11 @@ bantime  = 1800
 
 [vsftpd-iptables]
 
-enabled  = false
+enabled  = true
 filter   = vsftpd
 action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
            sendmail-whois[name=VSFTPD, dest=you at mail.com]
-logpath  = /var/log/vsftpd.log
+logpath  = /var/log/secure
 maxretry = 5
 bantime  = 1800
 
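Review bot: enabled = true here, paired with enabled = false on the email-only [vsftpd] jail in the previous hunk, is the correct combination; both jails read the same logpath with the same filter, so enabling both would send two whois mails per ban. Banning port=ftp alone is sufficient, since passive-mode data ports are only opened after a successful login and a host blocked on the control port never gets that far. Note that the vsftpd failregex ends in `\s*$`, so only lines where rhost= (optionally followed by user=) is the last field are counted; run fail2ban-regex against /var/log/secure and this filter once to confirm the local log format matches before relying on maxretry = 5.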
@@ -203,3 +203,25 @@ action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
 logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1
 
+[dovecot-notification]
+
+enabled  = false
+filter   = dovecot
+action   = sendmail-whois[name=Dovecot, dest=you at mail.com]
+logpath  = /var/log/secure
+maxretry = 5
+bantime  = 1800
+
+# Same as above but with banning the IP address.
+
+[dovecot-iptables]
+
+enabled  = true
+filter   = dovecot
+action   = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
+           sendmail-whois[name=Dovecot, dest=you at mail.com]
+logpath  = /var/log/secure
+maxretry = 5
+bantime  = 1800
+#ignoreip = 168.192.0.1
+
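Review bot: the address in the commented-out ignoreip line, 168.192.0.1, is the same value used live on the named jail's context line just above (ignoreip = 168.192.0.1) and is not a private address: the RFC 1918 block is 192.168.0.0/16, while 168.192.0.0/16 is public space, so this reads as a transposition of 192.168.0.1 and should be corrected wherever it is used (as a live setting it whitelists a stranger's address and fails to whitelist the LAN host it was meant for). Otherwise the pair mirrors the vsftpd jails correctly: only [dovecot-iptables] is enabled, so there is no duplicate mail, and iptables-multiport with port="pop3,pop3s,imap,imaps" covers the plain, TLS-wrapped and STARTTLS listeners in one rule. As with the earlier hunks, dest=you at mail.com has to be replaced before use.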
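Added example, not part of the original post or of fail2ban: a small Python check that applies the two failregex patterns from the filters above to a constructed /var/log/secure excerpt, the way a jail would, and counts hits per source address against maxretry. It substitutes <HOST> with a simplified `\S+` capture group (an assumption; fail2ban's real <HOST> pattern is stricter), ignores findtime, and uses documentation-range addresses, so it is a sanity check of the filters rather than a reimplementation of fail2ban.

```python
import re
from collections import Counter

# The two failregex values from the filters above, unfolded onto one line each.
FILTERS = {
    "dovecot": r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    "vsftpd":  r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
}

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: the real
# pattern is stricter; this only needs to capture the rhost= token).
HOST_PATTERN = r"(?P<host>\S+)"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def scan(lines, failregex):
    """Return the source host of every line the failregex matches.
    Like fail2ban, the expression is searched for anywhere in the line."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


def offenders(lines, failregex, maxretry):
    """Hosts whose failure count reaches maxretry (what a jail would ban).
    findtime is ignored here, so this counts over the whole excerpt."""
    counts = Counter(scan(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed /var/log/secure excerpt (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). The last two lines are deliberate
# non-matches: an sshd failure and a dovecot line that is not an auth failure.
SAMPLE_LOG = """\
Mar  3 16:38:09 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.7 user=bob
Mar  3 16:38:12 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=203.0.113.7
Mar  3 16:38:20 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=203.0.113.7 user=
Mar  3 16:39:01 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=198.51.100.9
Mar  3 16:40:00 mail sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Mar  3 16:41:00 mail dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
""".splitlines()


if __name__ == "__main__":
    for name, failregex in FILTERS.items():
        print(name, "hits:", scan(SAMPLE_LOG, failregex),
              "banned at maxretry=3:", offenders(SAMPLE_LOG, failregex, 3))
```

The three dovecot lines show the regex's optional `user=` tail doing its job (present, absent, and present but empty), while the sshd line, which also carries "authentication failure" and an rhost=, is rejected because the filter pins the service name and PAM module prefix; that prefix is what keeps each jail from banning on another service's failures in a shared log.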