On Sun, Mar 01, 2009 at 05:53:39PM -0800, Linux Advocate wrote:
> I have a basic fail2ban with tcp-wrappers & /etc/hosts.deny combo working. I couldn't get the iptables thing working properly.
>
> > You don't need shorewall, just the standard CentOS firewall works fine.
> > Just be sure to only enable iptables rules. I have rules working for
> > several things. SSH attempts, Dovecot attempts and a rule to block based
> > on my Spamhaus setup so that the same spammer doesn't keep loading up
> > sendmail with DNS queries.
>
> john, could you share your rules for the dovecot attempts?

Since no one else has stepped up... here's dovecot and vsftpd. These
worked for me, ymmv. CentOS 5 with rpmforge.

Folded, failregex should be a single line with a space between ":" and
"authentication".

/etc/fail2ban/filter.d/dovecot.conf

[Definition]
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =

/etc/fail2ban/filter.d/vsftpd.conf

[Definition]
failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =

And changes to /etc/fail2ban/jail.conf. (Note that you also want to
change the sendmail actions to use valid email addresses...)

diff --git a/jail.conf b/jail.conf index b74320f..a726947 100644 --- a/jail.conf +++ b/jail.conf @@ -113,7 +113,7 @@ bantime = 300 enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you at mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800 @@ -121,11 +121,11 @@ bantime = 1800 [vsftpd-iptables] -enabled = false +enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you at mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800 
@@ -203,3 +203,25 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 +[dovecot-notification] + +enabled = false +filter = dovecot +action = sendmail-whois[name=Dovecot, dest=you at mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800 + +# Same as above but with banning the IP address. + +[dovecot-iptables] + +enabled = true +filter = dovecot +action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp] + sendmail-whois[name=Dovecot, dest=you at mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800 +#ignoreip = 168.192.0.1 +
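Review bot: the `-logpath = /var/log/vsftpd.log` / `+logpath = /var/log/secure` change in the @@ -113 [vsftpd-notification] hunk is the right fix for this filter, since the `pam_unix(vsftpd:auth): authentication failure` lines the regex keys on are written by PAM to the authpriv log, never to vsftpd's own transfer log; it does, however, only work while vsftpd authenticates through PAM (`pam_service_name=vsftpd` in vsftpd.conf, the CentOS default), so a box using a non-PAM backend will match nothing and silently never notify. The jail stays `enabled = false`, so this hunk on its own produces no mail; that is consistent with the iptables jail below carrying its own sendmail-whois action.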
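Review bot: the @@ -121 [vsftpd-iptables] hunk flips `enabled = true` but sets no ignoreip, so with `maxretry = 5` an administrator who mistypes a password five times from a management host is locked out of tcp/21 for the full `bantime = 1800`; add an ignoreip line for trusted addresses here or once in [DEFAULT]. `port=ftp, protocol=tcp` bans only the control port, which is where the PAM failures originate, so that part is fine. Note also that both vsftpd jails now read the same logpath with the same filter; if [vsftpd-notification] is ever enabled as well, every ban will be reported twice.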
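Review bot: the `ignoreip = 168.192.0.1` context line in the @@ -203 hunk, and the commented copy `+#ignoreip = 168.192.0.1` in the new [dovecot-iptables] stanza, look like a transposed 192.168.0.1: 168.192.0.1 is not an RFC 1918 address, so as written it whitelists an unrelated public host rather than the LAN gateway. Fix the octets (or use a CIDR such as 192.168.0.0/24 if the whole LAN is meant) before uncommenting it. The `iptables-multiport[... port="pop3,pop3s,imap,imaps" ...]` action is the right choice, since a host banned on one Dovecot listener cannot simply move to another; and as with vsftpd, [dovecot-notification] and [dovecot-iptables] share logpath and filter, so keep only one of them enabled unless duplicate whois mails are wanted.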
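The two filters above can be exercised offline before they go into a jail. The following is an added example, not part of the original post and not fail2ban's own code: it takes the two failregex lines exactly as posted, approximates fail2ban 0.8's expansion of the <HOST> tag (the named group used here is an assumption about that version), runs them over a constructed sample of /var/log/secure lines, and applies the maxretry = 5 threshold from jail.conf. The sshd line and the line with an empty `user=` are included deliberately: the first must not match the dovecot filter, the second must still yield a host.

```python
import re
from collections import Counter

# failregex lines exactly as posted for /etc/fail2ban/filter.d/{dovecot,vsftpd}.conf
DOVECOT_FAILREGEX = (r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
                     r".* rhost=<HOST>(?:\s+user=\S*)?\s*$")
VSFTPD_FAILREGEX = (r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure; "
                    r".* rhost=<HOST>(?:\s+user=\S*)?\s*$")

# Assumption: fail2ban 0.8 expands <HOST> to approximately this named group
# (optional IPv4-mapped IPv6 prefix, then the host token).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def failed_hosts(lines, failregex):
    """Count authentication failures per rhost for one filter.

    fail2ban strips the syslog timestamp and then searches the remainder, so
    re.search() over the whole line finds the same hits.
    """
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Hosts at or over the jail's maxretry (findtime windowing is ignored here)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample of /var/log/secure in CentOS 5 syslog format; not real data.
DOVECOT_LINE = ("Mar  1 17:53:%02d mx dovecot-auth: pam_unix(dovecot:auth): authentication failure;"
                " logname= uid=0 euid=0 tty=dovecot ruser= rhost=%s user=%s")
VSFTPD_LINE = ("Mar  1 18:01:%02d mx vsftpd: pam_unix(vsftpd:auth): authentication failure;"
               " logname= uid=0 euid=0 tty=ftp ruser=%s rhost=%s user=%s")

SAMPLE_SECURE = (
    # five failures from one host against Dovecot: should be banned
    [DOVECOT_LINE % (39 + i, "203.0.113.7", u)
     for i, u in enumerate(["alice", "bob", "carol", "admin", "root"])]
    # one failure with an empty user= field: host must still be extracted
    + [DOVECOT_LINE % (50, "198.51.100.9", "")]
    # an sshd PAM failure from the same attacker: must NOT match the dovecot filter
    + ["Mar  1 17:55:02 mx sshd[2311]: pam_unix(sshd:auth): authentication failure;"
       " logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root"]
    # three vsftpd failures: below maxretry, so no ban
    + [VSFTPD_LINE % (10 + i, "bob", "192.0.2.44", "bob") for i in range(3)]
)


if __name__ == "__main__":
    for name, regex in (("dovecot", DOVECOT_FAILREGEX), ("vsftpd", VSFTPD_FAILREGEX)):
        counts = failed_hosts(SAMPLE_SECURE, regex)
        print(name, dict(counts), "ban:", hosts_to_ban(counts))
```

Counting alone is a simplification: a real jail only bans when maxretry failures fall inside findtime (600 seconds by default), and the whois mail is sent by the action, not the filter. The point of running the filter this way is to confirm that the posted regex extracts the right rhost and does not pick up other services' pam_unix lines from the shared /var/log/secure.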