[CentOS] Fail2Ban

Wed Mar 4 06:25:52 UTC 2009
Linux Advocate <linuxhousedn at yahoo.com>

Thanks, John.



----- Original Message ----
> From: John Lundin <lundin at fini.net>

> > John, could you share your rules for the dovecot attempts?
> 
> 
> Since no one else has stepped up... here's dovecot and vsftpd.
> 
> These worked for me, ymmv. CentOS 5 with the rpmforge fail2ban package. The
> failregex lines below were folded by mail: each must be a single line with
> one space between ":" and "authentication". Also make sure the `<HOST>`
> token after `rhost=` survives copy/paste -- it is what fail2ban uses to pick
> the IP to ban, and HTML archives tend to swallow it as a tag.
> 
> 
> /etc/fail2ban/filter.d/dovecot.conf
> 
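> [Definition]
> # Matches the pam_unix failure that dovecot-auth writes to /var/log/secure.
> # <HOST> is fail2ban's placeholder for the address to ban; it has to sit where
> # the rhost= value appears, otherwise the pattern only matches an empty rhost
> # and the jail has nothing to block.  Keep the pattern on ONE line: an
> # unindented continuation line is a parse error for fail2ban's ini reader.
> failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
> # No lines are exempted from the match above.
> ignoreregex = 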
> 
> 
> /etc/fail2ban/filter.d/vsftpd.conf
> 
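> [Definition]
> # Matches the pam_unix failure logged for vsftpd (PAM service "vsftpd") in
> # /var/log/secure.  <HOST> is fail2ban's placeholder for the address to ban;
> # without it at the rhost= position the pattern only matches an empty rhost
> # and the iptables action has no address to use.  Keep the pattern on ONE
> # line: an unindented continuation line is a parse error for fail2ban's
> # ini reader.
> failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
> # No lines are exempted from the match above.
> ignoreregex = 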
> 
> 
> 
> And the changes to /etc/fail2ban/jail.conf. (Note that you also need to
> change the `dest=` address in the sendmail-whois actions to a real mailbox;
> `you at mail.com` is only a placeholder...)
> 
> diff --git a/jail.conf b/jail.conf
> index b74320f..a726947 100644
> --- a/jail.conf
> +++ b/jail.conf
> @@ -113,7 +113,7 @@ bantime  = 300
> enabled  = false
> filter   = vsftpd
> action   = sendmail-whois[name=VSFTPD, dest=you at mail.com]
> -logpath  = /var/log/vsftpd.log
> +logpath  = /var/log/secure
> maxretry = 5
> bantime  = 1800
> 
> @@ -121,11 +121,11 @@ bantime  = 1800
> 
> [vsftpd-iptables]
> 
> -enabled  = false
> +enabled  = true
> filter   = vsftpd
> action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
>             sendmail-whois[name=VSFTPD, dest=you at mail.com]
> -logpath  = /var/log/vsftpd.log
> +logpath  = /var/log/secure
> maxretry = 5
> bantime  = 1800
> 
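Review bot: Flipping `enabled = true` puts the `vsftpd` filter into production, and as that filter is printed on this page it has no `<HOST>` token after `rhost=`, so the `(?:\s+user=\S*)?\s*$` tail can only match an empty rhost and the `iptables` action would have no address to ban. That is probably an artifact of the archive rendering `<HOST>` as an HTML tag, so before relying on the jail run `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf` and confirm it reports matched hosts. Banning only `port=ftp` (21/tcp) is sufficient here because PAM authentication happens on the control channel, not the data connections. The `[vsftpd-iptables]` section begins inside this hunk and ends at the blank context line.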
> @@ -203,3 +203,25 @@ action   = iptables-multiport[name=Named, 
> port="domain,953", protocol=tcp]
> logpath  = /var/log/named/security.log
> ignoreip = 168.192.0.1
> 
> +[dovecot-notification]
> +
> +enabled  = false
> +filter   = dovecot
> +action   = sendmail-whois[name=Dovecot, dest=you at mail.com]
> +logpath  = /var/log/secure
> +maxretry = 5
> +bantime  = 1800
> +
> +# Same as above but with banning the IP address.
> +
> +[dovecot-iptables]
> +
> +enabled  = true
> +filter   = dovecot
> +action   = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", 
> protocol=tcp]
> +           sendmail-whois[name=Dovecot, dest=you at mail.com]
> +logpath  = /var/log/secure
> +maxretry = 5
> +bantime  = 1800
> +#ignoreip = 168.192.0.1
> +
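Review bot: The added `#ignoreip = 168.192.0.1` in `[dovecot-iptables]` looks like a transposition of `192.168.0.1`: 168.192.0.0/16 is publicly routable space, not RFC 1918, so uncommenting it as-is would whitelist a stranger's address rather than the local gateway (the same value is live as `ignoreip` on the `name=Named` jail in this hunk's context lines and deserves the same fix). Because this jail bans `pop3,pop3s,imap,imaps` for 1800 seconds, `ignoreip` should name the admin workstation and local ranges, e.g. `ignoreip = 127.0.0.1 192.168.0.0/24`, so a mistyped mail password on your own client cannot lock you out of mail. The jail's effectiveness also depends on the `dovecot` filter carrying a `<HOST>` token at the `rhost=` position; verify with `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf` before enabling.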
> 
> 