I've been monitoring the mail.log and, curiously, just now I found this: http://pastebin.com/ZgnNB953 Fail2ban doesn't respond? I had to stop it with an iptables DROP. BR
I also have some trouble following the instructions for installing ISPConfig 3 on Debian 18. Install fail2ban:
/etc/init.d/fail2ban restart
[ ok ] Restarting authentication failure monitor: fail2ban.
I changed filter = pureftpd to filter = pure-ftpd in nano /etc/fail2ban/jail.local, but it still shows:
[ ok ] Restarting authentication failure monitor: fail2ban.
Please, I need help!
Multiple problems here.
1. http://regexr.com?36beu -- the regex doesn't match.
2. banaction = route -> is this wanted? Don't know what route does, but it's not IPTables (at least not the default).
3. The restart is fine... nothing wrong there. You could try:
^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
I'd say go with CSF instead, it is much more powerful than Fail2ban and really easy to set up: http://configserver.com/cp/csf.html It works almost out of the box, very little configuration needed.
The fail2ban sasl filter works on my Ubuntu 10.04. I have read this in other posts here. The procedure is simple. Edit the failregex line in /etc/fail2ban/filter.d/sasl.conf as:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
Edit /etc/fail2ban/jail.local:
[sasl]
..
logpath = /var/log/mail.warn
DONE! This picture shows how fail2ban blocks hackers attacking from 3 different mail protocols.
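To check a candidate failregex before loading it into a jail (the regex from the earlier reply and the sasl.conf line above), here is an added, self-contained script that is not part of this thread or of fail2ban itself. It emulates the jail's matching and counting on constructed Postfix log lines; the <HOST> expansion is a simplified assumption, not fail2ban's exact internal group.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix mail.log/mail.warn format (not real traffic).
SAMPLE_LOG = """\
Mar  3 12:00:01 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 12:00:02 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed
Mar  3 12:00:03 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL login authentication failed
Mar  3 12:00:04 mail postfix/smtpd[12346]: warning: relay.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed
Mar  3 12:00:05 mail postfix/smtpd[12346]: connect from unknown[192.0.2.9]
Mar  3 12:00:06 mail postfix/smtpd[12346]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed
"""

# failregex as given in the thread (optional trailing base64 group balanced).
FAILREGEX = (r"(?i)warning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r"(: [A-Za-z0-9+/]*={0,2})?$")

# fail2ban expands the <HOST> tag into a named capturing group before compiling;
# this group is a simplified stand-in for that expansion (assumption).
HOST_GROUP = r"(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand <HOST> and compile; raises re.error for a malformed regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def regex_compiles(failregex):
    """True if the filter would load, False if the regex is malformed."""
    try:
        compile_failregex(failregex)
        return True
    except re.error:
        return False


def failed_auth_host(line, pattern=compile_failregex(FAILREGEX)):
    """Return the client address of a failed SASL login, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry=3):
    """Emulate the jail: count failregex hits per host, report those >= maxretry."""
    hits = Counter(h for h in map(failed_auth_host, lines) if h)
    return {host for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))  # {'203.0.113.45'}
```

On a real host the same check is done with fail2ban's own tool, e.g. fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/sasl.conf, which reports how many lines the filter matched.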
According to their home page, CSF may require rewriting some regex rules on Debian. I don't like that at all.