custom fail2ban jails for extending perfect server

Discussion in 'Installation/Configuration' started by progressed36, Mar 1, 2019.

  1. progressed36

    progressed36 Member

    Hi There,

    I used the Perfect Server install from this site, but I feel that the 3 jails provided are just not enough any more. I'm hoping to get a lively thread here solving multiple attack possibilities that we can prevent with custom jails.

    maillog:
    Code:
    postfix/smtps/smtpd[32258]: warning: unknown[185.222.209.71]: SASL PLAIN authentication failed:
    I'm leaving the IP for everyone to see as this IP is a known attacker.

    jail.local
    Code:
    [pure-ftpd]
    enabled  = true
    port     = ftp
    filter   = pure-ftpd
    logpath  = /var/log/syslog
    maxretry = 3
    
    [dovecot]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    
    [postfix]
    enabled  = true
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 3
    
    [sasl]
    enabled  = true
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 3
    findtime = 3200
    bantime  = 6400
    
    postfix-sasl.conf (get it from github)
    Code:
    cd /etc/fail2ban/filter.d/
    wget https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/postfix-sasl.conf
    
    fail2ban-client status sasl
    Code:
    fail2ban-client status sasl
    
    Status for the jail: sasl
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     50
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 2
       |- Total banned:     3
       `- Banned IP list:   141.98.80.15 185.222.209.78
    
     
    Last edited: Mar 5, 2019
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which means that fail2ban is working fine and there is no issue with the jails. The issue must be that the ban method is not working then on your server so that fail2ban is banning successfully but the underlying ban method (normally iptables) is not really blocking the IP.
     
  3. progressed36

    progressed36 Member

    I changed my post to a working answer. No more SASL authentication errors in my maillog. Banned is banned for 6400 seconds. My guess is that the repeating offenders will stop it soon enough!
     
  4. progressed36

    progressed36 Member

    I've been adding some longterm jails to stop repeating offenders. The longterm finds repeaters within 3 days (15 tries) and bans them for a week for the SASL logins and SSH.

    Code:
    [dovecot]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    
    [postfix]
    enabled  = true
    port     = smtp,submission,smtps,smtpd
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 3
    
    [sasl]
    enabled  = true
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 3
    findtime = 3200
    bantime  = 6400
    
    [sshlongterm]
    port      = ssh
    logpath   = %(sshd_log)s
    banaction = iptables-multiport
    maxretry  = 15
    findtime  = 259200
    bantime   = 608400
    enabled   = true
    filter    = sshd
    
    [sasllongterm]
    enabled  = true
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry  = 15
    findtime  = 259200
    bantime   = 608400
    
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How does the longterm ban work? Seems it is possible to have two filters for same service.
     
  6. progressed36

    progressed36 Member

    Sure thing, it works. See below my SSH (normal) and SSH (longterm). It reads the same values except the bantime and findtime are different.
    Code:
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 6
    |  |- Total failed:     2271
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 3
       |- Total banned:     235
       `- Banned IP list:   165.16.54.228 81.74.229.246 79.188.46.110
    
    Code:
    Status for the jail: sshlongterm
    |- Filter
    |  |- Currently failed: 441
    |  |- Total failed:     2271
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 3
       |- Total banned:     3
       `- Banned IP list:   138.68.57.194 37.221.194.126 67.205.135.65
    The only thing I'm going to delete is the shortterm sasl jail find/bantime and let it revert to standard settings (600 seconds ban, I believe) as I think these will interfere with the longterm sasl jail.
     
    Last edited: Mar 10, 2019
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What happens when at time
    T : IP short term banned for 10 minutes
    T+5 minutes: IP long term banned for a week
    T+10 minutes: Short term ban runs out and IP is unbanned
    Then the long time ban is cut short, after only 5 minutes.
     
  8. progressed36

    progressed36 Member

    Different jail that only uses the same regex. Unbanning is per jail, not per protocol.
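    The point made in this reply (and the jail.local posted earlier in the thread: a short [sasl] jail and a [sasllongterm] jail reading the same /var/log/mail.log with the same postfix-sasl filter) can be checked with a small model of how fail2ban counts failures and bans per jail. The following is an added example, not fail2ban's code and not the poster's configuration; the failregex is a simplified approximation of the upstream postfix-sasl filter, the log lines are constructed, the IP 203.0.113.7 is a documentation address, and the maxretry/findtime/bantime values are taken from the thread's jail.local. Each jail keeps its own sliding findtime window and its own ban table, so when the short jail's 6400-second ban lapses, the long jail's entry is untouched.

```python
"""Two independent fail2ban-style jails fed the same postfix SASL log lines.
Added example (not fail2ban code, not the forum poster's code): a findtime
sliding window per host plus a per-jail ban table with its own expiry."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified approximation of fail2ban's postfix-sasl failregex (assumption,
# not the upstream filter text). The address inside [...] is captured as <host>.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?:\S+/)?smtpd\[\d+\]: warning: \S+\[(?P<host>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)
LOG_YEAR = 2019                    # syslog stamps carry no year; assumed
EPOCH = datetime(LOG_YEAR, 1, 1)   # reference point; only differences matter


def syslog_to_seconds(stamp):
    """'Mar 10 00:00:20' -> whole seconds since EPOCH."""
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return int((dt - EPOCH).total_seconds())


def parse_sasl_failure(line):
    """Return (seconds, host) for a SASL failure line, else None."""
    m = SASL_FAIL_RE.match(line)
    return (syslog_to_seconds(m.group("ts")), m.group("host")) if m else None


class Jail:
    def __init__(self, name, maxretry, findtime, bantime):
        self.name, self.maxretry = name, maxretry
        self.findtime, self.bantime = findtime, bantime
        self.failures = defaultdict(deque)  # host -> failure times in window
        self.bans = {}                       # host -> unban time (this jail only)
        self.total_banned = 0

    def _expire(self, now):
        # Unbanning is per jail: only this jail's own table is modified.
        for host in [h for h, until in self.bans.items() if until <= now]:
            del self.bans[host]

    def observe(self, host, ts):
        """Feed one failure; return True if this jail bans the host now."""
        self._expire(ts)
        if host in self.bans:
            return False
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = ts + self.bantime
            self.total_banned += 1
            window.clear()
            return True
        return False

    def banned(self, now):
        self._expire(now)
        return sorted(self.bans)


def run_jails(lines, jails):
    """Feed every matching line to every jail; return (jail, host, ts) ban events."""
    events = []
    for line in lines:
        parsed = parse_sasl_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        events += [(j.name, host, ts) for j in jails if j.observe(host, ts)]
    return events


def make_jails():
    # Values from the thread's jail.local: [sasl] and [sasllongterm].
    return [Jail("sasl", maxretry=3, findtime=3200, bantime=6400),
            Jail("sasllongterm", maxretry=15, findtime=259200, bantime=608400)]


def constructed_log(host="203.0.113.7"):
    """Constructed mail.log excerpt: 5 bursts of 3 failures, 6500 s apart, so
    each burst arrives just after the previous 6400 s short-term ban lapses."""
    base = datetime(LOG_YEAR, 3, 10, 0, 0, 0)
    lines = [base.strftime("%b %d %H:%M:%S")
             + f" mail postfix/smtps/smtpd[1234]: connect from unknown[{host}]"]  # no match
    for burst in range(5):
        for i in range(3):
            t = base + timedelta(seconds=burst * 6500 + i * 10)
            lines.append(t.strftime("%b %d %H:%M:%S")
                         + f" mail postfix/smtps/smtpd[1234]: warning: unknown[{host}]: "
                           "SASL PLAIN authentication failed:")
    return lines


def demo():
    jails = make_jails()
    events = run_jails(constructed_log(), jails)
    # 6500 s after the last burst: short-term ban lapsed, long-term ban still active.
    later = {j.name: j.banned(events[-1][2] + 6500) for j in jails}
    return events, later, {j.name: j.total_banned for j in jails}


if __name__ == "__main__":
    events, later, totals = demo()
    for name, host, ts in events:
        print(f"{name:13s} bans {host} at t={ts}")
    print("still banned 6500 s after the last burst:", later)
    print("total bans per jail:", totals)
```

Running it shows five short-term bans of the same host and one long-term ban on its 15th failure, and afterwards the host is absent from the short jail but still present in the long jail, which is what "unbanning is per jail" means in practice (each iptables-multiport jail manages its own chain).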
     
  9. progressed36

    progressed36 Member

    I'm running it now for a few weeks and these are my results for the last 7 days:

    Code:
    Status for the jail: sasllongterm
    |- Filter
    |  |- Currently failed: 906
    |  |- Total failed:     2261
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 19
       |- Total banned:     28
       `- Banned IP list:   185.222.209.210 51.255.86.223 185.234.219.100 27.74.241.212 185.234.219.52 185.234.219.57 185.234.219.67 185.234.219.51 185.234.219.60 141.98.80.27 185.234.216.138 185.234.218.239 185.234.219.56 141.98.10.35 185.211.245.170 185.234.219.69 185.234.219.58 185.234.218.176 185.211.245.198
    
    Code:
    Status for the jail: sshlongterm
    |- Filter
    |  |- Currently failed: 966
    |  |- Total failed:     39676
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 186
       |- Total banned:     487
       `- Banned IP list:   202.100.168.16 145.239.8.185 128.199.152.186 223.111.139.244 119.28.50.163 104.248.174.126 203.95.212.41 14.45.233.239 87.16.14.109 118.107.233.29 122.226.181.165 54.38.185.87 118.89.232.60 104.248.242.125 218.15.205.69 139.59.96.172 27.150.169.127 182.61.164.210 91.189.176.230 118.89.225.208 202.51.110.214 181.215.132.4 186.103.173.226 128.199.145.205 178.128.201.224 177.131.121.50 118.32.193.109 36.89.56.175 222.127.49.228 123.207.139.64 120.52.120.166 200.60.60.84 111.230.110.87 111.231.83.112 41.87.72.102 219.117.230.166 115.42.121.221 139.199.181.192 36.156.24.98 83.15.183.138 36.156.24.97 118.122.124.78 103.40.29.135 177.71.74.230 202.124.185.66 189.45.37.254 218.92.0.179 120.132.30.116 111.231.144.219 193.112.213.48 188.11.67.165 103.44.132.44 178.62.239.228 175.182.227.144 177.74.144.198 222.174.55.2 125.215.207.40 187.16.96.35 106.12.205.132 123.136.161.147 139.59.41.6 190.144.69.178 111.230.100.191 58.242.82.13 117.187.12.126 118.89.60.84 139.59.105.141 178.128.98.86 123.59.96.215 165.227.177.239 61.76.173.244 73.53.95.248 5.39.77.167 82.227.139.213 219.78.217.119 122.199.152.114 117.48.212.113 140.143.230.161 121.201.78.33 157.230.244.236 118.24.122.36 187.4.98.235 103.245.181.2 79.61.51.195 178.128.85.48 115.47.160.32 14.51.7.4 60.54.119.170 117.218.54.161 206.189.216.56 118.185.32.18 104.248.112.131 157.230.241.147 134.196.160.15 190.147.178.100 121.31.56.58 149.202.148.185 139.199.100.110 103.108.144.134 139.59.94.192 180.182.47.132 118.25.97.93 46.218.116.106 24.193.136.142 37.59.116.10 117.218.78.97 193.32.163.66 106.12.212.192 118.25.8.128 118.24.112.191 59.120.243.8 142.93.232.144 179.184.217.83 128.199.229.67 94.76.179.235 148.66.132.232 82.232.212.62 203.147.79.174 129.204.10.180 115.95.178.170 51.75.202.58 122.167.83.4 36.156.24.95 36.156.24.96 128.199.212.120 172.81.238.222 202.43.144.66 115.159.25.60 132.232.23.12 132.145.34.91 92.151.18.191 112.85.42.229 180.250.205.114 103.248.83.76 180.76.150.87 122.165.207.151 
178.128.202.35 121.8.142.250 116.213.196.231 58.87.92.159 101.89.150.214 223.111.139.247 96.78.175.37 51.255.174.215 201.235.19.122 123.30.174.85 118.24.99.163 61.93.201.198 159.65.4.64 178.62.245.107 159.89.205.213 52.234.134.187 123.206.88.24 189.58.98.21 66.70.130.144 107.170.105.164 210.54.37.139 119.28.1.219 82.80.140.33 119.146.148.46 58.144.150.233 159.89.54.241 168.227.99.10 54.38.192.96 194.243.6.150 106.12.203.32 80.25.123.28 128.199.102.157 43.241.234.126 51.38.239.192 202.29.70.42 114.34.30.113 118.89.155.117 106.12.210.229 106.12.38.109 159.89.12.81 103.47.81.216 110.185.103.79 182.61.54.63 142.93.213.218 212.51.151.159 104.248.169.18 140.143.151.93 175.139.183.57 192.241.175.250 76.201.57.187
    
    There you go. As you can see it works, and nicely too! Imagine when the longterm ban would not have been in place. My shortterm would be a lot busier!
     
  10. progressed36

    progressed36 Member

    And here is my sshd normal:
    Code:
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 3
    |  |- Total failed:     39676
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 3
       |- Total banned:     4724
       `- Banned IP list:   189.90.255.173 95.242.177.213 80.37.231.233
    
     
