Hi, I'm using the Perfect Server for CentOS 6. Recently I noticed that attempts to break into webmail have not been caught by fail2ban. I noticed my [postfix-tcpwrapper] in jail.local was not enabled. However, the logpath is /var/log/postfix.log. Does this need to be /var/log/maillog? Or is this configured someplace else? Thanks, Ray
Fail2ban blocks attackers by IP address. The IP address of all Postfix and IMAP connections of the webmail client is 127.0.0.1 (your own server); this is the case for all users that access webmail. Fail2ban cannot block IP 127.0.0.1, as this would cause a lot of services to fail, since many services use IP 127.0.0.1 (e.g. all local MySQL connections). So fail2ban cannot be used to protect webmail SMTP / IMAP connections. If your webmail client writes a separate log for failed login attempts which contains the real IP address of the attacker, then you can configure fail2ban to read that log and use it to ban outside IP addresses.
Thanks Till, but I believe this is just what is happening. I found more than 100 lines like the ones below in the secure log (/var/log/secure) for various non-existent IDs:

secure-20131124:Nov 20 09:18:30 pillhill auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=director rhost=5.199.169.184
secure-20131124:Nov 20 09:18:38 pillhill auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=director rhost=5.199.169.184

I have since created an iptables drop rule for this IP. But I would like to know if I should still create a fail2ban rule in jail.local for the secure log? Or am I overreacting? Thanks
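As an added example (not code from this thread, and not one of fail2ban's own filters), the following Python script mimics what a fail2ban jail does over /var/log/secure lines of the kind quoted above: a failregex with the `<HOST>` placeholder is expanded, matching lines are grouped per source IP, loopback is skipped the way `ignoreip = 127.0.0.1` would skip it (so webmail users' own failed logins, which all arrive from 127.0.0.1, never trigger a ban), and a host is reported for banning once maxretry failures fall inside one findtime window. The failregex, the IPv4-only `<HOST>` expansion, maxretry=5, findtime=600 and the log year 2013 are this example's assumptions, and the sample log lines are constructed, modelled on the two quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban-style failregex for the pam_unix(dovecot:auth) lines quoted from
# /var/log/secure. "<HOST>" is the placeholder fail2ban expands with its own
# host pattern; this regex is an example, not one of fail2ban's stock filters.
FAILREGEX = r"pam_unix\(dovecot:auth\): authentication failure;.* rhost=<HOST>(?:\s|$)"

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; an assumption).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Equivalent of fail2ban's ignoreip: loopback is never banned, because webmail
# logins reach Dovecot/Postfix from 127.0.0.1 and banning it breaks local services.
IGNORE_IP = {"127.0.0.1"}

MAXRETRY = 5      # assumed jail settings, not taken from the thread
FINDTIME = 600    # seconds
LOG_YEAR = 2013   # syslog timestamps carry no year; assumed from the thread date

TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s")
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed sample log, modelled on the lines quoted above (not real log data).
_L = ("pillhill auth: pam_unix(dovecot:auth): authentication failure; "
      "logname= uid=0 euid=0 tty=dovecot ruser={user} rhost={ip}")
SAMPLE_LOG = "\n".join([
    # six failures from one outside address within a minute -> ban
    "Nov 20 09:18:30 " + _L.format(user="director", ip="5.199.169.184"),
    "Nov 20 09:18:38 " + _L.format(user="director", ip="5.199.169.184"),
    "Nov 20 09:18:45 " + _L.format(user="admin", ip="5.199.169.184"),
    "Nov 20 09:18:52 " + _L.format(user="test", ip="5.199.169.184"),
    "Nov 20 09:19:01 " + _L.format(user="info", ip="5.199.169.184"),
    "Nov 20 09:19:09 " + _L.format(user="webmaster", ip="5.199.169.184"),
    # webmail users mistyping a password: all appear as 127.0.0.1 -> ignored
    "Nov 20 09:20:00 " + _L.format(user="ray", ip="127.0.0.1"),
    "Nov 20 09:20:05 " + _L.format(user="ray", ip="127.0.0.1"),
    "Nov 20 09:20:11 " + _L.format(user="ray", ip="127.0.0.1"),
    "Nov 20 09:20:16 " + _L.format(user="ray", ip="127.0.0.1"),
    "Nov 20 09:20:20 " + _L.format(user="ray", ip="127.0.0.1"),
    "Nov 20 09:20:25 " + _L.format(user="ray", ip="127.0.0.1"),
    # an unrelated line that must not match the failregex
    "Nov 20 09:21:00 pillhill sshd[2041]: Accepted publickey for ray from 203.0.113.50 port 51234 ssh2",
    # two failures only -> below maxretry
    "Nov 20 10:00:00 " + _L.format(user="bob", ip="203.0.113.7"),
    "Nov 20 10:00:30 " + _L.format(user="bob", ip="203.0.113.7"),
    # five failures spread over four hours -> never MAXRETRY inside FINDTIME
    "Nov 20 11:00:00 " + _L.format(user="alice", ip="198.51.100.9"),
    "Nov 20 12:00:00 " + _L.format(user="alice", ip="198.51.100.9"),
    "Nov 20 13:00:00 " + _L.format(user="alice", ip="198.51.100.9"),
    "Nov 20 14:00:00 " + _L.format(user="alice", ip="198.51.100.9"),
    "Nov 20 15:00:00 " + _L.format(user="alice", ip="198.51.100.9"),
])


def parse_failures(log_text):
    """Map each non-ignored source IP to the timestamps of its matching failures."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        fail_match = FAIL_RE.search(line)
        if not ts_match or not fail_match:
            continue
        host = fail_match.group("host")
        if host in IGNORE_IP:
            continue
        stamp = datetime.strptime(" ".join(ts_match.group(1).split()),
                                  "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        failures[host].append(stamp)
    return failures


def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """A host is banned once maxretry failures fall inside any findtime window."""
    banned = set()
    for host, stamps in failures.items():
        stamps = sorted(stamps)
        for i in range(maxretry - 1, len(stamps)):
            if (stamps[i] - stamps[i - maxretry + 1]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


def analyze(log_text):
    """Return (failures per host, set of hosts that would be banned)."""
    failures = parse_failures(log_text)
    return failures, hosts_to_ban(failures)


if __name__ == "__main__":
    found, banned = analyze(SAMPLE_LOG)
    for host, stamps in sorted(found.items()):
        print(f"{host}: {len(stamps)} failures, {'BAN' if host in banned else 'ok'}")
```

Run stand-alone, the script reports 5.199.169.184 for banning, leaves 203.0.113.7 and 198.51.100.9 alone, and never lists 127.0.0.1 at all. The same failregex line, with fail2ban's real `<HOST>` placeholder kept, is the shape of a filter for a jail whose logpath is /var/log/secure; before enabling such a jail, check the expression against the live file with `fail2ban-regex /var/log/secure <filter file>` and make sure 127.0.0.1 is in the jail's ignoreip, which is the point Till makes above.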