Toughening up

Running debian lenny ispconfig 3.0.4.6 on a VM

Trying to work out why the server each day comes under an increased load at a certain time and becomes unresponsive, I've had a look into the logs.

One common thing is it keeps getting attempts to connect via ftp, literally 100s of times. The attempts are always failed, but I think leads to the higher load.

To try and slow this a little, I've attempted to add ftp to fail2ban and all appeared to work.

I used this thread as a guide.
http://www.howtoforge.com/forums/showthread.php?t=40177

The other major attempts that keep failing are pop3 connections. To help fight these off, do I simple change the following records to true?

Code:

[postfix]

enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log

Or is there a better way to deal with these attempts?

 

Thank you. I'll work that this afternoon. Much appreciated

 

Thanks - yes - that worked with lenny.

One last thing, now i have that custom filter for fail2ban and pureftp, should i remove the following line:

Code:

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

from
/etc/fail2ban/filter.d/pure-ftpd.conf

Looking at it, the entire filter is no longer needed yes?

 

I still need to manually test it, but the log is certainly reporting that it is banning FTP attempts. 20 or so bans this morning.

Thank you.