But out of curiosity, what do you need a script for? To automate the process for the script which is run after the main CentOS installation?

iRedMail is a set of shell scripts, each script is used to install and configure component automaticly.

But out of curiosity, what do you need a script for? To automate the process for the script which is run after the main CentOS installation?

P.S.

Forgot to say, but to check that shorewall is really working you should delete everything from /etc/sysconfig/iptales. Shorewall will send it's own rules, so I put the ones to allow SSH/POP/IMAP/SMTP/HTTP in it's own config file and cleared the iptables. Take care not to lock yourself out of your own server, this can happen very fast with shorewall.

Oh, and I setup my SSHD to listen on another port than 22, you will see than in the configs (13xx).

And if you are familar with Bash shell script, you can write script directly, so that we can have it in iRedMail/iRedOS quickly.

I put the config for fail2ban to ban the IP after only 5 authentication failures, for 12 hours, no matter which is the source (ssh, sasl, postfix or roundcube). Some will find this too paranoid...

1. Get the EPEL package (epel-release-5-3.noarch.rpm) and install it for quick access to EPEL repo.

2. Install gamin-python, with dependencies (gamin itself, etc.).

3. Install shorewall from EPEL (better support for iptables then iptables command line itself).

4. Configure shorewall (enabled: yes, accept from outside only ssh/pop/smtp/imap, check the files).

5. Install fail2ban from EPEL.

6. Configure fail2ban to listen to 4 sources in 3 log files (one of which is Roundcube, but you need to patch it to work).

I will attach the config files in the zip.

What's in the zip:

/shorewall - should go in /etc/shorewall; mostly as in docs, but I added zone "loop" for loopback, ACCEPT ALL;
Allow only what's needed for incoming (LDAP is commented out cause I don't use it), everything else DROP
For outgoing, accept all.

/fail2ban - should go in /etc/fail2ban, in corresponding dirs
For the filter for postfix (from /var/log/maillog), I modifies the syntax to only ban in case of 5xx codes, *NOT* 4xx, otherwise I will accidentally ban everyone because of greylisting and other temporary errors
For SASL I modified the syntax, the original one didn't work with iRedOS.
The syntax for SSHD is the same, but I include it because I modified the Jail.
The syntax for Roundcube is made by me, but caution: it won't work without this patch to roundcube 0.3-stable.

Have fun.

Will you share you doc? so that i can easily integrate it into iRedMail/iRedOS

ZhangHuangbin, you should consider adding this to iRedOS.

Is there any way in iRedOS to block a class of IPs if too many SMTP/POP3/IMAP authentication failures from that class? I had today a lot of tries from one IP, probably to hyjack mail accounts... I saw the attacker trying all possible combinations of username, probably with a dictionary attack...

Thanks.