Addition/Harden.iRedMail.with.Fail2ban
From iRedMail
(Difference between revisions)
(→Configure Fail2ban) |
(→Configure Fail2ban) |
||
| Line 47: | Line 47: | ||
= Configure Fail2ban = | = Configure Fail2ban = | ||
| - | We will configure | + | We will configure Fail2ban to protect 4 services: ssh, smtp, pop3/imap and webmail. |
Fail2ban ships filter for sshd service, so we just need to create 3 new filter files. Filter file defines regular expressions to find which IP addresses we should ban. | Fail2ban ships filter for sshd service, so we just need to create 3 new filter files. Filter file defines regular expressions to find which IP addresses we should ban. | ||
Revision as of 12:04, 7 April 2011
Contents |
Summary
Fail2ban scans log files like /var/log/maillog or /var/log/auth.log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
We can use Fail2ban to ban IP addresses which who want to crack your mail accounts.
Install Fail2ban
- On RHEL/CentOS, you can install fail2ban with iRedMail yum repository, it's enabled by default.
| Terminal: |
# yum install fail2ban |
- On Debian/Ubuntu, you can install fail2ban with official repository:
| Terminal: |
# apt-get install fail2ban |
- On openSUSE, you can install fail2ban with iRedMail repository, it's enabled by default.
| Terminal: |
# zypper install fail2ban |
- On FreeBSD, you can install fail2ban with ports tree:
| Terminal: |
# cd /usr/ports/security/py-fail2ban # make install clean |
On Linux:
- major configure files of Fail2ban are:
- /etc/fail2ban/fail2ban.conf
- /etc/fail2ban/jail.conf
- /etc/fail2ban/filter.d/*.conf
- Fail2ban will read user custom config file "/etc/fail2ban/jail.local" by default, it's highly recommended to create this file and write all your settings in this file, so that you can easily upgrade Fail2ban without change config files.
On FreeBSD:
- major configure files of Fail2ban are:
- /usr/local/etc/fail2ban/fail2ban.conf
- /usr/local/etc/fail2ban/jail.conf
- /usr/local/etc/fail2ban/filter.d/*.conf
- Fail2ban will read user custom config file "/usr/local/etc/fail2ban/jail.local" by default, it's highly recommended to create this file and write all your settings in this file, so that you can easily upgrade Fail2ban without change config files.
Configure Fail2ban
We will configure Fail2ban to protect 4 services: ssh, smtp, pop3/imap and webmail.
Fail2ban ships filter for sshd service, so we just need to create 3 new filter files. Filter file defines regular expressions to find which IP addresses we should ban.
- /etc/fail2ban/filter.d/roundcube.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/roundncube.iredmail.conf (FreeBSD):
| File: /etc/fail2ban/filter.d/roundcube.iredmail.conf |
[Definition] failregex = roundcube: (.*) Error: Login failed for (.*) from <HOST>\. ignoreregex = |
- /etc/fail2ban/filter.d/dovecot.iredmail.conf' (Linux) or /usr/local/etc/fail2ban/filter.d/dovecot.iredmail.conf (FreeBSD):
| File: /etc/fail2ban/filter.d/dovecot.iredmail.conf |
[Definition] failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex = |
- /etc/fail2ban/filter.d/postfix.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/postfix.iredmail.conf (FreeBSD):
| File: /etc/fail2ban/filter.d/postfix.iredmail.conf |
[Definition]
#failregex = reject: RCPT from (.*)\[<HOST>\]: 554
failregex = \[<HOST>\]: SASL PLAIN authentication failed
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
# reject: RCPT from (.*)\[<HOST>\]: [45][05][0-4]
ignoreregex =
|
