Fail2ban recipes
Fail2Ban can monitor your system log files for brute-force attacks on your services. Rules can be set so that, for example, 10 failed login attempts over SSH result in SSH traffic from the offending client being dropped by the local firewall. See the fail2ban web site for some good docs.
Postfix Authentication
Filter
[Definition]
failregex = postfix/smtpd\[.+\]: warning: [a-zA-Z0-9\.]+\[<HOST>\]: SASL .+ authentication failed: authentication failure
ignoreregex =
Jails
If your SMTP/IMAP/POP services share the same authentication back end, you should also block those services (pop3, pop3s, imap, imaps) from these jails.
[postfix-sasl-auth-tcp]
enabled = true
filter = postfix-sasl-auth
action = iptables-multiport[name=PostfixSaslAuthTcp, port="smtp,smtps,submission", protocol=tcp]
         sendmail-whois[name=PostfixSaslAuth, dest=postmaster@example.com]
logpath = /var/log/maillog
[postfix-sasl-auth-udp]
enabled = true
filter = postfix-sasl-auth
action = iptables-multiport[name=PostfixSaslAuthUdp, port="smtp,smtps,submission", protocol=udp]
         sendmail-whois[name=PostfixSaslAuth, dest=postmaster@example.com]
logpath = /var/log/maillog
Horde
If you aren't using built-in user accounts (e.g. you're authenticating against your email server or LDAP), then don't forget to add ignore rules to their jails. That is, always allow your Horde server to fail authentication against your LDAP or email server.
Filter
[Definition]
failregex = HORDE \[error\] \[.+\] FAILED LOGIN <HOST> to .*
ignoreregex =
Jails
[horde-tcp]
enabled = true
filter = horde-auth
action = iptables-multiport[name=HordeTcp, port="http,https", protocol=tcp]
logpath = /var/log/horde/horde.log
maxretry = 30
[horde-udp]
enabled = true
filter = horde-auth
action = iptables-multiport[name=HordeUdp, port="http,https", protocol=udp]
logpath = /var/log/horde/horde.log
maxretry = 30
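To check that the Postfix and Horde failregex patterns above actually match the log lines they are meant to catch before enabling the jails, here is an added Python example (not part of the original recipes and not fail2ban's own code) that expands the <HOST> placeholder with an assumed, simplified host group, counts failures per client over constructed sample log lines, and applies a maxretry threshold the way a jail would.

```python
import re

# Simplified stand-in for fail2ban's own <HOST> expansion (an assumption, not
# copied from fail2ban): a named group that accepts IPv4 and IPv6 literals.
HOST_GROUP = r"(?P<host>[0-9a-fA-F.:]+)"

# The failregex patterns from the Postfix and Horde recipes, verbatim.
FAILREGEX = {
    "postfix-sasl-auth": r"postfix/smtpd\[.+\]: warning: [a-zA-Z0-9\.]+\[<HOST>\]: "
                         r"SASL .+ authentication failed: authentication failure",
    "horde-auth": r"HORDE \[error\] \[.+\] FAILED LOGIN <HOST> to .*",
}

# Constructed sample log lines, not taken from any real server.
MAILLOG = [
    "Jan  5 10:00:01 mx postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Jan  5 10:00:02 mx postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Jan  5 10:00:03 mx postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Jan  5 10:00:04 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
    "Jan  5 10:00:05 mx postfix/smtpd[2222]: warning: mail-relay.example.net[203.0.113.5]: SASL PLAIN authentication failed: authentication failure",
]
HORDE_LOG = [
    "Jan  5 10:00:01 HORDE [error] [imp] FAILED LOGIN 198.51.100.7 to imp.example.com",
    "Jan  5 10:00:02 HORDE [error] [imp] FAILED LOGIN 198.51.100.7 to imp.example.com",
    "Jan  5 10:00:03 HORDE [error] [imp] FAILED LOGIN 198.51.100.8 to imp.example.com",
    "Jan  5 10:00:04 HORDE [info] [imp] Login success for alice to imp.example.com",
]

def compile_failregex(filter_name):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(FAILREGEX[filter_name].replace("<HOST>", HOST_GROUP))

def count_failures(filter_name, lines):
    """Return {host: number of lines matching the filter's failregex}."""
    rx = compile_failregex(filter_name)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts

def offenders(filter_name, lines, maxretry):
    """Hosts a jail with this maxretry would ban: those reaching the threshold."""
    return {h: c for h, c in count_failures(filter_name, lines).items() if c >= maxretry}

if __name__ == "__main__":
    print(count_failures("postfix-sasl-auth", MAILLOG))    # {'192.0.2.10': 3}
    print(offenders("horde-auth", HORDE_LOG, maxretry=30))  # {} (threshold not reached)
```

Note that the Postfix pattern's [a-zA-Z0-9\.]+ does not allow hyphens, so a failure logged under a client hostname such as mail-relay.example.net is not counted; the last MAILLOG line shows this.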
Apache Virtual Hosts
Just like the default Apache jail that ships with fail2ban, but with the log settings tweaked to suit the typical virtual-host layout on a Linux server.
Jails
[apache-tcp]
enabled = true
filter = apache-auth
action = iptables-multiport[name=ApacheTcp, port="http,https", protocol=tcp]
logpath = /var/log/httpd/error_log
          /var/www/vhosts/*/logs/error_log
          /var/www/vhosts/*/statistics/logs/error_log
maxretry = 20
[apache-udp]
enabled = true
filter = apache-auth
action = iptables-multiport[name=ApacheUdp, port="http,https", protocol=udp]
logpath = /var/log/httpd/error_log
          /var/www/vhosts/*/logs/error_log
          /var/www/vhosts/*/statistics/logs/error_log
maxretry = 20
