Fail2ban for dovecot and postfix
Fail2ban configuration example for dovecot (POP3/IMAP) and postfix (SMTP).
This example uses CentOS 5.x, which logs security events to /var/log/secure and mail-related events to /var/log/maillog.
The daemons used are dovecot for POP3/IMAP and postfix for SMTP.
It assumes you already have fail2ban installed and running, and iptables as well, since the actions below ban via iptables.
First, add the following jails to /etc/fail2ban/jail.conf:
[sasl-iptables]
enabled = true
# filter names must match the file names created under filter.d below;
# "filter = sasl" would silently pick the stock sasl.conf instead
filter = dovecot-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=admin@ourdomain.com]
logpath = /var/log/maillog
bantime = 36000
maxretry = 2

[dovecot-secure]
enabled = true
filter = dovecot-secure
action = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Dovecot-Secure, dest=admin@ourdomain.com]
logpath = /var/log/secure
maxretry = 2
findtime = 600
bantime = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[dovecot-maillog]
enabled = true
filter = dovecot-maillog
action = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Dovecot-Maillog, dest=admin@ourdomain.com]
logpath = /var/log/maillog
maxretry = 2
findtime = 600
bantime = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[postfix]
enabled = true
filter = dovecot-postfix
action = iptables-multiport[name=postfix, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Postfix, dest=admin@ourdomain.com]
logpath = /var/log/maillog
maxretry = 2
findtime = 600
bantime = 36000
ignoreip = 192.168.0.0/16 127.0.0.1
You also have to create the corresponding filter files under /etc/fail2ban/filter.d:
dovecot-maillog.conf
[Definition]
# To test this filter against the live log:
#   /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-maillog.conf
# Several patterns must be given as one multi-line value (continuation lines
# indented); repeating "failregex =" would make the last one override the others.
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
# a normal logout also says "Disconnected", so it must not count as a failure
ignoreregex = (?: Disconnected: Logged out).*
dovecot-secure.conf
[Definition]
# To test this filter against the live log:
#   /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-secure.conf
failregex = (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =
dovecot-sasl.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
# the three patterns form one multi-line value; separate "failregex =" keys would override each other
failregex = \[<HOST>\]: SASL login authentication failed
            \[<HOST>\]: SASL PLAIN authentication failed: authentication failure
            \[<HOST>\]: SASL LOGIN authentication failed: authentication failure

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
dovecot-postfix.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = reject: RCPT from (.*)\[<HOST>\]: 554
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Restart the fail2ban service and you are good to go :)
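Before restarting, it is worth checking that the dovecot-maillog filter and the [dovecot-maillog] jail settings above behave as intended. The following Python script is an added example, not part of the original post or of fail2ban itself: it replays constructed maillog lines (not real server output, year assumed to be 2016) through the same failregex/ignoreregex patterns and the same findtime, maxretry and ignoreip values, and reports which hosts would be banned. It also shows why the ignoreregex matters: a "Disconnected: Logged out" line contains "Disconnected" and a rip= field, so without it a normal logout would count as a failure.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex / ignoreregex copied verbatim from the dovecot-maillog filter above.
FAILREGEX = [
    re.compile(r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"),
    re.compile(r"pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)"),
]
IGNOREREGEX = [re.compile(r"(?: Disconnected: Logged out).*")]
MAXRETRY, FINDTIME = 2, 600  # from the [dovecot-maillog] jail above
IGNOREIP = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "127.0.0.1")]

# Constructed sample /var/log/maillog lines (not real server output); syslog carries no year.
SAMPLE_LOG = """\
Mar 23 10:00:01 mail dovecot: imap-login: Disconnected: Logged out: user=<alice>, rip=203.0.113.5, lip=10.0.0.2
Mar 23 10:00:05 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.2
Mar 23 10:03:05 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.2
Mar 23 10:04:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.168.1.7, lip=10.0.0.2
Mar 23 10:05:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<x>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.2
Mar 23 10:06:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=carol rhost=203.0.113.5
Mar 23 11:00:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<y>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.2
"""

def offending_host(line):
    """Host a line is charged to, or None. As in fail2ban, ignoreregex wins over failregex."""
    if any(r.search(line) for r in IGNOREREGEX):
        return None
    for r in FAILREGEX:
        m = r.search(line)
        if m:
            return m.group("host")
    return None

def in_ignoreip(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in IGNOREIP)
    except ValueError:  # a hostname rather than an address
        return False

def hosts_to_ban(log=SAMPLE_LOG, year=2016):
    """Hosts with >= MAXRETRY matches inside some FINDTIME-second window, minus ignoreip."""
    hits = defaultdict(list)
    for line in log.splitlines():
        host = offending_host(line)
        if host and not in_ignoreip(host):
            hits[host].append(datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))
    window = timedelta(seconds=FINDTIME)
    return sorted(h for h, ts in hits.items()
                  if any(sum(1 for u in ts if t - window <= u <= t) >= MAXRETRY for t in ts))
```

With the sample above only 198.51.100.9 is banned: 192.168.1.7 is whitelisted, 203.0.113.77's two failures are 55 minutes apart (outside findtime), and 203.0.113.5's logout line is discarded by the ignoreregex, leaving it one short of maxretry.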
- Posted by Michael Cossenas · March 23, 2016