Fail2ban – Prevent Postfix Brute Force

Installation

# apt-get install fail2ban

To limit memory usage, add to /etc/default/fail2ban:

+ulimit -s 256

Configuration
Local config file
Create a local config file /etc/fail2ban/jail.local to override settings in jail.conf:

SSH
To ban authentication via SSH after 3 failed attempts add the following to /etc/fail2ban/jail.local:

[ssh]
enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
maxretry  = 3

Restart:

# /etc/init.d/fail2ban restart

Postfix and Dovecot
To ban authentication to Postfix and Dovecot after 3 failed attempts add the following to /etc/fail2ban/jail.local:

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry  = 3

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry  = 3

[sasl]
enabled   = true
port      = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter    = sasl
logpath   = /var/log/mail.log
maxretry  = 3

Fail2ban (Debian Squeeze) isn’t shipped with a configuration for Dovecot, so create /etc/fail2ban/filter.d/dovecot.conf:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.*
ignoreregex =

Restart fail2ban:

# /etc/init.d/fail2ban restart

Apache
To ban IPs after 3 failed login attempts add the following to /etc/fail2ban/jail.local:

[apache]
enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s