  #1  
Old 20th December 2009, 18:32
taittinger_hi taittinger_hi is offline
fail2ban filter for Kerio Mailserver

Has anyone made a fail2ban filter configuration to block random attempts on POP3 (and SMTP) for kerio mailserver?

Fail2ban would be great to block these attempts in the kerio warning log:

Code:
[20/Dec/2009 16:35:59] POP3: User user<_at_>example doesn't exist. Attempt from IP address XXX.XXX.XX.XX
and

Code:
[22/Nov/2009 00:05:01] POP3: Invalid password for user user<_at_>example. Attempt from IP address XXX.XXX.XX.XX

Fail2ban works great with the standard filters included in the package, but I can't find a working config for kerio unfortunately ...

Anyone managed to write a working filter config for fail2ban?

Help would be really appreciated!

Thanks,

Tom.
  #2  
Old 21st December 2009, 14:35
falko falko is offline

You can try this as a regular expression for the filter:

Code:
failregex = POP3: Invalid password for user *. Attempt from IP address \[.*:<HOST>\]
  #3  
Old 22nd December 2009, 00:34
taittinger_hi taittinger_hi is offline

Thanks for your suggestion Falko,

But something is still not working, when I test the expression with fail2ban-regex, I get:

---

login$ fail2ban-regex "POP3: User blabla@example.com doesn't exist. Attempt from IP address 10.0.0.233" "POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]"

Running tests
=============

Use regex line : POP3: User *. doesn't exist. Attempt from IP addre...
Use single line: POP3: User blabla@example.com doesn't exist. Atte...


Results
=======

Failregex
|- Regular expressions:
| [1] POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

---

I don't see why it returns no matches?!

Any ideas?

Thanks!
  #4  
Old 22nd December 2009, 16:50
falko falko is offline

Maybe you need to remove the dot after the asterisk:
Code:
failregex = POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]
  #5  
Old 23rd December 2009, 00:24
taittinger_hi taittinger_hi is offline

I tried this, but still no matches ...

This is the query:

user# fail2ban-regex "POP3: Invalid password for user user@example.com. Attempt from IP address 10.0.0.31" "POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]"

This is the result:

Running tests
=============

Use regex line : POP3: Invalid password for user * Attempt from IP ...
Use single line: POP3: Invalid password for user user@example.com. ...


Results
=======

Failregex
|- Regular expressions:
| [1] POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Why, why, why

Thanks for any new insights!

Tom
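
Why both expressions tested above report 0 matches, as an added example that is not part of the original thread: in a Python regular expression ` *` means "zero or more spaces" rather than a wildcard, and `\[.*:<HOST>\]` requires literal brackets and a colon that the quoted Kerio lines do not contain. The `HOST` expansion is a simplified stand-in for fail2ban's own, the sample lines are constructed, and the corrected patterns assume the log format quoted in post #1.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion varies by version, but it is likewise a named "host" group).
HOST = r"(?P<host>[\w\-.]+)"

def find_host(failregex, line):
    """Expand <HOST>, run an unanchored search, return the host or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

# Constructed sample lines in the format quoted in post #1.
LINES = [
    "[20/Dec/2009 16:35:59] POP3: User blabla@example.com doesn't exist. "
    "Attempt from IP address 10.0.0.233",
    "[22/Nov/2009 00:05:01] POP3: Invalid password for user user@example.com. "
    "Attempt from IP address 10.0.0.31",
]

# Patterns exactly as tested in posts #3 and #5.
THREAD = [
    r"POP3: User *. doesn't exist. Attempt from IP address \[.*:<HOST>\]",
    r"POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]",
]

# Corrected patterns (added here): \S+ consumes the user name, literal dots
# are escaped, the brackets are gone, and $ pins <HOST> to the end of the line.
FIXED = [
    r"POP3: User \S+ doesn't exist\. Attempt from IP address <HOST>\s*$",
    r"POP3: Invalid password for user \S+\. Attempt from IP address <HOST>\s*$",
]

def hosts(patterns):
    """For each sample line, the first host any pattern extracts (or None)."""
    out = []
    for line in LINES:
        found = [find_host(p, line) for p in patterns]
        out.append(next((h for h in found if h), None))
    return out

if __name__ == "__main__":
    print("thread patterns:", hosts(THREAD))
    print("fixed patterns: ", hosts(FIXED))
```

The trailing `$` matters for a ban filter: the user name is supplied by the remote client, so the address must be taken from the end of the line and never from text inside the user field.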