#1  
Old 16th July 2013, 16:43
dynamind
fail2ban not working?

I've been monitoring mail.log and, curiously, just at this moment I found

http://pastebin.com/ZgnNB953

fail2ban doesn't respond? I had to stop that with iptables drop.

Quote:
cat /etc/fail2ban/filter.d/sasl.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Quote:
cat /etc/fail2ban/jail.local
# Fail2Ban configuration file

[DEFAULT]

banaction = route

[pureftpd]

enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3


[sasl]

enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 5


[courierpop3s]

enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 5


[courierimap]

enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 5


[courierimaps]

enabled = true
port = imaps
filter = courierimaps
logpath = /var/log/mail.log
maxretry = 5
Quote:
service fail2ban status
[ ok ] Status of authentication failure monitor:[....] fail2ban is running.

bR

Last edited by dynamind; 16th July 2013 at 17:16. Reason: added more info
  #2  
Old 14th September 2013, 01:28
alexa6moon

I also had some trouble when following the instructions to install ISPConfig 3 on Debian:
18 Install fail2ban
/etc/init.d/fail2ban restart
[ ok ] Restarting authentication failure monitor: fail2ban.
I changed in
nano /etc/fail2ban/jail.local
filter = pureftpd
to
filter = pure-ftpd
but it still shows
[ ok ] Restarting authentication failure monitor: fail2ban.

Please, I need help!

Last edited by alexa6moon; 14th September 2013 at 01:33.
  #3  
Old 14th September 2013, 22:16
MaddinXx

Multiple problems here.

1. http://regexr.com?36beu -- the regex doesn't match
2. banaction = route -> is this wanted? Don't know what route does, but it's not IPTables (at least not the default)
3. The restart is fine... nothing wrong there.

You could try:

^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
  #4  
Old 15th September 2013, 12:00
scarleo

I'd say go with CSF instead; it is much more powerful than Fail2ban and really easy to set up: http://configserver.com/cp/csf.html

It's almost out of the box, very little configuration needed.
  #5  
Old 16th September 2013, 20:10
concept21

The fail2ban sasl filter works on my Ubuntu 10.04.

I have read this in other posts here. The procedure is simple.

Edit the failregex line in /etc/fail2ban/filter.d/sasl.conf as:

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

Edit /etc/fail2ban/jail.local:

[sasl]
..
logpath = /var/log/mail.warn

DONE!
This picture shows how fail2ban blocks hackers attacking from 3 different mail protocols.

Last edited by concept21; 17th September 2013 at 18:38. Reason: Add photo
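To see which of the failregex variants posted in this thread (post #1 as shipped, post #3's `^.*` prefix, post #5's shortened form) actually fire on Postfix SASL lines, here is an added Python check; it is my own code, not from any poster or from fail2ban. It expands `<HOST>` the way fail2ban 0.8 does, strips the syslog timestamp as the daemon does before matching, and runs each variant over a constructed sample of mail.log lines; the sample lines, host addresses and the maxretry of 3 are assumptions. The point it shows is that the trailing `(: [A-Za-z0-9+/]*={0,2})?$` only allows a single base64 token after "failed", so lines whose reason is several words (Postfix's "generic failure" / "authentication failure") never count toward the ban, which the shortened regex from post #5 avoids.

```python
import re
from collections import Counter

# fail2ban 0.8 replaces the <HOST> tag with this alias before compiling the regex
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex variants posted in this thread (post #1 as shipped, post #3, post #5)
FAILREGEX = {
    "post1": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    "post3": r"^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    "post5": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}

# fail2ban strips the syslog timestamp before applying failregex; this mimics that step
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")

# Constructed sample of Postfix smtpd lines as they appear in /var/log/mail.log (assumed data)
SAMPLE_LOG = [
    "Jul 16 16:40:12 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul 16 16:40:13 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: generic failure",
    "Jul 16 16:40:14 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: generic failure",
    "Jul 16 16:40:15 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: generic failure",
    "Jul 16 16:40:16 mail postfix/smtpd[2240]: warning: mail.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure",
    "Jul 16 16:40:17 mail postfix/smtpd[2240]: connect from unknown[203.0.113.5]",
]

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))

def failed_hosts(failregex, lines):
    """Hosts captured from every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        body = SYSLOG_DATE.sub("", line, count=1)
        match = pattern.search(body)
        if match:
            hosts.append(match.group("host"))
    return hosts

def ban_candidates(failregex, lines, maxretry):
    """Hosts that reached maxretry matches, i.e. what the jail would ban."""
    counts = Counter(failed_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, regex in FAILREGEX.items():
        print(name, failed_hosts(regex, SAMPLE_LOG), ban_candidates(regex, SAMPLE_LOG, 3))
```

With this sample the post #1 and post #3 regexes see only the single base64 line from 192.0.2.10 and never reach maxretry, while the post #5 regex counts all four of its failures and would ban it.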
  #6  
Old 18th September 2013, 12:50
SamTzu

According to their home page CSF may require rewriting some regex rules on Debian. I don't like that at all.