#1  
Old 19th January 2013, 18:05
Toucan Toucan is offline
Senior Member
  
Join Date: Dec 2009
Posts: 464
Thanks: 76
Thanked 35 Times in 29 Posts
Default Toughening up
Running debian lenny ispconfig 3.0.4.6 on a VM

Trying to work out why the server each day comes under an increased load at a certain time and becomes unresponsive, I've had a look into the logs.

One common thing is it keeps getting attempts to connect via ftp, literally 100s of times. The attempts are always failed, but I think leads to the higher load.

To try and slow this a little, I've attempted to add ftp to fail2ban and all appeared to work.

I used this thread as a guide.
http://www.howtoforge.com/forums/showthread.php?t=40177

The other major attempts that keep failing are pop3 connections. To help fight these off, do I simple change the following records to true?

Code:
[postfix]

enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
Or is there a better way to deal with these attempts?
Reply With Quote
Sponsored Links
  #2  
Old 21st January 2013, 10:16
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,181 Times in 3,200 Posts
Default
The Perfect server guide for debian squeeze has a improved fail2ban setup when compared to the lenny guide, I expect that the squeeze setup should work for lenny as well:

http://www.howtoforge.com/perfect-se...ispconfig-3-p5
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 21st January 2013, 11:21
Toucan Toucan is offline
Senior Member
  
Join Date: Dec 2009
Posts: 464
Thanks: 76
Thanked 35 Times in 29 Posts
Default
Thank you. I'll work that this afternoon. Much appreciated
Reply With Quote
  #4  
Old 21st January 2013, 21:16
Toucan Toucan is offline
Senior Member
  
Join Date: Dec 2009
Posts: 464
Thanks: 76
Thanked 35 Times in 29 Posts
Default
Thanks - yes - that worked with lenny.

One last thing, now i have that custom filter for fail2ban and pureftp, should i remove the following line:

Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
from
/etc/fail2ban/filter.d/pure-ftpd.conf

Looking at it, the entire filter is no longer needed yes?
Reply With Quote
  #5  
Old 22nd January 2013, 09:00
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,181 Times in 3,200 Posts
Default
I guess you can remove that now. After removal and restart of fail2ban, you might want to test it by doing some wrong FTP logins to see if the banning works.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #6  
Old 22nd January 2013, 11:58
Toucan Toucan is offline
Senior Member
  
Join Date: Dec 2009
Posts: 464
Thanks: 76
Thanked 35 Times in 29 Posts
 
Default
I still need to manually test it, but the log is certainly reporting that it is banning FTP attempts. 20 or so bans this morning.

Thank you.
Reply With Quote
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +2. The time now is 10:53.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.