HowtoForge Forums > ISPConfig 3 > Installation/Configuration
#11  Lionheart82, 29th March 2013, 16:09

First of all, manually install the latest version from here:

https://github.com/fail2ban/fail2ban/
I strongly recommend that, as it fixes many, many bugs and has a lot more rules to play with.

You should remove any repos first, though.

My rule is this one, the default if I remember correctly.

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

Also, yes: since the hacker knew the pass you can't see any failure, but you can try and test the older logs, e.g. /var/log/mail_2.log etc.
#12  compugraphix, 29th March 2013, 16:17

If he isn't that good at compiling his own stuff, I would stay with apt-get, because when there's an upgrade or bugfix the control panel tells you about it.
And it's easier to maintain that way.
#13  Lionheart82, 29th March 2013, 16:26

Quote:
Originally Posted by compugraphix
If he isn't that good at compiling his own stuff, I would stay with apt-get, because when there's an upgrade or bugfix the control panel tells you about it.
And it's easier to maintain that way.

I am a CentOS user and our repos are not updated any more, well, since fail2ban moved to GitHub, and it's logical since changes occur every minute.

Also a tip: try to use a high number of minutes to ban, or use -1 for infinite time.
#14  compugraphix, 29th March 2013, 16:53

Quote:
Originally Posted by Lionheart82
I am a CentOS user and our repos are not updated any more, well, since fail2ban moved to GitHub, and it's logical since changes occur every minute.

Also a tip: try to use a high number of minutes to ban, or use -1 for infinite time.

OK, and I am a Debian user, so I understand your decision to manually install it then.
#15  arraken, 29th March 2013, 22:47

OK, apparently I was feeling safe too early. It started again. This time changing the password didn't help. I even disabled the whole suspected domain in ISPConfig and it didn't help.

I'm out of ideas.

@Lionheart82: you talked about configuring monit to find out who sends the mails. Do you have any concrete tips for that? I never worked with monit before.

PS: maybe the following message from my mail.warn is useful:

Mar 29 22:43:35 server1 postfix/smtpd[7602]: warning: Message delivery request rate limit exceeded: 106 from unknown[90.146.13.50] for service smtp
#16  compugraphix, 29th March 2013, 22:58

Then he is going to be blocked; it takes 5 minutes to block an IP with fail2ban.
In the control panel, do you see the "show fail2ban log"?
Are there IPs getting banned?
#17  arraken, 29th March 2013, 23:07

The IP isn't getting blocked. Is my fail2ban setup wrong? Do I have to restart it or something?

I still get lots of
Code:
Mar 29 23:04:52 server1 postfix/smtpd[11734]: warning: Message delivery request rate limit exceeded: 104 from unknown[1.2.3.4] for service smtp
Mar 29 23:04:52 server1 postfix/smtpd[10961]: warning: Message delivery request rate limit exceeded: 105 from unknown[1.2.3.4] for service smtp
Mar 29 23:04:52 server1 postfix/smtpd[10990]: warning: Message delivery request rate limit exceeded: 106 from unknown[1.2.3.4] for service smtp

Last edited by arraken; 30th March 2013 at 10:35.
#18  compugraphix, 29th March 2013, 23:09

Did you put in a line for smtpd
in the fail2ban configuration?

Something like:

[postfix]

enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

and restart fail2ban:
/etc/init.d/fail2ban restart

if you have Debian, that is.

Last edited by compugraphix; 29th March 2013 at 23:21.
#19  arraken, 29th March 2013, 23:22

I have the following:

[postfix]

enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

But does this rule also work if the spammer apparently has a valid account? Or does it only block if someone tries to send mails and gets rejected multiple times?
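The following is an added example, not code from the thread and not part of fail2ban or ISPConfig. It takes Lionheart82's SASL failregex from post #11 and runs it, the way a fail2ban filter would, over a constructed mail.log excerpt that mixes failed SASL logins with the "rate limit exceeded" warnings arraken pasted. It shows why the [postfix] jail above never bans the spammer: the SASL regex only matches failed authentication, and a spammer using a stolen password authenticates successfully. The RATELIMIT_FAILREGEX is a hypothetical filter written for this example to match those warning lines instead; the HOST_GROUP string is the expansion fail2ban 0.8 substituted for the `<HOST>` token, and the jail's findtime window is ignored for simplicity.

```python
import re
from collections import Counter

# Lionheart82's SASL failregex from post #11, copied verbatim.
SASL_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

# Hypothetical extra failregex written for this example (not from the thread and
# not shipped with fail2ban): it matches the "rate limit exceeded" warnings that
# arraken pasted, which are produced by an already authenticated account.
RATELIMIT_FAILREGEX = (
    r": warning: Message delivery request rate limit exceeded: \d+ "
    r"from [-._\w]+\[<HOST>\] for service smtp\s*$"
)

# The group fail2ban 0.8 substitutes for the <HOST> token before compiling.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed mail.log excerpt: two hosts failing SASL auth, one authenticated
# host hitting the delivery rate limit, and one line that is not a failure at all.
SAMPLE_MAIL_LOG = """\
Mar 29 22:41:00 server1 postfix/smtpd[7590]: connect from unknown[192.0.2.10]
Mar 29 22:41:01 server1 postfix/smtpd[7590]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 22:41:03 server1 postfix/smtpd[7590]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed
Mar 29 22:41:05 server1 postfix/smtpd[7591]: warning: mail.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure
Mar 29 22:43:35 server1 postfix/smtpd[7602]: warning: Message delivery request rate limit exceeded: 106 from unknown[1.2.3.4] for service smtp
Mar 29 23:04:52 server1 postfix/smtpd[11734]: warning: Message delivery request rate limit exceeded: 104 from unknown[1.2.3.4] for service smtp
Mar 29 23:04:52 server1 postfix/smtpd[10961]: warning: Message delivery request rate limit exceeded: 105 from unknown[1.2.3.4] for service smtp
"""


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> the way fail2ban does and compile the filter regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_per_host(log_text: str, failregex: str) -> Counter:
    """Count failregex hits per host, i.e. what a fail2ban filter feeds its jail."""
    pattern = compile_failregex(failregex)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text: str, failregex: str, maxretry: int = 5) -> list:
    """Hosts that reached the jail's maxretry (the findtime window is ignored here)."""
    counts = failures_per_host(log_text, failregex)
    return sorted(host for host, hits in counts.items() if hits >= maxretry)


if __name__ == "__main__":
    # With arraken's jail (maxretry = 5) the SASL filter never even sees 1.2.3.4.
    print("SASL failures:", dict(failures_per_host(SAMPLE_MAIL_LOG, SASL_FAILREGEX)))
    print("SASL bans at maxretry=5:", hosts_to_ban(SAMPLE_MAIL_LOG, SASL_FAILREGEX))
    print("rate-limit hits:", dict(failures_per_host(SAMPLE_MAIL_LOG, RATELIMIT_FAILREGEX)))
    print("rate-limit bans at maxretry=3:", hosts_to_ban(SAMPLE_MAIL_LOG, RATELIMIT_FAILREGEX, 3))
```

Run it as-is and the SASL filter reports only 192.0.2.10 and 198.51.100.7, both below maxretry = 5, while 1.2.3.4 appears only under the rate-limit filter. That is the answer to the question in this post: the stock postfix filter blocks repeated rejected logins, so a spammer holding a valid password has to be caught on a different log line (or by disabling the account), not by the SASL rule.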
#20  arraken, 29th March 2013, 23:26

Another question: I have tried to ban a suspicious IP via route add -host 90.146.13.50 reject, but when I try iptables -L I don't see the IP listed anywhere. Is this normal?