custom fail2ban jails for extending perfect server

Discussion in 'Installation/Configuration' started by progressed36, Mar 1, 2019.

  1. progressed36

    progressed36 New Member

    Hi There,

    I used the Perfect server install from this site but i feel that the 3 jails provided are just not enough any more. Im hoping to get a lively thread here solving multiple attack possibilities that we can prevent with custom jails.

    maillog:
    Code:
    postfix/smtps/smtpd[32258]: warning: unknown[185.222.209.71]: SASL PLAIN authentication failed:
    Im leaving the IP for everyone to see as this IP is a known attacker.

    jail.local
    Code:
    [pure-ftpd]
    enabled  = true
    port     = ftp
    filter   = pure-ftpd
    logpath  = /var/log/syslog
    maxretry = 3
    
    [dovecot]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    
    [postfix]
    enabled  = true
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 3
    
    [sasl]
    enabled  = true
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 3
    findtime = 3200
    bantime  = 6400
    
    postfix-sasl.conf (get it from github)
    Code:
    cd /etc/fail2ban/filter.d/
    wget https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/postfix-sasl.conf
    
    fail2ban-client status sasl
    Code:
    fail2ban-client status sasl
    
    Status for the jail: sasl
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     50
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 2
       |- Total banned:     3
       `- Banned IP list:   141.98.80.15 185.222.209.78
    
     
    Last edited: Mar 5, 2019
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which means that fail2ban is working fine and there is no issue with the jails. The issue must be that the ban method is not working then on your server so that fail2ban is banning successfully but the underlying ban method (normally iptables) is not really blocking the IP.
     
  3. progressed36

    progressed36 New Member

    I changed my post to a working answer. no more sasl authentication errors in my maillog. banned is banned for 6400 seconds. My guess is that the repeating offenders will stop it soon enough!
     
  4. progressed36

    progressed36 New Member

    Ive been adding some longterm jails to stop repeating offendors. The longterm finds repeaters within 3 days (15 tries) and bans them for a week for the SASL logins and SSH.

    Code:
    [dovecot]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    
    [postfix]
    enabled  = true
    port     = smtp,submission,smtps,smtpd
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 3
    
    [sasl]
    enabled  = true
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 3
    findtime = 3200
    bantime  = 6400
    
    [sshlongterm]
    port      = ssh
    logpath   = %(sshd_log)s
    banaction = iptables-multiport
    maxretry  = 15
    findtime  = 259200
    bantime   = 608400
    enabled   = true
    filter    = sshd
    
    [sasllongterm]
    enabled  = true
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry  = 15
    findtime  = 259200
    bantime   = 608400
    
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How does the longterm ban work? Seems it is possible to have two filters for same service.
     
  6. progressed36

    progressed36 New Member

    sure thing it works. See below my SSH (normal) and SSH (longterm). It reads the same values exept the bantime and findtime is different.
    Code:
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 6
    |  |- Total failed:     2271
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 3
       |- Total banned:     235
       `- Banned IP list:   165.16.54.228 81.74.229.246 79.188.46.110
    
    Code:
    Status for the jail: sshlongterm
    |- Filter
    |  |- Currently failed: 441
    |  |- Total failed:     2271
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 3
       |- Total banned:     3
       `- Banned IP list:   138.68.57.194 37.221.194.126 67.205.135.65
    the only thing im going to delete is the shortterm sasl jail find/bantime and let it revert to standard settings (600 seconds ban i believe) as i think these will interfear with the longterm sasl jail.
     
    Last edited: Mar 10, 2019
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What happens when at time
    T : IP short term banned for 10 minutes
    T+5 minutes: IP long term banned for a week
    T+10 minutes: Short term ban runs out and IP is unbanned
    Then the long time ban is cut short, after only 5 minutes.
     
  8. progressed36

    progressed36 New Member

    Different jail what only uses the same regex. Unbanning is per jail not per protocol.
     
  9. progressed36

    progressed36 New Member

    im running it now for a few weeks and these are my results for the last 7 days:

    Code:
    Status for the jail: sasllongterm
    |- Filter
    |  |- Currently failed: 906
    |  |- Total failed:     2261
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 19
       |- Total banned:     28
       `- Banned IP list:   185.222.209.210 51.255.86.223 185.234.219.100 27.74.241.212 185.234.219.52 185.234.219.57 185.234.219.67 185.234.219.51 185.234.219.60 141.98.80.27 185.234.216.138 185.234.218.239 185.234.219.56 141.98.10.35 185.211.245.170 185.234.219.69 185.234.219.58 185.234.218.176 185.211.245.198
    
    Code:
    Status for the jail: sshlongterm
    |- Filter
    |  |- Currently failed: 966
    |  |- Total failed:     39676
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 186
       |- Total banned:     487
       `- Banned IP list:   202.100.168.16 145.239.8.185 128.199.152.186 223.111.139.244 119.28.50.163 104.248.174.126 203.95.212.41 14.45.233.239 87.16.14.109 118.107.233.29 122.226.181.165 54.38.185.87 118.89.232.60 104.248.242.125 218.15.205.69 139.59.96.172 27.150.169.127 182.61.164.210 91.189.176.230 118.89.225.208 202.51.110.214 181.215.132.4 186.103.173.226 128.199.145.205 178.128.201.224 177.131.121.50 118.32.193.109 36.89.56.175 222.127.49.228 123.207.139.64 120.52.120.166 200.60.60.84 111.230.110.87 111.231.83.112 41.87.72.102 219.117.230.166 115.42.121.221 139.199.181.192 36.156.24.98 83.15.183.138 36.156.24.97 118.122.124.78 103.40.29.135 177.71.74.230 202.124.185.66 189.45.37.254 218.92.0.179 120.132.30.116 111.231.144.219 193.112.213.48 188.11.67.165 103.44.132.44 178.62.239.228 175.182.227.144 177.74.144.198 222.174.55.2 125.215.207.40 187.16.96.35 106.12.205.132 123.136.161.147 139.59.41.6 190.144.69.178 111.230.100.191 58.242.82.13 117.187.12.126 118.89.60.84 139.59.105.141 178.128.98.86 123.59.96.215 165.227.177.239 61.76.173.244 73.53.95.248 5.39.77.167 82.227.139.213 219.78.217.119 122.199.152.114 117.48.212.113 140.143.230.161 121.201.78.33 157.230.244.236 118.24.122.36 187.4.98.235 103.245.181.2 79.61.51.195 178.128.85.48 115.47.160.32 14.51.7.4 60.54.119.170 117.218.54.161 206.189.216.56 118.185.32.18 104.248.112.131 157.230.241.147 134.196.160.15 190.147.178.100 121.31.56.58 149.202.148.185 139.199.100.110 103.108.144.134 139.59.94.192 180.182.47.132 118.25.97.93 46.218.116.106 24.193.136.142 37.59.116.10 117.218.78.97 193.32.163.66 106.12.212.192 118.25.8.128 118.24.112.191 59.120.243.8 142.93.232.144 179.184.217.83 128.199.229.67 94.76.179.235 148.66.132.232 82.232.212.62 203.147.79.174 129.204.10.180 115.95.178.170 51.75.202.58 122.167.83.4 36.156.24.95 36.156.24.96 128.199.212.120 172.81.238.222 202.43.144.66 115.159.25.60 132.232.23.12 132.145.34.91 92.151.18.191 112.85.42.229 180.250.205.114 103.248.83.76 180.76.150.87 122.165.207.151 178.128.202.35 121.8.142.250 116.213.196.231 58.87.92.159 101.89.150.214 223.111.139.247 96.78.175.37 51.255.174.215 201.235.19.122 123.30.174.85 118.24.99.163 61.93.201.198 159.65.4.64 178.62.245.107 159.89.205.213 52.234.134.187 123.206.88.24 189.58.98.21 66.70.130.144 107.170.105.164 210.54.37.139 119.28.1.219 82.80.140.33 119.146.148.46 58.144.150.233 159.89.54.241 168.227.99.10 54.38.192.96 194.243.6.150 106.12.203.32 80.25.123.28 128.199.102.157 43.241.234.126 51.38.239.192 202.29.70.42 114.34.30.113 118.89.155.117 106.12.210.229 106.12.38.109 159.89.12.81 103.47.81.216 110.185.103.79 182.61.54.63 142.93.213.218 212.51.151.159 104.248.169.18 140.143.151.93 175.139.183.57 192.241.175.250 76.201.57.187
    
    There you go. As you can see it works and nicely too! imagine when the longterm ban would not have been in place. my shortterm would be a lot busier!
     
  10. progressed36

    progressed36 New Member

    and here is my sshd normal:
    Code:
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 3
    |  |- Total failed:     39676
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 3
       |- Total banned:     4724
       `- Banned IP list:   189.90.255.173 95.242.177.213 80.37.231.233
    
     

Share This Page