Fail2ban Mail Configuration

Discussion in 'ISPConfig 3 Priority Support' started by LinuxPete, Nov 24, 2013.

  1. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Hi,
    I'm using the perfect server for Centos 6. Recently I noticed that attempts to break into webmail have not been caught by fail2ban.

    I noticed my [postfix-tcpwrapper] in jail.local was not enabled.
    However the logpath is /var/log/postfix.log

    Does this need be /var/log/maillog?

    Or is this configured someplace else?

    Thanks
    Ray
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Fal2ban blocks attackers by IP address, the IP address of all postfix and imap connects of the webmail client is 127.0.0.1 (your own server), this is the case for all users that access webmail. Fail2ban can not block IP 127.0.0.1 as this would cause a lot of service to fail as many services use IP 127.0.0.1 (e.g. all local mysql connections). So fail2ban can not be used to protect webmail smtp / ima connects.

    If your webmail client writes a separate log for failed login attempts which contai the real IP address of the attacker, then you can configure fail2ban to read that log and uses it to ban outside IP addresses.
     
  3. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Thanks Till,
    But I believe this is just what is happening. I found more than 100 lines like the one below in secure log (/var/log/secure) for various non-existent IDs:

    secure-20131124:Nov 20 09:18:30 pillhill auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=director rhost=5.199.169.184
    secure-20131124:Nov 20 09:18:38 pillhill auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=director rhost=5.199.169.184

    I have since created an IPtables drop rule for this IP. But would like to know if I should still create a fail2ban rule in jail.local for the secure log? Or am I over reacting?

    Thanks

     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    To prevent future attacks, it might be good to add a rule for the secure log as well.
     
  5. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Thanks for all the help.
     

Share This Page