fail2ban, postfix & firewall

Discussion in 'Server Operation' started by SamTzu, Nov 14, 2014.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    I have an interesting question for you.

    How would you setup a fail2ban service to send automatic ban notification's if you have blocked the servers SMTP connections on the border gateway firewall?

    Postfix does not have (and will not have) releayhost defined to ensure no SPAM (or as little SPAM as possible) is sent from the webserver. All the websites have to define proper SMTP authentication server and credentials to send email (but that is another story.)

    All the email should travel trough the SMTP server using proper authentication. How ever fail2ban does not seem to have separate configuration for SMTP settings. I'm wondering if it is possible to setup SMTP settings (and maybe credentials) for fail2ban?
     
  2. Desp

    Desp Member

    Sorry, but I've been lost in your question. Can you be more clear please.
    Do you wan't fail2ban to send you an email when ever it ban someone trying to access your SMTP with wrong password?

    Fail2ban will usually remove the bans after 60 min if you don't set the ban time yourself.
    Here is some lines from my fail2ban logs, and I set the bans almost for ever.

    2014-11-18 21:28:59,000 fail2ban.jail : INFO Creating new jail 'postfix'
    2014-11-18 21:28:59,000 fail2ban.jail : INFO Jail 'postfix' uses Gamin
    2014-11-18 21:28:59,199 fail2ban.jail : INFO Jail 'postfix' started
    2014-11-19 10:48:26,998 fail2ban.actions: WARNING [postfix] Ban 58.250.0.0
    2014-11-20 19:27:05,202 fail2ban.actions: WARNING [postfix] Ban 190.0.0.0

    Is this what you are looking for?
     
  3. SamTzu

    SamTzu Member HowtoForge Supporter

    Nope.

    How would you setup a fail2ban service to send automatic ban notification's if you have blocked the servers SMTP connections on the border gateway firewall?

    I don't want those notifications. I want to send them where they can do some good. ie. The offending network admin. But that seems to be impossible to configure on the fail2ban level and I don't want to enable direct SMTP out on the server level.
     
  4. Desp

    Desp Member

    Now I get what you mean :)
    I think you will need to write your own script to read from fail2ban logs then do an IP whois and catch the abuse email for that IP and then send them the abuse email complaining about the spam or the scan. More than this you maybe want to do it for all services running on your server and not only SMTP.

    In other hand your IP might be classified as spam since your system will be sending repeated emails for each bot try to say hello to your server or knocking on your SSH door.
    Assuming that you get 10 scans from same subnet, you will send 10 emails to same abuse team, and that will be in daily basis.
    Isn't better to just disable email notifications in fail2ban and leave it do it's job silently? Just my thoughts
     
    Last edited: Nov 21, 2014

Share This Page