Section 6.5, ISPConfig 3 Manual

Discussion in 'General' started by linus3x, Oct 21, 2010.

  1. linus3x

    linus3x New Member

    First off, you guys did a great job on the ISPConfig 3 manual - very easy to follow.

    I just wanted to point out one thing that I noticed. It's in section 6.5 - How Do I Make fail2ban Monitor Additional Services? When I followed that section, I was getting errors like the following in my fail2ban log:

    Code:
    fail2ban.comm   : WARNING Invalid command: ['set', 'courierimap', 'failregex', 'imapd: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
    I saw those for courierpop3, courierimap, and SASL. I investigated and found that the /etc/fail2ban/jail.conf file for the fail2ban that was downloaded from the Debian repository already had sections for those 3 in it. They just weren't enabled. Further, there were already /etc/fail2ban/filter.d/*.conf files for those sections included.

    Note: the courier sections were named differently - I think pop3d and imap?

    I basically followed Thomas's instructions at the bottom of this post to fix it.

    Edit the conf file:

    Code:
    vi /etc/fail2ban/jail.conf
    Remove the failregex line and update the filter:

    Code:
    [courierimap]
    
    enabled = true
    port = imap2
    filter = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath = /var/log/mail.log
    maxretry = 5
    
    Becomes:

    Code:
    [courierimap]
    
    enabled = true
    port = imap2
    filter = [B]courierimap[/B]
    logpath = /var/log/mail.log
    maxretry = 5
    
    Create a filter file /etc/fail2ban/filter.d/courierimap.conf with the following content:

    Code:
    vi /etc/fail2ban/filter.d/courierimap.conf
    Code:
    # Fail2Ban configuration file
    #
    # $Revision: 100 $
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex = imapd: LOGIN FAILED.*ip=\[.*127\.0\.0\.1\]
    
    BTW, I added ignoreregex to this one because failed squirrelmail logins were generating failed logins on 127.0.0.1 no matter what the end user's IP address really was.

    Again - great job on the manual - it's been invaluable in getting setup.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Thanks a lot - I will review that chapter. :)
     

Share This Page