Toughening up

Discussion in 'General' started by Toucan, Jan 19, 2013.

  1. Toucan

    Toucan New Member

    Running debian lenny ispconfig 3.0.4.6 on a VM

    Trying to work out why the server each day comes under an increased load at a certain time and becomes unresponsive, I've had a look into the logs.

    One common thing is it keeps getting attempts to connect via ftp, literally 100s of times. The attempts are always failed, but I think leads to the higher load.

    To try and slow this a little, I've attempted to add ftp to fail2ban and all appeared to work.

    I used this thread as a guide.
    http://www.howtoforge.com/forums/showthread.php?t=40177

    The other major attempts that keep failing are pop3 connections. To help fight these off, do I simply change the following records to true?

    Code:
    [postfix]
    
    enabled  = false
    port     = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log
    
    
    [couriersmtp]
    
    enabled  = false
    port     = smtp,ssmtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courierauth]
    
    enabled  = false
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = courierlogin
    logpath  = /var/log/mail.log
    
    
    [sasl]
    
    enabled  = false
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    logpath  = /var/log/mail.log
    
    Or is there a better way to deal with these attempts?
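    As an added example (not from this thread or from fail2ban itself), the script below shows the logic the jails above apply once enabled: it scans mail.log lines for failed Courier POP3/IMAP logins and reports the hosts that reach maxretry failures inside a findtime window, the same two knobs jail.conf uses. The log lines are constructed, and the regex is an assumption approximating fail2ban's courierlogin filter rather than a copy of it.

    ```python
    import re
    from collections import defaultdict, deque
    from datetime import datetime

    # Constructed sample of Courier pop3d/imapd log lines (not from the poster's server).
    SAMPLE_MAIL_LOG = """\
    Jan 19 04:12:01 vm pop3d: LOGIN FAILED, user=info, ip=[::ffff:203.0.113.5]
    Jan 19 04:12:03 vm pop3d: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.5]
    Jan 19 04:12:07 vm imapd: LOGIN FAILED, user=test, ip=[::ffff:203.0.113.5]
    Jan 19 04:13:10 vm pop3d: LOGIN, user=bob, ip=[::ffff:198.51.100.9]
    Jan 19 04:20:00 vm pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.9]
    Jan 19 06:00:00 vm pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.9]
    Jan 19 06:30:00 vm pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.9]
    """

    # Assumption: a pattern in the spirit of fail2ban's courierlogin filter.
    # The filter file shipped on the server is authoritative; this approximates it.
    FAILED_LOGIN = re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:pop3d|imapd)(?:-ssl)?: "
        r"LOGIN FAILED, user=\S+, ip=\[(?:::ffff:)?(?P<host>[0-9.]+)\]$"
    )


    def parse_ts(ts, year=2013):
        # syslog timestamps carry no year, so one is supplied for the comparison
        return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


    def hosts_to_ban(log_text, maxretry=3, findtime=600):
        """Return hosts with at least maxretry failures inside any findtime-second window."""
        recent = defaultdict(deque)  # host -> timestamps of failures still inside the window
        banned = []
        for line in log_text.splitlines():
            m = FAILED_LOGIN.match(line)
            if not m:
                continue  # successful logins and unrelated lines are ignored
            host, t = m["host"], parse_ts(m["ts"])
            window = recent[host]
            window.append(t)
            while (t - window[0]).total_seconds() > findtime:
                window.popleft()  # drop failures older than findtime
            if len(window) >= maxretry and host not in banned:
                banned.append(host)
        return banned


    if __name__ == "__main__":
        print(hosts_to_ban(SAMPLE_MAIL_LOG))
    ```

    The second host only fails once every hour or more, so with the default 600-second findtime it never reaches the threshold; widening findtime is what catches such slow guessing, at the cost of more bans on users who simply mistype.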
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. Toucan

    Toucan New Member

    Thank you. I'll work on that this afternoon. Much appreciated.
     
  4. Toucan

    Toucan New Member

    Thanks - yes - that worked with lenny.

    One last thing, now I have that custom filter for fail2ban and pure-ftpd, should I remove the following line:

    Code:
    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
    from
    /etc/fail2ban/filter.d/pure-ftpd.conf

    Looking at it, the entire filter is no longer needed yes?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you can remove that now. After removal and restart of fail2ban, you might want to test it by doing some wrong FTP logins to see if the banning works.
     
  6. Toucan

    Toucan New Member

    I still need to manually test it, but the log is certainly reporting that it is banning FTP attempts. 20 or so bans this morning.

    Thank you.
     