Virtual Multiserver Environment With Dedicated Web & MySQL, Email & DNS Servers On Debian Squeeze With ISPConfig 3 - Page 5

7.2.7 Installing fail2ban

Extend the jail.local file that falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]: /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

You have to append or edit the following:

# Jail name; any label works, here it matches the filter name
[roundcube]
enabled = true
port = http
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 5

Last (and very important), don't forget to create the filter file /etc/fail2ban/filter.d/roundcube.conf.

nano /etc/fail2ban/filter.d/roundcube.conf

with the following contents:

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =

Restart fail2ban:

/etc/init.d/fail2ban restart

You can check that all jails are active with the command:

iptables -L -n


7.2.8 Installing mod_evasive With fail2ban Support

mod_evasive is an Apache module for handling DDoS attacks. We will install it and configure fail2ban to auto ban/unban reported attacks.

apt-get install libapache2-mod-evasive
mkdir /var/lock/mod-evasive
chown www-data /var/lock/mod-evasive
ln -s /etc/alternatives/mail /bin/mail
nano /etc/apache2/mods-available/mod-evasive.conf

and paste:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 3
   DOSSiteCount 60
   DOSPageInterval 1
   DOSSiteInterval 2
   DOSBlockingPeriod 15
   DOSEmailNotify [email protected]
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

Afterwards we activate the module and restart Apache:

a2enmod mod-evasive
/etc/init.d/apache2 restart

mod_evasive will now detect DDoS attacks. To ban the offending hosts with iptables, we have to create the file /etc/fail2ban/filter.d/apache-dosevasive.conf:

# Fail2Ban configuration file
# Author: Xela
# $Revision: 728 $


[Definition]

# Option:  failregex
# Notes.:  regex to match the Forbidden log entries in apache error.log
#          maybe (but not only) provided by mod_evasive
# Values:  TEXT
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =

and to /etc/fail2ban/jail.local we add:


# Jail name; any label works, here it matches the filter name
[apache-dosevasive]
enabled = true
filter  = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache*/*error.log
bantime = 600
maxretry = 10
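
To check both filters before relying on them, the following added example (not part of the original tutorial) runs the roundcube failregex from 7.2.7 and the apache-dosevasive failregex above over constructed log lines and applies each jail's maxretry. The <HOST> expansion is a simplified IPv4-only stand-in for fail2ban's own, findtime is ignored, and the function names and sample lines are assumptions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only, an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FILTERS = {  # failregex values copied from the two filter files on this page
    "roundcube": r"FAILED login for .*. from <HOST>",
    "apache-dosevasive": r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] "
                         r"client denied by server configuration:\s",
}
MAXRETRY = {"roundcube": 5, "apache-dosevasive": 10}  # from jail.local


def compile_failregex(failregex):
    """Expand <HOST>; refuse a regex that cannot capture an address."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    if "host" not in rx.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return rx


def hosts_to_ban(jail, lines):
    """Return the hosts whose matching lines reach the jail's maxretry."""
    rx = compile_failregex(FILTERS[jail])
    hits = Counter(m.group("host") for m in map(rx.search, lines) if m)
    return sorted(h for h, n in hits.items() if n >= MAXRETRY[jail])


# Constructed sample log lines (documentation addresses, not real traffic).
ROUNDCUBE_LOG = (
    ["[22-May-2012 10:00:0%d +0200]: FAILED login for admin from 192.0.2.10" % i
     for i in range(5)]
    + ["[22-May-2012 10:01:00 +0200]: FAILED login for bob from 198.51.100.7",
       "[22-May-2012 10:02:00 +0200]: Successful login for bob (ID: 3) from 198.51.100.7"]
)
APACHE_LOG = (
    ["[Tue May 22 10:00:%02d 2012] [error] [client 203.0.113.5] "
     "client denied by server configuration: /var/www/index.php" % i
     for i in range(10)]
    # Apache 2.4 layout: module prefix, pid and client port, so no match.
    + ["[Tue May 22 10:00:11.000000 2012] [authz_core:error] [pid 7] "
       "[client 203.0.113.9:4711] AH01630: client denied by server "
       "configuration: /var/www/index.php"] * 10
)

if __name__ == "__main__":
    print(hosts_to_ban("roundcube", ROUNDCUBE_LOG))
    print(hosts_to_ban("apache-dosevasive", APACHE_LOG))
```

On the server itself, fail2ban-regex <logfile> <filter.conf> performs the same check with fail2ban's real matcher against the live log.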


7.3 Extending the Mail Server

7.3.1 Enhanced e-mail SPAM protection

The command below enables stricter spam handling for Postfix on ISPConfig 3 servers.

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client,reject_rbl_client,reject_rbl_client, check_recipient_access mysql:/etc/postfix/, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart


7.3.2 Installing Postgrey

Postgrey will eliminate 99% of all spam emails you receive. To install it, run these commands:

apt-get install postgrey
/etc/init.d/postgrey start

The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/ and add check_policy_service inet: to the smtpd_recipient_restrictions.

Then reload postfix's configuration:

postfix reload


7.4 Securing The Servers Using SSL

Last but not least you should follow this tutorial: Don't forget to execute the commands on the right server!


8 Maintaining Our Servers

You should regularly run this to keep your servers up-to-date:

apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade


9 Links/Credits/Sources

Since most is not from me, here are all the links used for this tutorial:


5 Comment(s)



From: Yaroslav Halchenko at: 2012-05-22 02:56:45

Issue was fixed in 0.8.6 IIRC and present also in version in Debian stable 0.8.4-3+squeeze1:

as of few days back



From: at: 2012-05-22 17:26:39

It should be said that it's not a good idea to run both nameservers:

  • on the same server
  • in the same datacenter
  • in the same network

Outages will lead to severe issues. A DNS server doesn't eat up much resources so it can be put on a cheap VPS somewhere else.

From: lol at: 2012-05-28 13:41:23

Hi,

May I suggest to you to correct the failregex:

failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s

As following:

failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

Because without it cause error in fail2ban:

2012-05-28 07:22:55,553 fail2ban.filter : ERROR No 'host' group in '^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s'

From: at: 2012-06-23 10:20:40

Thanks for the hint, I fixed the typo.

 @Yaroslav thx too, removed that part :)

From: Alexandre at: 2012-07-19 01:49:00

First thing: Thank you for this guide, seems I get everything working!!! I want to know if it would be possible for you to add to this guide how to set up Horde mail. I followed this: But it only works if I do a second Apache install on the mailserver... or if I join mailserver and webserver in one... I'm willing to keep the setup of this guide with only one webserver, one mailserver, etc... Thanks in advance.