Hi
Did anybody try fail2ban with EFA4 already?
thx
fail2ban compliant ?
Re: fail2ban compliant ?
What do you mean by "try fail2ban"?
I am running fail2ban on my eFa test server, and it is watching e.g. ssh logs and banning people.
Re: fail2ban compliant ?
Hi there,
Fail2ban is always compliant: you install the package and define the rules, and it will analyze system logs and do the blocking. What we can do is improve and add fail2ban to the EFA menu, including adding and removing IPs to block.
Re: fail2ban compliant ?
Maybe a better question would be: how do we configure fail2ban to notice the proper messages from our maillog and block all those IPs that are constantly trying to deliver spam, or brute-force checking email addresses?
out of the box fail2ban doesn't do anything with postfix.
Re: fail2ban compliant ?
HiAlleyviper wrote (25 Jul 2019 12:45):
> Hi there,
> Fail2ban is always compliant: you install the package and define the rules, and it will analyze system logs and do the blocking. What we can do is improve and add fail2ban to the EFA menu, including adding and removing IPs to block.
Sorry to come back so late.
First, it looks like fail2ban is not compliant out of the box.
How to check:
```
[root@efa4 ~]# fail2ban-client show sshd
2020-05-24 07:48:16,682 fail2ban [19670]: ERROR NOK: ('Invalid command',)
Invalid command
```
```
[root@efa4 fail2ban]# ipset list
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 6000
Size in memory: 76536
References: 1
Number of entries: 20
Members:
14.192.17.150 timeout 5413
222.186.15.10 timeout 2811
222.186.30.218 timeout 4409
222.186.30.112 timeout 1814
222.186.190.14 timeout 475
157.230.153.75 timeout 1214
190.60.200.126 timeout 1092
107.170.20.247 timeout 987
222.186.175.23 timeout 2138
106.12.163.87 timeout 1706
103.207.36.223 timeout 3242
222.186.31.166 timeout 3766
222.186.180.130 timeout 4082
222.186.30.167 timeout 3444
223.247.153.244 timeout 1542
61.160.52.58 timeout 273
222.186.15.115 timeout 4746
111.229.33.175 timeout 2010
222.186.42.136 timeout 1146
222.186.42.7 timeout 5066
[root@efa4 fail2ban]#
```
Now digging around how to solve.
Re: fail2ban compliant ?
My version of fail2ban-client does not have a "show" subcommand. Are you sure that command is correct? The error message you are getting also suggests that it doesn't support the "show" subcommand.
Try this instead:
```
# dump the configuration so we can see what is really enabled
$ fail2ban-client -d
# show the status of the fail2ban
$ fail2ban-client status
# I have the postfix-sasl jail configured only.
$ fail2ban-client status postfix-sasl
```
Re: fail2ban compliant ?
Hi
Looks like you are right. The show command is also not present in my fail2ban-client. Don't ask me where I saw this.
```
[root@efa4 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 18
|  |- Total failed: 79506
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 43
   |- Total banned: 6769
   `- Banned IP list: 218.4.163.146 118.27.9.244 138.36.102.134 106.12.197.52 222.186.15.158 188.131.173.220 222.186.15.115 222.186.30.167 200.205.188.74 64.225.25.59 5.196.63.250 209.141.37.175 187.155.200.84 222.186.30.218 222.186.42.155 119.29.26.222 45.114.85.82 68.183.110.49 222.186.30.76 222.186.30.35 51.38.128.30 152.136.144.86 168.232.131.62 92.154.121.54 49.235.39.217 128.199.85.251 203.176.84.54 117.50.13.170 139.198.5.79 222.186.180.142 193.38.139.103 51.89.68.141 194.61.55.164 206.81.14.48 106.52.24.215 222.186.42.136 51.75.78.128 46.140.151.66 222.186.180.130 111.230.248.93 159.89.157.75 95.84.146.201 222.186.30.57
[root@efa4 ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
[root@efa4 ~]# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-ipset
```
and the rule is in my iptables:
```
REJECT tcp -- anywhere anywhere multiport dports ssh match-set f2b-sshd src reject-with icmp-port-unreachable
```
Somehow I was too fast today in the morning in judging.
Sorry
But now looking into my /var/log/maillog I will now also start thinking about a postfix configuration.
```
[root@efa4 log]# grep "SASL LOGIN authentication failed" maillog | wc -l
3886
```
You said you have the postfix jail switched on. Does this help for these issues?
Re: fail2ban compliant ?
Hugely!
My server is only accessible via the various mail protocols, so I get lots of failed authentication attempts, and fail2ban now picks them all up.
Since all my mail users are internal, there should be no ssl authentication, except for very rare circumstances. 3 failed attempts in 4 hours? blocked for 48h.
Here is my configuration:
```
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
banaction = iptables-multiport
bantime = 48h
maxretry = 3
findtime = 240m
logpath = %(postfix_log)s
backend = %(postfix_backend)s
```
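As an added illustration, not code from this thread or from fail2ban itself, here is a small Python simulation of what that jail does with the "SASL LOGIN authentication failed" maillog lines grepped earlier: a simplified regex stands in for the postfix[mode=auth] filter, and the maxretry/findtime/bantime logic is applied to a constructed sample log. The regex, the year assumed for syslog timestamps and the sample lines are all assumptions; the sliding window only approximates fail2ban's own bookkeeping.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's postfix[mode=auth] filter (assumption: the
# real filter is more thorough); it matches the maillog line the thread greps for.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: SASL LOGIN authentication failed"
)
# Jail parameters copied from the [postfix-sasl] section above.
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=240), timedelta(hours=48)

def parse_ts(ts, year=2020):
    """Syslog timestamps carry no year; assume one for the constructed sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def bans_for(log_lines):
    """Return {ip: ban_expiry} for IPs that reach MAXRETRY failures inside a
    sliding FINDTIME window, as the jail would; lines are read in order."""
    failures, bans = defaultdict(list), {}
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not an auth failure: the filter ignores it
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans and ts < bans[ip]:
            continue  # still banned; the firewall would have dropped it
        window = [t for t in failures[ip] if ts - t <= FINDTIME] + [ts]
        failures[ip] = window
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            failures[ip] = []  # fail2ban drops the counted failures on ban
    return bans

# Constructed sample maillog (RFC 5737 test addresses, not real traffic).
SAMPLE_MAILLOG = """\
May 24 07:01:10 efa4 postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 07:02:15 efa4 postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 07:03:20 efa4 postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 08:00:00 efa4 postfix/smtpd[1300]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 09:00:00 efa4 postfix/smtpd[1400]: connect from mail.example.net[192.0.2.5]
May 24 13:30:00 efa4 postfix/smtpd[1300]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 18:00:00 efa4 postfix/smtpd[1300]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

if __name__ == "__main__":
    for ip, until in bans_for(SAMPLE_MAILLOG).items():
        print(f"ban {ip} until {until}")  # only 198.51.100.7; the slow guesser stays under findtime
```

The second host fails three times too, but spaced more than 240 minutes apart, so it never trips maxretry; that is the trade-off a long findtime is meant to address.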