Hello,
I am finally moving over to EFA v4 and tightening down my boxes.
Do I need to do any configuration for Fail2Ban in v4? Or just enable it in the EFA-Configure menu?
By default does it block IPs via Postfix?
Sorry if this has been covered. Was reading the forum but most of the references are for v3.x.
Thanks!
Todd
Fail2Ban config in EFA v4
- shawniverson
Re: Fail2Ban config in EFA v4
It should block ssh and postfix repeat attempts by default.
Re: Fail2Ban config in EFA v4
Thanks Shawn.
There is nothing else that needs to be configured? Just enable in EFA-Configure and it does the rest.
Re: Fail2Ban config in EFA v4
You might want to consider adding the postfix-sasl jail as well, if you get a lot of failed sasl authentication attempts.
Re: Fail2Ban config in EFA v4
This is a good idea, maybe add it out of the box.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
Re: Fail2Ban config in EFA v4
Hi
I got annoyed because of all the login attempts
Code:
Feb 25 21:14:12 efa4 postfix/smtpd[2436]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:12 efa4 postfix/smtpd[3328]: disconnect from unknown[87.246.7.229] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:14 efa4 postfix/smtpd[10446]: connect from unknown[5.34.207.79]
Feb 25 21:14:15 efa4 postfix/smtpd[11953]: connect from unknown[5.34.207.192]
Feb 25 21:14:15 efa4 postfix/smtpd[9753]: warning: unknown[5.34.207.79]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:16 efa4 postfix/smtpd[9753]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:18 efa4 postfix/smtpd[3328]: connect from unknown[5.34.207.79]
Feb 25 21:14:19 efa4 postfix/smtpd[10446]: warning: unknown[5.34.207.79]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:19 efa4 postfix/smtpd[11953]: warning: unknown[5.34.207.192]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:20 efa4 postfix/smtpd[10446]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:20 efa4 postfix/smtpd[11953]: disconnect from unknown[5.34.207.192] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
so I configured fail2ban to also capture SASL.
I was following the description here: https://bobcares.com/blog/fail2ban-postfix-sasl/ (just the name of the logfile needed to be maillog instead of mail.log)
Afterwards a
Code:
systemctl restart fail2ban.service
made the day.
And immediately it caught the first IPs.
Code:
[root@efa4 log]# fail2ban-client status sasl
Status for the jail: sasl
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 257
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 3
   |- Total banned: 3
   `- Banned IP list: 5.34.207.192 87.246.7.229 5.34.207.79
Just in case anybody is interested
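To preview which addresses a SASL jail would act on before enabling it, the failure lines in maillog can be counted per source IP inside a time window, which is what fail2ban's `maxretry` and `findtime` settings express. This is an added example, not part of any post in this thread and not fail2ban's own code; the regex, the threshold values, the assumed year and the sample log are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the maillog format quoted in the post above; the
# addresses come from the RFC 5737 documentation ranges, not from real hosts.
SAMPLE_LOG = """\
Feb 25 21:14:12 efa4 postfix/smtpd[2436]: connect from unknown[192.0.2.10]
Feb 25 21:14:15 efa4 postfix/smtpd[2436]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:16 efa4 postfix/smtpd[2436]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:19 efa4 postfix/smtpd[3328]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:19 efa4 postfix/smtpd[3329]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:23 efa4 postfix/smtpd[3328]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:20:00 efa4 postfix/smtpd[4001]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Feb 25 22:20:00 efa4 postfix/smtpd[4002]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Feb 25 23:20:00 efa4 postfix/smtpd[4003]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
"""

# Simplified pattern written for this example; it is not the failregex that
# fail2ban ships for its postfix-sasl jail.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

def find_offenders(log_text, maxretry=3, findtime=600, year=2000):
    """Map each IP to its peak failure count in any findtime-second window,
    keeping only IPs that reach maxretry (illustrative thresholds)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog timestamps carry no year, so an assumed one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(ts)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most findtime
            while t - times[start] > timedelta(seconds=findtime):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            offenders[ip] = peak
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

The slow source (one failure per hour) stays under the threshold with a short window, which is the trade-off to weigh when choosing `findtime` for a jail.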
Re: Fail2Ban config in EFA v4
Here's a good and current working configuration for EFA v4 postfix-sasl by ajmind
viewtopic.php?p=19136#p19136
Helpful!