Fail2Ban config in EFA v4

Questions and answers about how to do stuff
toddh
Posts: 69
Joined: 16 Feb 2015 18:52

Fail2Ban config in EFA v4

Post by toddh »

Hello,

I am finally moving over to EFA v4 and tightening down my boxes.

Do I need to do any configuration for Fail2Ban in v4, or just enable it in the EFA-Configure menu?

By default does it block IPs via Postfix?

Sorry if this has been covered. I was reading the forum, but most of the references are for v3.x.

Thanks!

Todd
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Fail2Ban config in EFA v4

Post by shawniverson »

It should block ssh and postfix repeat attempts by default.
toddh
Posts: 69
Joined: 16 Feb 2015 18:52

Re: Fail2Ban config in EFA v4

Post by toddh »

Thanks Shawn.

There is nothing else that needs to be configured? Just enable it in EFA-Configure and it does the rest?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Fail2Ban config in EFA v4

Post by pdwalker »

You might want to consider adding the postfix-sasl jail as well, if you get a lot of failed sasl authentication attempts.
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2Ban config in EFA v4

Post by jamerson »

pdwalker wrote: 09 Feb 2021 05:58 You might want to consider adding the postfix-sasl jail as well, if you get a lot of failed sasl authentication attempts.
This is a good idea; maybe add it out of the box.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
tesme33
Posts: 62
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: Fail2Ban config in EFA v4

Post by tesme33 »

Hi,
I got annoyed because of all the login attempts:

Code:

Feb 25 21:14:12 efa4 postfix/smtpd[2436]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:12 efa4 postfix/smtpd[3328]: disconnect from unknown[87.246.7.229] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:14 efa4 postfix/smtpd[10446]: connect from unknown[5.34.207.79]
Feb 25 21:14:15 efa4 postfix/smtpd[11953]: connect from unknown[5.34.207.192]
Feb 25 21:14:15 efa4 postfix/smtpd[9753]: warning: unknown[5.34.207.79]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:16 efa4 postfix/smtpd[9753]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:18 efa4 postfix/smtpd[3328]: connect from unknown[5.34.207.79]
Feb 25 21:14:19 efa4 postfix/smtpd[10446]: warning: unknown[5.34.207.79]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:19 efa4 postfix/smtpd[11953]: warning: unknown[5.34.207.192]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:20 efa4 postfix/smtpd[10446]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:20 efa4 postfix/smtpd[11953]: disconnect from unknown[5.34.207.192] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
So I configured fail2ban to also capture SASL.
I was following the description here: https://bobcares.com/blog/fail2ban-postfix-sasl/ (just the name of the logfile needed to be maillog instead of mail.log).
Afterwards a

Code:

systemctl restart fail2ban.service
made my day.

And immediately it caught the first IPs. :-)

Code:

[root@efa4 log]# fail2ban-client status sasl
Status for the jail: sasl
|- Filter
|  |- Currently failed:	3
|  |- Total failed:	257
|  `- File list:	/var/log/maillog
`- Actions
   |- Currently banned:	3
   |- Total banned:	3
   `- Banned IP list:	5.34.207.192 87.246.7.229 5.34.207.79

Just in case anybody is interested
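
The following is an added example, not part of the original posts and not fail2ban's or EFA's own code: a simplified Python emulation of the counting a jail performs over `/var/log/maillog`, banning an address once it reaches `maxretry` SASL failures within `findtime` seconds. The regex, the thresholds, the `find_bans` helper, the assumed year and the sample log lines (RFC 5737 documentation addresses) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the same Postfix syslog format as the post above;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb 25 21:14:12 efa4 postfix/smtpd[2436]: connect from unknown[192.0.2.10]
Feb 25 21:14:15 efa4 postfix/smtpd[2436]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:19 efa4 postfix/smtpd[2437]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:20 efa4 postfix/smtpd[2438]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Feb 25 21:14:25 efa4 postfix/smtpd[2439]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:40:00 efa4 postfix/smtpd[2440]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Feb 25 21:55:00 efa4 postfix/smtpd[2441]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# Illustrative pattern (an assumption, not fail2ban's shipped filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def find_bans(log_text, maxretry=3, findtime=600, year=2021):
    """Return IPs with >= maxretry SASL failures inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # connect/disconnect lines are not failures
        # Syslog timestamps carry no year; the caller supplies one (assumed here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget failures older than findtime
        if len(hits) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

With the sample input, a slow source that spaces its attempts wider than `findtime` is never banned, which is why a longer window is worth considering for low-rate password guessing.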
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Fail2Ban config in EFA v4

Post by pdwalker »

Here's a good and current working configuration for EFA v4 postfix-sasl by ajmind

viewtopic.php?p=19136#p19136

Helpful!