Fail2Ban config in EFA v4
Posted: 28 Jan 2021 15:45
by toddh
Hello,
I am finally moving over to EFA v4 and tightening down my boxes.
Do I need to do any configuration for Fail2Ban in v4? Or just enable it in the EFA-Configure menu?
By default does it block IPs via Postfix?
Sorry if this has been covered. Was reading the forum but most of the references are for v3.x.
Thanks!
Todd
Re: Fail2Ban config in EFA v4
Posted: 31 Jan 2021 15:22
by shawniverson
It should block ssh and postfix repeat attempts by default.
Re: Fail2Ban config in EFA v4
Posted: 01 Feb 2021 20:14
by toddh
Thanks Shawn.
There is nothing else that needs to be configured? Just enable in EFA-Configure and it does the rest.
Re: Fail2Ban config in EFA v4
Posted: 09 Feb 2021 05:58
by pdwalker
You might want to consider adding the postfix-sasl jail as well, if you get a lot of failed sasl authentication attempts.
Re: Fail2Ban config in EFA v4
Posted: 15 Feb 2021 12:34
by jamerson
pdwalker wrote: 09 Feb 2021 05:58
You might want to consider adding the postfix-sasl jail as well, if you get a lot of failed sasl authentication attempts.
This is a good idea, maybe add it out of the box.
Re: Fail2Ban config in EFA v4
Posted: 25 Feb 2022 20:26
by tesme33
Hi
I got annoyed because of all the login attempts
Code:
Feb 25 21:14:12 efa4 postfix/smtpd[2436]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:12 efa4 postfix/smtpd[3328]: disconnect from unknown[87.246.7.229] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:14 efa4 postfix/smtpd[10446]: connect from unknown[5.34.207.79]
Feb 25 21:14:15 efa4 postfix/smtpd[11953]: connect from unknown[5.34.207.192]
Feb 25 21:14:15 efa4 postfix/smtpd[9753]: warning: unknown[5.34.207.79]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:16 efa4 postfix/smtpd[9753]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:18 efa4 postfix/smtpd[3328]: connect from unknown[5.34.207.79]
Feb 25 21:14:19 efa4 postfix/smtpd[10446]: warning: unknown[5.34.207.79]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:19 efa4 postfix/smtpd[11953]: warning: unknown[5.34.207.192]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:20 efa4 postfix/smtpd[10446]: disconnect from unknown[5.34.207.79] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:20 efa4 postfix/smtpd[11953]: disconnect from unknown[5.34.207.192] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
So I configured fail2ban to also capture SASL.
I was following the description here:
https://bobcares.com/blog/fail2ban-postfix-sasl/ (just the name of the logfile needed to be maillog instead of mail.log)
Afterwards a
Code:
systemctl restart fail2ban.service
made the day.
And immediately it caught the first IPs.
Code:
[root@efa4 log]# fail2ban-client status sasl
Status for the jail: sasl
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 257
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 3
   |- Total banned: 3
   `- Banned IP list: 5.34.207.192 87.246.7.229 5.34.207.79
Just in case anybody is interested
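Added example, not part of the post above and not fail2ban's own code: a sketch of the matching a SASL jail performs on /var/log/maillog, counting "SASL ... authentication failed" warnings per IP and flagging an address once it reaches maxretry failures inside findtime seconds. The regex, the find_bans name, the threshold values and the sample log lines are assumptions made for illustration; maxretry and findtime mirror the fail2ban jail options of the same names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Postfix warning format shown in the post (hypothetical regex,
# not the filter shipped with fail2ban).
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \S+ authentication failed"
)

def find_bans(lines, maxretry=3, findtime=600, year=2022):
    """Return {ip: time of ban} for IPs with maxretry failures inside findtime seconds.

    Lines are assumed to be in chronological order, as in a live log file.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["ip"] in banned:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = ts
    return banned

# Constructed sample log (documentation-range addresses), same format as maillog.
SAMPLE = """\
Feb 25 21:14:14 efa4 postfix/smtpd[100]: connect from unknown[203.0.113.10]
Feb 25 21:14:15 efa4 postfix/smtpd[100]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:16 efa4 postfix/smtpd[100]: disconnect from unknown[203.0.113.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 21:14:19 efa4 postfix/smtpd[101]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:14:19 efa4 postfix/smtpd[102]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Feb 25 21:14:23 efa4 postfix/smtpd[103]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Feb 25 21:40:00 efa4 postfix/smtpd[104]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Feb 25 21:40:05 efa4 postfix/smtpd[105]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

The second address is not flagged with a 600-second window because its failures are spread over 25 minutes; a slow guesser like that is only caught by a longer findtime.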
Re: Fail2Ban config in EFA v4
Posted: 19 Aug 2022 06:29
by pdwalker
Here's a good and current working configuration for EFA v4 postfix-sasl by ajmind
viewtopic.php?p=19136#p19136
Helpful!