
Setting up Fail2ban against brute force attempts

E.g. for a Postfix container writing its logs into /data/postfixprod/,

apt install fail2ban

cd /etc/fail2ban/filter.d/
ls -lhF postfix*
vi postfix-auth.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =

cd /etc/fail2ban/jail.d/
cat defaults-debian.conf
vi postfixprod.conf

[postfix-auth]
enabled  = true
port     = smtp,ssmtp
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /data/postfixprod/mail.log

tail -F /var/log/syslog &
service fail2ban restart


Optionally, change the defaults to strengthen the jail further and to avoid reverse-DNS delays,

cd /etc/fail2ban/
cp -pi jail.conf jail.conf.dist
vi jail.conf

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =

#24 hours ban (default 10 minutes)
bantime  = 86400

# search window 10 minutes (default)
findtime  = 600

# failed attempts (default 3)
maxretry = 5

backend = auto
usedns = no
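Before restarting the service it is worth checking that the filter and the jail settings actually do what you expect on real log lines. The following script is an added example, not part of this note or of fail2ban itself: it replays constructed mail.log lines through the same failregex as the postfix-auth.conf filter above and through the bantime/findtime/maxretry/ignoreip defaults from jail.conf, and reports which hosts would be banned. The %(__prefix_line)s and <HOST> macros are approximated by hand (a plain syslog prefix and a bare IP literal), which is an assumption of this example rather than fail2ban's exact expansion.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings taken from the jail.conf defaults above.
BANTIME = timedelta(seconds=86400)
FINDTIME = timedelta(seconds=600)
MAXRETRY = 5
# strict=False because "127.0.0.1/8" has host bits set, as in the jail.conf line.
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]

# The filter's failregex. Assumption: %(__prefix_line)s is approximated by a
# syslog prefix plus "postfix/smtpd[pid]: ", and <HOST> by a bare IP literal.
PREFIX_LINE = r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"lost connection after .*\[(?P<host>[0-9a-fA-F.:]+)\]$"
)

# Constructed sample of /data/postfixprod/mail.log (documentation addresses, not real traffic):
# 203.0.113.7 fails 5 times inside 3 minutes, 198.51.100.9 fails 5 times spread
# over 2 hours, 127.0.0.1 fails 5 times but is covered by ignoreip.
SAMPLE_LOG = [
    "Mar 12 10:00:01 mx postfix/smtpd[2211]: connect from unknown[203.0.113.7]",
    "Mar 12 10:00:05 mx postfix/smtpd[2211]: lost connection after AUTH from unknown[203.0.113.7]",
    "Mar 12 10:00:40 mx postfix/smtpd[2211]: lost connection after AUTH from unknown[203.0.113.7]",
    "Mar 12 10:01:15 mx postfix/smtpd[2213]: lost connection after AUTH from unknown[203.0.113.7]",
    "Mar 12 10:01:50 mx postfix/smtpd[2213]: lost connection after AUTH from unknown[203.0.113.7]",
    "Mar 12 10:02:30 mx postfix/smtpd[2214]: lost connection after AUTH from unknown[203.0.113.7]",
    "Mar 12 10:05:00 mx postfix/smtpd[2215]: lost connection after AUTH from unknown[198.51.100.9]",
    "Mar 12 10:35:00 mx postfix/smtpd[2216]: lost connection after AUTH from unknown[198.51.100.9]",
    "Mar 12 11:05:00 mx postfix/smtpd[2217]: lost connection after AUTH from unknown[198.51.100.9]",
    "Mar 12 11:35:00 mx postfix/smtpd[2218]: lost connection after AUTH from unknown[198.51.100.9]",
    "Mar 12 12:05:00 mx postfix/smtpd[2219]: lost connection after AUTH from unknown[198.51.100.9]",
    "Mar 12 12:10:00 mx postfix/smtpd[2230]: lost connection after AUTH from localhost[127.0.0.1]",
    "Mar 12 12:10:05 mx postfix/smtpd[2230]: lost connection after AUTH from localhost[127.0.0.1]",
    "Mar 12 12:10:10 mx postfix/smtpd[2230]: lost connection after AUTH from localhost[127.0.0.1]",
    "Mar 12 12:10:15 mx postfix/smtpd[2230]: lost connection after AUTH from localhost[127.0.0.1]",
    "Mar 12 12:10:20 mx postfix/smtpd[2230]: lost connection after AUTH from localhost[127.0.0.1]",
]


def matches(line):
    """Return the host captured by failregex, or None when the line is not a failure."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def parse_timestamp(line, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(lines, year=2024):
    """Replay log lines through the jail logic: count failures per host inside the
    findtime window and ban once maxretry is reached. Returns host -> ban expiry."""
    attempts = defaultdict(list)
    bans = {}
    for line in lines:
        host = matches(line)
        if host is None or host in bans:
            continue
        if any(ipaddress.ip_address(host) in net for net in IGNOREIP):
            continue
        ts = parse_timestamp(line, year)
        # Keep only failures still inside the findtime window, then add this one.
        recent = [t for t in attempts[host] if ts - t <= FINDTIME]
        recent.append(ts)
        attempts[host] = recent
        if len(recent) >= MAXRETRY:
            bans[host] = ts + BANTIME
    return bans


if __name__ == "__main__":
    for host, until in scan(SAMPLE_LOG).items():
        print(f"ban {host} until {until.isoformat()}")
```

Only 203.0.113.7 ends up banned: 198.51.100.9 never accumulates 5 failures within the 600-second findtime, and 127.0.0.1 is skipped by ignoreip. On the real box the filter itself can be tested against the live log with fail2ban's own tool, fail2ban-regex /data/postfixprod/mail.log /etc/fail2ban/filter.d/postfix-auth.conf, which uses the exact macro expansions instead of the approximations above.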

You should now see the new iptables chains, which fail2ban maintains automatically (-n avoids the reverse DNS lookups that slow the listing down),

iptables -L -n
iptables -L f2b-SMTP-auth -n
watch iptables -L f2b-SMTP-auth -n
