[TUTORIAL] Install Fail2ban

[killmasta93]

Recently was looking though the logs and found alot of this

Dec 24 13:58:07 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:07 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:58941 to [192.168.3.141]:25
Dec 24 13:58:07 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:58941
Dec 24 13:58:07 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:07 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:08 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:08 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:09 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59015 to [192.168.3.141]:25
Dec 24 13:58:09 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59015
Dec 24 13:58:09 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:09 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:09 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:09 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:10 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59108 to [192.168.3.141]:25
Dec 24 13:58:10 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59108
Dec 24 13:58:10 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:10 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:11 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:11 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:11 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59182 to [192.168.3.141]:25
Dec 24 13:58:11 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59182
Dec 24 13:58:11 pmg postfix/smtpd[13854]: warning: hostname 28.240.82.110.broad.np.fj.dynamic.163data.com.cn does not resolve to address 110.82.240.28: Name or service not known
Dec 24 13:58:11 pmg postfix/smtpd[13854]: connect from unknown[110.82.240.28]
Dec 24 13:58:12 pmg postfix/smtpd[13854]: lost connection after AUTH from unknown[110.82.240.28]
Dec 24 13:58:12 pmg postfix/smtpd[13854]: disconnect from unknown[110.82.240.28] ehlo=1 auth=0/1 commands=1/2
Dec 24 13:58:12 pmg postfix/postscreen[13536]: CONNECT from [110.82.240.28]:59275 to [192.168.3.141]:25
Dec 24 13:58:12 pmg postfix/postscreen[13536]: PASS OLD [110.82.240.28]:59275

so if anyone else has the same issue what helped was fail2ban and these are the steps, feel free to add if i missed something

1) install fail2ban

apt-get install fail2ban

2) then copy the configs

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3) then create rule

nano /etc/fail2ban/filter.d/postfix-auth.conf

and add this

# Fail2ban postfix-auth filter
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =

4) then edit the config

 nano /etc/fail2ban/jail.local

5) add this line at the bottom (port the ports i have 2 email servers which use another ports which is why the 28 and 27)

[postfix-auth]
enabled  = true
port     = smtp,ssmtp,28,27
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /var/log/mail.info
maxretry = 2
bantime = 36000
findtime = 300

then restart fail2ban and to check run
iptables -L -n
and as you see it blocked that user was spamming

Chain f2b-SMTP-auth (1 references)
target     prot opt source               destination
REJECT     all  --  110.82.240.28        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

 

[killmasta93]

I was recently looking at the logs saw alots of pregreets and hangups so to block these do the following

cd /etc/fail2ban/filter.d/

then

wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/fail2ban/filter.d/postfix-pregreet.iredmail.conf

then were going to add this line below the postfix section

nano /etc/fail2ban/jail.local

[postfix-pregreet-iredmail]
enabled     = true
filter      = postfix-pregreet.iredmail
logpath     = /var/log/syslog
maxretry    = 1
action      = iptables-multiport[name=postfix, port="25", protocol=tcp]

and restart fail2ban

should see this

Chain f2b-postfix (1 references)
target     prot opt source               destination         
REJECT     all  --  192.99.7.175         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.49.227.49         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Hope this helps someone

 

[KatyComputer]

You said: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

If we don't follow this step are the directives in jail.conf ignored?

 

[killmasta93]

o wait normally its to copy the conf to local but for me it has worked this way so im guessing its a must or if some could correct me if im wrong.

 

[Tapio Lehtonen]

I have only experience on Debian, but there jail.conf is read first, jail.local last. Found this on man page:

In .local files specify only the settings you would like to change and the rest of the configuration will then come from the corresponding .conf file which is parsed first.

So the Debian way is to create jail.local, copy there only the jails I want to modify. Enable the jails (seems everything is disabled in jail.conf, sshd gets enabled in jail.d/defaults-debian.conf). Then upgrades etc. do not mess modifications, they are safely in jail.local and maintainer can write a new jail.conf.