
Linuxhelp _ Guides Forum _ Postfix Fail2Ban install

Posted by: Robert83 Mar 20 2009, 06:27 PM

Hello,

This is going to show you how to install Fail2Ban, which is a nice little piece of software (or let's admit it, it's really awesome) that can create iptables rules and remove them automatically based on your
log files. It can be used with postfix (as in this guide) or with vsftpd, ssh etc.; its config file /etc/fail2ban/jail.conf is quite detailed about this.

So back to the main thing: you've set up your mail server and it's working fine, only authenticated users are able to send mail, you are not an open relay, but still your maillog is full of NOQUEUE junk from
spam bots, the IPs are random, and you come to realize that your maillog is becoming more and more useless; it's hard to find useful stuff among all the junk. Well, you need to install Fail2Ban.

Let's begin:

You'll need to have DAG's repo on your CentOS 4.x or 5.x install (I haven't tried other distros, but except for the installation part, the config is the same). If you are using any other distro you can find the
package here for quite a lot of supported distros: http://www.fail2ban.org/wiki/index.php/Downloads

Add the following two repos to your yum repo list, /etc/yum.repos.d/CentOS-Base.repo.

CODE
[dag]
name=Dag RPM Repostory for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

[kbs-CentOS-Misc]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
gpgcheck=1
enabled=1
baseurl=http://centos.karan.org/el$releasever/misc/stable/$basearch/RPMS/


Then run the following command to install Fail2Ban:

CODE
yum install fail2ban


And now edit the config file /etc/fail2ban/jail.conf and add these lines to enable postfix filtering:

CODE
bantime  = 86400


[postfix]

  enabled = true
  filter  = postfix
  action  = iptables[name=SMTP, port=smtp, protocol=tcp]
            sendmail[name=Postfix, dest=myname@mydomain.com]
  logpath = /var/log/maillog
  maxretry= 3


Now start the daemon using the following commands:

CODE
chkconfig fail2ban on
/etc/init.d/fail2ban start


bantime - is the time the IP is banned for. I have 6 domains here, and my average NOQUEUE messages / min were 400; now it's 30 / min. I've set this to a large value because these IPs are all spam bots.
You need to find the time suited for you; I'd say go for 3600, that is 1 hour, that is not too much.
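To make it clearer what maxretry and bantime actually do once the jail is running, here is an added example (not part of this post and not fail2ban's own code) that replays constructed maillog lines through the same decision logic the jail applies: count NOQUEUE rejects per client IP inside a sliding window, and ban the IP once it hits maxretry. It assumes a simplified version of the postfix failregex (the real one lives in /etc/fail2ban/filter.d/postfix.conf), the jail values from this guide (maxretry = 3, bantime = 86400) and fail2ban's default findtime window of 600 seconds; the log lines and IPs are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's postfix failregex (an assumption, not the
# shipped filter): a NOQUEUE reject whose client IP sits in square brackets.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<host>[0-9a-fA-F.:]+)\]"
)

# Jail settings from the guide; findtime is fail2ban's default window in seconds.
MAXRETRY = 3
FINDTIME = 600
BANTIME = 86400

# Constructed maillog excerpt (three spam bots, one of them slow).
SAMPLE_MAILLOG = [
    "Mar 20 18:00:01 mail postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.net>: Relay access denied; from=<x@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:00:05 mail postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <user@example.net>: Relay access denied; from=<y@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:00:09 mail postfix/smtpd[2002]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.net>: Relay access denied; from=<x@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:00:12 mail postfix/smtpd[2003]: connect from unknown[198.51.100.7]",
    "Mar 20 18:00:20 mail postfix/smtpd[2003]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.net>: Relay access denied; from=<z@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:00:31 mail postfix/smtpd[2004]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.net>: Relay access denied; from=<x@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:08:40 mail postfix/smtpd[2010]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <user@example.net>: Relay access denied; from=<y@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:09:00 mail postfix/smtpd[2011]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.net>: Relay access denied; from=<z@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
    "Mar 20 18:16:50 mail postfix/smtpd[2020]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <user@example.net>: Relay access denied; from=<y@example.org> to=<user@example.net> proto=ESMTP helo=<bot>",
]


def parse_line(line, year=2009):
    """Return (timestamp, client_ip) for a line matching the failregex, else None."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so one is assumed for the sample
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through the jail logic.

    Returns {client_ip: (ban_time, unban_time)} for every IP that produced
    maxretry matching lines within a sliding findtime window. A banned IP's
    later lines are ignored, as iptables would be dropping its connections.
    """
    recent = defaultdict(deque)  # client_ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans:
            continue
        window = recent[host]
        window.append(ts)
        # forget failures older than findtime relative to this one
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for host, (banned, unbanned) in simulate_jail(SAMPLE_MAILLOG).items():
        print(f"ban {host} at {banned} until {unbanned}")
```

Running it bans only 192.0.2.10, which hit three rejects inside a minute; 198.51.100.7 stops at two, and 203.0.113.5 is spared because its three rejects are spread over more than findtime. Raising findtime (say to 3600) catches that slow bot as well, which is the other knob worth tuning alongside bantime.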

To see it in action check
/var/log/fail2ban.log

There you will see info about blocked IP addresses. Also, by running
CODE
iptables -L

you will see fail2ban adding new rules to iptables.

By all means, this is a highly recommended addition to your defenses even if you are not using postfix.

Sincerely
Robert Becskei
