> Postfix Fail2Ban install, Stop those pesky spy bots from filling up log file
Robert83
post Mar 20 2009, 06:27 PM
Post #1
Hello,

This is going to show you how to install Fail2Ban, which is a nice little piece of software (or let's admit it, it's really awesome) that can create iptables rules and remove them automatically based on your
log files. It can be used with Postfix (as in this guide) or with vsftpd, SSH, etc.; its config file /etc/fail2ban/jail.conf is quite detailed about this.

So back to the main thing: you've set up your mail server and it's working fine, only authenticated users are able to send mail and you are not an open relay, but your maillog is still full of NOQUEUE junk from
spam bots. The IPs are random, and you come to realize that your maillog is becoming more and more useless; it's hard to find useful stuff among all the junk. Well, you need to install Fail2Ban.

Let's begin:

You'll need to have DAG's repo on your CentOS 4.x or 5.x install (I haven't tried other distros, but except for the installation part, the config is the same). If you are using any other distro you can find the
package here for quite a lot of supported distros: http://www.fail2ban.org/wiki/index.php/Downloads

Add the following two repos to your yum repo list, /etc/yum.repos.d/CentOS-Base.repo.

CODE
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

[kbs-CentOS-Misc]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
gpgcheck=1
enabled=1
baseurl=http://centos.karan.org/el$releasever/misc/stable/$basearch/RPMS/


Then run the following command to install Fail2Ban:

CODE
yum install fail2ban


And now edit the config file /etc/fail2ban/jail.conf; add these lines to enable Postfix filtering:

CODE
# bantime lives in the [DEFAULT] section: replace the existing value there
bantime  = 86400


[postfix]

# option names must start in column 1; a line that starts with whitespace
# is read as a continuation of the previous option (as the second action line is)
enabled = true
filter  = postfix
action  = iptables[name=SMTP, port=smtp, protocol=tcp]
          sendmail[name=Postfix, dest=myname@mydomain.com]
logpath = /var/log/maillog
maxretry = 3


Now start the daemon using the following commands:

CODE
chkconfig fail2ban on
/etc/init.d/fail2ban start


bantime is the time the IP is banned for. I have 6 domains here, and my average NOQUEUE messages/min were 400; now it's 30/min. I've set this to a large value because these IPs are all spam bots.
You need to find the time suited for you; I'd say go for 3600, that is 1 hour, that is not too much.

To see it in action, check
/var/log/fail2ban.log

There you will see info about blocked IP addresses; also, by running
CODE
iptables -L

you will see fail2ban adding new rules to iptables.

By all means, this is a highly recommended addition to your defenses even if you are not using Postfix.

Sincerely
Robert Becskei


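The jail above bans an address once it has produced maxretry NOQUEUE rejects inside fail2ban's findtime window. As an added example (not part of Robert83's post or of fail2ban itself), this Python script replays a constructed maillog excerpt with the same counting rule, using a simplified version of the postfix filter's regex; it assumes standard syslog-style maillog lines and, since syslog timestamps carry no year, the year 2009.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern in the spirit of fail2ban's postfix filter: a NOQUEUE reject from
# postfix/smtpd naming the client IP in square brackets (assumed log layout).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Constructed sample maillog: one bot hammering the server, one legitimate
# but misconfigured peer whose rejects are spread over half an hour.
MAILLOG = """\
Mar 20 18:01:02 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.com>: Relay access denied; from=<a@b.invalid> to=<x@example.com> proto=SMTP helo=<bot>
Mar 20 18:01:05 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <y@example.com>: Relay access denied; from=<a@b.invalid> to=<y@example.com> proto=SMTP helo=<bot>
Mar 20 18:01:09 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <z@example.com>: Relay access denied; from=<a@b.invalid> to=<z@example.com> proto=SMTP helo=<bot>
Mar 20 18:02:00 mx postfix/smtpd[4244]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 450 4.1.8 <j@typo.invalid>: Sender address rejected: Domain not found
Mar 20 18:03:00 mx postfix/smtpd[4245]: connect from mail.example.net[198.51.100.9]
Mar 20 18:30:00 mx postfix/smtpd[4246]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 450 4.1.8 <j@typo.invalid>: Sender address rejected: Domain not found
Mar 20 18:31:00 mx postfix/smtpd[4247]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 450 4.1.8 <j@typo.invalid>: Sender address rejected: Domain not found
""".splitlines()

def parse_ts(ts, year=2009):
    # syslog timestamps have no year; 2009 is an assumption for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, maxretry=3, findtime=600, bantime=86400):
    """Replay maillog lines with fail2ban's counting rule: an IP is banned once
    it has maxretry matching rejects inside a sliding findtime window (seconds).
    Returns {ip: ban expiry datetime}; bantime=86400 mirrors the jail above."""
    hits = defaultdict(list)
    bans = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # connects, deliveries etc. are not failures
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue  # already banned; iptables is dropping it anyway
        # drop hits that have aged out of the window, then count this one
        hits[ip] = [t for t in hits[ip] if (now - t).total_seconds() <= findtime]
        hits[ip].append(now)
        if len(hits[ip]) >= maxretry:
            bans[ip] = now + timedelta(seconds=bantime)
    return bans

if __name__ == "__main__":
    for ip, until in find_offenders(MAILLOG).items():
        print(f"ban {ip} until {until}")  # 203.0.113.7 until 2009-03-21 18:01:09
```

The peer at 198.51.100.9 never reaches three rejects inside the default 600 s window, so only the bot is banned; widening findtime to 3600 would catch it too, which is the trade-off behind the author's bantime advice.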