Beef up mail-in-a-box Fail2Ban jails and filters

In the past few posts of my blog/journal I detailed blocklist, nginx, and such. However, I now have 12 jails on my MiaB server:

Munin, roundcube, owncloud, postfix, ssh-ddos, miab-management, sasl, ssh, dovecot, nginx-badbots, nginx-http-auth, and recidive.

Some of these jails had to be added manually to jail.local. I like to send my reports to two of my email addresses (work and personal) plus blocklist.de, so the sendmail-whois-lines action is not required and may be removed if you want to do so.

[miab-munin]
enabled = true
port = http,https
filter = miab-munin
action = sendmail-whois-lines[name=miab-munin, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/nginx/access.log
maxretry = 20
findtime = 30

[miab-owncloud]
enabled = true
port = http,https
filter = miab-owncloud
action = sendmail-whois-lines[name=miab-owncloud, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /home/user-data/owncloud/owncloud.log
maxretry = 20
findtime = 30

[miab-postfix587]
enabled = true
port = 587
filter = miab-postfix-submission
action = sendmail-whois-lines[name=miab-postfix-submission, dest="[email protected],[email protected],[email protected]", [email protected]TLD, sendername="Fail2Ban"]
logpath = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-roundcube]
enabled = true
port = http,https
filter = miab-roundcube
action = sendmail-whois-lines[name=miab-roundcube, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/roundcubemail/errors
maxretry = 20
findtime = 30

In your filter.d folder, create the following files with the content below.

miab-munin.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex = <HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*
ignoreregex =

miab-owncloud.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex = Login failed: .*Remote IP: '<HOST>[\)']
ignoreregex =

miab-postfix-submission.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex = postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
ignoreregex =

miab-roundcube.conf:

[INCLUDES]

before = common.conf

[Definition]

failregex = IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*

ignoreregex =
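
The four failregex lines can be checked against sample log lines before Fail2Ban is reloaded. The Python sketch below is an added example, not part of the original post: it swaps in a simplified IPv4-only group for Fail2Ban's <HOST> tag (an assumption; the real tag also covers IPv6 and hostnames), every log line is constructed for illustration, and it also shows that a pattern carrying typographic quotes compiles but never matches.

```python
import re

# Assumption: simplified IPv4-only stand-in for Fail2Ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex values from the four filters, typed with ASCII quotes and hyphen.
FILTERS = {
    "miab-munin": r'<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*',
    "miab-owncloud": r"Login failed: .*Remote IP: '<HOST>[\)']",
    "miab-postfix-submission":
        r"postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)",
    "miab-roundcube": r"IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*",
}

# Constructed log lines (documentation address ranges): one failure, one benign.
SAMPLES = {
    "miab-munin": [
        '203.0.113.7 - - [12/Mar/2017:10:15:32 +0000] "GET /admin/munin/ HTTP/1.1" 401 188',
        '203.0.113.8 - admin [12/Mar/2017:10:15:40 +0000] "GET /admin/munin/ HTTP/1.1" 200 512',
    ],
    "miab-owncloud": [
        """{"message":"Login failed: 'admin' (Remote IP: '198.51.100.23')","level":2}""",
        """{"message":"Cron job finished","level":1}""",
    ],
    "miab-postfix-submission": [
        "Mar 12 10:16:01 box postfix/submission/smtpd[2345]: warning: "
        "unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
        "Mar 12 10:16:05 box postfix/submission/smtpd[2345]: connect from unknown[192.0.2.45]",
    ],
    "miab-roundcube": [
        "[12-Mar-2017 10:17:45 +0000]: IMAP Error: Login failed for alice@example.com "
        "from 198.51.100.99. AUTHENTICATE PLAIN: Authentication failed.",
        "[12-Mar-2017 10:18:02 +0000]: DB Error: connection timed out",
    ],
}

# The owncloud pattern with typographic quotes pasted in: compiles, never matches.
MANGLED = "Login failed: .*Remote IP: \u2018<HOST>[\\)\u2019]"

def matched_hosts(failregex, lines):
    """Expand <HOST>, search each line, return the captured addresses."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(rx.search, lines) if m]

if __name__ == "__main__":
    for name, failregex in FILTERS.items():
        print(f"{name}: {matched_hosts(failregex, SAMPLES[name])}")
    print("mangled owncloud:", matched_hosts(MANGLED, SAMPLES["miab-owncloud"]))
```

On the server itself, fail2ban-regex run with a log file and a filter file (for example /var/log/nginx/access.log and /etc/fail2ban/filter.d/miab-munin.conf) tests the real filter against the real log.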

Ideas pulled from GitHub with my additional touches for nginx prior

Author: Alon Ganon

CTO of Being Libertarian LLC. IT Consultant at AccuNet. Dental IT and Linux Specialist. Free, Libre, and Open Source Software advocate. Crypto-Anarchist. My philosophy is, "You are not dead, until you stop learning."
