Beef up mail-in-a-box Fail2Ban jails and filters

In the past few posts of my blog/journal I detailed blocklist, nginx, and such. However, I now have 12 jails on my MiaB server:

Munin, roundcube, owncloud, postfix, ssh-ddos, miab-management, sasl, ssh, dovecot, nginx-badbots, nginx-http-auth, and recidive.

Some of these jails had to be added manually to jail.local. I like to send my reports to two of my email addresses (work and personal) plus blocklist.de, so the sendmail-whois-lines action is not required and may be removed if you prefer.

[miab-munin]
enabled = true
port = http,https
filter = miab-munin
action = sendmail-whois-lines[name=miab-munin, dest="[email protected],[email protected],[email protected]", sender=[email protected], sendername="Fail2Ban"]
logpath = /var/log/nginx/access.log
maxretry = 20
findtime = 30

[miab-owncloud]
enabled = true
port = http,https
filter = miab-owncloud
action = sendmail-whois-lines[name=miab-owncloud, dest="[email protected],[email protected],[email protected]", sender=[email protected], sendername="Fail2Ban"]
logpath = /home/user-data/owncloud/owncloud.log
maxretry = 20
findtime = 30

[miab-postfix587]
enabled = true
port = 587
filter = miab-postfix-submission
action = sendmail-whois-lines[name=miab-postfix-submission, dest="[email protected],[email protected],[email protected]", sender=[email protected], sendername="Fail2Ban"]
logpath = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-roundcube]
enabled = true
port = http,https
filter = miab-roundcube
action = sendmail-whois-lines[name=miab-roundcube, dest="[email protected],[email protected],[email protected]", sender=[email protected], sendername="Fail2Ban"]
logpath = /var/log/roundcubemail/errors
maxretry = 20
findtime = 30

In your filter.d folder, create the following files with the content below.

miab-munin.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*
ignoreregex =

miab-owncloud.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=Login failed: .*Remote IP: '<HOST>[\)']
ignoreregex =

miab-postfix-submission.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
ignoreregex =

miab-roundcube.conf:

[INCLUDES]

before = common.conf

[Definition]

failregex = IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*

ignoreregex =

Ideas pulled from GitHub, with the additional touches I made for nginx previously.
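A quick offline check of the four failregex patterns, added here as an example and not part of the original post or of Mail-in-a-Box. It runs each pattern against one constructed log line and shows that a copy with a typographic quote and dash matches nothing. The `HOST` pattern is a simplified IPv4-only stand-in for Fail2Ban's `<HOST>` tag, and the log lines and helper names are assumptions.

```python
import re

# Simplified stand-in for Fail2Ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex values of the four filters, written with plain ASCII quotes.
FILTERS = {
    "miab-munin": r'<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*',
    "miab-owncloud": r"Login failed: .*Remote IP: '<HOST>[\)']",
    "miab-postfix-submission": r"postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)",
    "miab-roundcube": r"IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*",
}

# Constructed log lines (documentation-range addresses), one failure each.
SAMPLES = {
    "miab-munin": '203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /admin/munin/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    "miab-owncloud": '{"app":"core","message":"Login failed: \'admin\' (Remote IP: \'198.51.100.23\')","level":2}',
    "miab-postfix-submission": "Oct 10 13:55:36 box postfix/submission/smtpd[1234]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "miab-roundcube": "[10-Oct-2016 13:55:36 +0000]: <s3ss10n> IMAP Error: Login failed for alice@example.com from 203.0.113.99. AUTHENTICATE PLAIN: Authentication failed.",
}

# Constructed successful request: must not count as a failure.
MUNIN_OK = '203.0.113.7 - admin [10/Oct/2016:13:56:02 +0000] "GET /admin/munin/ HTTP/1.1" 200 5120 "-" "curl/7.47"'


def offender(failregex, line):
    """Return the address a failregex would count for this line, or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def typographic(failregex):
    """The same regex after a blog engine swaps in a curly quote and en dash."""
    return failregex.replace('"', "\u201d").replace(" - ", " \u2013 ")


def check_all():
    """Map each filter name to the address extracted from its sample line."""
    return {name: offender(FILTERS[name], SAMPLES[name]) for name in FILTERS}


if __name__ == "__main__":
    for name, ip in check_all().items():
        print(f"{name:24} -> {ip}")
    mangled = typographic(FILTERS["miab-munin"])
    print("typographic munin regex ->", offender(mangled, SAMPLES["miab-munin"]))
```

On the server itself, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/miab-munin.conf` runs the real filter, with Fail2Ban's own `<HOST>` and date handling, against the live log.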

Author: Alon Ganon
