I've noticed that fail2ban does not ban every host/IP that it should after a while.
First I checked whether my regexps were correct:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched
Fortunately I saw a lot of hits, but most of them were not banned.
It appears that fail2ban is having issues monitoring log files.
A quick fix is to change the file monitoring backend from auto to polling.
Python inotify (pyinotify) or gamin may not work properly; you can read more about it here: https://github.com/fail2ban/fail2ban/issues/44
Edit your jail.local file and add the following at the top:
[DEFAULT]
backend = polling
Restart fail2ban and check its log file to see whether it now bans every IP it should.
Monday, June 13, 2016
Saturday, June 11, 2016
Using fail2ban to protect the postfix/smtpd service
Recently I have found a lot of "lost connection after" entries in the /var/log/maillog file:
lost connection after AUTH from unknown[IP.address]
lost connection after CONNECT
lost connection after RCPT
lost connection after STARTTLS
lost connection after UNKNOWN
It's possibly some kind of botnet trying to deliver spam using my mail server.
It won't work, but it's still nice to get rid of such clients at the firewall level.
First you need to create a filter rule for fail2ban: create /etc/fail2ban/filter.d/postfix-auth.conf with the following config:
# Fail2ban postfix-auth filter
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =
Next edit /etc/fail2ban/jail.conf (or better, jail.local, which package upgrades do not overwrite) and add the postfix-auth jail at the end of the file:
[postfix-auth]
enabled = true
port = smtp,ssmtp
filter = postfix-auth
action = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
bantime = 36000
findtime = 300
Finally, restart the fail2ban service and check /var/log/messages or iptables to see whether your new rule works:
service fail2ban restart
grep Ban /var/log/messages
iptables -nvL
The /var/log/maillog logpath is for CentOS/Red Hat.
On other distros make sure to point logpath at the proper mail log file (for example /var/log/mail.log on Debian/Ubuntu).
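To see what the filter and jail above actually do before deploying them, here is an added Python example (not code from the original post or from fail2ban itself) that applies the same failregex to a few constructed maillog lines and then applies the jail's maxretry/findtime rule to decide which hosts would be banned. It assumes the classic fail2ban expansion of the <HOST> placeholder and uses a simplified syslog prefix in place of %(__prefix_line)s from common.conf; the log lines and IP addresses are constructed, not real traffic.

```python
"""Emulate the postfix-auth filter and jail on constructed log lines.

Assumptions (not from the original post): the classic fail2ban <HOST>
expansion below, and a simplified syslog prefix standing in for
%(__prefix_line)s from common.conf.
"""
import re
from collections import defaultdict
from datetime import datetime

# Classic fail2ban expansion of the <HOST> placeholder (assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s: "Mon DD HH:MM:SS host postfix/smtpd[pid]: "
PREFIX_RE = r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "

# Same pattern as the filter's failregex, with the placeholders expanded.
FAILREGEX = re.compile("^" + PREFIX_RE + r"lost connection after .*\[" + HOST_RE + r"\]$")

# Constructed sample of /var/log/maillog (documentation addresses, not real clients).
SAMPLE_LOG = """\
Jun 11 10:00:01 mx postfix/smtpd[1234]: lost connection after AUTH from unknown[198.51.100.7]
Jun 11 10:00:05 mx postfix/smtpd[1234]: lost connection after CONNECT from unknown[198.51.100.7]
Jun 11 10:01:00 mx postfix/smtpd[1235]: lost connection after RCPT from unknown[203.0.113.9]
Jun 11 10:02:00 mx postfix/smtpd[1236]: connect from mail.example.org[192.0.2.10]
Jun 11 10:20:00 mx postfix/smtpd[1237]: lost connection after STARTTLS from unknown[203.0.113.9]
"""


def matches(log_text):
    """Return (timestamp, host) for every line the failregex matches,
    which is what `fail2ban-regex ... --print-all-matched` reports."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=2, findtime=300):
    """Jail semantics: a host is banned once it has at least `maxretry`
    matches inside any window of `findtime` seconds."""
    by_host = defaultdict(list)
    for ts, host in hits:
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            window = [t for t in times[i:] if (t - start).total_seconds() <= findtime]
            if len(window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    hits = matches(SAMPLE_LOG)
    for ts, host in hits:
        print(f"matched {ts.strftime('%b %d %H:%M:%S')} host={host}")
    print("would ban:", sorted(hosts_to_ban(hits)))
```

With the jail values from the post (maxretry = 2, findtime = 300) only 198.51.100.7 is banned: 203.0.113.9 also matches twice, but 19 minutes apart, which is outside the 300-second window. That is the usual reason a host shows up in fail2ban-regex output yet never gets banned, and it is worth ruling out before blaming the monitoring backend.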
Wednesday, June 8, 2016
How to disable new version notification popup in Sublime Text 3?
If you don't want to see "Update Available" / "A new version of Sublime Text is available" / "An update has been found" and similar annoying notifications, try this:
There is an option you can use if you have bought a license: put "update_check": false in the Settings - User config file.
This doesn't work for unlicensed copies.
You can still check which host Sublime Text 3 connects to for the update check and block that host on the firewall.
In my case blocking 209.20.75.76 worked.
How to block a host in firewalld (Fedora 23)?
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 209.20.75.76 -j DROP
Check /etc/firewalld/direct.xml to see which custom (direct) rules have been configured.
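The direct rule above is persisted by firewalld in /etc/firewalld/direct.xml. As an added example (not from the original post or from firewalld), here is a small Python parser for that file that lists the stored rules, reports which destinations are dropped on OUTPUT, and rebuilds the equivalent firewall-cmd invocation so you can verify the rule landed as intended. The XML sample is constructed to match the layout firewalld writes (a <direct> root with one <rule> element per rule carrying ipv, table, chain and priority attributes and the iptables arguments as text); the second address in it is a documentation address added for illustration.

```python
"""Parse firewalld's direct.xml and reconstruct the firewall-cmd commands.

The sample below is constructed, shaped like the file firewalld writes after
`firewall-cmd --permanent --direct --add-rule ...`; read the real file with
open("/etc/firewalld/direct.xml").read() on a host.
"""
import xml.etree.ElementTree as ET

SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-d 209.20.75.76 -j DROP</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-s 203.0.113.5 -j DROP</rule>
</direct>
"""


def parse_direct_rules(xml_text):
    """Return one dict per <rule> element: ipv, table, chain, priority, args."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for elem in root.iter("rule"):
        rules.append({
            "ipv": elem.get("ipv"),
            "table": elem.get("table"),
            "chain": elem.get("chain"),
            "priority": int(elem.get("priority", "0")),
            "args": (elem.text or "").strip(),
        })
    return rules


def _flag_value(tokens, flag):
    """Value following an iptables flag such as -d or -j, or None if absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def blocked_destinations(rules):
    """Destinations dropped on the OUTPUT chain, i.e. outbound blocks like the
    update-check block in the post."""
    out = []
    for r in rules:
        tokens = r["args"].split()
        if r["chain"] == "OUTPUT" and _flag_value(tokens, "-j") == "DROP":
            dest = _flag_value(tokens, "-d")
            if dest:
                out.append(dest)
    return out


def rule_to_command(rule):
    """Rebuild the firewall-cmd invocation that creates this permanent rule."""
    return (
        f"firewall-cmd --permanent --direct --add-rule "
        f"{rule['ipv']} {rule['table']} {rule['chain']} {rule['priority']} {rule['args']}"
    )


if __name__ == "__main__":
    rules = parse_direct_rules(SAMPLE_DIRECT_XML)
    for r in rules:
        print(rule_to_command(r))
    print("outbound drops:", blocked_destinations(rules))
```

Pointing parse_direct_rules at the real file and comparing the rebuilt commands against what you expect is a quick way to confirm that a --permanent rule was written (and to spot stale direct rules left behind from earlier experiments).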