Monday, June 13, 2016

fail2ban not working on EL6/Centos 6

I've noticed that fail2ban do not ban every host/IP which it should after a while.

First I checked if my regexps are correct:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched

Fortunately I've seen a lot of hits but most of them were not banned.
It appears that fail2ban is having issues monitoring log files.
Quick fix is to change the file monitoring backend from auto to polling.
Python inotify(pyinotify) or gamin may not work properly - you can read more about it here: https://github.com/fail2ban/fail2ban/issues/44

Edit your jail.local file, at the top add the following:
[DEFAULT]
backend = polling

Restart fail2ban and check its log file to see if it bans every IP it should.

Saturday, June 11, 2016

using fail2ban to protect postfix/smtpd service

Recently I have found a lot of "lost connection after" entries in /var/log/maillog file:
lost connection after AUTH from unknown[IP.address]
lost connection after CONNECT 
lost connection after RCPT
lost connection after STARTTLS  
lost connection after UNKNOWN

It's possibly some kind of botnet trying to deliver spam using my mail server.
It won't work but it's still nice to get rid of such clients on the firewall level.

First you need to create a rule for fail2ban - create /etc/fail2ban/filter.d/postfix-auth.conf and put the following config:
# Fail2ban postfix-auth filter
[INCLUDES]
before = common.conf


[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =


Next edit /etc/fail2ban/jail.conf and add postfix-auth service at the end of file:
[postfix-auth]
enabled  = true
port     = smtp,ssmtp
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 2
bantime = 36000
findtime = 300


Finally restart fail2ban service and check /var/log/messages or iptables to see if your new rule works fine:
service fail2ban restart
grep Ban /var/log/messages
iptables -nvL

/var/log/maillog logpath is for Centos/Redhat.
For other distros make sure to point out proper mail.log file.

Wednesday, June 8, 2016

How to disable new version notification popup in Sublime Text 3?

If you don't want to see "Update Available" / "A new version of Sublime Text is available" / "An update has been found" and similar annoying notifications try this:

There is an option you could use if you have bought the license - put "update_check": false in Settings - User config file.

This doesn't work for unlicensed copies.
You can still check where Sublime Text 3 is connecting to check the update and block that host on firewall.
In my case blocking 209.20.75.76 worked.

How to block a host in firewalld (Fedora 23)?

 
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 209.20.75.76 -j DROP 

Check /etc/firewalld/direct.xml to see what custom rules have been configured.