Article tag: "Fail2ban"
Fail2ban and qpopper
Most people use fail2ban to block SSH scans, but it can do a lot more for you. Due to its modular nature, you can scan almost any logfile for things you don't like and block them.
If you look in /etc/fail2ban/filter.d/ you can see a lot of predefined filters for several mail or FTP servers. Mostly it takes only one regular expression to block scans. Here, for instance, for qpopper POP3 servers:
/etc/fail2ban/filter.d/qpopper.conf
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = \(<HOST>\):\ -ERR\ \[AUTH\]
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/etc/fail2ban/jail.conf
[qpopper]
enabled = true
port = pop3
filter = qpopper
logpath = /var/log/mail.log
This works for Debian Etch. For OpenSuSE look here.
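To check the filter above against log lines before enabling the jail, this added example (not from the original post or from fail2ban's own code) applies the same failregex to qpopper-style lines and counts failures per host. The simplified <HOST> expansion, the constructed sample lines and the maxretry value of 3 are assumptions.

```python
import re
from collections import Counter

# failregex exactly as in qpopper.conf above
FAILREGEX = r"\(<HOST>\):\ -ERR\ \[AUTH\]"

# Assumption: simplified stand-in for fail2ban's <HOST> expansion,
# a group named "host" that matches an IP address or hostname.
HOST_PATTERN = r"(?P<host>[\w\-.:]+)"

# Constructed sample lines in the style of qpopper entries in mail.log
SAMPLE_LOG = """\
Jun  7 10:12:01 mail qpopper[2101]: alice at c.example.org (192.0.2.10): -ERR [AUTH] Password supplied for "alice" is incorrect.
Jun  7 10:12:04 mail qpopper[2102]: alice at c.example.org (192.0.2.10): -ERR [AUTH] Password supplied for "alice" is incorrect.
Jun  7 10:12:09 mail qpopper[2103]: carol at d.example.net (198.51.100.7): -ERR [AUTH] Password supplied for "carol" is incorrect.
Jun  7 10:12:11 mail qpopper[2104]: alice at c.example.org (192.0.2.10): -ERR [AUTH] Password supplied for "alice" is incorrect.
Jun  7 10:13:00 mail qpopper[2105]: Stats: bob 0 0 0 0 e.example.net 203.0.113.5
Jun  7 10:13:20 mail qpopper[2106]: (null) at e.example.net (203.0.113.5): -ERR Unknown command: "helo".
"""

def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def failures_per_host(lines, failregex=FAILREGEX):
    """Count lines matching the failregex, keyed by the captured host."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = rx.search(line)  # unanchored search anywhere in the line
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry failures (the findtime window is ignored here)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, n in failures_per_host(lines).items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(lines))
```

Only the `-ERR [AUTH]` lines count; the Stats line and the non-AUTH error are ignored, so a client that merely sends an unknown command is not banned by this filter.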
Links for 2007-06-07
- Attacking Log analysis tools – How to really annoy people who use SSH brute-force blockers like Fail2ban & Co., and what can be done about it – via Nion
- Just quickly moving two computers… – A Sun e10k for the home
- It’s Still the Latency, Stupid…pt.2 – What can be done about latency problems