Fail2ban and qpopper

Joern — Fri, 21 Mar 2008 10:17:02 +0000

Most are using fail2ban to block ssh scans, but it can do a lot more for you. Due to it’s modular nature you can scan in almost every logfile for things you don’t like and block it.

If you look in /etc/fail2ban/filter.d/ you can see a lot of predefined filters for several mail or ftp servers. Mostly it tooks only one regular expression to block scans. Here for instance on qpopper pop3-servers:

/etc/fail2ban/filter.d/qpopper.conf

# Fail2Ban configuration file [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching. # Values: TEXT # failregex = \(\):\ -ERR\ \[AUTH\] # # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =

/etc/fail2ban/jail.conf

[qpopper] enabled = true port = pop3 filter = qpopper logpath = /var/log/mail.log

This works for Debian Etch. For OpenSuSE look here.

Links for 2007-06-07

Joern — Thu, 07 Jun 2007 19:59:30 +0000

Attacking Log analysis tools – Wie man Leute mit SSH-Bruteforce Blockern wie Fail2ban & Co richtig ärgern und was man dagegen tun kann – via Nion
mal eben zwei Computer transportieren… – Eine Sun e10k für Zuhause
It’s Still the Latency, Stupid…pt.2 – Was man gegen Latenz-Probleme tun kann

EDV - Ende der Vernunft » Fail2ban

Fail2ban and qpopper

Links for 2007-06-07