mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-26 02:57:04 +00:00
enable fail2ban for ssh and dovecot
Merge branch 'master' of https://github.com/h8h/mailinabox see #353, #319
This commit is contained in:
commit
2412c92772
@ -4,6 +4,10 @@ CHANGELOG
|
|||||||
In Development...
|
In Development...
|
||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
|
System:
|
||||||
|
|
||||||
|
* Brute-force SSH and IMAP login attempts are now prevented by properly configuring fail2ban.
|
||||||
|
|
||||||
Control panel:
|
Control panel:
|
||||||
|
|
||||||
* The new check that system services are running mistakenly checked that the Dovecot Managesieve service is publicly accessible. Although the service binds to the public network interface we don't open the port in ufw. On some machines it seems that ufw blocks the connection from the status checks (which seems correct) and on some machines (mine) it doesn't, which is why I didn't notice the problem.
|
* The new check that system services are running mistakenly checked that the Dovecot Managesieve service is publicly accessible. Although the service binds to the public network interface we don't open the port in ufw. On some machines it seems that ufw blocks the connection from the status checks (which seems correct) and on some machines (mine) it doesn't, which is why I didn't notice the problem.
|
||||||
|
22
conf/fail2ban/dovecotimap.conf
Normal file
22
conf/fail2ban/dovecotimap.conf
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
# Fail2Ban filter Dovecot authentication and pop3/imap server
|
||||||
|
# For Mail-in-a-Box
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (auth|dovecot(-auth)?|auth-worker)
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# * the first regex is essentially a copy of pam-generic.conf
|
||||||
|
# * Probably doesn't do dovecot sql/ldap backends properly
|
||||||
|
#
|
||||||
|
# Author: Martin Waschbuesch
|
||||||
|
# Daniel Black (rewrote with begin and end anchors)
|
||||||
|
# Mail-in-a-Box (swapped session=...)
|
34
conf/fail2ban/jail.local
Normal file
34
conf/fail2ban/jail.local
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
# Fail2Ban configuration file.
|
||||||
|
# For Mail-in-a-Box
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
# bantime in seconds
|
||||||
|
bantime = 60
|
||||||
|
|
||||||
|
# This should ban dumb brute-force attacks, not oblivious users.
|
||||||
|
findtime = 30
|
||||||
|
maxretry = 20
|
||||||
|
|
||||||
|
#
|
||||||
|
# JAILS
|
||||||
|
#
|
||||||
|
|
||||||
|
[ssh]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
logpath = /var/log/auth.log
|
||||||
|
maxretry = 20
|
||||||
|
|
||||||
|
[ssh-ddos]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
maxretry = 20
|
||||||
|
|
||||||
|
[sasl]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
[dovecot]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
filter = dovecotimap
|
@ -106,3 +106,11 @@ fi
|
|||||||
|
|
||||||
restart_service bind9
|
restart_service bind9
|
||||||
restart_service resolvconf
|
restart_service resolvconf
|
||||||
|
|
||||||
|
# ### Fail2Ban Service
|
||||||
|
|
||||||
|
# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh
|
||||||
|
cp conf/fail2ban/jail.local /etc/fail2ban/jail.local
|
||||||
|
cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf
|
||||||
|
|
||||||
|
restart_service fail2ban
|
||||||
|
Loading…
Reference in New Issue
Block a user