diff --git a/conf/fail2ban/dovecotimap.conf b/conf/fail2ban/dovecotimap.conf new file mode 100644 index 00000000..64b8d944 --- /dev/null +++ b/conf/fail2ban/dovecotimap.conf @@ -0,0 +1,22 @@ +# Fail2Ban filter Dovecot authentication and pop3/imap server +# For Mail-in-a-Box + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (auth|dovecot(-auth)?|auth-worker) + +failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + +ignoreregex = + +# DEV Notes: +# * the first regex is essentially a copy of pam-generic.conf +# * Probably doesn't do dovecot sql/ldap backends properly +# +# Author: Martin Waschbuesch +# Daniel Black (rewrote with begin and end anchors) +# Mail-in-a-Box (swapped session=...) diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local new file mode 100644 index 00000000..63c5ac5a --- /dev/null +++ b/conf/fail2ban/jail.local @@ -0,0 +1,34 @@ +# Fail2Ban configuration file. +# For Mail-in-a-Box +[DEFAULT] + +# bantime in seconds +bantime = 60 + +# This should ban dumb brute-force attacks, not oblivious users. +findtime = 30 +maxretry = 20 + +# +# JAILS +# + +[ssh] + +enabled = true +logpath = /var/log/auth.log +maxretry = 20 + +[ssh-ddos] + +enabled = true +maxretry = 20 + +[sasl] + +enabled = true + +[dovecot] + +enabled = true +filter = dovecotimap diff --git a/setup/system.sh b/setup/system.sh index a5519839..0b29e229 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -106,3 +106,11 @@ fi restart_service bind9 restart_service resolvconf + +# ### Fail2Ban Service + +# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh +cp conf/fail2ban/jail.local /etc/fail2ban/jail.local +cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf + +restart_service fail2ban