hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Sat Aug 11, 2007 3:22 pm Post subject: Trouble with fail2ban [SOLVED]
Hello All
I'm in the middle of a potential backscatter attack or brute force spam attack. Currently, I have one domain that is getting hit by many IPs trying to deliver mail to non-existing accounts. I thought I'd try something new this weekend and use fail2ban to manage this. I was thinking that I could search the log for 'User unknown in virtual mailbox table' for this domain only if the 'from' contains the domain and DROP them.
Anyway, something is goofed, because it's not matching the rule and the block is not being applied. Hopefully, someone will be able to see what's wrong.
fail2ban and iptables versions:
Code:
[ebuild R ] net-analyzer/fail2ban-0.8.0-r1 0 kB
[ebuild R ] net-firewall/iptables-1.3.5-r4 USE="-extensions -imq -ipv6 -l7filter -static" 188 kB
I created the following in jail.conf:
Code:
[comp-mail]
enabled = true
filter = comp-mail
action = iptables[name=comp-mail, port=smtp, protocol=tcp]
         mail-whois[name=comp-mail, dest=abuse@comp.com]
logpath = /var/log/mail.log
ignoreip = 127.0.0.1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
maxretry = 5
Here is my filter (filter.d/comp-mail.conf):
Code:
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = : reject: RCPT from [-._\w]+\[<HOST>\]: 550 5.1.1 .*comp.com.*: Recipient address rejected: User unknown in virtual mailbox table; from=.* to=.*comp.com
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Fail2ban starts up fine, and I receive emails stating that comp-mail has started.
Here is the iptables output:
Code:
iptables -n -L | grep fail2ban
fail2ban-comp-mail tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
Chain fail2ban-comp-mail (1 references)
Here is an example log entry from /var/log/mail.log that I need to be blocked:
Code:
myserver.com postfix/smtpd[23695]: NOQUEUE: reject: RCPT from www10.cruzio.com[63.249.95.27]: 550 5.1.1 <Lalancette@comp.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Lalancette@comp.com> proto=ESMTP helo=<www10.cruzio.com>
or
Code:
myserver.com postfix/smtpd[23695]: NOQUEUE: reject: RCPT from unknown[209.149.110.21]: 550 5.1.1 <pipo_Fiordelisi@comp.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<pipo_Fiordelisi@comp.com> proto=ESMTP helo=<navgateway>
I validated my regex, and I'm confused why this is not being caught. I know it has to be something simple.
Thanks!
hanji
--
Server Admin Blog - Uno-Code.com
Last edited by hanj on Sat Aug 11, 2007 4:06 pm; edited 1 time in total
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Sat Aug 11, 2007 4:06 pm
I think I have it... it was the maxretry value. It was counting it, and never exceeded that value. I think the regex is good.
Thanks!
hanji
--
Server Admin Blog - Uno-Code.com
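To check the filter and the threshold offline, here is an added example (not code from the thread or from fail2ban): it expands `<HOST>` the way the filter's header comment says fail2ban does, runs the post's failregex over constructed Postfix reject lines modelled on the two quoted above, and counts matches per IP against maxretry. The repeated IP, the extra recipients and the other.example line are constructed sample data; findtime is ignored.

```python
import re
from collections import Counter

# Expansion fail2ban substitutes for <HOST>, quoted from the filter's header comment.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from the post's filter.d/comp-mail.conf, unchanged.
FAILREGEX = (
    r": reject: RCPT from [-._\w]+\[<HOST>\]: 550 5.1.1 .*comp.com.*: "
    r"Recipient address rejected: User unknown in virtual mailbox table; "
    r"from=.* to=.*comp.com"
)

# Constructed sample log: the first line quoted in the post, the second one
# repeated five times with made-up recipients, and a reject for another domain.
SAMPLE_LOG = [
    "myserver.com postfix/smtpd[23695]: NOQUEUE: reject: RCPT from www10.cruzio.com[63.249.95.27]: "
    "550 5.1.1 <Lalancette@comp.com>: Recipient address rejected: User unknown in virtual mailbox "
    "table; from=<> to=<Lalancette@comp.com> proto=ESMTP helo=<www10.cruzio.com>",
] + [
    "myserver.com postfix/smtpd[23695]: NOQUEUE: reject: RCPT from unknown[209.149.110.21]: "
    f"550 5.1.1 <user{i}@comp.com>: Recipient address rejected: User unknown in virtual mailbox "
    f"table; from=<> to=<user{i}@comp.com> proto=ESMTP helo=<navgateway>"
    for i in range(5)
] + [
    "myserver.com postfix/smtpd[23695]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "550 5.1.1 <bob@other.example>: Recipient address rejected: User unknown in virtual mailbox "
    "table; from=<> to=<bob@other.example> proto=ESMTP helo=<mx>",
]


def compile_failregex(failregex=FAILREGEX):
    """Expand the <HOST> tag as fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(lines, failregex=FAILREGEX):
    """The 'host' group of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


def hosts_to_ban(lines, maxretry=5, failregex=FAILREGEX):
    """Hosts whose match count reaches maxretry (findtime is not modelled)."""
    counts = Counter(matched_hosts(lines, failregex))
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print("matches per host:", Counter(matched_hosts(SAMPLE_LOG)))
    print("banned at maxretry=5:", hosts_to_ban(SAMPLE_LOG))  # only the repeat offender
    print("banned at maxretry=1:", hosts_to_ban(SAMPLE_LOG, maxretry=1))
```

The other.example reject is not matched because the failregex requires comp.com in both the 550 text and the to= field, which is the domain scoping the first post asked for. Against a live log, fail2ban's own `fail2ban-regex` tool performs the same match check.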