#
# common.conf supplies the __prefix_line pattern that every failregex line below expands.
[INCLUDES]
before = common.conf
/etc/fail2ban/filter.d/postfix-sasl.conf
[Definition]
Testen mit:
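# Both the plain smtpd and the submission instance of Postfix log SASL failures.
_daemon = (?:postfix/smtpd|postfix/submission/smtpd)

# Continuation lines of a multi-line value must be indented, otherwise the INI
# parser reads them as broken option names.
# Rule 1: "authentication failed", optionally followed by ": " and a
#         base64-looking SASL token, then end of line.
# Rule 2: "authentication failed:" followed by anything else.
# Rule 3: the client's PTR name does not resolve back to the connecting address.
#         This bans on a reverse-DNS mismatch rather than on a credential
#         failure; keep it only if that is intended.
# The mechanism name is accepted in the three spellings the original rules
# listed separately (LOGIN / Login / login), which keeps the match identical
# while collapsing six lines into two.
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|Login|login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|Login|login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:
            ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$

# Author: Yaroslav Halchenko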
# Dry-run the filter against the mail log: matching lines are reported, nothing is banned.
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf
/etc/fail2ban/jail.local:
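[postfix-sasl]
enabled  = true
# Ports the ban is applied to. The filter's _daemon also matches
# postfix/submission/smtpd, so the submission port is included here; without
# it a banned client could keep trying on 587. Drop it if no submission
# service runs on this host.
port     = smtp,ssmtp,submission
filter   = postfix-sasl
logpath  = /var/log/mail.log
# Three matched failures (within the jail's findtime) trigger a ban.
maxretry = 3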
Jails anzeigen:
# Show the jails the running fail2ban server knows about.
fail2ban-client status
IP wieder freigeben:
# The second argument is the jail name: for the jail configured above it is
# postfix-sasl, not sshd. Note that only actionban pushes to sync_fail2ban, so
# an unban done here is not reflected in the table.
fail2ban-client set sshd unbanip [IP]
Mail anpassen:
mwl -> /sendmail-common.conf
In action.d/iptables-multiport.conf:
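# Block the address first, then record the ban in the sync_fail2ban table via
# the push script below. <port> is the jail's port value, which may be a
# comma-separated list such as "smtp,ssmtp" rather than a single number.
# The push command is listed once: a second identical line writes every ban
# twice. Continuation lines must be indented (real whitespace, not a tab marker).
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            /usr/local/bin/fail2ban-push.php <name> <protocol> <port> <ip>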
Tabelle:
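-- One row per ban event, written by /usr/local/bin/fail2ban-push.php with the
-- values of fail2ban's <name>, <protocol>, <port> and <ip> tags plus the
-- inserting host's name and local time.
-- InnoDB instead of MyISAM: crash-safe and transactional; the push script
-- needs nothing MyISAM-specific.
CREATE TABLE IF NOT EXISTS `sync_fail2ban` (
  `id`         bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  -- host that issued the ban (gethostname() in the push script)
  `hostname`   varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  -- local time of the inserting host (date() in the push script), not necessarily UTC
  `created`    datetime NOT NULL,
  -- jail name
  `name`       text COLLATE utf8_unicode_ci NOT NULL,
  `protocol`   varchar(16) COLLATE utf8_unicode_ci NOT NULL,
  -- port number, service name, or a comma-separated list as given by the jail
  `port`       varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  -- long enough for the IPv6 text form
  `ip`         varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  -- Nullable: the push script does not fill this column, and a NOT NULL TEXT
  -- without a default makes its INSERT fail under MySQL strict mode.
  `reversedns` text COLLATE utf8_unicode_ci DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `hostname` (`hostname`,`ip`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;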
PHP-Script:
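#!/usr/bin/php
<?php
// fail2ban-push.php <name> <protocol> <port> <ip>
//
// Called from actionban in action.d/iptables-multiport.conf after the iptables
// rule has been inserted; records the ban in the sync_fail2ban table.
// The arguments are fail2ban tag values. <ip> is derived from the log line the
// filter matched, so it is treated as untrusted: every value is bound as a
// prepared-statement parameter instead of being interpolated into the SQL.
if ($_SERVER["argc"] < 5) {
    fwrite(STDERR, "usage: fail2ban-push.php <name> <protocol> <port> <ip>\n");
    exit(1);
}
$name     = $_SERVER["argv"][1];
$protocol = $_SERVER["argv"][2];
$port     = $_SERVER["argv"][3];
// A service name such as "smtp" is translated to its number. A jail's <port>
// may also be a comma-separated list, which getservbyname() cannot resolve;
// keep the original string then instead of storing false (which became '').
if (!preg_match('/^\d{1,5}$/', $port)) {
    $resolved = getservbyname($port, $protocol);
    if ($resolved !== false) {
        $port = $resolved;
    }
}
$ip       = $_SERVER["argv"][4];
$date     = date("Y-m-d H:i:s");
$hostname = gethostname();

// Insert your database settings here. The password is stored in this file in
// clear text, so keep the script readable only by the account fail2ban runs as.
$link = new mysqli("localhost", "fail2ban", "password", "fail2ban");

// Don't change anything below.
if ($link->connect_error) {
    // connect_error is a property; calling it as a method was a fatal error.
    die("Verbindung fehlgeschlagen: " . $link->connect_error);
}
// reversedns is written as '' explicitly: the column is NOT NULL without a
// default, and this script has no reverse-DNS value to store.
$query = "INSERT INTO sync_fail2ban (name, protocol, port, ip, created, hostname, reversedns)
          VALUES (?, ?, ?, ?, ?, ?, '')";
$stmt = $link->prepare($query);
if ($stmt === false) {
    echo "ERROR: " . $query . "<br>" . $link->error;
} else {
    // All six values are bound as strings; port may be an int after the
    // service lookup, which mysqli converts.
    $stmt->bind_param("ssssss", $name, $protocol, $port, $ip, $date, $hostname);
    if ($stmt->execute()) {
        echo "Eintrag erfolgreich geschrieben";
    } else {
        echo "ERROR: " . $query . "<br>" . $stmt->error;
    }
    $stmt->close();
}
$link->close();
?>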