A quick note about the postfix-sasl jail in Fail2Ban. It was failing to match some log entries from my postfix install. Its regex contains the following:
SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)
I had to modify it to:
SASL (?:login|LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)
due to my log sometimes containing the lower case ‘login’
A quick little note about turning off the internet at a certain time. If you can assign all your kids devices IP addresses in a certain range, then you can easily cut them off the network at a given time with an addition to the shorewall rules file
DROP dmz:192.168.12.151-192.168.12.199 net – – – – – – – – timestart=22:00×top=23:59&weekdays=Sun,Mon,Tue,Wed,Thu&localtz
DROP dmz:192.168.12.151-192.168.12.199 net – – – – – – – – timestart=00:30×top=02:00&weekdays=Fri,Sat&localtz
As you can see, a certain address range on my dmz gets dropped at 10pm on school nights and 1230am on weekends. Hope someone finds this usefull
With the help of squirrel logger I now have Fail2Ban banning IPs from attempted logins of my webmail interface. Configuring squirrel logger was a breeze. I simple send it to syslog, where it is picked up by my mail.info log. I created my own squirrelmail.conf for fail2ban which is below.
# Fail2Ban configuration file
#
[Definition]
# Option: failregex
failregex = 0: Failed webmail login: by.*\(.*\) at <HOST> on.*$
ignoreregex =
I noticed some unusual activity on my webserver recently, and tracked it down to brute force attempts on wordpress installs. I did a little searching and found wp-fail2ban. Without too much tweaking of rsyslog, I got the auth messages to my firewall, where I set about getting fail2ban to monitor for login attempts. I was using the supplied wordpress.conf file that came with the plugin, but it was failing to match the regex due to the 32 character limitation of the syslog tag. Essentially a tag that should be of the form
wordpress(www.example.com)[12345]
would sometimes be truncated to
wordpress(www.longdomainname.com
This would cause a failure of the regex. So if you have long domain names, you may need to modify the wordpress.conf. In my case, I just removed
^%(__prefix_line)
from the beginning of the regex
I have been using Fail2Ban with Shorewall to block brute force attempts against open ports. I noticed that during a recent attack, the attackers were being repeatedly banned, so I decided to turn on the Recidive Jail. Unfortunately, it doesn’t work with the shorewall action – in a nut shell, the short term jail that finally triggers the recidive jail releases the IP even though the recidive jail believes it is still banned. I got around the problem by adding a new action ‘shorewall-recid’ and creating a few short scripts. Essentially, if the recidive jail is triggered, the scripts make sure the ip is unbanned from all other jails before it is banned with the recidive one. If you are interested in the scripts, just let me know.