Differences
fail2ban_add_custom_rule [06.12.2020 08:39] – created Pascal Suter | fail2ban_add_custom_rule [06.12.2020 09:05] (current) – Pascal Suter | ||
Line 4: | Line 4: | ||
usually your favorite distribution comes packed with filters and all you may have to do is enable them.. however, sometimes you might want to write your own rule, be it for your own application or for some case which is simply not covered by the default rules.. | usually your favorite distribution comes packed with filters and all you may have to do is enable them.. however, sometimes you might want to write your own rule, be it for your own application or for some case which is simply not covered by the default rules.. | ||
- | here is an example of how I added a new rule for postfix which filters out some bots who try to brute-force smtpd accounts. most of those are covered by the default filter in ubuntu, however, i had a case of a bot which tried to authenticate on a smtpd which only allowed TLS but it did not use TLS.. so the bot will honestly never suceed with this method of course, but it still was flooding my logs, so i decided to do something against that.. | + | here is an example of how I added a new rule for postfix |
+ | |||
+ | **NOTE** Please keep in mind, that path names and best practices on where to save your configs vary slightly from distribution to distribution.. debian and therefore ubuntu style is to not edit distribution provided config files and instead use the '' | ||
first let's look a the log entries which identify that sucker: | first let's look a the log entries which identify that sucker: | ||
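Review bot: the rewritten line "here is an example of how I added a new rule for postfix" drops the description of the case it replaces (a bot authenticating against a TLS-only smtpd without using TLS, which the default Ubuntu postfix filter did not catch and which flooded the logs), so the following sentence "first let's look a the log entries which identify that sucker" now refers to an attacker the text never introduces; keep a one-line summary of that case before the NOTE so the reader knows what the filter is meant to catch. Also "look a the log entries" should read "look at the log entries".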
Line 33: | Line 35: | ||
s so you can see, the regex matched 9005 lines, that seems about right.. | s so you can see, the regex matched 9005 lines, that seems about right.. | ||
+ | next up is our **jail** for the filter we just created. we create a new file called '/ | ||
+ | <code fal2ban / | ||
+ | enabled | ||
+ | port = smtp, | ||
+ | logpath | ||
+ | </ | ||
+ | I got the '' | ||
+ | there are many more options you could set, like '' | ||
+ | |||
+ | so now lets reload our config to enable our shiny new rule: | ||
+ | fail2ban-client reload | ||
+ | if whoever you want to block is still active, you should see him blocked in a short time.. check your logs like | ||
+ | < | ||
+ | # grep Ban / | ||
+ | 2020-12-06 07: | ||
+ | </ | ||
+ | and yell "haha, gotcha" | ||
+ | |||
+ | or you can also see your success via the '' | ||
+ | < | ||
+ | # fail2ban-client status postfix-ehlo | ||
+ | Status for the jail: postfix-ehlo | ||
+ | |- Filter | ||
+ | | |- Currently failed: 0 | ||
+ | | |- Total failed: 8 | ||
+ | | `- File list: | ||
+ | `- Actions | ||
+ | |- Currently banned: 0 | ||
+ | |- Total banned: 1 | ||
+ | `- Banned IP list: | ||
+ | </ | ||
+ | |||
+ | there you go :) | ||
+ | |||
+ | by the way, to activate any of the already existing jails, you need to set the '' | ||
+ | < | ||
+ | [sshd] | ||
+ | enabled = true | ||
+ | |||
+ | [postfix] | ||
+ | enabled = true | ||
+ | |||
+ | [dovecot] | ||
+ | enabled = true | ||
+ | </ | ||
+ | the names of the pre-configured jails can be found in ''/ | ||
+ | |||
+ | after enabling your filters, reload and check with the '' | ||
+ | < | ||
+ | # fail2ban-client reload | ||
+ | OK | ||
+ | # fail2ban-client status | ||
+ | Status | ||
+ | |- Number of jail: 4 | ||
+ | `- Jail list: | ||
+ | </ |
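Review bot: the new jail definition lists only enabled, port and logpath with no filter = line; fail2ban resolves a missing filter to the jail's own name, so this only works if the filter file "we just created" is named after the jail shown in the status output (postfix-ehlo), and an explicit `filter = <filter-name>` line would make that dependency visible to the reader. Two smaller points: the code tag opens as `<code fal2ban`, which should be `fail2ban`, and the `fail2ban-client reload` command after "so now lets reload our config" is inline text while the same command later sits in a code block; fence it the same way for consistency.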