configuration-templates
/fail2ban/filter.d/dovecot.conf |
@@ -0,0 +1,34 @@ |
# Fail2Ban filter Dovecot authentication and pop3/imap server |
# |
|
[INCLUDES] |
|
before = common.conf |
|
[Definition] |
|
_daemon = (auth|dovecot(-auth)?|auth-worker) |
|
failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ |
^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ |
^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ |
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ |
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ |
|
ignoreregex = |
|
[Init] |
|
journalmatch = _SYSTEMD_UNIT=dovecot.service |
|
# DEV Notes: |
# * the first regex is essentially a copy of pam-generic.conf |
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) |
# * Removed the 'no auth attempts' log lines from the matches because produces |
# lots of false positives on misconfigured MTAs making regexp unusable |
# |
# Author: Martin Waschbuesch |
# Daniel Black (rewrote with begin and end anchors) |
# Martin O'Neal (added LDAP authentication failure regex) |
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility) |
# Author: Wizardry and Steamworks |
/fail2ban/filter.d/postfix-rbl.conf |
@@ -0,0 +1,20 @@ |
# Fail2Ban filter for Postfix's RBL based Blocked hosts |
# |
# |
|
[INCLUDES] |
|
# Read common prefixes. If any customizations available -- read them from |
# common.local |
before = common.conf |
|
[Definition] |
|
_daemon = postfix(-\w+)?/smtpd |
|
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: .* Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ |
|
ignoreregex = |
|
# Author: Lee Clemens |
# Author: Wizardry and Steamworks |
/fail2ban/filter.d/postfix-sasl.conf |
@@ -0,0 +1,22 @@ |
# Fail2Ban filter for postfix authentication failures |
# |
|
[INCLUDES] |
|
before = common.conf |
|
[Definition] |
|
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] |
|
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]:(\d*?:)? SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ |
|
ignoreregex = authentication failed: Connection lost to authentication server$ |
|
[Init] |
|
journalmatch = _SYSTEMD_UNIT=postfix.service |
|
|
# Author: Yaroslav Halchenko |
# Author: Wizardry and Steamworks |
/fail2ban/filter.d/postfix.conf |
@@ -0,0 +1,31 @@ |
# Fail2Ban filter for selected Postfix SMTP rejections |
# |
# |
|
[INCLUDES] |
|
# Read common prefixes. If any customizations available -- read them from |
# common.local |
before = common.conf |
|
[Definition] |
|
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] |
|
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$ |
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: .* Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=E?SMTP helo=<\S*>$ |
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: .* Helo command rejected: Host not found .*$ |
^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: .* <\S+>: Helo command rejected: need fully-qualified hostname;.*$ |
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: .*$ |
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: .* <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=E?SMTP helo=<\S*>$ |
^%(__prefix_line)simproper command pipelining after \S+ from \[<HOST>\]:.*$ |
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: .* Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ |
|
ignoreregex = |
|
[Init] |
|
journalmatch = _SYSTEMD_UNIT=postfix.service |
|
# Author: Cyril Jaquier |
# Author: Wizardry and Steamworks |