How to Install fail2ban on CentOS in DirectAdmin
Log in as root.
[[email protected]:~ ] $ yum install fail2ban
vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Add this to the file dovecot-pop3imap.conf
# <HOST> marks where fail2ban reads the client address; every failregex line needs it.
[Definition]
failregex = dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
            dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]
ignoreregex =
Then edit the file jail.conf to enable it.
vi /etc/fail2ban/jail.conf
Add this to the file
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=root, [email protected]]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
Try to start the service
[[email protected]:/etc/fail2ban/filter.d ] $ service fail2ban start
Starting fail2ban: [ OK ]
Make sure the service starts at boot.
chkconfig fail2ban --level=235 on
Check whether it is working.
[[email protected]:/etc/fail2ban/filter.d ] $ service fail2ban status
Fail2ban (pid 13009) is running...
Status
|- Number of jail: 2
`- Jail list: dovecot-pop3imap, ssh-iptables
You can see the attacks being blocked in /var/log/messages, depending on the value of logtarget in /etc/fail2ban/fail2ban.conf.
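Added example, not part of the original post: a Python sketch of how this filter and jail decide on a ban, using three of the failregex lines with the <HOST> tag and the jail's maxretry/findtime values. The <HOST> expansion (IPv4 only), the sliding-window counting and the sample log lines are simplified assumptions constructed for illustration, not fail2ban's own code.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Three failregex lines from the filter, with <HOST> where the address sits.
FAILREGEX = [
    r"dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
    r"dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]",
    r"dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

MAXRETRY, FINDTIME = 20, 1200  # maxretry / findtime from the jail entry


def failed_host(line):
    """Return the client address if any failregex matches, else None."""
    for rx in COMPILED:
        match = rx.search(line)
        if match:
            return match.group("host")
    return None


def hosts_to_ban(events):
    """events: (epoch_seconds, log_line) pairs in time order.
    A host is banned once MAXRETRY failures fall inside FINDTIME seconds."""
    recent, banned = defaultdict(deque), []
    for ts, line in events:
        host = failed_host(line)
        if host is None or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned.append(host)
    return banned


# Constructed sample lines shaped to fit the patterns (not from a real log).
FAIL = "Mar 23 21:50:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info>, [%s]"
OK = "Mar 23 21:50:02 mail dovecot: imap-login: Login: user=<info>, [192.0.2.10]"

if __name__ == "__main__":
    fast = [(t * 10, FAIL % "203.0.113.7") for t in range(20)]     # 20 in 190 s
    slow = [(t * 100, FAIL % "198.51.100.9") for t in range(20)]   # 20 in 1900 s
    print(hosts_to_ban(sorted(fast + slow + [(5, OK)])))
```

On a real server, fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf runs the actual filter against the actual log and reports how many lines each failregex matched.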
There’s no file at /etc/fail2ban/filter.d/dovecot-pop3imap.conf.
-rw-r--r-- 1 root root 711 Feb 9 2009 apache-auth.conf
-rw-r--r-- 1 root root 2396 Mar 6 2008 apache-badbots.conf
-rw-r--r-- 1 root root 628 Oct 13 2008 apache-nohome.conf
-rw-r--r-- 1 root root 763 Feb 9 2009 apache-noscript.conf
-rw-r--r-- 1 root root 444 Mar 6 2008 apache-overflows.conf
-rw-r--r-- 1 root root 1039 Feb 9 2009 common.conf
-rw-r--r-- 1 root root 616 Feb 9 2009 courierlogin.conf
-rw-r--r-- 1 root root 591 Feb 9 2009 couriersmtp.conf
-rw-r--r-- 1 root root 1012 Feb 9 2009 cyrus-imap.conf
-rw-r--r-- 1 root root 540 Mar 23 21:49 dovecot-pop3imap.conf
-rw-r--r-- 1 root root 613 Feb 9 2009 exim.conf
-rw-r--r-- 1 root root 447 May 22 2008 gssftpd.conf
-rw-r--r-- 1 root root 397 Aug 30 2009 lighttpd-fastcgi.conf
-rw-r--r-- 1 root root 1013 Feb 10 2009 named-refused.conf
-rw-r--r-- 1 root root 870 May 22 2008 pam-generic.conf
-rw-r--r-- 1 root root 867 Aug 30 2009 php-url-fopen.conf
-rw-r--r-- 1 root root 591 Feb 9 2009 postfix.conf
-rw-r--r-- 1 root root 878 Feb 9 2009 proftpd.conf
-rw-r--r-- 1 root root 801 Feb 9 2009 pure-ftpd.conf
-rw-r--r-- 1 root root 606 Feb 9 2009 qmail.conf
-rw-r--r-- 1 root root 679 Feb 9 2009 sasl.conf
-rw-r--r-- 1 root root 581 Feb 4 2009 sieve.conf
-rw-r--r-- 1 root root 1648 Feb 9 2009 sshd.conf
-rw-r--r-- 1 root root 627 Feb 9 2009 sshd-ddos.conf
-rw-r--r-- 1 root root 700 Feb 9 2009 vsftpd.conf
-rw-r--r-- 1 root root 827 Feb 9 2009 webmin-auth.conf
-rw-r--r-- 1 root root 437 May 22 2008 wuftpd.conf
-rw-r--r-- 1 root root 848 Feb 9 2009 xinetd-fail.conf
Try to install fail2ban again?
dovecot-pop3imap.conf doesn’t exist from a standard installation. You have to touch the file then edit it; this is what the fail2ban wiki suggests you put in dovecot-pop3imap.conf:
After I manually created the file fail2ban started immediately (before then, service start would just fail immediately.)
Also Justin, your automatic code highlighter has a problem with the sample email address in your example configuration — it replaces the @example.com link with some horrible part-evaluated Javascript. You may want to fix that :-)
Thanks for the blog post, helped me get to grips with my first f2b install on a rather tricky DirectAdmin server.
Cheers
Chris
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
as of v 2+