Best
fail2ban for postfix on CentOS 7
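# Install fail2ban, the iptables service scripts and inotify support.
# yum -y install fail2ban* iptables-services python-inotify
# This setup drives iptables directly, so firewalld is stopped, disabled (no
# start at boot) and then masked (cannot be pulled in by a dependency).
# Disable before mask; the duplicate "stop" from the original list is dropped.
# Nothing on this page afterwards starts iptables.service or loads a saved
# ruleset, so until that is done only fail2ban's ban chains exist on the host.
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl mask firewalld.service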
# vi /etc/fail2ban/jail.local # Add the following lines
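# /etc/fail2ban/jail.local (CentOS 7) -- read by fail2ban's Python configparser.
# Comments must be on their own line: text after a value is NOT stripped, so
# "bantime = 3600 # ..." as originally written yields the value "3600 # ..."
# and fails integer parsing (likewise "backend = systemd # ..." is not a valid
# backend name). Values below are unchanged; only the trailing comments were
# moved onto lines of their own.
[DEFAULT]
# Addresses that are never banned by any jail; keep this list minimal.
# Upstream jail.conf example:
#   ignoreip = 127.0.0.1 my.home.ip.address my.work.ip.address my.network.block/24
ignoreip = 127.0.0.1 192.168.1.0/24 82.192.71.9 95.211.46.207
# "bantime" is the number of seconds that a host is banned
bantime = 3600
# a host is banned if it has generated "maxretry" failures during the last "findtime" seconds
findtime = 600
banaction = iptables-multiport
# CentOS 7: read the systemd journal instead of plain log files
backend = systemd
maxretry = 3
# mail receiver for ban reports
destemail = accesstel@worldcm.net
# sender address for ban reports
sender = fail2ban@worldcm.net
mta = postfix
# "action_mwl" = ban + mail with whois and log excerpt. NOTE: every jail below
# sets its own "action", which replaces this default, so no jail on this page
# actually sends the mail report.
action = %(action_mwl)s
# never resolve hostnames found in log lines
use_dns = no

[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 5

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 5

[postfix-auth]
enabled = true
# custom filter /etc/fail2ban/filter.d/postfix.auth.conf (created in step 2 below)
filter = postfix.auth
# the port list is wider than the mail ports this jail watches (http/https included)
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# maxretry is not set here, so the [DEFAULT] value (3) applies
# NOTE(review): the CentOS 6 jails later on this page read /var/log/maillog,
# and the "fail2ban-client status" output on this page lists only four jails
# (postfix-auth absent). Confirm this path exists on the host, and whether
# logpath is used at all while backend = systemd is set in [DEFAULT].
logpath = /var/log/mail.log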
-----------------------------
2/ Create the filter file:
# vi /etc/fail2ban/filter.d/postfix.auth.conf
-------------------------------
# /etc/fail2ban/filter.d/postfix.auth.conf -- the custom filter selected by
# "filter = postfix.auth" in jail.local.
[Definition]
# Matches Postfix's "lost connection after AUTH from name[addr]" line. <HOST>
# is taken from the bracketed address Postfix logs, not from the preceding
# (.*) name part, so the ban targets the connecting address.
failregex = lost connection after AUTH from (.*)\[<HOST>\]
# deliberately empty: no matched lines are excluded
ignoreregex =
-------------------------
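# Enable at boot and (re)start so the jail.local / filter.d changes above are
# loaded. "restart" also starts a stopped service, so the separate "start"
# followed by "restart" in the original sequence is redundant.
systemctl enable fail2ban.service
systemctl restart fail2ban.service
# Verify: "fail2ban-client status" should list every jail that has enabled = true.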
If you wish to whitelist IPs only for certain jails, this can be done with the fail2ban-client command. Replace JAIL with the name of your jail, and 123.45.67.89 with the IP you wish to whitelist.
# Per-jail whitelist / ban / unban through fail2ban-client.
# NOTE(review): these appear to change only the running daemon, not
# jail.local -- put permanent exemptions in "ignoreip" and confirm whether
# they survive a restart.
# fail2ban-client set JAIL addignoreip 123.45.67.89
# manually ban an address in the given jail
# fail2ban-client set JAIL banip 100.100.1.2
# lift a ban before bantime expires
# fail2ban-client set JAIL unbanip 100.100.1.2
# recent fail2ban activity (jail start-up and "Found <ip>" matches)
# tail -n 10 /var/log/fail2ban.log
2018-03-28 13:21:15,747 fail2ban.jail [19927]: INFO Jail 'sshd' started
2018-03-28 13:21:15,748 fail2ban.jail [19927]: INFO Jail 'pure-ftpd' started
2018-03-28 13:21:15,750 fail2ban.jail [19927]: INFO Jail 'dovecot' started
2018-03-28 13:21:15,753 fail2ban.filter [19927]: INFO [dovecot] Found 91.234.99.217
2018-03-28 13:21:15,757 fail2ban.filter [19927]: INFO [postfix-sasl] Found 91.234.99.217
2018-03-28 13:21:15,757 fail2ban.jail [19927]: INFO Jail 'postfix-sasl' started
2018-03-28 13:21:15,785 fail2ban.filter [19927]: INFO [dovecot] Found 91.234.99.217
2018-03-28 13:21:15,790 fail2ban.filter [19927]: INFO [postfix-sasl] Found 91.234.99.217
2018-03-28 13:23:42,689 fail2ban.filter [19927]: INFO [dovecot] Found 91.234.99.217
2018-03-28 13:23:47,149 fail2ban.filter [19927]: INFO [postfix-sasl] Found 91.234.99.217
# fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: dovecot, postfix-sasl, pure-ftpd, sshd
# fail2ban-client set sshd unbanip 100.100.1.2 (manually unban an IP address from the "sshd" jail)
# fail2ban-client status postfix-sasl
-------------------------XXXXXXXXXXXXXXXXXXX-----------------------------
Centos - 6
[root@mail ~]# vim /etc/fail2ban/jail.local
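# /etc/fail2ban/jail.local (CentOS 6) -- read by fail2ban's Python configparser.
# Comments must be on their own line: text after a value is not stripped, so
# "maxretry = 3 # set max number of attempts" as originally written yields the
# value "3 # set ..." and fails integer parsing. Values are unchanged; only the
# trailing comments were moved onto their own lines and the "bantime=" /
# "findtime=" spacing was aligned with the rest of the file.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Entries here are
# exempt from every jail, so keep the list minimal.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# set a higher bantime and findtime (seconds)
bantime = 3600
findtime = 1800
# set max number of attempts within findtime
maxretry = 3
# set mail receiver
destemail = accesstel@worldcm.net
# sender address for ban reports
sender = fail2ban@worldcm.net
# enable sending mails, whois and logfile sections by choosing the "action_mwl" template.
# NOTE: every jail below sets its own "action", which replaces this default,
# so the mail report is not sent by any jail on this page.
action = %(action_mwl)s
# never resolve hostnames found in log lines
use_dns = no
# see jail.conf for details

[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 5

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5
logpath = /var/log/maillog

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 5
logpath = /var/log/maillog

[postfix-auth]
enabled = true
# custom filter /etc/fail2ban/filter.d/postfix.auth.conf (created in step 2 below)
filter = postfix.auth
# the port list is wider than the mail ports this jail watches (http/https included)
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# maxretry is not set here, so the [DEFAULT] value (3) applies
# NOTE(review): the two mail jails above read /var/log/maillog while this one
# reads /var/log/mail.log -- confirm which file actually exists on the host;
# fail2ban will not start a jail whose logpath matches no file.
logpath = /var/log/mail.log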
---------------------------------------------------------------------
1/ Add the following section to the end of /etc/fail2ban/jail.local
# [postfix-auth] jail, appended to /etc/fail2ban/jail.local.
[postfix-auth]
enabled = true
# selects /etc/fail2ban/filter.d/postfix.auth.conf (created in step 2)
filter = postfix.auth
logpath = /var/log/mail.log
# ban on the listed TCP ports; the list is wider than the mail ports this jail watches
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# Optional second action (mail notification), kept disabled. To enable it, add
# it as an indented continuation line directly under "action =" -- left
# unindented it would be read as a separate key, not as part of "action".
# sendmail[name=Postfix, dest=you@mail.com]
# maxretry is not set here; the [DEFAULT] value applies
2/ Create the filter file:
# vi /etc/fail2ban/filter.d/postfix.auth.conf
# /etc/fail2ban/filter.d/postfix.auth.conf -- custom filter referenced by
# "filter = postfix.auth" in the jail above.
[Definition]
# Matches Postfix's "lost connection after AUTH from name[addr]" line; the
# banned <HOST> comes from the bracketed address, not from the (.*) name part.
failregex = lost connection after AUTH from (.*)\[<HOST>\]
# deliberately empty: nothing is excluded from matching
ignoreregex =
3/ Restart fail2ban. An attacker will be blocked after five attempts.
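# CentOS 6 (SysV): enable at boot, then restart to load the new jail and filter.
chkconfig fail2ban on
# fixed typo: the original read "resstart", which the service script rejects
service fail2ban restart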
---------