Best

fail2ban postfix centos 7

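# "fail2ban*" also matches the EPEL sub-packages (e.g. fail2ban-firewalld,
# fail2ban-systemd). Their jail.d/00-*.conf drop-ins may set
# banaction = firewallcmd-ipset / backend = systemd, but jail.d/*.conf is read
# before jail.local, so the values set in jail.local below still win.
yum -y install fail2ban* iptables-services python-inotify

# firewalld is being replaced by iptables-services: stop, disable and mask it
# so nothing re-activates it on boot.
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl mask firewalld.service

# Masking firewalld leaves the host with NO packet filter until iptables.service
# is running -- fail2ban only adds chains to an existing ruleset. Enable it with
# a ruleset in /etc/sysconfig/iptables that permits the ssh/mail ports served
# here (the stock file typically allows only SSH) before relying on fail2ban.
systemctl enable iptables.service
systemctl start iptables.service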

# vi /etc/fail2ban/jail.local               # Add the following. Keep every key in column 0 and put comments on their own line: fail2ban strips inline comments only after " ;", so a trailing "# ..." on a value line becomes part of the value.

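[DEFAULT]
# Sources that are never banned: space-separated IPs, CIDR blocks or DNS names
# (loopback, the LAN, fixed home/office addresses).
# fail2ban only strips inline comments introduced by " ;" -- a trailing "# ..."
# on a value line becomes part of the value -- so all comments in this file are
# full lines and every key starts in column 0 (an indented line is read as a
# continuation of the previous value).
ignoreip = 127.0.0.1 192.168.1.0/24 82.192.71.9 95.211.46.207
# Seconds a host stays banned.
bantime = 3600
# A host is banned once it produces "maxretry" failures within "findtime" seconds.
findtime = 600
maxretry = 3
banaction = iptables-multiport
# CentOS 7: read failures from the systemd journal. With this backend "logpath"
# is ignored and each filter should define "journalmatch" so fail2ban does not
# scan the whole journal.
backend = systemd
# Mail notifications: action_mwl = ban + mail with whois and the matching log
# lines. NOTE: every jail below sets its own "action", which replaces this
# default entirely, so as written bans happen but no mail is sent. To get mail
# for a jail, drop its "action" line and set "port = ..." so this default applies.
destemail = accesstel@worldcm.net
sender = fail2ban@worldcm.net
# "mta" is the action.d prefix expanded in %(mta)s-whois-lines; only "sendmail"
# and "mail" exist. Postfix ships the sendmail-compatible /usr/sbin/sendmail, so
# "sendmail" is correct -- "postfix" would reference a non-existent
# postfix-whois-lines action.
mta = sendmail
action = %(action_mwl)s
# Hostnames matched by <HOST> are not resolved; only literal IPs are banned.
use_dns = no

[sshd]
enabled = true
# Per-jail "action" overrides %(action_mwl)s: ban only, no mail (see [DEFAULT]).
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 5

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 5

# Custom jail (filter in filter.d/postfix.auth.conf): clients that drop the
# connection right after AUTH. Inherits maxretry = 3 from [DEFAULT] -- stricter
# than the mail jails above (5). The ban also covers the web and sieve ports,
# not just SMTP; trim the list if that is not intended.
[postfix-auth]
enabled = true
filter = postfix.auth
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# CentOS writes mail logs to /var/log/maillog; /var/log/mail.log is the Debian
# path. Only consulted when backend is not "systemd".
logpath = /var/log/maillog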

                       -----------------------------

2/ create new file

#  vi /etc/fail2ban/filter.d/postfix.auth.conf

                 -------------------------------

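# Fail2Ban filter for Postfix clients that disconnect immediately after AUTH
# (typical of SASL brute-forcers). Example matched line:
#   Mar 28 13:21:15 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[91.234.99.217]

[INCLUDES]
# Provides __prefix_line (syslog timestamp/host/program[pid]: prefix).
before = common.conf

[Definition]
# Anchored at both ends and with the hostname limited to one token: Postfix
# echoes client-controlled strings (HELO names, envelope addresses) into other
# log lines, and an unanchored "lost connection after AUTH from (.*)\[<HOST>\]"
# would also match such text embedded there, letting a remote client get an
# arbitrary address banned.
failregex = ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$

ignoreregex =

# With backend = systemd, restrict the scan to Postfix's journal entries
# instead of the whole journal.
journalmatch = _SYSTEMD_UNIT=postfix.service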

                 -------------------------

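# Start at boot; "restart" (rather than start) also re-reads jail.local if the
# service was already running, so a separate start is unnecessary.
systemctl enable fail2ban.service
systemctl restart fail2ban.service
# Confirm every configured jail came up: a jail with a bad filter or missing
# log file is reported in /var/log/fail2ban.log and typically skipped rather
# than stopping the service.
fail2ban-client status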

     

If you wish to whitelist IPs only for certain jails, this can be done with the fail2ban-client command. Replace JAIL with the name of your jail, and 123.45.67.89 with the IP you wish to whitelist. Note that this changes the running server only and is lost on the next restart; permanent whitelist entries belong in `ignoreip` in jail.local.

# NOTE: "set JAIL addignoreip" changes the running server only and is lost on
# restart -- persist permanent whitelist entries in jail.local's ignoreip.
# fail2ban-client set JAIL addignoreip 123.45.67.89

# Manually ban / unban an address in one jail (also runtime-only).
# fail2ban-client set JAIL banip 100.100.1.2

# fail2ban-client set JAIL unbanip 100.100.1.2

# Recent fail2ban activity: jail start-up, "Found <ip>" matches, bans.
# tail -n 10 /var/log/fail2ban.log

2018-03-28 13:21:15,747 fail2ban.jail           [19927]: INFO    Jail 'sshd' started 2018-03-28 13:21:15,748 fail2ban.jail           [19927]: INFO    Jail 'pure-ftpd' started 2018-03-28 13:21:15,750 fail2ban.jail           [19927]: INFO    Jail 'dovecot' started 2018-03-28 13:21:15,753 fail2ban.filter         [19927]: INFO    [dovecot] Found 91.234.99.217 2018-03-28 13:21:15,757 fail2ban.filter         [19927]: INFO    [postfix-sasl] Found 91.234.99.217 2018-03-28 13:21:15,757 fail2ban.jail           [19927]: INFO    Jail 'postfix-sasl' started 2018-03-28 13:21:15,785 fail2ban.filter         [19927]: INFO    [dovecot] Found 91.234.99.217 2018-03-28 13:21:15,790 fail2ban.filter         [19927]: INFO    [postfix-sasl] Found 91.234.99.217 2018-03-28 13:23:42,689 fail2ban.filter         [19927]: INFO    [dovecot] Found 91.234.99.217 2018-03-28 13:23:47,149 fail2ban.filter         [19927]: INFO    [postfix-sasl] Found 91.234.99.217

fail2ban-client status

Status |- Number of jail: 4 `- Jail list: dovecot, postfix-sasl, pure-ftpd, sshd

fail2ban-client set sshd unbanip 100.100.1.2        # manually unban an address from the "sshd" jail

#  fail2ban-client status postfix-sasl

                                            -------------------------XXXXXXXXXXXXXXXXXXX-----------------------------

 Centos - 6

[root@mail ~]#   vim /etc/fail2ban/jail.local 

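[DEFAULT]
# Sources that are never banned: IP addresses, CIDR masks or DNS names, space
# separated. Comments live on their own line: fail2ban strips only " ;" inline
# comments, a trailing "# ..." would become part of the value.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# Seconds a host stays banned.
bantime = 3600
# A host is banned after "maxretry" failures within "findtime" seconds.
findtime = 1800
maxretry = 3
# Mail notifications (ban + whois + matching log lines) through the local MTA.
# "mta" is left at the jail.conf default "sendmail", which Postfix provides.
# NOTE: every jail below sets its own "action", replacing this default -- as
# written bans are applied but no mail is sent.
destemail = accesstel@worldcm.net
sender = fail2ban@worldcm.net
action = %(action_mwl)s
# Hostnames matched by <HOST> are not resolved; only literal IPs are banned.
use_dns = no
# see jail.conf for details

[sshd]
enabled = true
# The jail names and default ports/logpaths below rely on the jail.conf shipped
# with fail2ban 0.9+. NOTE(review): older 0.8.x packages name this jail
# ssh-iptables and require an explicit logpath per jail -- confirm against the
# installed version.
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 5

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5
logpath = /var/log/maillog

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 5
logpath = /var/log/maillog

# Custom jail (filter.d/postfix.auth.conf): clients that drop the connection
# right after AUTH. Inherits maxretry = 3 from [DEFAULT].
[postfix-auth]
enabled = true
filter = postfix.auth
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# Same log as the dovecot/postfix-sasl jails: CentOS writes mail logs to
# /var/log/maillog. The Debian path /var/log/mail.log does not exist here and
# leaves the jail with no log file to watch.
logpath = /var/log/maillog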

                                  ---------------------------------------------------------------------

1/ add the following section to the end of your /etc/fail2ban/jail.local (skip this if [postfix-auth] is already present from the listing above — a second [postfix-auth] header would be a duplicate section)

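# Custom jail (filter in filter.d/postfix.auth.conf): clients that drop the
# connection right after AUTH. maxretry is inherited from [DEFAULT].
[postfix-auth]
enabled = true
filter = postfix.auth
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# Optional second action: an indented continuation line of "action" adds a
# mail notification per ban alongside the iptables ban. Uncomment and set dest:
#           sendmail[name=Postfix, dest=you@mail.com]
# CentOS writes mail logs to /var/log/maillog; the Debian path
# /var/log/mail.log does not exist here and leaves the jail with no log to watch.
logpath = /var/log/maillog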

2/ create new file

# vi /etc/fail2ban/filter.d/postfix.auth.conf

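# Fail2Ban filter for Postfix clients that disconnect immediately after AUTH
# (typical of SASL brute-forcers). Example matched line:
#   Mar 28 13:21:15 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[91.234.99.217]

[INCLUDES]
# Provides __prefix_line (syslog timestamp/host/program[pid]: prefix).
before = common.conf

[Definition]
# Anchored at both ends and with the hostname limited to one token: Postfix
# echoes client-controlled strings (HELO names, envelope addresses) into other
# log lines, and an unanchored "lost connection after AUTH from (.*)\[<HOST>\]"
# would also match such text embedded there, letting a remote client get an
# arbitrary address banned.
failregex = ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$

ignoreregex =

# Used only by backend = systemd (not on CentOS 6); harmless otherwise.
journalmatch = _SYSTEMD_UNIT=postfix.service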

3/ Restart fail2ban. An attacker is blocked after `maxretry` failed attempts within `findtime`; for [postfix-auth] that is 3 (inherited from [DEFAULT] above — only the pure-ftpd, dovecot and postfix-sasl jails set 5).

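# CentOS 6 (SysV init): start at boot and restart now to load the new jail and
# filter. ("resstart" in the original was a typo and would have failed.)
chkconfig fail2ban on
service fail2ban restart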

---------