Oct
1

How to setup fail2ban to block vpopmail attacks

Lawrence Sheed // 1 Oct 2009 // No Comments

As the Wiki for fail2ban is a little less than explanatory than it could be, here are my own notes on setting up fail2ban to block pop3 attacks.

Have been seeing sample dictionary attacks on some servers for a while now from random ip addresses – eg

Sep 28 13:01:03 www vpopmail[20410]: vchkpw-pop3: vpopmail user not found www@:24.153.205.71
Sep 28 13:01:03 www vpopmail[20411]: vchkpw-pop3: vpopmail user not found web@:24.153.205.71
Sep 28 13:01:09 www vpopmail[20417]: vchkpw-pop3: vpopmail user not found web@:24.153.205.71
Sep 28 13:01:11 www vpopmail[20420]: vchkpw-pop3: vpopmail user not found web@:24.153.205.71
 

Annoying, but not realistically going to provide much of a security issue – most of the user names are the generic ones which aren’t actually in use on the servers.

As we already use fail2ban to perform basic service blocks against naughty script kiddie wannabee’s, why not have it block vpopmail attacks also.

Our mail error logs are located in /var/log/mail.log

As you saw above, the logs show the same common text for each failed login –

vchkpw-pop3: vpopmail user not found web@:24.153.205.71
 

A simple regex to identify that in the logs would look like this (as per the fail2ban wiki)

failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>$
 

First step is to create a filter for fail2ban.

Create /etc/fail2ban/filter.d/vpopmail.conf as below:

# Fail2Ban configuration file for vpopmail
#
# Author: Lawrence Sheed
#
# $Revision: 1.0 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
 

Second step is to add our filter to the fail2ban setup

Add this to the bottom of /etc/fail2ban/jail.conf

[vpopmail]
enabled = true
port    = pop3
filter  = vpopmail  
logpath = /var/log/mail.log
maxretry = 3
 

logpath should be amended to whatever your mail logs for vpopmail appear.
maxretry should be set to a value that you agree with.

Restart fail2ban with a: /etc/init.d/fail2ban restart
and check that it has added the filter.

tail /var/log/fail2ban.log

You should see a line like this:

2009-10-01 12:36:09,590 fail2ban.jail   : INFO   Jail ‘vpopmail’ started
 

If so, you’re all set!

October 1, 2009   //   Email, Technical Mumbo Jumbo   //   No Comments   //   Tags: , , , ,

Post comment

Archives

Categories

Most Popular Posts

Tags

Apache Apple Apple Mail arm7 biltong china china telecom Chinese Spyware Removal Howto coffee cool debian dns dvd firmware foscam Google hacking how to howto icp Image ipcam Kitto lg dv340 licence Mac mini3i nc745 nuvoton ophone outage Picture problem region free hack Resize Search Engine Optimization SEO shanghai spam taobao Thoughts Time Machine Tuning uclinux video

Recent Comments

  • Lawrence Sheed: Simple answer – yes.
  • tony: Laurence, Just saw your answer to the poster above, about “needing a car licence for a year before...
  • Garron: Looking good! I’ve started producing my own biltong in the UK, as I found it difficult to find a...
  • Sima: Hi Lawrence, I was wondering how you were able to grab that videoframe? You write that the camera app needs...
  • D.: WOW, great work! I have been waiting for someone who know hardware coding to look into this device for awhile...

PHOTOSTREAM

高华lozglassesgoober and gfempress of the realmbonnie bonnieneil 'don johnson'remnantsbonnieflower powerflowers in her hairyoyo and rachel #2yoyo and rachelyoyo vs life outside the DS #3yoyo vs life outside the DS #2yoyo vs life outside the DS #1vivianvivian and jane