* '''Mail''': can be enabled or disabled (default is enabled). If enabled, a mail is sent for each ban
* '''MailRecipient''': if '''Mail''' is enabled, the email address which should receive ban notifications. Default is root (the admin account will receive them)

After changing one of these settings, you need to apply it:
 signal-event fail2ban-conf

===Services===
The following services are monitored. Fail2ban bans the client IP for '''BanTime''' once '''MaxRetry''' authentication failures occur within '''FindTime''':

*ssh
*dovecot (only on SME9, or if you run [http://smeserver-dovecot https://wikit.firewall-services.com/doku.php/smedev/dovecot])
*qpsmtpd. If a remote server sends you too many mails which qpsmtpd rejects, it is probably a spammer, so Fail2ban blacklists it. MaxRetry is multiplied by 3 for this service, so with the default config a remote server is blacklisted if 9 mails are rejected in less than 15 minutes
*httpd-e-smith. The standard HTTP server. Three different filters check the Apache logs:
** noscripts: catches clients requesting scripts which do not exist on your server. These are usually script-kiddies trying to exploit security vulnerabilities
** scan: another set of filters for popular scans (phpMyAdmin, wp-login, admin areas etc.)
** auth: checks for standard authentication failures
*pam. Checks for generic authentication failures logged through PAM. Everything which authenticates via PAM should be covered
*[[SOGo]]. Checks the SOGo logs for failed authentications
*[[LemonLDAP::NG|LemonLDAP-NG]]. Checks the system logs for authentication failures on the LemonLDAP::NG portal
*ftp. Checks for authentication failures on your FTP daemon
*[[Ejabberd]]. Checks for authentication failures against Ejabberd

Each filter disables itself if the corresponding service is disabled. You can also disable a specific filter if you want. For example, to disable the Apache filters:

 db configuration setprop httpd-e-smith Fail2Ban disabled
 signal-event fail2ban-conf

===Selective bans===
Fail2ban does its best to ban selectively. For example, if 3 authentication failures against ssh are detected, only TCP port 22 (or whichever port you chose for SSH) is blocked. The same goes for httpd-e-smith, SOGo and LemonLDAP::NG, which only blacklist TCP ports 80 and 443; qpsmtpd blocks TCP ports 25 and 465, dovecot blocks 143 and 993, etc.

There are only two ways for a client to be completely blocked (all ports and protocols):
* pam. As this is a generic log, it is not possible to tell which service was used when an authentication failure occurred, so the entire client IP is blacklisted
* recidive. This is a special filter. It monitors the Fail2ban log and blacklists client IPs which get banned several times. If a client is banned 5 times in 24 hours, it is completely blacklisted for one full week
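The counting rules from the Services and Selective bans sections above (MaxRetry failures inside FindTime per service, the x3 factor for qpsmtpd, the per-service ban scope, and recidive's fifth ban in 24 hours turning into a week-long full ban) as a runnable model. This is an added example and not fail2ban's or the SME Server contrib's code: the default values (BanTime in particular is a guess, as the page's own default is not repeated here), the `BAN_SCOPE` table, the sshd failure regex and the sample log lines are all constructed for illustration, and nothing in it touches iptables.

```python
"""Model of the ban rules above: MaxRetry failures within FindTime per service,
the x3 factor for qpsmtpd, selective ban scope, and recidive.  Added example,
not fail2ban's or the contrib's code; it only counts and never touches iptables."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed defaults; a real server reads them from the configuration db.
MAX_RETRY, FIND_TIME, BAN_TIME = 3, 15 * 60, 10 * 60        # BAN_TIME is a guess
RECIDIVE_MAX_RETRY, RECIDIVE_FIND_TIME, RECIDIVE_BAN_TIME = 5, 24 * 3600, 7 * 24 * 3600
MAXRETRY_FACTOR = {"qpsmtpd": 3}                             # MaxRetry multiplier
# What a ban closes per service; None means the whole IP, every port and protocol.
BAN_SCOPE = {"ssh": "tcp/22", "httpd-e-smith": "tcp/80,443", "qpsmtpd": "tcp/25,465",
             "dovecot": "tcp/143,993", "pam": None, "recidive": None}

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
# Illustrative failure pattern, not the contrib's filter file.
FAILREGEX = {"ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\S+)")}


def parse_line(line):
    """Return (epoch seconds, service, client ip) for a failure line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    ts = when.replace(tzinfo=timezone.utc).timestamp()
    for service, rx in FAILREGEX.items():
        hit = rx.search(m.group("rest"))
        if hit:
            return ts, service, hit.group("ip")
    return None


class Jail:
    """Per-service counter: ban an IP once MaxRetry failures fall inside FindTime."""

    def __init__(self, name, max_retry=MAX_RETRY, find_time=FIND_TIME, ban_time=BAN_TIME):
        self.max_retry = max_retry * MAXRETRY_FACTOR.get(name, 1)
        self.find_time, self.ban_time, self.scope = find_time, ban_time, BAN_SCOPE[name]
        self.window = defaultdict(deque)   # ip -> timestamps of recent failures

    def failure(self, ts, ip):
        """Record a failure; return (ts, ip, scope, ban_time) if it triggers a ban."""
        hits = self.window[ip]
        hits.append(ts)
        while ts - hits[0] > self.find_time:   # forget failures older than FindTime
            hits.popleft()
        if len(hits) < self.max_retry:
            return None
        hits.clear()                            # a ban resets the count
        return ts, ip, self.scope, self.ban_time


class Fail2ban:
    """Route failures to jails; recidive watches the bans the other jails issue."""

    def __init__(self):
        self.jails = {n: Jail(n) for n in BAN_SCOPE if n != "recidive"}
        self.recidive = Jail("recidive", RECIDIVE_MAX_RETRY, RECIDIVE_FIND_TIME, RECIDIVE_BAN_TIME)

    def failure(self, ts, service, ip):
        """Bans caused by one failure: none, a service ban, or that ban plus the
        recidive ban issued on the fifth ban of the same IP within 24 hours."""
        bans = []
        ban = self.jails[service].failure(ts, ip)
        if ban:
            bans.append(ban)
            rec = self.recidive.failure(ts, ip)
            if rec:
                bans.append(rec)
        return bans

    def feed(self, lines):
        """Run log lines through the jails and return every ban, in order."""
        bans = []
        for line in lines:
            parsed = parse_line(line)
            if parsed:
                bans.extend(self.failure(*parsed))
        return bans


def repeat_offender(ip="203.0.113.5", rounds=RECIDIVE_MAX_RETRY, gap=3600):
    """Get one IP banned `rounds` times, an hour apart, and return all bans issued."""
    f2b, bans, t = Fail2ban(), [], 0
    for _ in range(rounds):
        for _ in range(MAX_RETRY):
            bans.extend(f2b.failure(t, "ssh", ip))
            t += 1
        t += gap
    return bans


# Constructed sample, not a real log: three failures from one client inside
# 15 minutes, one unrelated client, then a late failure after the window.
SAMPLE_LOG = """\
Mar 20 10:00:01 sme sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Mar 20 10:00:05 sme sshd[1201]: Failed password for root from 203.0.113.5 port 40111 ssh2
Mar 20 10:03:10 sme sshd[1240]: Failed password for root from 198.51.100.7 port 50123 ssh2
Mar 20 10:14:59 sme sshd[1288]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 20 10:40:00 sme sshd[1300]: Failed password for root from 203.0.113.5 port 40113 ssh2
""".splitlines()
```

`Fail2ban().feed(SAMPLE_LOG)` yields a single ban, for 203.0.113.5 on tcp/22 at the third failure (898 seconds after the first, still inside the 15 minute window); the failure at 10:40 starts a fresh count and the single failure from 198.51.100.7 never reaches MaxRetry. `Jail("qpsmtpd")` needs 9 failures because of the x3 factor, and `repeat_offender()` shows the recidive jail emitting a whole-IP, one-week ban on the fifth ssh ban within 24 hours.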

===Use Fail2ban===