Fail2ban filters


I have created a few filters for Fail2ban, which I posted to the Fail2ban users mailing list in the message "Contribution of filters for DAViCal, Roundcube and Sendmail". Unfortunately the mailing list archive does not contain the attached files, so I publish them here.

If you see any error or typo on this page, or have some other addition, please send an e-mail.

I also created a Fail2ban action with an external script.


DAViCal

This filter is for DAViCal, a CalDAV / CardDAV server. Copy & paste from below and save it as /etc/fail2ban/filter.d/davical.conf or download the davical.conf file and save it in the /etc/fail2ban/filter.d/ directory. Read the inline comments in the file and create a corresponding jail in your /etc/fail2ban/jail.local file.

# Fail2Ban configuration file for DAViCal
#
# Author: Fabian Wenk <fabian@wenks.ch>
#
# $Revision$
#
# DAViCal does its logging into the Apache error.log of the corresponding
# virtualhost.

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = \[error\] \[client <HOST>\] davical: Login failure: WARN: Invalid username or password., referer: .*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

Roundcube

This filter is for Roundcube, a web mail client. Copy & paste from below and save it as /etc/fail2ban/filter.d/roundcube.conf or download the roundcube.conf file and save it in the /etc/fail2ban/filter.d/ directory. Read the inline comments in the file and create a corresponding jail in your /etc/fail2ban/jail.local file.

# Fail2Ban configuration file for roundcube webmail
#
# Author: Fabian Wenk <fabian@wenks.ch>
#
# $Revision$
#
# To have the logging information available, it is necessary to adjust
# the following options in config/main.inc.php of Roundcube:
#
# $rcmail_config['debug_level'] = 1;	// not sure, probably not needed
# $rcmail_config['log_session'] = true;
#
# and point in the fail2ban jail config to the correct logfile,
# or change also the following config to log to syslog:
#
# $rcmail_config['log_driver'] = 'syslog';
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#	first line is for Cyrus IMAP (2.4.x)
#	second line is for Dovecot (2.1.x)
# Values: TEXT
#
failregex = roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: authentication failure in .*$
	    roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: Authentication failed. in .*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =  

Sendmail

These filters are for Sendmail, a mail transfer agent (MTA). I have created two different filters: sendmail-auth.conf checks for failed logins through SMTP authentication, and sendmail.conf checks for clients or other servers (mostly spam bots) that usually just generate a lot of "reject" log entries.
Important: Starting with fail2ban version 0.9.0, these two filters have been added to the base distribution as sendmail-auth and sendmail-reject, so you no longer need them from here.

sendmail-auth.conf

Copy & paste from below and save it as /etc/fail2ban/filter.d/sendmail-auth.conf or download the sendmail-auth.conf file and save it in the /etc/fail2ban/filter.d/ directory. Read the inline comments in the file and create a corresponding jail in your /etc/fail2ban/jail.local file.

# Fail2Ban configuration file for sendmail-auth
#
# Author: Fabian Wenk <fabian@wenks.ch>
#
# $Revision$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\]( \(may be forged\)|): possible SMTP attack: command=AUTH, count=\d+$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =  


sendmail.conf

Copy & paste from below and save it as /etc/fail2ban/filter.d/sendmail.conf or download the sendmail.conf file and save it in the /etc/fail2ban/filter.d/ directory. Read the inline comments in the file and create a corresponding jail in your /etc/fail2ban/jail.local file.

# Fail2Ban configuration file for sendmail
#
# Author: Fabian Wenk <fabian@wenks.ch>
#
# $Revision$
#
# Some of the below failregex will only work properly, when the following
# options are set in the .mc file (see your Sendmail documentation on how
# to modify it and generate the corresponding .cf file):
#
# FEATURE(`delay_checks')
# FEATURE(`greet_pause', `500')
# FEATURE(`ratecontrol', `nodelay', `terminate')
# FEATURE(`conncontrol', `nodelay', `terminate')
#
# ratecontrol and conncontrol also need corresponding options ClientRate:
# and ClientConn: in the access file, see documentation for ratecontrol and
# conncontrol in the sendmail/cf/README file.
#

[Definition]

# Option: failregex
# Notes.: regex to match rejected connections in the logfile.
# Values: TEXT
#
failregex = (sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Too many open connections.$
	    (sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Connection rate limit exceeded.$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: rejecting commands from .* \[<HOST>\] due to pre-greeting traffic after \d+ seconds$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=\[.*\], reject=550 5.7.1 \<.*\>... Relaying denied. IP name lookup failed \[<HOST>\]$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.* \[.*\] \(may be forged\), reject=550 5.7.1 \<.*\>... Relaying denied. IP name possibly forged \[<HOST>\]$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.* \[<HOST>\], reject=550 5.7.1 \<.*\>... Relaying denied. Proper authentication required.$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.*\[<HOST>\].*, reject=550 5.1.1 \<.*\>... User unknown$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.*\[<HOST>\].*, reject=553 5.1.8 \<.*\>... Domain of sender address .* does not exist$
	    (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\]: (?i)(EXPN|VRFY) .* \[rejected\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =  
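To check that the failregex lines above really capture the client address before a jail goes live, here is an added Python test harness (my example, not part of the original page and not fail2ban's own code) that expands <HOST> the way fail2ban 0.8.x did and runs a representative regex from each filter over constructed log lines; the log lines, host names, queue ids and addresses are all made up for the example.

```python
import re

# The named-group expansion fail2ban 0.8.x substituted for <HOST> before compiling a failregex
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines copied from the filter files above (a representative subset)
FILTERS = {
    "davical": [
        r"\[error\] \[client <HOST>\] davical: Login failure: WARN: Invalid username or password., referer: .*$",
    ],
    "roundcube": [
        r"roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: authentication failure in .*$",
    ],
    "sendmail-auth": [
        r"(sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\]( \(may be forged\)|): possible SMTP attack: command=AUTH, count=\d+$",
    ],
    "sendmail": [
        r"(sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Connection rate limit exceeded.$",
        r"(sm-mta|sendmail)(?:\[\d+\])?: .*: rejecting commands from .* \[<HOST>\] due to pre-greeting traffic after \d+ seconds$",
    ],
}

def match_host(filter_name, line):
    """Return the host captured by the first matching failregex of a filter, else None."""
    for pattern in FILTERS[filter_name]:
        m = re.search(pattern.replace("<HOST>", HOST_TAG), line)
        if m:
            return m.group("host")
    return None

# Constructed log lines in the formats the filters expect (not real log data);
# the "Successful login" line shows that a benign line is left alone.
SAMPLE_LINES = [
    ("davical", "[Tue Aug 14 10:11:12 2012] [error] [client 192.0.2.10] davical: Login failure: "
                "WARN: Invalid username or password., referer: https://cal.example.net/"),
    ("roundcube", "Aug 25 09:00:01 mail roundcube: IMAP Error: Login failed for alice from 198.51.100.7. "
                  "AUTHENTICATE PLAIN: authentication failure in /var/www/roundcube/program/lib/rcube_imap.php on line 184"),
    ("roundcube", "Aug 25 09:00:02 mail roundcube: Successful login for bob (ID: 3) from 198.51.100.8"),
    ("sendmail-auth", "Aug 11 12:00:00 mail sm-mta[12345]: r7BA000012345: bad.example[203.0.113.5]: "
                      "possible SMTP attack: command=AUTH, count=5"),
    ("sendmail", "Aug 11 12:00:01 mail sm-mta[12346]: ruleset=check_relay, arg1=spam.example, arg2=203.0.113.9, "
                 "relay=spam.example [203.0.113.9], reject=421 4.3.2 Connection rate limit exceeded."),
    ("sendmail", "Aug 11 12:00:02 mail sendmail[12347]: r7BA000212347: rejecting commands from spam.example "
                 "[203.0.113.9] due to pre-greeting traffic after 0 seconds"),
]

def check_samples():
    """Run every sample line through its filter; returns a list of (filter, host or None)."""
    return [(name, match_host(name, line)) for name, line in SAMPLE_LINES]
```

The same check against a real log file is what `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sendmail.conf` does. The EXPN/VRFY line of sendmail.conf is left out here because its mid-pattern `(?i)` flag is rejected by Python 3.11 and later.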



Document History

15-Aug-2012: Initial publication
25-Aug-2012: Additional needed configure line added in roundcube.conf
01-Mar-2013: Additional regex line added in sendmail.conf
18-May-2013: Adjusted regex line in sendmail-auth.conf and sendmail.conf
20-May-2013: Sendmail configuration options added in sendmail.conf
11-Aug-2013: Adjusted regex line in sendmail-auth.conf and added additional regex line in sendmail.conf
02-Dec-2013: Added link to Fail2ban action with external script
04-May-2014: Added note to Sendmail filters regarding fail2ban version 0.9.0 and later

Fabian Wenk last update 04-May-2014