| I have created a few filters for Fail2ban, which I did post to the Fail2ban
users mailing list in the message Contribution
of filters for DAViCal, Roundcube and Sendmail. But unfortunately the
mailing list archive does not contain the attached files. So I publish
them here.
If you see any error or typo on this page, or have some other addition, please send an e-mail. I also created Fail2ban action with external script. |
Table of Contents |
DAViCalThis filter is for DAViCal, a CalDAV / CardDAV server. Copy & paste from below and save it as/etc/fail2ban/filter.d/davical.conf or download the davical.conf file and save it in the
/etc/fail2ban/filter.d/ directory. Read the inline comments
in the file and create a corresponding jail in your
/etc/fail2ban/jail.local file. |
# Fail2Ban configuration file for DAViCal
#
# Author: Fabian Wenk <fabian@wenks.ch>
#
# $Revision$
#
# DAViCal does its logging into the Apache error.log of the corresponding
# virtualhost.
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = \[client <HOST>(:\d+)?\] davical: Login failure: WARN: Invalid username or password., referer: .*$
\[client <HOST>(:\d+)?\] davical: \*\*\*: ERROR:authentication failure for user \'.*\' from host \[.*\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = |
RoundcubeThis filter is for Roundcube, a web mail client. Copy & paste from below and save it as/etc/fail2ban/filter.d/roundcube.conf or download the roundcube.conf file and save it in the
/etc/fail2ban/filter.d/ directory. Read the inline comments
in the file and create a corresponding jail in your
/etc/fail2ban/jail.local file. |
# Fail2Ban configuration file for roundcube webmail # # Author: Fabian Wenk <fabian@wenks.ch> # # $Revision$ # # To have logging information available, it is necessary to adjusting # the following option in config/main.inc.php from Roundcube: # # $rcmail_config['debug_level'] = 1; // not sure, probably not needed # $rcmail_config['log_session'] = true; # # and point in the fail2ban jail config to the correct logfile, # or change also the following config to log to syslog: # # $rcmail_config['log_driver'] = 'syslog'; # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. # first line is for Cyrus IMAP (2.4.x) # second line is for Dovecot (2.1.x) # Values: TEXT # failregex = roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: authentication failure in .*$ roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: Authentication failed. in .*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = |
SendmailThis filters are for Sendmail, a mail transfer agent (MTA). I have created 2 different filters, sendmail-auth.conf does check for failed logins through SMTP Authentication. And sendmail.conf does check for clients or other servers (mostly spam bots), which usually just generate a lot of "reject" log entries.Important: Starting with fail2ban version 0.9.0, this two filters have been added to the base distribution as sendmail-auth and sendmail-reject, so you do not
need them from here any more.
sendmail-auth.confCopy & paste from below and save it as/etc/fail2ban/filter.d/sendmail-auth.conf or download the sendmail-auth.conf file and save it in the
/etc/fail2ban/filter.d/ directory. Read the inline comments
in the file and create a corresponding jail in your
/etc/fail2ban/jail.local file. |
# Fail2Ban configuration file for sendmail-auth # # Author: Fabian Wenk <fabian@wenks.ch> # # $Revision$ # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # failregex = (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\]( \(may be forged\)|): possible SMTP attack: command=AUTH, count=\d+$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = |
sendmail.confCopy & paste from below and save it as/etc/fail2ban/filter.d/sendmail.conf or download the sendmail.conf file and save it in the
/etc/fail2ban/filter.d/ directory. Read the inline comments
in the file and create a corresponding jail in your
/etc/fail2ban/jail.local file. |
# Fail2Ban configuration file for sendmail # # Author: Fabian Wenk <fabian@wenks.ch> # # $Revision$ # # Some of the below failregex will only work properly, when the following # options are set in the .mc file (see your Sendmail documentation on how # to modify it and generate the corresponding .cf file): # # FEATURE(`delay_checks') # FEATURE(`greet_pause', `500') # FEATURE(`ratecontrol', `nodelay', `terminate') # FEATURE(`conncontrol', `nodelay', `terminate') # # ratecontrol and conncontrol also need corresponding options ClientRate: # and ClientConn: in the access file, see documentation for ratecontrol and # conncontrol in the sendmail/cf/README file. # [Definition] # Option: failregex # Notes.: regex to match rejected connections in the logfile. # Values: TEXT # failregex = (sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Too many open connections.$ (sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Connection rate limit exceeded.$ (sm-mta|sendmail)(?:\[\d+\])?: .*: rejecting commands from .* \[<HOST>\] due to pre-greeting traffic after \d+ seconds$ (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=\[.*\], reject=550 5.7.1 \<.*\>... Relaying denied. IP name lookup failed \[<HOST>\]$ (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.* \[.*\] \(may be forged\), reject=550 5.7.1 \<.*\>... Relaying denied. IP name possibly forged \[<HOST>\]$ (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.* \[<HOST>\], reject=550 5.7.1 \<.*\>... Relaying denied. Proper authentication required.$ (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.*\[<HOST>\].*, reject=550 5.1.1 \<.*\>... User unknown$ (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.*\[<HOST>\].*, reject=553 5.1.8 \<.*\>... Domain of sender address .* does not exist$ (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\]: (?i)(EXPN|VRFY) .* \[rejected\]$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = |
Document History |
|
| 15-Aug-2012 | Initial publication |
| 25-Aug-2012 | Additional needed configure line added in roundcube.conf |
| 01-Mar-2013 | Additional regex line added in sendmail.conf |
| 18-May-2013 | Adjusted regex line in sendmail-auth.conf and sendmail.conf |
| 20-May-2013 | Sendmail configuration options added in sendmail.conf |
| 11-Aug-2013 | Adjusted regex line in sendmail-auth.conf and added additional regex line in sendmail.conf |
| 02-Dec-2013 | Added link to Fail2ban action with external script |
| 04-May-2014 | Added note to Sendmail filters regarding fail2ban version 0.9.0 and later |
| 12-Sep-2020 | Adjusted regex line in davical.conf |
| Fabian Wenk | last update 12-Sep-2020 |