Postfix settings for Blocklist

All questions around Fail2Ban (configuration, errors, filters...).
Despe.de
Posts: 5
Joined: 14 Nov 2010, 22:03
Location: Wiesbaden

Postfix settings for Blocklist

Post by Despe.de »

Hi there :)
First of all, great that you have put something like this together!

To the point
Hetzner EQ4 in Xen mode, Deb Lenny + DotDeb, Postfix, Dovecot, Froxlor, Bot-trap, Webmin (out of laziness about searching logs)


I experimented quite a lot with Fail2ban last night, so sorry in advance if your mailbox overflows :/

Currently I am using the following Postfix settings:

main.cf

Code:

smtpd_recipient_restrictions =
	reject_non_fqdn_sender,
	permit_sasl_authenticated,
	permit_mynetworks,
	reject_invalid_helo_hostname,
	reject_non_fqdn_helo_hostname,
	reject_invalid_hostname,
	reject_unlisted_recipient,
	reject_unauth_destination,
	reject_non_fqdn_recipient,
	reject_sender_login_mismatch,
	reject_rbl_client bl.blocklist.de,
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client dnsbl.sorbs.net,
	reject_rbl_client ix.dnsbl.manitu.net,
	reject_rbl_client cbl.abuseat.org,
	reject_rbl_client dialup.blacklist.jippg.org,
	reject_rbl_client dnsbl-1.uceprotect.net,
	permit
current jail.conf

Code:

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 89.149.254.157 89.149.237.105 89.149.242.40 80.67.29.225 78.46.95.41 89.149.201.23 85.181.13.140
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = info@despe.de

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 6


[ssh-iptables]

enabled  = true
filter   = sshd
maxretry = 3
logpath  = /var/log/auth.log
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois-lines[name=ssh, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]
bantime  = 2419200


[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = True
port	= http,https
filter	= apache-auth
#logpath = /var/log/apache*/*error.log
logpath = /var/kunden/logs/*-error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = True
port	  = http,https
filter	  = apache-auth
#logpath   = /var/log/apache*/*error.log
logpath = /var/kunden/logs/*-error.log
maxretry  = 6


[apache-noscript]

enabled = True
port    = http,https
filter  = apache-noscript
#logpath = /var/log/apache*/*error.log
logpath = /var/kunden/logs/*-error.log
maxretry = 6


[apache-overflows]

enabled = True
port    = http,https
filter  = apache-overflows
#logpath = /var/log/apache*/*error.log
logpath = /var/kunden/logs/*-error.log
maxretry = 2


[apache-badbots]

enabled  = true
filter   = apache-badbots
maxretry = 1
#logpath  = /var/log/apache2/access.log
# apache-badbots matches the User-Agent in access-log lines, so it has to
# watch the access logs, not the error logs (Froxlor's *-access.log naming assumed)
logpath  = /var/kunden/logs/*-access.log
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]
bantime  = 2419200


[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables[name=w00tw00t, port=80, protocol=tcp]
           sendmail-whois[name=w00tw00t, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]
logpath  = /var/kunden/logs/*.log
maxretry = 1
bantime  = 2419200


#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = True
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[proftpd-iptables]

enabled  = true
filter   = proftpd
maxretry = 6
logpath  = /var/log/auth.log
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois-lines[name=proftpd, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[postfix-tcpwrapper]

enabled  = true
filter   = postfix
maxretry = 3
logpath  = /var/log/mail.log
action   = iptables[name=POSTFIX, port=25, protocol=tcp]
           sendmail-whois-lines[name=postfix, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]


[postfix-blacklist]

enabled  = true
filter   = postfix-blacklist
maxretry = 2
logpath  = /var/log/mail.log
action   = iptables[name=POSTFIX, port=25, protocol=tcp]
           sendmail-whois-lines[name=postfix, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[couriersmtp]

enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


[courierauth]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
#action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
action   = iptables-multiport[name=Dovecot-pop3imap, port="pop3,imap", protocol=tcp]
           sendmail-whois-lines[name=Dovecot, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]
logpath = /var/log/mail.log
maxretry = 3


[sasl]

enabled  = true
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 20
#action   = iptables[name=SASL, port=smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s, protocol=tcp]
#           sendmail-whois-lines[name=SASL, dest=info@despe.de, sender=info@despe.de, logpath=%(logpath)s]



[sasl-iptables]

enabled  = true
filter   = sasl
#backend  = polling
maxretry = 5
logpath  = /var/log/mail.log
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois-lines[name=sasl, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]
           
#
# WEBMIN
#


[webmin-iptables]

enabled  = true
filter   = webmin
action   = iptables[name=sasl, port=10001, protocol=tcp]
          sendmail-whois-lines[name=sasl, dest=fail2ban@blocklist.de, sender=fail2ban@DEINE-DOMAIN, logpath=%(logpath)s]
logpath  = /var/log/webmin/miniserv.log
maxretry = 4
           
# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

Some entries are in there twice, since at first I only imported your default config; the banning did not want to work * asking for leniency :) *



Interesting that so much is sent to you; I would not have thought it would be that much.
As far as spammers are concerned, I am actually rather annoyed and already block one or the other more, at least I try to.

Maybe set too much or too hard, e.g. regarding "maxretry"?
----------
In this spirit
Donzi
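How Postfix actually walks the restriction list in the main.cf above, as an added example (not code from the forum post and not Postfix's own code): Postfix evaluates smtpd_recipient_restrictions top to bottom, and the first restriction that answers PERMIT or REJECT decides. That is why an authenticated client never reaches the reject_rbl_client entries, while reject_non_fqdn_sender, which sits above permit_sasl_authenticated, still applies to authenticated users. The model below covers a subset of the posted list; the DNS-dependent entries (reject_invalid_helo_hostname, reject_invalid_hostname, reject_sender_login_mismatch) are omitted, DNSBL answers come from a constructed in-memory set, and MYNETWORKS, LOCAL_DOMAINS and LOCAL_USERS are assumed values rather than the poster's.

```python
"""Simulate Postfix's first-match evaluation of smtpd_recipient_restrictions.

Added example for this thread, not Postfix code. Each restriction returns
PERMIT, REJECT or DUNNO (= "does not apply, ask the next one"), and the list
is walked in the posted order until one of them decides.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]   # assumed value
LOCAL_DOMAINS = {"despe.de"}                          # assumed value
LOCAL_USERS = {"info@despe.de"}                       # assumed value


@dataclass
class Client:
    """Constructed SMTP session state as seen at RCPT TO time."""
    ip: str
    helo: str
    sender: str                          # MAIL FROM, "" for the null sender
    recipient: str                       # RCPT TO
    sasl_user: Optional[str] = None      # set once the session authenticated
    rbl_hits: frozenset = frozenset()    # constructed stand-in for DNSBL answers


def _is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def reject_non_fqdn_sender(c):
    domain = c.sender.rpartition("@")[2]
    return REJECT if c.sender and not _is_fqdn(domain) else DUNNO

def permit_sasl_authenticated(c):
    return PERMIT if c.sasl_user else DUNNO

def permit_mynetworks(c):
    addr = ipaddress.ip_address(c.ip)
    return PERMIT if any(addr in net for net in MYNETWORKS) else DUNNO

def reject_non_fqdn_helo_hostname(c):
    return REJECT if not _is_fqdn(c.helo) else DUNNO

def reject_unlisted_recipient(c):
    domain = c.recipient.rpartition("@")[2]
    return REJECT if domain in LOCAL_DOMAINS and c.recipient not in LOCAL_USERS else DUNNO

def reject_unauth_destination(c):
    return DUNNO if c.recipient.rpartition("@")[2] in LOCAL_DOMAINS else REJECT

def reject_rbl_client(zone):
    """One DNSBL check; the hit table replaces the real DNS lookup."""
    def check(c):
        return REJECT if zone in c.rbl_hits else DUNNO
    check.__name__ = "reject_rbl_client " + zone
    return check

def permit(c):
    return PERMIT

# Same order as the posted main.cf, minus the DNS-dependent entries.
RESTRICTIONS = [
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_unlisted_recipient,
    reject_unauth_destination,
    reject_rbl_client("bl.blocklist.de"),
    reject_rbl_client("zen.spamhaus.org"),
    permit,
]


def evaluate(client, restrictions=RESTRICTIONS):
    """Return (verdict, name of the restriction that decided): first match wins."""
    for restriction in restrictions:
        verdict = restriction(client)
        if verdict != DUNNO:
            return verdict, restriction.__name__
    return DUNNO, None


if __name__ == "__main__":
    on_blocklist = frozenset({"bl.blocklist.de"})
    print(evaluate(Client("203.0.113.5", "mail.example.org", "x@example.org",
                          "info@despe.de", rbl_hits=on_blocklist)))
    print(evaluate(Client("203.0.113.5", "mail.example.org", "x@example.org",
                          "info@despe.de", sasl_user="info", rbl_hits=on_blocklist)))
```

Running it shows the same listed IP rejected by bl.blocklist.de when unauthenticated and permitted by permit_sasl_authenticated once it has logged in, which is the practical reason the RBL entries sit below the permit_* lines: a customer on a dynamically listed DSL address can still submit mail after SASL login, but a stolen password bypasses every RBL.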

Falconbase
Posts: 97
Joined: 14 Sep 2010, 11:20
Location: Wallersdorf

Re: Postfix settings for Blocklist

Post by Falconbase »

Hi Despe,

don't worry about the amount of your e-mails, we have had a lot more than that. :lol:

Regarding the jail.conf, I noticed that your Webmin rule has not been adapted yet.

Code:

action   = iptables[name=sasl, port=10001, protocol=tcp]
          sendmail-whois-lines[name=sasl, dest=fail2ban@blocklist.de, sender=fail2ban@DEINE-DOMAIN, logpath=%(logpath)s]
Also, it is enough to use only the postfix and postfix-blacklist rules there, otherwise it always gets banned twice.

Regarding maxretry, we can recommend the default values that we set in our example configuration.
Regards, Falconbase

http://www.kunesch.net

Despe.de
Posts: 5
Joined: 14 Nov 2010, 22:03
Location: Wiesbaden

Re: Postfix settings for Blocklist

Post by Despe.de »

About the mails, well, that reassures me ^^

Adapted the Webmin rule and switched [postfix] off. Left [postfix-tcpwrapper] and [postfix-blacklist] on. I am just seeing in the log that the wrapper and the normal postfix ban twice.
The rest looks good :)

Many thanks :>
----------
In this spirit
Donzi

Falconbase
Posts: 97
Joined: 14 Sep 2010, 11:20
Location: Wallersdorf

Re: Postfix settings for Blocklist

Post by Falconbase »

Hi Donzi,

better enable [postfix] and [postfix-blacklist]; those are recognised by Martin's system and processed accordingly.
Regards, Falconbase

http://www.kunesch.net

Despe.de
Posts: 5
Joined: 14 Nov 2010, 22:03
Location: Wiesbaden

Re: Postfix settings for Blocklist

Post by Despe.de »

[postfix] is not in your default o0

[postfix-tcpwrapper] is in there

so now what? :>
----------
In this spirit
Donzi

Martin
Posts: 401
Joined: 14 Sep 2010, 11:54

Re: Postfix settings for Blocklist

Post by Martin »

Hi,

as long as in:

Code:

action   = iptables[name=POSTFIX, port=25, protocol=tcp]
           sendmail-whois-lines[name=postfix,
the name is "postfix", the mails are processed correctly. The other notifications are then entered by me manually, or extended with the service name, so that they are handled automatically as well.

Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service
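A small checker for the three configuration issues the replies above turn on, as an added example (not code from any of the posts and not part of fail2ban): the overlapping jails that ban and mail every hit twice (Falconbase's point), the `maxentry` misspelling that appears in the posted jail.conf, and Martin's point that the `name=` parameter of the sendmail-whois-lines action is what blocklist.de keys on. It runs over a constructed excerpt of the posted jail.conf; the rule that the reporting name should correspond to the jail's filter is a heuristic distilled from Martin's reply, not a documented blocklist.de rule, and the KNOWN_KEYS set is a deliberately short assumption rather than fail2ban's full option list.

```python
"""Lint a fail2ban jail.conf for the problems raised in this thread.

Added example; not part of the forum posts or of fail2ban. It reports:
  1. enabled jails sharing the same filter and logpath (every hit is banned
     and reported to blocklist.de once per jail),
  2. the 'maxentry' misspelling, which fail2ban ignores, so the jail silently
     falls back to the DEFAULT maxretry,
  3. reporting actions (dest=fail2ban@blocklist.de) whose name= does not
     correspond to the jail's filter, e.g. the Webmin jail saying name=sasl.
"""
import configparser
import re
from collections import defaultdict

# Constructed excerpt of the posted jail.conf (the 'maxentry' typo kept on purpose).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime  = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
maxentry = 3
logpath  = /var/log/auth.log
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois-lines[name=ssh, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]

[postfix]
enabled  = true
filter   = postfix
logpath  = /var/log/mail.log

[postfix-tcpwrapper]
enabled  = true
filter   = postfix
logpath  = /var/log/mail.log
action   = iptables[name=POSTFIX, port=25, protocol=tcp]
           sendmail-whois-lines[name=postfix, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]

[postfix-blacklist]
enabled  = true
filter   = postfix-blacklist
logpath  = /var/log/mail.log
action   = iptables[name=POSTFIX, port=25, protocol=tcp]
           sendmail-whois-lines[name=postfix, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]

[webmin-iptables]
enabled  = true
filter   = webmin
logpath  = /var/log/webmin/miniserv.log
action   = iptables[name=sasl, port=10001, protocol=tcp]
           sendmail-whois-lines[name=sasl, dest=fail2ban@blocklist.de, sender=info@despe.de, logpath=%(logpath)s]

[vsftpd]
enabled  = false
filter   = vsftpd
logpath  = /var/log/vsftpd.log
"""

# Assumed short list of options; fail2ban knows more.
KNOWN_KEYS = {"enabled", "filter", "logpath", "action", "port", "protocol",
              "maxretry", "bantime", "findtime", "ignoreip", "backend"}
REPORT_DEST = "fail2ban@blocklist.de"
ACTION_RE = re.compile(r"([\w.-]+)\[([^\]]*)\]")        # action[params]
PARAM_RE = re.compile(r'([\w-]+)=("[^"]*"|[^,\]]*)')    # key=value or key="a,b"


def parse_actions(raw):
    """Split a (possibly multi-line) action value into [(action, {param: value})]."""
    return [(name, {k: v.strip().strip('"') for k, v in PARAM_RE.findall(body)})
            for name, body in ACTION_RE.findall(raw)]


def lint(text):
    """Return [(jail, message)] for the three problem classes described above."""
    cp = configparser.ConfigParser(interpolation=None)   # keep %(logpath)s literal
    cp.read_string(text)
    findings, watched = [], defaultdict(list)
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue
        for key in cp.options(jail):                      # includes DEFAULT keys
            if key not in KNOWN_KEYS:
                hint = " (did you mean 'maxretry'?)" if key == "maxentry" else ""
                findings.append((jail, "unknown option '%s'%s" % (key, hint)))
        filt = cp.get(jail, "filter", fallback="")
        watched[(filt, cp.get(jail, "logpath", fallback=""))].append(jail)
        for _action, params in parse_actions(cp.get(jail, "action", fallback="")):
            reported = params.get("name", "").lower()
            if params.get("dest") == REPORT_DEST and reported not in filt.lower():
                findings.append((jail, "report name '%s' does not match filter '%s'" % (reported, filt)))
    for (filt, path), jails in watched.items():
        if len(jails) > 1:
            findings.append((",".join(jails), "same filter '%s' on %s: every hit is banned and reported %d times" % (filt, path, len(jails))))
    return findings


if __name__ == "__main__":
    for jail, message in lint(SAMPLE_JAIL_CONF):
        print("%-28s %s" % (jail + ":", message))
```

On the excerpt it flags ssh-iptables for `maxentry`, webmin-iptables for reporting as `sasl`, and the postfix/postfix-tcpwrapper pair for watching the same filter on the same log; postfix-blacklist is left alone because it uses a different filter, which is exactly the pairing Falconbase recommends keeping.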
