Fail2Ban (http://wikipedia.org/wiki/Fail2ban) protects your server against intruders who try to guess passwords by brute force.
It lets you monitor standard services such as SSH, Apache, etc.
AXIGEN can be secured against password attacks in the same way.
The following steps are necessary:
The steps may differ depending on your distribution.
Step 1: Install Fail2Ban
Step 2: Create a shell script:
#!/bin/bash
# $1 - file the extracted failed logins are written to (defaults to secure.txt)
LOG_AXI="/var/opt/axigen/log/everything.txt"
if [ -z "$1" ]
then
    LOG_SEC=/var/opt/axigen/log/secure.txt
else
    LOG_SEC="$1"
fi
# Follow AXIGEN's log by name (so it survives log rotation) and examine every new line
tail --retry --follow=name "$LOG_AXI" | while IFS= read -r l
do
    timestamp=$(date '+%d-%m-%Y %T')
    case "$l" in
        *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
            # field 6 is the session id (e.g. IMAP:000000CC:); it links this line
            # to the connection line of the same session, which carries the client address
            sid=$(echo "$l" | awk '{print $6}')
            if [ -n "$sid" ]
            then
                # first line with this session id: its last field is [ip:port]; keep only the ip
                con_ip=$(grep -m 1 "$sid" "$LOG_AXI" | awk '{print $NF}' | sed 's/\[//g;s/:.*$//g')
                if [ -n "$con_ip" ]
                then
                    echo "$timestamp $l from $con_ip" >> "$LOG_SEC"
                fi
            fi
            ;;
    esac
done
Step 3: Make sure the script is started automatically, for example via /etc/inittab
Notes:
If AXIGEN writes its log file to another location, adjust the path in the variable $LOG_AXI.
Log rotation should be set up for the secure.txt file.
Test the script as follows:
Start the script
Check the contents of secure.txt
Attempt a login with a wrong password; it should be reported as follows:
18-07-2014 14:35:42 07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user ‘user1@localdomain’: Invalid password from 192.168.1.101
Step 4: Create a new Fail2Ban filter, for example axigen.conf under /etc/fail2ban/filter.d (Fail2Ban resolves "filter = axigen" to filter.d/axigen.conf)
With content:
# Fail2Ban configuration file
[Definition]
failregex = from <HOST>
Step 5: Configure Fail2Ban by extending jail.conf under /etc/fail2ban with the following jail:
[axigen]
enabled = true
filter = axigen
port = all
logpath = /var/opt/axigen/log/secure.txt
bantime = 100
maxretry = 3
banaction = iptables-allports
Adjust the maximum number of failed attempts (maxretry), the ban time (bantime) and the log path (logpath) to suit your environment.
Then restart Fail2Ban.
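To check the whole chain before relying on it, the following Python script (added here as an illustration, not part of the forum post or of AXIGEN/Fail2Ban) replays the logic of Step 2 and of Steps 4-5 over a constructed sample of everything.txt: it correlates each failed login with its connection line via the session id, produces the secure.txt lines the shell script would write, matches them with the "from <HOST>" failregex, and counts hits per address against maxretry. The sample log lines, session ids and addresses are made up, modelled on the line shown above; the connection-line format ("Connection accepted [ip:port]") is an assumption about AXIGEN's log, and the <HOST> expansion is a simplified version of Fail2Ban's own.

```python
import re
from collections import defaultdict

# Constructed sample of AXIGEN's everything.txt (assumed format: the connection
# line of a session ends with "[ip:port]", later lines of the same session share
# field 6, the session id). Addresses and session ids are made up.
AXIGEN_LOG = """\
07-28 14:35:40 +0300 02 localhost IMAP:000000CC: Connection accepted [192.168.1.101:50412]
07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user 'user1@localdomain': Invalid password
07-28 14:35:50 +0300 02 localhost IMAP:000000CD: Connection accepted [192.168.1.101:50413]
07-28 14:35:51 +0300 02 localhost IMAP:000000CD: Authentication error for user 'user1@localdomain': Invalid password
07-28 14:36:01 +0300 02 localhost IMAP:000000CE: Connection accepted [192.168.1.101:50414]
07-28 14:36:02 +0300 02 localhost IMAP:000000CE: could not authenticate user 'user1@localdomain'
07-28 14:36:10 +0300 02 localhost SMTP:000000CF: Connection accepted [10.0.0.7:33001]
07-28 14:36:11 +0300 02 localhost SMTP:000000CF: Authentication error for user 'bob@localdomain': Invalid password
07-28 14:36:20 +0300 02 localhost IMAP:000000D0: Connection accepted [10.0.0.9:40000]
07-28 14:36:21 +0300 02 localhost IMAP:000000D0: user 'carol@localdomain' logged in
"""

# Same markers as the case branch of the shell script in Step 2
FAIL_MARKERS = ("Authentication error", "could not authenticate user",
                "error authenticating user")


def connecting_ip(session_id, log_lines):
    """Mirror of: grep -m 1 "$sid" | awk '{print $NF}' | sed 's/\\[//g;s/:.*$//g'
    First line carrying the session id; its last field with '[' and ':port]' stripped."""
    for line in log_lines:
        if session_id in line:
            last = line.split()[-1]
            return last.lstrip("[").split(":", 1)[0]
    return None


def build_secure_log(axigen_log, stamp="18-07-2014 14:35:42"):
    """Produce the secure.txt lines the watcher script would append.
    'stamp' stands in for $(date '+%d-%m-%Y %T') so the result is reproducible."""
    lines = axigen_log.splitlines()
    out = []
    for line in lines:
        if not any(marker in line for marker in FAIL_MARKERS):
            continue
        fields = line.split()
        if len(fields) < 6:          # no session id field: skip, like the [ -n "$sid" ] test
            continue
        ip = connecting_ip(fields[5], lines)
        if ip:
            out.append(f"{stamp} {line} from {ip}")
    return out


def failregex_to_python(failregex):
    """Expand Fail2Ban's <HOST> tag into a named group (simplified; Fail2Ban's own
    expansion also handles IPv4-mapped IPv6 prefixes)."""
    return failregex.replace("<HOST>", r"(?P<host>[\w\-.^_]*\w)")


def offenders(secure_lines, failregex="from <HOST>", maxretry=3):
    """Count failregex hits per host, as the jail in Step 5 does, and return the
    hosts that reached maxretry (findtime windowing is omitted for brevity)."""
    pattern = re.compile(failregex_to_python(failregex))
    counts = defaultdict(int)
    for line in secure_lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    secure = build_secure_log(AXIGEN_LOG)
    print("\n".join(secure))
    print("would be banned:", offenders(secure))
```

Two things the replay makes visible: the address extraction depends on the connection line being the first line that mentions the session id and on its last field being "[ip:port]", so a log format change silently produces wrong "from" values; and the jail counts per host across the whole file here, whereas Fail2Ban only counts hits inside its findtime window. Against the real files, Fail2Ban's own fail2ban-regex tool takes a log file (or a single line) and a filter file and reports which lines the failregex matched, which is the quickest check that secure.txt and axigen.conf agree.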
From http://www.axigenmailgate.de/forum/archive/index.php/t-935.html