blacklistd | fail2ban | sshguard
DRAFT - we didn't get postfix-sasl to actually ban hosts, although attacks were detected. Only SSH attackers were taken into account. As a result, we are better off with sshguard.
systemctl stop sshguard
systemctl disable sshguard
systemctl list-unit-files | grep tables
systemctl stop iptables
systemctl disable iptables
apt install fail2ban nftables
systemctl start nftables
systemctl enable nftables
eventually change the defaults to strengthen it more and avoid DNS lookup delays (usedns = no). Note that a package upgrade may replace jail.conf; fail2ban reads jail.local on top of it, so the same overrides can go there instead of editing the stripped jail.conf below.
cd /etc/fail2ban/
mv -i jail.conf jail.conf.dist
grep -vE '^#|^$' jail.conf.dist > jail.conf.clean
grep -vE '^#|^$' jail.conf.dist > jail.conf
vi jail.conf

bantime = 12h
usedns = no

[pam-generic]
enabled = true

[recidive]
enabled = true
protocol = 0-255
also switch the Netfilter front end from iptables to nftables, and ban the attacker on all ports whatever service it was caught on
vi jail.conf
:%s/iptables/nftables/g

banaction = nftables-allports
banaction_allports = nftables-allports
tune your ssh port
vi /etc/fail2ban/jail.conf

[sshd]
port = 2222
and make sure the email filters are enabled
vi jail.conf

[postfix]
enabled = true

[postfix-rbl]
enabled = true

[postfix-sasl]
enabled = true

[dovecot]
enabled = true
systemctl restart nftables.service
systemctl restart fail2ban
systemctl enable fail2ban
tail -F /var/log/syslog
fail2ban-client status
fail2ban-client banned
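The draft note at the top says postfix-sasl matched attacks without banning anyone. The usual cause is counting, not matching: a jail bans a host only once maxretry matches from that host fall inside the findtime window (5 and 10m by default), so failures spread over an hour never add up. The script below is an added example, neither the page's nor fail2ban's code: it emulates that decision with awk over a constructed Postfix smtpd log sample (hosts, addresses and lines are made up; the failregex is a simplified stand-in for fail2ban's postfix[mode=auth] filter, and timestamps are parsed as seconds since midnight, which is enough for a same-day sample). A host with five matches across an hour stays unbanned while a five-failure burst gets banned; lowering maxretry bans both.

```shell
#!/bin/sh
# Added example (not from the page or fail2ban): emulate a jail's ban decision.

# Constructed mail.log sample, as a Postfix container would write it.
# 203.0.113.7 fails 5 times in 4 minutes; 198.51.100.9 fails 5 times but
# spread over 90 minutes (1 early, 4 later).
sample_log() {
cat <<'EOF'
Mar  3 10:00:01 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:09 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:15 mx postfix/smtpd[1203]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:00:20 mx postfix/smtpd[1203]: connect from unknown[198.51.100.9]
Mar  3 10:00:21 mx postfix/smtpd[1203]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:03:30 mx postfix/smtpd[1210]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:04:02 mx postfix/smtpd[1210]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 11:30:00 mx postfix/smtpd[1300]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 11:31:00 mx postfix/smtpd[1300]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 11:32:00 mx postfix/smtpd[1300]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 11:33:00 mx postfix/smtpd[1300]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
EOF
}

# ban_decision MAXRETRY FINDTIME_SECONDS  (log lines on stdin)
# Prints "<host> <matches> banned@<time>|not-banned", one line per host.
# A host is banned the first time MAXRETRY of its matches lie within
# FINDTIME seconds of the current match, which is how fail2ban counts.
ban_decision() {
    awk -v maxretry="$1" -v findtime="$2" '
    # simplified failregex: smtpd SASL auth failure, client address in brackets
    /postfix\/smtpd\[[0-9]+\]: warning: [^[]*\[[0-9.]+\]: SASL [A-Z0-9-]+ authentication failed/ {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]          # seconds since midnight
        match($0, /\[[0-9.]+\]: SASL/)
        host = substr($0, RSTART + 1, RLENGTH - 8)     # strip "[" and "]: SASL"
        n[host]++
        ts[host, n[host]] = now
        if (!(host in banned)) {
            hits = 0
            for (i = 1; i <= n[host]; i++)
                if (ts[host, i] >= now - findtime) hits++
            if (hits >= maxretry) banned[host] = $3
        }
    }
    END {
        for (h in n)
            printf "%s %d %s\n", h, n[h], ((h in banned) ? ("banned@" banned[h]) : "not-banned")
    }' | sort
}

# Stand-alone run with the fail2ban defaults (maxretry 5, findtime 10m).
sample_log | ban_decision 5 600
```

On the real host the equivalent checks are fail2ban-regex on the actual log with the jail's filter, to confirm matching, and fail2ban-client get postfix-sasl findtime / maxretry, to see the window the counts must fit in; if the matches are there but bans are not, the window is usually the reason.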
for a Postfix container writing its logs into /data/postfixprod/, you need a dedicated jail. Note that postfix-auth is not a filter shipped with fail2ban (the stock filter is postfix, which the postfix-sasl jail uses as postfix[mode=auth]), so /etc/fail2ban/filter.d/postfix-auth.conf must exist; also, this jail uses the iptables action rather than the nftables-allports one set globally above, so its bans land in an iptables chain and only cover SMTP.
cd /etc/fail2ban/jail.d/
vi postfixprod.conf

[postfix-auth]
enabled = true
port = smtp,ssmtp
filter = postfix-auth
action = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath = /data/postfixprod/mail.log
you should now see the new iptables chain, which fail2ban maintains automatically (-n disables reverse DNS lookups, which otherwise slow the listing down),
iptables -L -n
iptables -L f2b-SMTP-auth -n
watch iptables -L f2b-SMTP-auth -n
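After the blanket :%s/iptables/nftables/g in jail.conf, and with a jail.d drop-in like the one above that names its own action, a quick check that every action a jail references actually resolves to an action.d/<name>.conf file saves a failed fail2ban start. The script below is an added example, not part of the page or of fail2ban. It builds a scratch tree that mirrors the page's config (file contents and paths constructed here), with an action.d that deliberately holds only the two nftables actions, so the iptables reference in postfixprod.conf is reported; on a real host run referenced_actions and missing_actions against /etc/fail2ban, where action.d/iptables.conf exists so the check passes, but the listing still shows which jails bypass the global nftables-allports choice.

```shell
#!/bin/sh
# Added example (not the page's or fail2ban's code): verify that every action
# referenced by a fail2ban jail config has a matching action.d/<name>.conf.

# Print the action names referenced by banaction / banaction_allports / action
# lines of the given config, one per line, without [param=...] suffixes and
# without %(...)s interpolations (those resolve to another key, not a file).
referenced_actions() {   # $1 = jail config file
    awk -F'=' '
        /^[[:space:]]*(banaction|banaction_allports|action)[[:space:]]*=/ {
            v = $2
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            sub(/\[.*/, "", v)
            if (v !~ /^%\(/) print v
        }' "$1" | sort -u
}

# Report referenced actions with no action.d file; return 1 if any is missing.
missing_actions() {   # $1 = jail config file, $2 = action.d directory
    rc=0
    for a in $(referenced_actions "$1"); do
        [ -f "$2/$a.conf" ] || { echo "missing action: $a"; rc=1; }
    done
    return $rc
}

# Constructed scratch tree mirroring the page's config. action.d deliberately
# holds only the two nftables actions so the iptables reference is caught.
make_scratch() {
    d=$(mktemp -d)
    mkdir "$d/action.d" "$d/jail.d"
    : > "$d/action.d/nftables-multiport.conf"
    : > "$d/action.d/nftables-allports.conf"
    cat > "$d/jail.conf" <<'EOF'
[DEFAULT]
bantime = 12h
usedns = no
banaction = nftables-allports
banaction_allports = nftables-allports
[sshd]
port = 2222
[pam-generic]
enabled = true
banaction = %(banaction_allports)s
[recidive]
enabled = true
EOF
    cat > "$d/jail.d/postfixprod.conf" <<'EOF'
[postfix-auth]
enabled = true
port = smtp,ssmtp
filter = postfix-auth
action = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath = /data/postfixprod/mail.log
EOF
    echo "$d"
}

# Stand-alone run; on a real host use /etc/fail2ban/jail.conf (or jail.local),
# /etc/fail2ban/jail.d/*.conf and /etc/fail2ban/action.d instead.
scratch=$(make_scratch)
missing_actions "$scratch/jail.conf" "$scratch/action.d" && echo "jail.conf: all actions resolve"
missing_actions "$scratch/jail.d/postfixprod.conf" "$scratch/action.d" || echo "postfixprod.conf: fix the action or add the action file"
rm -rf "$scratch"
```

referenced_actions also makes the global substitution auditable: if the blanket edit produced a name with no action.d file, it shows up here before fail2ban refuses to start the jail.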
https://github.com/fail2ban/fail2ban
https://wiki.archlinux.org/title/Fail2ban ==> nftables
[FW] https://wiki.meurisse.org/wiki/Fail2Ban ==> recidive setup
https://github.com/fail2ban/fail2ban/issues/2763 ==> pam-generic
https://www.howtogeek.com/675010/how-to-secure-your-linux-computer-with-fail2ban/
https://serverfault.com/questions/873068/fail2ban-with-nftables-and-ipv6
https://superuser.com/questions/1767080/how-to-ban-subnet-with-fail2ban-and-nftables
https://www.the-art-of-web.com/system/systemd-fail2ban-nftables/
https://github.com/fail2ban/fail2ban/blob/master/config/action.d/nftables.conf
https://wiki.gbe0.com/linux/firewalling-and-filtering/nftables/fail2ban
https://serverfault.com/questions/382858/in-fail2ban-how-to-change-the-ssh-port-number
https://bobcares.com/blog/fail2ban-postfix-sasl/
https://rawsec.ml/en/block-automated-scanners-from-scanning-a-website/
http://sysadmin-notepad.blogspot.fr/2016/06/using-fail2ban-to-protect-postfixsmtpd.html
https://www.maxoberberger.net/blog/2016/01/protect-against-postfix-auth-dos.html
https://serverfault.com/questions/335983/postfix-connection-lost-after-auth
https://serverfault.com/questions/1107053/fail2ban-posfix-sasl-not-working
http://www.fail2ban.org/wiki/index.php/Postfix
https://serverfault.com/questions/1030249/fail2ban-wont-ban-postfix-smtps-smtpd
https://unix.stackexchange.com/questions/630718/fail2ban-not-banning-ssh
https://github.com/fail2ban/fail2ban/issues/2856
https://serverfault.com/questions/825811/why-is-fail2ban-finding-but-not-banning
https://computingforgeeks.com/install-and-configure-fail2ban-on-centos-rhel/
[FW] https://forum.howtoforge.com/threads/fail2ban-postfix-sasl-does-not-exist.83720/
https://kb.vander.host/security/fail2ban-postfix-sasl-troubleshooting/
https://stackoverflow.com/questions/20720129/fail2ban-not-banning-ssh-bruteforce-but-regex-works