Difference between revisions of "HOWTO fail2ban with qpopper"

From Fail2ban
(don't miss the SPC at the end of the line of the failregex expression!)
(Separated OpenSUSE and Debian configs)
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Configuration for qpopper pop3 daemon is done through the following: (this setup was for openSUSE 10.2)
+
Configuration for qpopper pop3 daemon is done as follows:
  
* First make an entry into your jail.conf file.
+
* First make an entry into your jail.conf (/etc/fail2ban/jail.local on Debian/Ubuntu) file.
  
 +
# this is for openSUSE 10.2
 
  [qpopper]
 
  [qpopper]
 
  enabled  = true
 
  enabled  = true
Line 12: Line 13:
 
  maxretry = 5
 
  maxretry = 5
  
* Then create a file in filter.d directory called qpopperlogin.conf This failregex statement was sent to the fail2safe mail list by Sven Neukirchner.
+
# this is for Debian/Ubuntu
 +
[qpopper]
 +
enabled  = true
 +
port    = pop3,pop3s
 +
filter   = qpopperlogin
 +
logpath  = /var/log/mail.log
  
 +
* Then create a file in filter.d directory called qpopperlogin.conf The first failregex statement was sent to the fail2ban mail list by Sven Neukirchner.
 +
 +
# openSUSE
 
  [Definition]
 
  [Definition]
+
  failregex = popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s\S+\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$
  failregex = popper\[[0-9]+\]: \[AUTH\] Failed attempted login to \S+ from host (\S+) <HOST>(?:\s  
 
\[pop_pass\.c.*\])?$
 
 
  ignoreregex =
 
  ignoreregex =
  
###
+
# Debian/Ubuntu
# for strings like  
+
  [Definition]
# Oct 16 14:42:00 alpha popper[25364]: anton at 123.234.40.66 (123.234.40.66): -#ERR [AUTH] Password supplied for "anton" is incorrect. [pop_pass.c:1173]
+
failregex = popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]\
# use
+
ignoreregex =
# failregex = \(<HOST>\):\ -ERR\ \[AUTH\]
 
###
 
 
 
That should do it!
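Review bot: The added Debian/Ubuntu failregex ends in a backslash followed by a space as the last two characters of the line, which is why the edit summary has to warn about the trailing space. Any editor or parser that strips trailing whitespace leaves a dangling backslash and an invalid pattern. Ending the pattern with \[AUTH\]\s matches the same text without depending on invisible whitespace. The listing now also carries two [qpopper] and two [Definition] sections, so it should say that only the block for the reader's distribution goes into the file.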
 

Latest revision as of 21:38, 16 December 2011

Configure fail2ban for the qpopper POP3 daemon as follows:

  • First, add an entry to your jail.conf file (/etc/fail2ban/jail.local on Debian/Ubuntu).
# this is for openSUSE 10.2
[qpopper]
enabled  = true
port     = pop3
filter   = qpopperlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
           sendmail-whois[name=qpopper, dest=you@mail.com]
logpath  = /var/log/mail
maxretry = 5
# this is for Debian/Ubuntu
[qpopper]
enabled  = true
port     = pop3,pop3s
filter   = qpopperlogin
logpath  = /var/log/mail.log
  • Then create a file called qpopperlogin.conf in the filter.d directory. The first failregex statement was sent to the fail2ban mailing list by Sven Neukirchner.
# openSUSE
[Definition]
failregex = popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s\S+\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$
ignoreregex =
# Debian/Ubuntu
[Definition]
# The trailing \s matches the space after [AUTH]; the pattern must not end in a bare backslash.
failregex = popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]\s
ignoreregex =
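
The following added example (not part of the original wiki page or of fail2ban) checks both failregex patterns against constructed log lines and shows why a Debian pattern ending in backslash-space breaks once trailing whitespace is stripped. The HOST group is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, and the function names and sample addresses are assumptions made for the illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts other address forms).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex values from this page; the Debian one in its backslash-space form.
OPENSUSE = (r"popper\[[0-9]+\]:\s\[AUTH\]\sFailed\sattempted\slogin\sto\s\S+"
            r"\sfrom\shost\s(\S+)\s<HOST>(?:\s\[pop_pass\.c.*\])?$")
DEBIAN = r"popper\[[0-9]+\]:.*\(<HOST>\):\ -ERR\ \[AUTH\]\ "

# Constructed sample log lines using documentation addresses, not real traffic.
LOG = [
    'Oct 16 14:42:00 alpha popper[25364]: anton at 192.0.2.66 (192.0.2.66): '
    '-ERR [AUTH] Password supplied for "anton" is incorrect. [pop_pass.c:1173]',
    'Oct 16 14:43:10 alpha popper[25370]: [AUTH] Failed attempted login to anton '
    'from host (mail.example.net) 198.51.100.7',
    'Oct 16 14:44:02 alpha popper[25371]: constructed non-failure line from 203.0.113.9',
]

def compile_failregex(failregex):
    """Expand <HOST> and compile; raises re.error on an invalid pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))

def failed_hosts(failregex, lines):
    """Return the address captured from every line the filter matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]

def survives_strip(failregex):
    """True if the pattern still compiles after trailing whitespace is stripped."""
    try:
        compile_failregex(failregex.rstrip())
        return True
    except re.error:
        return False

if __name__ == "__main__":
    print("openSUSE filter:", failed_hosts(OPENSUSE, LOG))
    print("Debian filter:  ", failed_hosts(DEBIAN, LOG))
    print("Debian pattern survives strip:", survives_strip(DEBIAN))
    print("Same pattern ending in \\s:    ", survives_strip(DEBIAN[:-2] + r"\s"))
```

On a real system, fail2ban-regex run against the actual log file and filter file is the authoritative check, since it uses fail2ban's own <HOST> expansion and date handling.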