Fail2Ban (http://wikipedia.org/wiki/Fail2ban) protects a server against intruders who try to guess passwords by brute force.
It watches the log files of standard services such as SSH, Apache etc. and temporarily bans the source IP after repeated failures.
AXIGEN can be protected against password attacks in the same way.
The following steps are necessary:
The steps may differ depending on your distribution.
Step 1: Install Fail2Ban
Step 2: Create a shell script that follows the AXIGEN log, picks out authentication failures, looks up the client IP of the session and writes one line per failure to a separate log (secure.txt) that Fail2Ban can parse:
#!/bin/bash
# Follows the AXIGEN log, extracts authentication failures and appends them,
# together with the client IP, to a second log that Fail2Ban watches.
# $1 - output log file (default: /var/opt/axigen/log/secure.txt)
LOG_AXI="/var/opt/axigen/log/everything.txt"
if [ -z "$1" ]
then
    LOG_SEC=/var/opt/axigen/log/secure.txt
else
    LOG_SEC="$1"
fi
tail --retry --follow=name "$LOG_AXI" | while IFS= read -r l
do
    timestamp=$(date '+%d-%m-%Y %T')
    case "$l" in
    *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
        # Field 6 is the service and session id, e.g. IMAP:000000CC:
        sid=$(echo "$l" | awk '{print $6}')
        if [ -n "$sid" ]
        then
            # The first log line of that session is the connection line; its last
            # field holds [ip:port], from which the IP is cut out. The id comes
            # from log text, so it is quoted and matched as a fixed string.
            con_ip=$(grep -m 1 -F -- "$sid" "$LOG_AXI" | awk '{print $NF}' | sed 's/\[//g;s/:.*$//g')
            if [ -n "$con_ip" ]
            then
                echo "$timestamp $l from $con_ip" >> "$LOG_SEC"
            fi
        fi
        ;;
    esac
done
Step 3: Make sure the script is started automatically and restarted if it dies, for example from /etc/inittab (respawn) or whatever init system your distribution uses.
Notes:
If AXIGEN writes its log file to another location, adjust the path in the variable $LOG_AXI accordingly.
Set up logrotate for secure.txt, otherwise it grows without bound. The script opens the file for every write (>>), so plain rotation is sufficient.
Test the script as follows:
Start the script.
Check the contents of secure.txt.
Perform a deliberately failed login; it should be reported like this:
18-07-2014 14:35:42 07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user ‘user1@localdomain’: Invalid password from 192.168.1.101
Step 4: Create a new Fail2Ban filter, e.g. /etc/fail2ban/filter.d/axigen.conf (Fail2Ban resolves "filter = axigen" in the jail to filter.d/axigen.conf, so the file name must match).
With the following content:
# Fail2Ban configuration file
[Definition]
failregex = from <HOST>
ignoreregex =
The regex can be this simple because secure.txt only ever contains the failure lines written by the script, each of which ends in "from <IP>".
Step 5: Configure Fail2Ban by adding the following jail to /etc/fail2ban/jail.conf (or better to jail.local, which is not overwritten by package updates):
[axigen]
enabled = true
filter = axigen
port = all
logpath = /var/opt/axigen/log/secure.txt
bantime = 100
maxretry = 3
banaction = iptables-allports
Adjust maxretry (failed attempts), bantime (seconds; 100 is very short for a production server) and logpath as required.
Then restart fail2ban.
Check that the filter really matches with fail2ban-regex /var/opt/axigen/log/secure.txt /etc/fail2ban/filter.d/axigen.conf and that the jail is active with fail2ban-client status axigen. The timestamp at the start of each secure.txt line must be recognised by Fail2Ban's date parser; if fail2ban-regex reports no matches, the date format is the first thing to check.
From http://www.axigenmailgate.de/forum/archive/index.php/t-935.html