Published on

Secure AXIGEN against brute-force with Fail2Ban [Linux]

Fail2Ban (http://wikipedia.org/wiki/Fail2ban) protects a server against intruders who try to guess passwords by brute force: it watches the log files of standard services such as SSH, Apache, etc. and temporarily blocks the source address after a configurable number of failed attempts.

AXIGEN can be protected against password-guessing attacks in the same way. Because AXIGEN does not write the client address on the log line that reports the failed authentication, a small helper script first looks up the address of the connection via its session id and writes both into a separate log file that Fail2Ban can then parse.

The following steps are necessary (details may differ depending on your distribution):

Step 1: Install Fail2Ban from your distribution's packages.
Step 2: Create a shell script with the following content:

#!/bin/bash
# Follows the AXIGEN log and, for every failed login, looks up the client
# address of that session and appends a line that Fail2Ban can parse.
# $1 - output log file to be read by Fail2Ban (optional)
LOG_AXI="/var/opt/axigen/log/everything.txt"
if [ -z "$1" ]; then
    LOG_SEC="/var/opt/axigen/log/secure.txt"
else
    LOG_SEC="$1"
fi

# --follow=name --retry keeps following the file across log rotation
tail --retry --follow=name "$LOG_AXI" | while IFS= read -r l; do
    timestamp=$(date '+%d-%m-%Y %T')
    case "$l" in
    *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
        # field 6 of the log line is the session id, e.g. "IMAP:000000CC:"
        sid=$(printf '%s\n' "$l" | awk '{print $6}')
        if [ -n "$sid" ]; then
            # the first line carrying this session id is the connection line;
            # its last field is "[client-ip:port]", strip the brackets and port
            con_ip=$(grep -F -m 1 -- "$sid" "$LOG_AXI" | awk '{print $NF}' | sed 's/^\[//; s/:.*$//')
            if [ -n "$con_ip" ]; then
                echo "$timestamp $l from $con_ip" >> "$LOG_SEC"
            fi
        fi
        ;;
    esac
done

Step 3: Make sure the script is started automatically and restarted if it dies, for example via a respawn entry in /etc/inittab or a service unit of your init system.

Notes:
If AXIGEN writes its log file to another location, adjust the LOG_AXI variable accordingly.
Set up log rotation (e.g. logrotate) for secure.txt, otherwise it grows without bound.
Test the script as follows:
Start the script.
Check the contents of secure.txt.
Perform a deliberately wrong login; it should be reported like this:

18-07-2014 14:35:42 07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user ‘user1@localdomain’: Invalid password from 192.168.1.101

Step 4: Create a new Fail2Ban filter, for example axigen.conf, under /etc/fail2ban/filter.d (the file name must end in .conf and its base name must match the filter entry of the jail below) with the content:

# Fail2Ban configuration file
[Definition]
# Anchor the match to the end of the line: the login name that appears
# earlier on the line is attacker-controlled and could itself contain
# "from <some address>", which an unanchored pattern would pick up first.
failregex = from <HOST>$
ignoreregex =

Step 5: Configure Fail2Ban by adding the following jail to jail.conf under /etc/fail2ban (or better to jail.local, which survives package upgrades):

[axigen]
enabled = true
filter = axigen
port = all
logpath = /var/opt/axigen/log/secure.txt
bantime = 100
maxretry = 3
banaction = iptables-allports

Adjust the maximum number of failed attempts (maxretry), the ban time (bantime, in seconds) and the log path as needed.
Before restarting, confirm that Fail2Ban recognises both the timestamp and the failregex in the generated log with fail2ban-regex /var/opt/axigen/log/secure.txt /etc/fail2ban/filter.d/axigen.conf; it reports how many lines matched.
Then restart fail2ban. fail2ban-client status axigen shows the jail's current failure and ban counts.
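The following is an added example, not the script from the original post or anything shipped with AXIGEN or Fail2Ban. It runs the same session-id to client-IP correlation in batch mode over a constructed AXIGEN log so the result can be checked, and it shows why the failregex should be anchored to the end of the line. Only the "Authentication error" line format is taken from the sample above; the connection-line format (session id in field 6, "[ip:port]" as the last field) is an assumption derived from what the original awk/sed pipeline expects, and the sample log lines are constructed, not real AXIGEN output.

```shell
#!/bin/sh
# Added example (not the original script): batch version of the
# session-id -> client-IP lookup, plus a comparison of an unanchored and
# an anchored "from <HOST>" pattern on the resulting secure.txt lines.

# Write a constructed sample log to the file given as $1. The log layout
# is an assumption: the first line of a session records "[ip:port]" as its
# last field, later lines of the same session carry the same id in field 6.
# The last entry has a username containing "from 203.0.113.7", i.e.
# attacker-controlled text that precedes the real client address.
make_sample_log() {
    cat > "$1" <<'EOF'
07-28 14:35:40 +0300 02 localhost IMAP:000000CC: Connection accepted from [192.168.1.101:51234]
07-28 14:35:41 +0300 02 localhost IMAP:000000CD: Connection accepted from [10.0.0.5:40000]
07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user 'user1@localdomain': Invalid password
07-28 14:35:43 +0300 02 localhost IMAP:000000CD: Authentication error for user 'x from 203.0.113.7@localdomain': Invalid password
EOF
}

# client_ip_for_session LOG SID -> prints the peer IP recorded on the first
# line that mentions SID (the connection line), or nothing if SID is unknown.
client_ip_for_session() {
    grep -F -- "$2" "$1" | head -n 1 | awk '{print $NF}' | sed 's/^\[//; s/:.*$//'
}

# auth_failures LOG [STAMP] -> one secure.txt-style line per failed login:
# "<stamp> <original line> from <ip>". STAMP defaults to the current time;
# passing a fixed value makes the output deterministic for testing.
auth_failures() {
    log="$1"
    stamp="${2:-$(date '+%d-%m-%Y %T')}"
    while IFS= read -r l; do
        case "$l" in
        *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
            sid=$(printf '%s\n' "$l" | awk '{print $6}')
            [ -n "$sid" ] || continue
            ip=$(client_ip_for_session "$log" "$sid")
            [ -n "$ip" ] || continue
            printf '%s %s from %s\n' "$stamp" "$l" "$ip"
            ;;
        esac
    done < "$log"
}

# host_unanchored LINE / host_anchored LINE: approximate what Fail2Ban's
# failregex "from <HOST>" and "from <HOST>$" would extract from one
# secure.txt line. IPv4 only here; the real <HOST> also matches IPv6 and
# host names, but the anchoring behaviour is the same.
host_unanchored() {
    printf '%s\n' "$1" | grep -oE 'from [0-9.]+' | head -n 1 | sed 's/^from //'
}
host_anchored() {
    printf '%s\n' "$1" | sed -nE 's/.* from ([0-9.]+)$/\1/p'
}

# Demo: build the constructed log, print the secure.txt lines it yields and
# show which address each pattern would hand to Fail2Ban for the injected line.
demo_log=$(mktemp)
make_sample_log "$demo_log"
auth_failures "$demo_log" '28-07-2014 14:35:42'
injected=$(auth_failures "$demo_log" '28-07-2014 14:35:42' | tail -n 1)
echo "unanchored pattern would ban: $(host_unanchored "$injected")"   # 203.0.113.7 (wrong, attacker-chosen)
echo "anchored pattern would ban:   $(host_anchored "$injected")"     # 10.0.0.5 (the real client)
rm -f "$demo_log"
```

The unanchored pattern lets anyone who controls the login name decide which address gets banned, which turns the jail into a denial-of-service tool against arbitrary hosts; the trailing `$` makes only the address the script itself appended count.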


From http://www.axigenmailgate.de/forum/archive/index.php/t-935.html