
Date:  Mon, 14 Apr 2008 13:26:22 +0200
From:  Roman Buerkle <buerkle (at mark) stimme.net>
Subject:  [coba-e:12559] Re: fail2ban for BQ
To:  coba-e (at mark) bluequartz.org
Message-Id:  <1208172382.3545.17.camel@silverbird>
In-Reply-To:  <918C728F-1867-4A3B-8D71-BF65A86B3A70 (at mark) kommunity.net>
References:  <1200665372.3555.39.camel (at mark) silverbird>	 <cfc6b7240801181003m364e58cer8b08d476f2540e4a (at mark) mail.gmail.com>	 <918C728F-1867-4A3B-8D71-BF65A86B3A70 (at mark) kommunity.net>
X-Mail-Count: 12559

Hi @ll, 

I now have the fail2ban-script running on all my BQ CentOS4 boxes.

The problem with the python-version was backported, so the latest 0.8.2
works great with python>= 2.3 / with CentOS4.

Sources can be found under www.fail2ban.org

Till now, I just use the sshd and proftpd-filter. To make the
proftpd-filter work, here's my fixed config for BQ:

----snipp-----
[root (at mark) serv1 filter.d]# pwd
/etc/fail2ban/filter.d
[root (at mark) serv1 filter.d]# cat proftpd.conf 
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 665 $
# RoB: adapted to BQ

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#

failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S* ?\[[0-9.]+\] to \S+\s*$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. $
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
----snipp-----

The sshd-filter worked without any modification.

Greets
Roman



On Mon, 2008-04-14 at 11:21 +0200, Tom Müller-Kortkamp wrote:
> Hi,
> as the pop3 bruteforces get worse, I searched around and found fail2ban  
> for centos4 on rpmforge...
> 
> I started with a simple config for proftpd and let you know ...
> Will expand with dovecot and sshd if it's working ...
> 
> On 18.01.2008 at 19:03, Doug Harvey wrote:
> > If you find a solution, please do let me know. I am hit pretty hard  
> > every night and would love something like this.
> >
> > Doug
> >
> > On Jan 18, 2008 6:09 AM, Roman Buerkle < buerkle (at mark) stimme.net> wrote:
> > Hi @ll,
> >
> > we try to get a fail2ban daemon running on a BQ.
> >
> > I can't establish the current stable fail2ban-0.8.1, because it needs
> > python>= 2.4, which is not in CentOS4.
> >
> > So, does anyone of you have a fail2ban-0.6.x (python>=2.3) with the
> > fitting reg-expressions for sshd, proftp, sendmail and httpd for our
> > beloved BQ's?
> >
> > Greets
> > RoB
> >
> > -LINUX - sooner or later we emulate u -
> >
> >
> >
> >
> 
> --
> kommunity GmbH & Co.KG
> Goseriede 4, D-30159 Hannover
> ------------
> Phone +49 (0)5 11 - 80 72 58 - 0
> Fax +49 (0)5 11 - 80 72 58 - 10
> ------------
> Registered office: Hannover,
> Register court: Amtsgericht Hannover,
> Commercial register number HRA 26721
> 
> 
> Personally liable general partner:
> kommunity Verwaltungsgesellschaft mbH
> represented by the managing director
> Tom Müller-Kortkamp
> Registered office: Hannover,
> Register court: Amtsgericht Hannover,
> Register number HRB 60200
> 
> 
> 
> 
>
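The four BQ-adapted failregex lines from Roman's proftpd.conf, run over a handful of log lines the way fail2ban applies them (the <HOST> tag expanded to the named group quoted in the config comment, each pattern tried with a search against the line). This is an added example, not code from the thread or from fail2ban itself. The log lines are constructed to follow proftpd's syslog format with documentation hostnames and addresses; they are not real captures. One of them deliberately omits the trailing space that the posted "Incorrect password\. $" pattern requires before end of line, to show that the pattern does not fire on it; whether your proftpd actually emits that trailing space is something to check against your own log before relying on that line.

```python
import re

# The four failregex lines exactly as posted in the BQ-adapted proftpd.conf.
BQ_PROFTPD_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S* ?\[[0-9.]+\] to \S+\s*$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. $",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
]

# fail2ban expands the <HOST> tag to this named group (quoted in the config comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(patterns):
    """Expand <HOST> in each failregex and compile it, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def find_failures(lines, compiled):
    """Return a list of (host, pattern_index) for every line some failregex matches.

    The patterns are applied with a search, not anchored at the start of the
    line, so the syslog timestamp and the "proftpd[pid] server" prefix that
    precede the message do not matter.  The first matching pattern wins.
    """
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), idx))
                break
    return hits


def count_by_host(hits):
    """Tally matched lines per host; fail2ban bans when this reaches maxretry."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample log lines (not real proftpd output).  Hostnames and
# addresses are documentation/test values, not actual clients.
SAMPLE_LOG = [
    "Apr 14 13:26:22 serv1 proftpd[3545] serv1 (attacker.example[192.0.2.10]): "
    "USER admin: no such user found from attacker.example [192.0.2.10] to 198.51.100.5:21",
    "Apr 14 13:26:23 serv1 proftpd[3546] serv1 (attacker.example[192.0.2.10]): "
    "USER root (Login failed): Incorrect password. ",
    "Apr 14 13:26:24 serv1 proftpd[3547] serv1 (attacker.example[192.0.2.10]): "
    "SECURITY VIOLATION: root login attempted.",
    "Apr 14 13:26:25 serv1 proftpd[3548] serv1 (attacker.example[192.0.2.10]): "
    "Maximum login attempts (3) exceeded",
    # Same message as the second line but without the trailing space the
    # posted second failregex demands before end of line: it will NOT match.
    "Apr 14 13:27:01 serv1 proftpd[3549] serv1 (other.example[203.0.113.7]): "
    "USER bob (Login failed): Incorrect password.",
    # A successful login must never count as a failure.
    "Apr 14 13:28:00 serv1 proftpd[3550] serv1 (client.example[203.0.113.8]): "
    "USER alice: Login successful.",
]


if __name__ == "__main__":
    compiled = compile_failregex(BQ_PROFTPD_FAILREGEX)
    hits = find_failures(SAMPLE_LOG, compiled)
    for host, idx in hits:
        print("%-15s matched failregex #%d" % (host, idx + 1))
    print(count_by_host(hits))
```

Running it reports four hits for 192.0.2.10 (one per pattern) and nothing for the other two lines. For a real deployment the same check can be done with the fail2ban-regex tool that ships with fail2ban, pointing it at your actual proftpd log and the filter file, so that you see which of the four lines actually fire on the log format your server produces.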