Usou o fail2ban em alguns métodos diferentes, e agora tentou obtê-lo para bloquear as tentativas de invasão via smtp para enviar spam pelo servidor.
Regex corresponde a ok ao testar:
Failregex
|- Regular expressions:
| [1] \[<HOST>\]: 535 Incorrect authentication data
|
'- Number of matches:
[1] 147 match(es)
Cargas de prisão ok:
2014-03-04 21:16:46,162 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-03-04 21:16:46,163 fail2ban.jail : INFO Creating new jail 'exim-auth'
2014-03-04 21:16:46,165 fail2ban.jail : INFO Jail 'exim-auth' uses Gamin
2014-03-04 21:16:46,187 fail2ban.filter : INFO Added logfile = /var/log/exim/main.log
2014-03-04 21:16:46,188 fail2ban.filter : INFO Set maxRetry = 3
2014-03-04 21:16:46,190 fail2ban.filter : INFO Set findtime = 3600
2014-03-04 21:16:46,191 fail2ban.actions: INFO Set banTime = 3600
2014-03-04 21:16:46,205 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2014-03-04 21:16:46,206 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
2014-03-04 21:16:46,207 fail2ban.filter : INFO Added logfile = /var/log/secure
2014-03-04 21:16:46,208 fail2ban.filter : INFO Set maxRetry = 5
2014-03-04 21:16:46,210 fail2ban.filter : INFO Set findtime = 3600
2014-03-04 21:16:46,211 fail2ban.actions: INFO Set banTime = 3600
2014-03-04 21:16:46,410 fail2ban.jail : INFO Jail 'exim-auth' started
2014-03-04 21:16:46,439 fail2ban.jail : INFO Jail 'ssh-iptables' started
E as proibições ssh ainda estão funcionando ok. Mesmo quando os erros passam pelo log, nada acontece. Todo o tempo em sincronia, syslog, fail2ban e exim tudo reiniciado.
Logon principal do Exim:
2014-03-04 21:16:24 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:24 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
2014-03-04 21:16:30 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:30 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
2014-03-04 21:16:38 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:38 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
(obviamente o xxx e o **** são editados agora).
Config para a seção do jail.conf:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5
[exim-auth]
enabled = true
filter = exim_auth
action = iptables[name=SMTP, port=25, protocol=tcp]
mail[name=EximAuth, dest=jamie@****.co.uk]
logpath = /var/log/exim/main.log
maxretry = 3
O arquivo é analisado corretamente e recebo um e-mail dizendo com sucesso quando a cadeia foi interrompida e iniciada.
filter.d / exim_auth.conf:
# Fail2Ban configuration file
#
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[<HOST>\]: 535 Incorrect authentication data
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Se alguém puder descobrir por que não está acionando, e também por um ponto de bônus onde eu posso executar duas ações do iptables para bloquear as portas 25 e 465, eu realmente aprecio isso.