Protection against brute force attacks with fail2ban

For some time now I have been seeing a lot of login attempts in my postfix logs that look like this:
Jan 14 12:18:58 8px postfix/smtpd[26176]: connect from unknown[188.0.168.250]
Jan 14 12:18:58 8px postfix/smtpd[26176]: lost connection after AUTH from unknown[188.0.168.250]
Jan 14 12:18:58 8px postfix/smtpd[26176]: disconnect from unknown[188.0.168.250]
The way to block this is simple :) fail2ban.
First we create a filter rule.
touch /etc/fail2ban/filter.d/postfix-auth.conf
vim /etc/fail2ban/filter.d/postfix-auth.conf
File contents:
# Fail2Ban configuration file
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
# <HOST> is fail2ban's placeholder for the address to ban; the regex is
# rejected without it, and it captures the IP inside the brackets of
# "from unknown[...]" above.
failregex = ^%(__prefix_line)slost connection after AUTH from .*\[<HOST>\]$
ignoreregex =
Now we add it to fail2ban:
vim /etc/fail2ban/jail.conf
Entry contents:
[postfix-auth]
enabled = true
port = smtp,ssmtp
filter = postfix-auth
action = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath = /var/log/mail.log
maxretry = 2
bantime = 3600
findtime = 300
Now we restart fail2ban
/etc/init.d/fail2ban restart
And that's all :)
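To see what the filter and jail above actually do before pointing them at a live server, the following added script (written for this page, not part of fail2ban or the original post) replays the counting rule over a constructed mail.log excerpt. It approximates fail2ban's `%(__prefix_line)s` with "hostname postfix/smtpd[pid]: " and its `<HOST>` token with a simplified host pattern; the log lines after the first three, and the extra IPs from documentation ranges, are made up for the demonstration. It reports which hosts cross `maxretry` failures inside `findtime` and would therefore receive the iptables ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail.log excerpt: the first three lines mirror the post,
# the remaining ones are invented to exercise the findtime window.
SAMPLE_LOG = """\
Jan 14 12:18:58 8px postfix/smtpd[26176]: connect from unknown[188.0.168.250]
Jan 14 12:18:58 8px postfix/smtpd[26176]: lost connection after AUTH from unknown[188.0.168.250]
Jan 14 12:18:58 8px postfix/smtpd[26176]: disconnect from unknown[188.0.168.250]
Jan 14 12:19:40 8px postfix/smtpd[26180]: lost connection after AUTH from unknown[188.0.168.250]
Jan 14 12:20:05 8px postfix/smtpd[26181]: lost connection after AUTH from unknown[203.0.113.7]
Jan 14 12:21:00 8px postfix/smtpd[26182]: lost connection after CONNECT from unknown[198.51.100.9]
Jan 14 12:30:00 8px postfix/smtpd[26190]: lost connection after AUTH from unknown[203.0.113.7]
"""

# Syslog timestamp at the start of every line. fail2ban strips this part
# before applying failregex; we do the same here.
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$"
)

# The filter's failregex, with %(__prefix_line)s approximated by
# "<hostname> postfix/smtpd[<pid>]: " and <HOST> by a simplified pattern
# (assumption: real fail2ban uses a broader one that also handles IPv6).
FAILREGEX = re.compile(
    r"^\S+ postfix/smtpd\[\d+\]: lost connection after AUTH from .*\[(?P<host>[\w\-.]+)\]$"
)


def parse_failures(log_text):
    """Return [(timestamp, host)] for every line the filter counts as a failure."""
    failures = []
    for line in log_text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if not m:
            continue
        hit = FAILREGEX.match(m.group("rest"))
        if hit:
            # strptime without a year yields 1900; only differences matter here.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            failures.append((ts, hit.group("host")))
    return failures


def simulate_jail(log_text, maxretry=2, findtime=300, bantime=3600):
    """Replay the jail's rule: ban a host once it reaches `maxretry` failures
    within `findtime` seconds; the ban lasts `bantime` seconds.
    Returns {host: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> failure times still inside findtime
    banned_until = {}
    bans = {}
    for ts, host in sorted(parse_failures(log_text)):
        if host in banned_until and ts < banned_until[host]:
            continue  # already banned; iptables would have dropped the connection
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans.setdefault(host, ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%b %d %H:%M:%S}")
```

With the post's settings, 188.0.168.250 is banned at its second AUTH failure (42 seconds after the first), while 203.0.113.7 escapes because its two failures are 595 seconds apart, beyond `findtime = 300`; the `lost connection after CONNECT` line never matches, since the filter only keys on `after AUTH`. On the server itself, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-auth.conf` runs the real filter against the real log and is the check worth doing before the restart.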