Difference between revisions of "ASSP"

From Fail2ban
Jump to: navigation, search
m
(note its inclusion in mainline 0.8.9+)
Line 1: Line 1:
 
== ASSP filter for Fail2ban ==
 
== ASSP filter for Fail2ban ==
  
Create a new configuration file with the contents below: '''/etc/fail2ban/filter.d/assp.conf'''
+
Included since fail2ban-0.8.9
  
# Fail2Ban configuration file
+
If you have an older version grab a copy of the filter from [https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/assp.conf Latest Version] or use this version (which may be out of date). Place this in the file '''/etc/fail2ban/filter.d/assp.conf'''.
#
+
 
# Author: Viktor Ferenczi (python <at-here> cx <dot-here> hu)
+
<pre>
#
+
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
+
#  
[Definition]
+
#   Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
+
#   ProjektSite: http://sourceforge.net/projects/assp/?source=directory
# Option:  failregex
+
#
# Notes.: regex to match the SMTP failure messages in the logfile. The
+
#
#         host must be matched by a group named "host". The tag "<HOST>" can
+
 
#         be used for standard IP/hostname matching and is only an alias for
+
[Definition]
#         (?:::f{4,6}:)?(?P<host>\S+)
+
 
# Values:  TEXT
+
__assp_actions = (?:dropping|refusing)
#
+
 
# Example: Nov-14-09 00:14:50 54090-05322 201.244.255.72 <badguy@gtgwhhrthrth.com> [SMTP Error] 550 5.1.1 User unknown: your.user@your-domain.com
+
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
failregex = .*? \d{5}-\d{5} <HOST> <.*?> \[SMTP Error\] (.*)  
+
                        ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+
                        ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
# Option: ignoreregex
+
 
# Notes.: regex to ignore. If this regex matches, the line is ignored.
+
</pre>
# Values:  TEXT
+
#
+
ignoreregex =
+
  
  

Revision as of 00:42, 13 November 2013

ASSP filter for Fail2ban

Included since fail2ban-0.8.9

If you have an older version grab a copy of the filter from Latest Version or use this version (which may be out of date). Place this in the file /etc/fail2ban/filter.d/assp.conf.

# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
# 
#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
#

[Definition] 

__assp_actions = (?:dropping|refusing)

failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
                        ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
                        ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$


Add this section to your /etc/fail2ban/jail.conf file:

[assp]

enabled  = true
port     = smtp,ssmtp
filter   = assp
action   = iptables[name=ASSP, port=25, protocol=tcp]
           sendmail-whois[name=ASSP, dest=email@domain.com]
logpath  = /var/log/assp/maillog.txt


IMPORTANT: Symlink the logs subdirectory of your ASSP installation as /var/log/assp or change the logpath in your jail configuration to point to ASSP's maillog.txt file.

Don't forget to restart fail2ban.

Check the end of your fail2ban.log whether fail2ban picked up ASSP's log file.