Updating Fail2ban to block bad guys

I’ve been running fail2ban for a while but it wasn’t catching everything hitting the mail server. I kept seeing these guys with entries like this:
vchkpw-smtp: null password given admin:75.146.111.10
who weren’t getting blocked even though they were hitting the server over and over.

So first I created a test file, maillog.11, with the entries I was interested in, like so:
cd /var/log
grep "null password given" maillog.1 > maillog.11

Then I did some modifying and testing with my fail2ban regex files like this:
fail2ban-regex /var/log/maillog.11 /etc/fail2ban/filter.d/vpopmail.conf

After trying a few regex lines, I found the regex rule I needed:
vchkpw-smtp: null password given [^:]*:<HOST>

So that takes care of those clowns; now to look at cutting down on the constant spam bombardment attempts.

We run a cool little spam filter called spamdyke. It makes log entries that look like this:
Oct 13 04:01:33 SERVER spamdyke[2978]: DENIED_RBL_MATCH from: marin@omniweb.com to: marin@omniweb.com origin_ip: 119.154.186.78 origin_rdns: (unknown) auth: (unknown) encryption: (none)

I noticed that the same IP addresses try to spam our server (and get blocked by spamdyke) over and over. GO AWAY ALREADY! OK, so more regex experiments and the gate has been closed on repeat spammers!
Here’s my 3-line failregex; the last line now blocks these spamaholics (note the space between the colon and the host sandwich):
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
            vchkpw-smtp: null password given [^:]*:<HOST>
            DENIED_RBL_MATCH from: [^@]*@[^@]*@[^:]*: <HOST>

Restarted fail2ban and it blocked a bunch of new IPs. Ahhhh 🙂
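As an added example (not code from the original post or from fail2ban itself), here is a small Python check that mimics what fail2ban-regex does with the three lines above: it expands <HOST> into a named capture group, runs the patterns over constructed log lines and counts which hosts would cross a maxretry threshold. The HOST_PATTERN (the classic 0.8-era fail2ban expansion), the sample log lines and the maxretry value are assumptions for illustration.

```python
import re
from collections import Counter

# The three failregex lines from the vpopmail filter in the post. In fail2ban,
# <HOST> is a placeholder the filter engine expands to a named group matching
# an IP address or hostname; this expansion is the classic one from older
# (0.8-era) fail2ban releases, assumed here for illustration.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = [
    r"vchkpw-pop3: vpopmail user not found .*@:<HOST>",
    r"vchkpw-smtp: null password given [^:]*:<HOST>",
    r"DENIED_RBL_MATCH from: [^@]*@[^@]*@[^:]*: <HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in FAILREGEX]

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
Oct 13 04:01:33 SERVER vpopmail[2811]: vchkpw-smtp: null password given admin:192.0.2.10
Oct 13 04:01:35 SERVER vpopmail[2812]: vchkpw-smtp: null password given admin:192.0.2.10
Oct 13 04:01:40 SERVER spamdyke[2978]: DENIED_RBL_MATCH from: a@x.org to: b@y.net origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown) encryption: (none)
Oct 13 04:02:01 SERVER vpopmail[2813]: vchkpw-pop3: vpopmail user not found ghost@:203.0.113.9
Oct 13 04:02:05 SERVER spamdyke[2979]: DENIED_RBL_MATCH from: a@x.org to: b@y.net origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown) encryption: (none)
Oct 13 04:02:09 SERVER vpopmail[2814]: vchkpw-smtp: null password given admin:192.0.2.10
Oct 13 04:03:00 SERVER vpopmail[2815]: vchkpw-smtp: password ok for bob:192.0.2.55
"""

def extract_hosts(log_text):
    """Return the host captured from every line that matches a failregex, in log order."""
    hosts = []
    for line in log_text.splitlines():
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # like fail2ban, stop at the first failregex that matches
    return hosts

def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime window ignored here)."""
    counts = Counter(extract_hosts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print(extract_hosts(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

The last sample line (a successful login) must not match; if a pattern starts catching lines like that, the filter would ban legitimate users.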
