How to make sure that Fail2ban is working correctly for mail service?

Created: 2017-07-25 05:19:55 UTC

Modified: 2017-08-16 16:39:54 UTC

Applicable to:

  • Plesk for Linux

Question

How to make sure that Fail2ban is working correctly for mail service?

Answer

1. Login to the server over SSH

2. Check Fail2ban parameters in Tools & Settings > IP Address Banning > Settings. The following example shows that an IP address which makes at least three authentication failures within one hour should be banned:

[Screenshot: fail2ban.png, the Fail2ban settings page in Tools & Settings > IP Address Banning > Settings]

Also, make sure that the "Enable intrusion detection" option is enabled, as shown above.

3. Analyze the mail server log for the IP addresses that generate the most failed authentication attempts. Depending on the operating system distribution, these are logged to /var/log/maillog or /var/log/mail.info. In the following example, entries for July 25th (today's date) are analyzed:

[root@server:~] grep "authentication failed" /var/log/mail.info | grep "Jul 25" | cut -f 7 -d ' '|sort|uniq -c|sort -nr| head -n 15
15 unknown[203.0.113.2]:
15 unknown[203.0.113.4]:
15 unknown[203.0.113.5]:
15 ip-203.0.113.6.example.com[203.0.113.6]:
14 unknown[203.0.113.7]:
14 unknown[203.0.113.8]:
14 unknown[203.0.113.9]:
13 unknown[203.0.113.10]:


4. Select an IP address from the list obtained in step 3 and check the corresponding time stamps in /var/log/fail2ban.log:

[root@server:~] grep "203.0.113.2" /var/log/fail2ban.log | grep "2017-07-25"
2017-07-25 00:09:09,034 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 00:26:56,393 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:07:42,979 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:10:47,253 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:38:31,934 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:50:51,788 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 03:29:23,848 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 03:36:42,253 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2


5. Check /var/log/fail2ban.log for the IP address banning events:

[root@server:~] grep "203.0.113.2" /var/log/fail2ban.log | grep "2017-07-25"
2017-07-25 00:09:09,034 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 00:26:56,393 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:07:42,979 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:10:47,253 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:38:31,934 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:50:51,788 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 03:29:23,848 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 03:36:42,253 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2


If such entries are found, Fail2ban is working correctly.
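Steps 3 to 5 can be automated so the comparison between the mail log and fail2ban.log does not depend on eyeballing time stamps. The script below is an added example written for this article, not Plesk's own tooling: it reproduces the grep/cut pipeline from step 3, applies the threshold from step 2 (three failures within one hour) to each client IP address, and then checks whether fail2ban.log for the plesk-postfix jail shows a matching Found and Ban. All log lines in it are constructed samples; the year 2017 has to be supplied because syslog-style mail log lines do not carry one.

```python
"""Cross-check mail-log authentication failures against fail2ban.log (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style maillog excerpt: 203.0.113.2 fails four times in an
# hour, 203.0.113.5 three times in five minutes, 203.0.113.9 twice seven hours
# apart, 203.0.113.4 once on the previous day; the last line is not a failure.
MAIL_LOG = """\
Jul 25 00:09:09 server postfix/smtpd[2201]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: generic failure
Jul 25 00:26:56 server postfix/smtpd[2201]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: generic failure
Jul 25 01:07:42 server postfix/smtpd[2205]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: generic failure
Jul 25 01:10:47 server postfix/smtpd[2205]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: generic failure
Jul 25 02:00:00 server postfix/smtpd[2210]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: generic failure
Jul 25 09:00:00 server postfix/smtpd[2230]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: generic failure
Jul 25 04:00:00 server postfix/smtpd[2215]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure
Jul 25 04:03:00 server postfix/smtpd[2215]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure
Jul 25 04:05:00 server postfix/smtpd[2215]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure
Jul 24 23:59:00 server postfix/smtpd[2100]: warning: unknown[203.0.113.4]: SASL LOGIN authentication failed: generic failure
Jul 25 00:10:00 server postfix/smtpd[2201]: connect from unknown[198.51.100.7]
"""

# Constructed fail2ban.log excerpt: 203.0.113.2 is found and banned, 203.0.113.9
# is only found twice, and 203.0.113.5 never appears although it crossed the threshold.
FAIL2BAN_LOG = """\
2017-07-25 00:09:09,034 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 00:26:56,393 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:07:42,979 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:10:47,253 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.2
2017-07-25 01:10:47,402 fail2ban.actions       [15768]: NOTICE  [plesk-postfix] Ban 203.0.113.2
2017-07-25 02:00:00,100 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.9
2017-07-25 09:00:00,100 fail2ban.filter        [15768]: INFO    [plesk-postfix] Found 203.0.113.9
"""

MAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ \S+: "
    r"warning: \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: .*authentication failed")
F2B_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ fail2ban\.\w+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)$")


def count_failures(mail_log, date_prefix):
    """Step 3 as code: (count, 'host[ip]:') pairs, sorted like 'sort | uniq -c | sort -nr'.

    split() is used instead of cut -d ' ' so the double space syslog pads
    single-digit days with ("Jul  5") does not shift the field numbering.
    """
    counts = Counter(line.split()[6] for line in mail_log.splitlines()
                     if "authentication failed" in line and line.startswith(date_prefix))
    return sorted(((c, f) for f, c in counts.items()), key=lambda t: (-t[0], t[1]))


def failure_times(mail_log, year):
    """Map each client IP to its sorted failure time stamps (year supplied by caller)."""
    times = defaultdict(list)
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m:
            stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
            times[m["ip"]].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in times.items()}


def reaches_threshold(stamps, maxretry=3, findtime=timedelta(hours=1)):
    """True if any maxretry consecutive failures lie within findtime (step 2's settings)."""
    stamps = sorted(stamps)
    return any(stamps[i + maxretry - 1] - stamps[i] <= findtime
               for i in range(len(stamps) - maxretry + 1))


def fail2ban_events(f2b_log, jail="plesk-postfix"):
    """Count Found and Ban events per IP for one jail in fail2ban.log."""
    events = defaultdict(lambda: {"Found": 0, "Ban": 0})
    for line in f2b_log.splitlines():
        m = F2B_RE.match(line)
        if m and m["jail"] == jail and m["event"] in events.default_factory():
            events[m["ip"]][m["event"]] += 1
    return dict(events)


def verify(mail_log, f2b_log, year, jail="plesk-postfix",
           maxretry=3, findtime=timedelta(hours=1)):
    """Which IPs should have been banned, which were, and which Fail2ban missed."""
    expected = {ip for ip, ts in failure_times(mail_log, year).items()
                if reaches_threshold(ts, maxretry, findtime)}
    events = fail2ban_events(f2b_log, jail)
    return {
        "expected_banned": expected,
        "banned": {ip for ip, ev in events.items() if ev["Ban"] > 0},
        # Crossed the threshold but no Ban: check the jail's action configuration.
        "missing": {ip for ip in expected if events.get(ip, {}).get("Ban", 0) == 0},
        # Never even Found: the jail is not reading this log or the filter does not match.
        "unseen": {ip for ip in expected if ip not in events},
    }


if __name__ == "__main__":
    for count, client in count_failures(MAIL_LOG, "Jul 25"):
        print(f"{count:>7} {client}")
    print(verify(MAIL_LOG, FAIL2BAN_LOG, year=2017))
```

On a real server, replace the two embedded strings with the contents of /var/log/maillog (or /var/log/mail.info) and /var/log/fail2ban.log. An IP address in "missing" or "unseen" is the case the article is checking for: failures that should have triggered a ban but did not, which points at the jail being disabled, the wrong log path, or a threshold that is looser than the one shown in Tools & Settings.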
