Fail2Ban
MailCleaner Support
Added almost 3 years ago
Note: How to activate fail2ban is described below in this document.
Fail2ban principle in MailCleaner
Let's pick the exim jail to illustrate the general principle:
An IP will be blocked in that jail if it triggers 10 errors in /var/mailcleaner/log/exim_stage1/rejectlog over the last 3600 seconds (that is to say, the last hour). It will then be banned for 86400 seconds (that is to say, 24 hours).
If you have activated the fail2ban blacklists, an IP that has been jailed 3 times (max_count) will then be blacklisted.
You can easily find those parameters in the main fail2ban MySQL table:
$ mc_mysql -m mc_config
mysql> select * from fail2ban_jail;
+----+---------+------------+----------+----------+---------+------------+-------------------+-----------+--------------------------------------------+-----------+-----------+--------------+
| id | enabled | name       | maxretry | findtime | bantime | port       | filter            | banaction | logpath                                    | max_count | send_mail | send_mail_bl |
+----+---------+------------+----------+----------+---------+------------+-------------------+-----------+--------------------------------------------+-----------+-----------+--------------+
|  1 |       1 | mc-webauth |       10 |     3600 |   86400 | 80,443     | mc-webauth-filter | mc-custom | /var/mailcleaner/log/apache/mc_auth.log    |         3 |         0 |            0 |
|  2 |       1 | mc-ssh     |        3 |     3600 |   86400 | 22         | sshd              | mc-custom | /var/log/auth.log                          |         3 |         0 |            0 |
|  3 |       1 | mc-exim    |       10 |     3600 |   86400 | 25,465,587 | mc-exim-filter    | mc-custom | /var/mailcleaner/log/exim_stage1/rejectlog |         3 |         0 |            0 |
+----+---------+------------+----------+----------+---------+------------+-------------------+-----------+--------------------------------------------+-----------+-----------+--------------+
3 rows in set (0.00 sec)
Fail2ban Activation
IMPORTANT WARNING: Please note that the commands and paths may vary depending on your system. In case of a problem or doubt, please open a ticket and we will assist you.
Note: The replication of Fail2ban (ban/unban) will be effective every 5 minutes.
If the fail2ban.py command is not found, use the complete path to interact with Fail2Ban:
/var/mailcleaner/.pyenv/versions/3.7.7/bin/fail2ban.py
Usage
List currently banned IPs on a specific server:
fail2ban-client status <jail>
Show all IPs banned by Fail2ban on all servers:
echo 'SELECT * FROM fail2ban_ips WHERE active=true' |mc_mysql -s mc_config -t
Unban an IP in MailCleaner:
fail2ban.py unban -i <ip> -j <jail> --f2b-call
Configuration
Note: By default all jails are disabled.
Note: All commands must be run on all nodes of the cluster.
Enable a jail:
fail2ban.py jail enable -j <jail>
Enable all jails:
fail2ban.py general enable
Disable all jails:
fail2ban.py general disable
Change the value of findtime, bantime or maxretry:
fail2ban.py jail change -j <jail> --option <option> -v <value>
Permanent Blacklist
The blacklist in the Fail2ban integration is a specific jail that is dynamically created for each jail.
After the specified number of bans (by default: 3), an IP that would be banned again will be moved to this permanent jail (<jail>-bl).
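The ban and blacklist thresholds described here and in the principle section, modelled as an added Python example (not MailCleaner's or Fail2Ban's code). It uses the mc-exim values from the fail2ban_jail table, assumes a blocked IP produces no further log errors, and reads "would be banned again" as the ban that follows max_count earlier ones; the function names and sample IPs are constructed.

```python
from collections import deque

# Values of the mc-exim row in fail2ban_jail, as shown on this page.
MAXRETRY, FINDTIME, BANTIME, MAX_COUNT = 10, 3600, 86400, 3


def simulate(events, blacklists_enabled=True):
    """Model (not MailCleaner code) of one jail.

    events: (unix_time, ip) log errors sorted by time.
    Returns [(unix_time, ip, 'ban' | 'blacklist'), ...].
    """
    failures, banned_until, ban_count = {}, {}, {}
    blacklisted, actions = set(), []
    for ts, ip in events:
        # Assumption: a blocked ip cannot produce new log errors.
        if ip in blacklisted or banned_until.get(ip, 0) > ts:
            continue
        window = failures.setdefault(ip, deque())
        window.append(ts)
        while window[0] <= ts - FINDTIME:
            window.popleft()  # forget errors older than findtime
        if len(window) < MAXRETRY:
            continue
        window.clear()
        if blacklists_enabled and ban_count.get(ip, 0) >= MAX_COUNT:
            blacklisted.add(ip)  # would be banned again: move to <jail>-bl
            actions.append((ts, ip, "blacklist"))
        else:
            ban_count[ip] = ban_count.get(ip, 0) + 1
            banned_until[ip] = ts + BANTIME
            actions.append((ts, ip, "ban"))
    return actions


def burst(start, ip, n=MAXRETRY, step=60):
    """Constructed sample input: n errors from ip, one every step seconds."""
    return [(start + i * step, ip) for i in range(n)]


if __name__ == "__main__":
    gap = 2 * BANTIME  # long enough for the previous ban to expire
    # Constructed: one ip offends four times, another errs once per hour.
    noisy = [e for k in range(4) for e in burst(k * gap, "198.51.100.7")]
    slow = burst(0, "203.0.113.9", step=3600)
    for action in simulate(sorted(noisy + slow)):
        print(action)
```

The slow sender never has 10 errors inside one findtime window, so only the first IP appears in the output: three bans, then a blacklist entry.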
Disable blacklist for a specific jail:
fail2ban.py blacklist disable -j <jail>
Disable blacklist for all jails:
fail2ban.py general disable-bl
Enable blacklist for all jails:
fail2ban.py general enable-bl -v
value = Max number of bans before blacklist [default: 3]
Manually blacklist an IP:
fail2ban.py blacklist add -j <jail> -i <ip>
To unban an IP that is currently blacklisted:
fail2ban.py blacklist remove -j <jail> -i <ip>
Whitelist
If certain IPs should never be banned by a specific jail, you can configure this using the following commands.
Add an IP to the whitelist:
fail2ban.py whitelist add -j <jail> -i <ip>
Remove a whitelisted IP (this command needs to be run on all servers):
fail2ban.py whitelist remove -j <jail> -i <ip>
Advanced User
Note: The following section should only be used by users with knowledge of Fail2Ban and is therefore not supported.
Create custom jail
In order to create a custom jail in MailCleaner, you will need to add a specific DB entry on the master server:
echo "INSERT INTO fail2ban_jail (enabled, name, maxretry, findtime, bantime, port, filter, banaction, logpath, max_count) VALUES (<enabled>, '<name>', <maxretry>, <findtime> , <bantime>, '<port>', '<filter>', '<banaction>', '<logpath>', <max_count>);" |mc_mysql -m mc_config
Value | Type |
---|---|
enabled | TinyINT (0 or 1) |
name, filter, banaction, logpath | STRING |
port | STRING (delimiter ',' ) |
maxretry, findtime, bantime | INT |
max_count | INT (disabled = 0) |
Note: For the banaction please add mc-custom to fully integrate your jail in MailCleaner
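A pre-flight check for a custom jail row, written as an added Python example (not part of MailCleaner): it validates each value against the type table above and only then builds the INSERT statement shown on this page. The character allow-list, the non-negative rule for INT columns, the function names and the sample row are assumptions of this example.

```python
import re

COLUMNS = ("enabled", "name", "maxretry", "findtime", "bantime",
           "port", "filter", "banaction", "logpath", "max_count")
INT_FIELDS = ("maxretry", "findtime", "bantime", "max_count")
STR_FIELDS = ("name", "filter", "banaction", "logpath")
# Assumption of this example: only accept characters that need no quoting,
# rather than trying to escape arbitrary input for SQL and the shell.
SAFE = re.compile(r"[A-Za-z0-9_./-]+")


def validate_jail(row):
    """Return the problems found in a fail2ban_jail row (empty list = ok)."""
    errors = [f"missing column: {c}" for c in COLUMNS if c not in row]
    if errors:
        return errors
    if type(row["enabled"]) is not int or row["enabled"] not in (0, 1):
        errors.append("enabled must be 0 or 1")
    for f in INT_FIELDS:  # non-negative is this example's assumption
        if type(row[f]) is not int or row[f] < 0:
            errors.append(f"{f} must be a non-negative INT")
    for f in STR_FIELDS:
        if not isinstance(row[f], str) or not SAFE.fullmatch(row[f]):
            errors.append(f"{f} must be a STRING of [A-Za-z0-9_./-]")
    port = row["port"]
    if not isinstance(port, str) or not all(
            p.isascii() and p.isdigit() and 1 <= int(p) <= 65535
            for p in port.split(",")):
        errors.append("port must be a ','-delimited STRING of port numbers")
    if row["banaction"] != "mc-custom":
        errors.append("banaction should be mc-custom for full integration")
    return errors


def insert_statement(row):
    """Build the page's INSERT for a row that passes validate_jail()."""
    problems = validate_jail(row)
    if problems:
        raise ValueError("; ".join(problems))
    values = ", ".join(f"'{row[c]}'" if isinstance(row[c], str) else str(row[c])
                       for c in COLUMNS)
    return f"INSERT INTO fail2ban_jail ({', '.join(COLUMNS)}) VALUES ({values});"


# Constructed sample row; the jail name, filter and log path are placeholders.
EXAMPLE = {"enabled": 1, "name": "example-jail", "maxretry": 5, "findtime": 600,
           "bantime": 3600, "port": "25,587", "filter": "example-filter",
           "banaction": "mc-custom", "logpath": "/var/log/example.log",
           "max_count": 3}
```

The string returned by insert_statement(EXAMPLE) can be piped to mc_mysql -m mc_config on the master server, as in the command above.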
Start / Restart Fail2Ban
/usr/mailcleaner/etc/init.d/fail2ban start | stop | restart
Please be aware that any restart of Fail2Ban will purge Fail2Ban's jails, meaning that it will start with empty jails each time.
This does not apply to the blacklist jails.