
Bug#407404: marked as forwarded (fail2ban: automatic enable for sections

Subject: Bug#407404: marked as forwarded fail2ban: automatic enable for sections if log files exist
From: Debian Bug Tracking System
Date: Thu, 18 Jan 2007 07:03:36 -0800
Your message dated Thu, 18 Jan 2007 09:50:03 -0500
with message-id <[email protected]>
has caused the Debian Bug report #407404,
regarding fail2ban: automatic enable for sections if log files exist
to be marked as having been forwarded to the upstream software
author(s) Cyril Jaquier <[email protected]>.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Subject: Re: Bug#407404: fail2ban: courierlogin rules are not triggered
From: Yaroslav Halchenko
Date: Thu, 18 Jan 2007 09:50:03 -0500
severity 407404 wishlist
retitle 407404 fail2ban: automatic enable for sections if log files exist

1. I don't see why it has to be on by default: courier is not even a
default MTA on the Debian system, and exim is not using courierlogin by
default. Correct me if I am wrong

2. For banning multiple ports you would need to use either
iptables-multiport action, or iptables with no port (actually I think it
is worth adding it but then all traffic would need to go through that
chain), or shorewall action. Indeed, while dealing with MTAs it is
useful to ban at least smtp, and smtps. While with authenticators like
courierlogin - since we don't know really where the attempt came from - then
all, smtp, smtps, imap, imaps, pop, pops should be banned.

Ok, so now let me rephrase your bug to something which could be fixed:

1. Since debian kernel comes with multiport module for iptables - I will
make iptables-multiport default one and will adjust corresponding jails
to ban multiple ports. Since multiport banning is described in
README.Debian I consider this of wishlist level.

Cyril, do you think it is a good idea?

2. Wishlist: Cyril, it might be good to have another value for enabled -
"auto". For that, fail2ban would check if there are any logfiles, and
enable the jail if there is any. Optional parameter "autoage" might be
introduced to enable jail only if any file is newer than specified age
(like 2-3 days). That would allow not enabling monitoring of services
which are no longer active.

Cyril, please let me know what you think

On Thu, 18 Jan 2007, Wladimir Mutel wrote:

> Package: fail2ban
> Version: 0.7.6-1
> Severity: normal

>       Hi,

>       It seems that courierlogin filter is just turned off in default
>       fail2ban configuration. Recently I have been scanned by pop3
>       protocol, someone tried to guess logins/passwords for my
>       mailbox, fortunately without success, but fail2ban did nothing
>       to filter it.

>       I think it should filter that attacker's IP by ports
>       25,110,143,993,995, and 465. And that reference to courierlogin
>       filter should be included in default fail2ban config.

>       Thank you in advance for your work.

> -- System Information:
> Debian Release: 4.0
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'stable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-3-k7
> Locale: LANG=uk_UA.UTF-8, LC_CTYPE=uk_UA.UTF-8 (charmap=UTF-8)

> Versions of packages fail2ban depends on:
> ii  iptables       administration tools for packet fi
> ii  lsb-base                3.1-22           Linux Standard Base 3.1 init scrip
> ii  python                  2.4.4-2          An interactive high-level object-o
> ii  python-central          0.5.12           register and build utility for Pyt

> fail2ban recommends no packages.

> -- debconf-show failed

=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     ([email protected]|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

--- End Message ---
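
A sketch of the `enabled = auto` / `autoage` check proposed in the message above, as an added example; it is not fail2ban code and not written by either correspondent. The function name `jail_enabled`, its parameters and the use of seconds for `autoage` are assumptions.

```python
import glob
import os
import stat
import tempfile
import time

def jail_enabled(enabled, logpaths, autoage=None, now=None):
    """Resolve a jail's 'enabled' value, including the proposed 'auto'.

    logpaths: log file paths or glob patterns for the jail.
    autoage:  optional maximum age in seconds (assumed unit) of a log file.
    """
    value = str(enabled).strip().lower()
    if value in ("true", "false"):
        return value == "true"
    if value != "auto":
        raise ValueError("enabled must be true, false or auto: %r" % enabled)
    now = time.time() if now is None else now
    for pattern in logpaths:
        for path in glob.glob(pattern):
            try:
                st = os.stat(path)
            except OSError:
                continue  # file rotated away between glob and stat
            if not stat.S_ISREG(st.st_mode):
                continue  # directories and devices are not log files
            if autoage is None or now - st.st_mtime <= autoage:
                return True  # one sufficiently recent log enables the jail
    return False  # no log, or only stale logs: leave the jail off

def demo():
    """Constructed sample: one stale and one fresh log in a temp directory."""
    day = 86400
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        stale = os.path.join(d, "mail.log.1")
        fresh = os.path.join(d, "auth.log")
        for p in (stale, fresh):
            open(p, "w").close()
        os.utime(stale, (now - 10 * day, now - 10 * day))  # 10 days old
        return {
            "missing": jail_enabled("auto", [os.path.join(d, "courier*.log")]),
            "stale_no_age": jail_enabled("auto", [stale]),
            "stale_3d": jail_enabled("auto", [stale], autoage=3 * day, now=now),
            "fresh_3d": jail_enabled("auto", [fresh], autoage=3 * day, now=now),
        }

if __name__ == "__main__":
    print(demo())
```

Without `autoage`, a leftover log from a removed service keeps the jail enabled; the age limit is what turns it off.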