fail2ban is software which provides an IPS (intrusion prevention system). It scans log files for malicious activity, such as failed logins, and takes actions, such as updating a firewall’s configuration to block offending IPs.
This page shows how we use fail2ban for Cloud customers to block IPs with repeated SMTP login failures.
Since fail2ban is third party software, we do not support it for On-Premise customers, but you’re welcome to use the documentation below as a resource for setting it up.
These instructions were tested in CentOS 6 and CentOS 7 installations that use iptables. They may require modification for other environments.
Install and enable fail2ban if not already present. This step is outside the scope of this document, but there are some resources like this one available on the topic.
Create a filter so that fail2ban will know how to parse GreenArrow’s log files:
echo "[Definition] failregex = smtpd: smtp-auth authentication failure from \(<HOST>\) for username" > /etc/fail2ban/filter.d/greenarrow-smtpd.conf
Configure fail2ban to check GreenArrow’s SMTP log files for login failures:
echo " [greenarrow-smtpd] enabled = true filter = greenarrow-smtpd action = iptables-allports[name=SMTP] logpath = /var/hvmail/log/qmail-smtpd*/current" >> /etc/fail2ban/jail.local
service fail2ban restart