/etc/fail2ban/jail.conf where changes seem to take effect but also found
/etc/fail2ban/jail.d/mailinabox.conf that I can’t see any reference to but it does get used. How is this MIAB conf file included in the fail2ban configuration & in what order do they get used?
I don’t really understand the question. Fail2ban reads system and daemon logs (such as Dovecot, Postfix, nginx) and detects malicious patterns from IP addresses. If these patterns exceed a certain threshold, Fail2Ban blocks traffic from that IP address.
That is how Mail-in-a-Box implements Fail2Ban.
If you SSH to your MIAB server and issue the command
ls /etc/fail2ban/ you will see there is a jail.conf file that the application uses as its configuration. Within this file you can set up what ‘jails’ you would like to enable.
If you then issue the command
ls /etc/fail2ban/jail.d/ you will see a file called mailinabox.conf.
My query: How does fail2ban know to use mailinabox.conf ?
Why am I asking? I have noticed brute-force attempts for SASL logins that are not being blocked by fail2ban so I investigated and am now wondering about the “why’s and how’s” of MIAB.
use ack to locate the string “mailinabox.conf” under
grep -rnw '/etc/fail2ban/' -e 'mailinabox'
/etc/fail2ban/filter.d/miab-management-daemon.conf:9:_daemon = mailinabox
Try this instead:
grep -rnw '/etc/fail2ban/' -e '*mailinabox*'
IDK why you are trying to search through fail2ban configuration files in a postfix dir, but postfix and fail2ban don’t integrate like that. F2B scans log files for regular expressions.
You’re right, that was a typo and I was in the middle of something so I didn’t notice. I’ve edited my post now.
All I find by running that command is a mention within jail.d so I don’t know how fail2ban knows to call it. I’m wondering if the mailinabox.conf file is just an example I should copy or not. It doesn’t seem to block brute force sasl logins on submission port.
Fail2ban is probably loading the file because it’s in the jail.d folder. As for the brute force bits, IDK why it’s not blocking that. If you want, we can move to PMs and you can send me logs and we can see if maybe the logging pattern has changed.
I’ve undone my changes to
/etc/fail2ban/jail.conf and reloaded fail2ban so will see if it behaves properly without my meddling. Thanks for replying & offering to go through logs with me.
FYI: SASL uses the default postfix.conf filter rules (the mailinabox.conf file just enables the sasl filter and changes none of the defaults; go to jail.conf to see the defaults).
Do the brute force login attempts actually violate any of fail2ban’s rules i.e. do you have more than X login attempts in Y minutes? You can find X and Y in jail.conf as “maxretry” and “findtime” - default values are 5 and 10 minutes respectively. So if you don’t have more than 5 login attempts in 10 minutes then the IP address will not be banned. Even if it is banned, the default ban time is only 10 minutes anyway, so after 10 minutes login attempts could resume.
You could adjust these params for the sasl jail but beware that upgrades may override them.
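As an added illustration of the maxretry/findtime rule described in the reply above (example code, not from this thread or from Mail-in-a-Box): a small Python replay of fail2ban's counting logic over constructed Postfix SASL failure lines. The regex is a simplified stand-in for the postfix-sasl filter, the log lines are invented, and the two attacker IPs are documentation addresses; it shows why five attempts spread over twelve minutes never trip the default 5-in-10-minutes threshold while a longer findtime catches them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the SASL failregex in fail2ban's filter.d/postfix.conf
# (assumption: it only needs to accept syslog lines of the shape constructed below).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S+\[\d+\]: warning: "
    r"[-._\w]+\[(?P<host>[\d.]+)\]: SASL (?:LOGIN|PLAIN) authentication failed"
)

# Constructed sample log: one fast brute-forcer and one slow one (not real traffic).
SAMPLE_LOG = "\n".join(
    f"Mar 10 10:{mm:02d}:{ss:02d} box postfix/submission/smtpd[1234]: warning: "
    f"unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    for mm, ss, ip in sorted(
        [(0, 10 * i, "203.0.113.5") for i in range(1, 6)]  # 5 tries within 40 s
        + [(3 * i, 1, "198.51.100.7") for i in range(5)]   # 5 tries, 3 min apart
    )
)

def parse_failures(log_text):
    """Yield (timestamp, ip) for each line matching the failure pattern."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Syslog stamps carry no year; strptime fills in 1900, which is harmless
            # here because only differences between timestamps are used.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")

def simulate_bans(log_text, maxretry=5, findtime=600):
    """Replay fail2ban's rule: ban an IP once it has `maxretry` failures inside a
    sliding window of `findtime` seconds. Returns {ip: timestamp of the ban}."""
    window = timedelta(seconds=findtime)
    recent, bans = defaultdict(deque), {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; its later packets would be dropped
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    print("defaults (5 in 10 min):", simulate_bans(SAMPLE_LOG))
    print("findtime raised to 30 min:", simulate_bans(SAMPLE_LOG, findtime=1800))
```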