Fail2ban is an excellent security improvement for SME Server and, for that matter, for any (Linux) server on the internet.
It adds a layer of security on top of the normal firewall and therefore strengthens a defence-in-depth strategy.
It adds functionality both to host-based intrusion detection (detect password attacks and scan attacks, log them and email them) and to intrusion prevention (block the IPs that are attacking).
This sounds simple and is simple, but it is incredibly important. Note also that fail2ban is a functional addition to firewall rules (usually iptables) that block or rate-limit IP addresses: a firewall rule only sees packets, whereas fail2ban reads the service logs and can therefore additionally detect brute-force password attacks on ssh, imap and so on, and only then block the source.
Fail2ban is written in Python, runs as a daemon and is easily extendable (as the contrib on SME has extended it for qpsmtpd: good job!)
Read general info about fail2ban here:
manual
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
sme-contrib
http://wiki.contribs.org/Fail2ban
Howto's
http://www.the-art-of-web.com/system/fail2ban/
http://www.the-art-of-web.com/system/fail2ban-howto/
http://www.fail2ban.org/wiki/index.php/HOWTOs
The contrib above describes how you can install it on sme8 or sme9
tips & tricks
does it run? /etc/init.d/fail2ban status
reload the configuration (after a config change): fail2ban-client reload
Or restart the daemon: /etc/init.d/fail2ban stop && /etc/init.d/fail2ban start
sme-style (expands the templates and restarts the service): signal-event fail2ban-conf
Which attackers / scans have we caught?
fail2ban-client status
fail2ban-client status imap
fail2ban-client status qpsmtpd
Sme-style (the contrib logs to /var/log/fail2ban/daemon.log; zgrep also reads the rotated, gzipped copies):
zgrep -h "Ban " /var/log/fail2ban/daemon.log*
count the bans per IP address (the IP is the last field of a "Ban" line):
zgrep -h "Ban " /var/log/fail2ban/daemon.log* | awk '{print $NF}' | sort | uniq -c
watch iptables (every jail gets its own fail2ban-<name> chain): iptables -vnL --line-numbers
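The zgrep one-liners above only count "Ban" lines. The script below is an added example (not code from the original page or the SME contrib) that goes a step further on the same log: it counts bans per IP and per jail, and pairs each "Ban" with a later "Unban" in the same jail to list the IPs that should still be blocked, which you can then compare against fail2ban-client status and the fail2ban-<name> chains in iptables. The log lines it reads by default are constructed samples in the fail2ban 0.8 daemon.log format; on a real server pass the log files as arguments.

```shell
#!/bin/sh
# Added example, not code from the original page or the SME contrib.
# Summarise fail2ban 0.8 "Ban"/"Unban" lines per IP and per jail, and work out
# which IPs are still banned (a Ban not followed by an Unban in the same jail).
# With no arguments the functions read the constructed sample below; on a real
# server pass the log files, e.g.:  ban_counts /var/log/fail2ban/daemon.log*

# Constructed sample in the fail2ban 0.8 daemon.log format (not a real log).
SAMPLE_LOG='2014-03-01 10:00:01,123 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2014-03-01 10:02:11,456 fail2ban.actions: WARNING [imap] Ban 198.51.100.7
2014-03-01 10:30:01,789 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
2014-03-01 11:00:05,012 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2014-03-01 11:05:00,345 fail2ban.actions: WARNING [qpsmtpd] Ban 192.0.2.9
2014-03-01 11:10:00,678 fail2ban.actions: WARNING [recidive] Ban 203.0.113.5'

# Emit the log lines to analyse: the files given as arguments (zcat -f also
# copes with rotated, gzipped copies), or the sample when none are given.
log_lines() {
    if [ $# -gt 0 ]; then zcat -f -- "$@"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# "<count> <ip>" for every IP that was banned at least once, most bans first.
# The IP is the last field of a line and the verb (Ban/Unban) the one before it.
ban_counts() {
    log_lines "$@" | awk '$(NF-1) == "Ban" { print $NF }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "<count> [jail]" per jail, so you can see which service draws the most attacks.
# The jail name is the fifth field, e.g. "[ssh]".
bans_per_jail() {
    log_lines "$@" | awk '$(NF-1) == "Ban" { n[$5]++ } END { for (j in n) print n[j], j }' \
        | sort -k2
}

# "[jail] <ip>" for every ban that has not been lifted again in the same jail.
# Compare with "fail2ban-client status <jail>" and the fail2ban-<name> chains in
# "iptables -vnL": an IP listed here but missing from iptables means the rule was
# lost (for instance because the firewall was reloaded and flushed the chains).
currently_banned() {
    log_lines "$@" | awk '
        $(NF-1) == "Ban"   { banned[$5 " " $NF] = 1 }
        $(NF-1) == "Unban" { delete banned[$5 " " $NF] }
        END { for (k in banned) print k }' | sort
}

echo "== bans per IP ==";   ban_counts "$@"
echo "== bans per jail =="; bans_per_jail "$@"
echo "== still banned =="; currently_banned "$@"
```

With the sample, 203.0.113.5 shows three bans (two in ssh, one in recidive) and is still listed as banned in both jails, because its ssh unban was followed by a new ban.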
Adjust templates (very optional).
The sme-contrib does not use direct iptables rules, but uses the intermediate signal-event system. I find this unnecessary and a potential source of error (don't fix what is not broken), so I adjusted the source templates back to the original fail2ban code for iptables actions:
Where are the SME-style (contribs) fail2ban templates?
ls /etc/e-smith/templates/etc/fail2ban/jail.conf/
Make adjusted templates (a fragment with the same name in templates-custom overrides the one in templates, so the contrib's own files stay untouched and survive an update of the contrib)
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
cd /etc/e-smith/templates/etc/fail2ban/jail.conf/
cp ./30* /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
cp ./90* /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
ls /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
Adjust the copied fragments so that the original fail2ban iptables actions are restored; after signal-event fail2ban-conf the expanded /etc/fail2ban/jail.conf looks like this:
################################### sme jail file NEW
[DEFAULT]
ignoreip = 127.0.0.0/8 .....
bantime = 1800
findtime = 900
maxretry = 3
usedns = yes
backend = auto
[ssh]
enabled = true
filter = sshd
logpath = /var/log/sshd/current
action = iptables[name=SSH, port=ssh, protocol=tcp]
[ssh-ddos]
enabled = true
filter = sshd-ddos
logpath = /var/log/sshd/current
action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
[imap]
enabled = true
filter = dovecot
logpath = /var/log/dovecot/current
action = iptables-multiport[name=dovecot, port="143,993", protocol=tcp]
[qpsmtpd]
enabled = true
filter = qpsmtpd
logpath = /var/log/*qpsmtpd/current
maxretry = 9
action = iptables-multiport[name=Qpsmtpd, port="25,465", protocol=tcp]
[http-overflows]
enabled = true
filter = apache-overflows
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-overflows,port="80,443"]
[http-noscript]
enabled = true
filter = apache-noscript
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-noscripts,port="80,443"]
[http-scan]
enabled = true
filter = apache-scan
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-scan,port="80,443"]
[http-auth]
enabled = true
filter = apache-auth
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-auth,port="80,443"]
[pam-generic]
enabled = true
filter = pam-generic
logpath = /var/log/secure
maxretry = 6
action = iptables-allports[name=pam,protocol=all]
[ftp]
enabled = true
filter = proftpd
logpath = /var/log/secure
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/daemon.log
bantime = 604800
findtime = 86400
maxretry = 5
backend = polling
# the mail action greps the log for the offender's lines, so point it at the
# same file the jail reads (the contrib logs to daemon.log, not fail2ban.log)
action = iptables-allports[name=recidive,protocol=all]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban/daemon.log]
################################################################
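After the templates have been adjusted it is worth checking the expanded jail.conf rather than trusting the edit: the point of the exercise was that every enabled jail now uses one of fail2ban's own iptables* actions, and a jail whose logpath matches no file silently protects nothing. The script below is an added example (not code from the original page or the SME contrib) that parses a jail.conf, including indented continuation lines such as the second action of the recidive jail, and reports both problems. By default it runs against a constructed sample in a temporary directory; the hostsdeny action in that sample is a stand-in for any non-iptables action, since the page does not name the contrib's signal-event action. On a real server run check_jail_conf /etc/fail2ban/jail.conf.

```shell
#!/bin/sh
# Added example, not code from the original page or the SME contrib: a sanity
# check for an expanded /etc/fail2ban/jail.conf. For every enabled jail it
# reports (1) an action that is not one of fail2ban's iptables* actions and
# (2) a logpath (globs allowed) that matches no existing file.
# Usage on a real server:  check_jail_conf /etc/fail2ban/jail.conf

# Print "jail<TAB>logpath<TAB>action" for every enabled jail. Indented
# continuation lines (e.g. a second action) are appended to the previous value.
parse_jails() {
    awk '
        function emit() {
            if (jail != "" && jail != "DEFAULT" && v[jail, "enabled"] == "true")
                printf "%s\t%s\t%s\n", jail, v[jail, "logpath"], v[jail, "action"]
        }
        /^[[:space:]]*([#;]|$)/ { next }                      # comments, blank lines
        /^\[[^]]+\][[:space:]]*$/ {                           # [section]
            emit(); jail = substr($0, 2); sub(/\].*/, "", jail); last = ""; next
        }
        /^[^[:space:]][^=]*=/ {                               # key = value
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            v[jail, key] = val; last = key; next
        }
        /^[[:space:]]+[^[:space:]]/ && last != "" {           # continuation line
            line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            v[jail, last] = v[jail, last] " " line
        }
        END { emit() }
    ' "$1"
}

# One line per enabled jail: "OK ..." or one "WARN ..." per problem found.
check_jail_conf() {
    parse_jails "$1" | while IFS="$(printf '\t')" read -r jail logpath action; do
        ok=1
        case $action in
            iptables*) ;;
            *) echo "WARN $jail: action '$action' is not an iptables action"; ok=0 ;;
        esac
        found=0
        for f in $logpath; do [ -e "$f" ] && found=1; done   # unquoted: expand the glob
        if [ $found -eq 0 ]; then echo "WARN $jail: no log file matches $logpath"; ok=0; fi
        if [ $ok -eq 1 ]; then echo "OK $jail: $logpath -> $action"; fi
    done
}

# Constructed sample: a jail.conf plus two of its log files in a temp dir.
# "hostsdeny" stands in for any non-iptables action; the dovecot log is
# deliberately missing; the disabled ftp jail must not be reported at all.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
mkdir -p "$TMP/log/sshd" "$TMP/log/fail2ban"
: > "$TMP/log/sshd/current"; : > "$TMP/log/fail2ban/daemon.log"
CONF="$TMP/jail.conf"
cat > "$CONF" <<EOF
[DEFAULT]
bantime = 1800
findtime = 900
maxretry = 3

[ssh]
enabled = true
filter = sshd
logpath = $TMP/log/sshd/current
action = iptables[name=SSH, port=ssh, protocol=tcp]

[imap]
enabled = true
filter = dovecot
logpath = $TMP/log/dovecot/current
action = iptables-multiport[name=dovecot, port="143,993", protocol=tcp]

[ftp]
enabled = false
filter = proftpd
logpath = $TMP/log/secure
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]

[recidive]
enabled = true
filter = recidive
logpath = $TMP/log/fail2ban/daemon.log
action = hostsdeny[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=$TMP/log/fail2ban/daemon.log]
EOF

check_jail_conf "$CONF"
```

On the sample this prints OK for ssh, a WARN for imap (no log file) and a WARN for recidive (its combined action value does not start with iptables); the disabled ftp jail is skipped even though its log is missing too.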