Fail2Ban is a great tool that blocks remote IP addresses after repeated failed authentication attempts by writing iptables rules, and it alerts you to these events via email. On CentOS, Fail2Ban is part of the EPEL repository.
The email action resolves the remote IP address via whois. CentOS ships pwhois (which requires a symlink, i.e. ln -s /usr/bin/pwhois /usr/bin/whois), but if you use jwhois the symlink isn't needed.
To begin, install the following packages:
yum install fail2ban jwhois
Modify your monitoring jails under /etc/fail2ban/jail.conf, then mirror those changes to jail.local (fail2ban reads jail.local on top of jail.conf) and restart the service:
cat /etc/fail2ban/jail.conf > /etc/fail2ban/jail.local
service fail2ban stop
service fail2ban start
The global bantime, findtime and maxretry parameters are at the beginning of jail.conf, in the [DEFAULT] section. bantime and findtime are in seconds:
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
To configure SSH monitoring, enable the SSH jail (ssh-iptables in the EPEL jail.conf). The second action line must be indented so fail2ban reads it as a continuation, and sendmail-whois takes its addresses as dest= and sender=:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=22, protocol=tcp]
         sendmail-whois[name=SSH, dest=email@example.com, sender=firstname.lastname@example.org, sendername="Fail2Ban"]
logpath = /var/log/secure
Next, enable Fail2Ban to monitor Roundcube and block IPs after multiple failed webmail logins. First configure Roundcube to log login events by editing /etc/roundcubemail/config.inc.php:
// Enable system error reporting, sum of: 1 = log; 4 = show, 8 = trace
$config['debug_level'] = 8;
// Log logins
$config['log_logins'] = true;
Test that this is working by watching the log while logging in via Roundcube:
tail -f /var/log/roundcubemail/userlogins
Edit /etc/fail2ban/jail.conf. The 'ignoreip' parameter prevents Fail2Ban from banning the server itself. The Dovecot filters monitor both /var/log/secure and /var/log/maillog, and because Roundcube connects to Dovecot from the local host, a failed webmail login is recorded in those logs as coming from the server's own address. Without ignoreip, Fail2Ban would see those entries and install a block rule against its own IP!
# "ignoreip" can be an IP address, a CIDR mask or a DNS host.
ignoreip = 127.0.0.1/8 188.8.131.52/32
The [roundcube] section defines Roundcube's monitoring (again, the sendmail-whois line is an indented continuation of action):
[roundcube]
# Monitor roundcube server
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
         sendmail-whois[name=roundcube, dest=email@example.com, sender=firstname.lastname@example.org, sendername="Fail2Ban"]
logpath = /var/log/roundcubemail/userlogins
Mirror the configuration to jail.local:
cat jail.conf > jail.local
Create a filter rule to inspect the 'userlogins' log. The file must be named to match the filter = roundcube line in the jail, so create /etc/fail2ban/filter.d/roundcube.conf with the following contents (before belongs in [INCLUDES], failregex in [Definition]):
# Fail2Ban configuration file for roundcube web server
[INCLUDES]
before = common.conf

[Definition]
failregex = Failed login for .*. from <HOST>
ignoreregex =
Restart the fail2ban service, then test from a remote device (for example a phone on mobile data, so it is not covered by ignoreip) by making enough failed login attempts to trigger the rule.
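Before testing from a phone, it helps to see exactly which log lines the roundcube failregex matches and how findtime, maxretry and ignoreip combine into a ban. The Python below is an added illustration, not code from the original post or from Fail2Ban: it replays constructed Roundcube userlogins lines through the jail parameters given above. The <HOST> expansion mirrors the named group Fail2Ban substitutes for that tag, and the sample log lines, hosts and sessions are constructed for the example.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Jail parameters exactly as set in jail.conf above (seconds).
FINDTIME = 600
MAXRETRY = 3
BANTIME = 600
IGNOREIP = ["127.0.0.1/8", "188.8.131.52/32"]

# failregex from filter.d/roundcube.conf. Fail2Ban replaces <HOST> with a named
# group matching an IPv4/IPv6 address or hostname; the optional "::ffff:" prefix
# handles IPv4-mapped IPv6 addresses.
FAILREGEX = r"Failed login for .*. from <HOST>"
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Roundcube prefixes each userlogins line with "[dd-Mon-yyyy HH:MM:SS +zzzz]: ".
TS_RE = re.compile(r"^\[(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) [+-]\d{4}\]: ")

# Constructed sample log (not real traffic): one client that fails three times
# inside findtime, the local host (covered by ignoreip) failing three times, and
# a client whose failures are spread too far apart to reach maxretry.
SAMPLE_LOG = """\
[01-Mar-2015 10:00:01 +0000]: Failed login for alice@example.com from 203.0.113.7 in session a1b2c3 (error: 0)
[01-Mar-2015 10:00:05 +0000]: Failed login for alice@example.com from 203.0.113.7 in session a1b2c3 (error: 0)
[01-Mar-2015 10:00:09 +0000]: Successful login for alice@example.com (ID: 2) from 203.0.113.7 in session a1b2c3
[01-Mar-2015 10:00:12 +0000]: Failed login for bob@example.com from 203.0.113.7 in session d4e5f6 (error: 0)
[01-Mar-2015 10:01:00 +0000]: Failed login for carol@example.com from 127.0.0.1 in session 000001 (error: 0)
[01-Mar-2015 10:01:01 +0000]: Failed login for carol@example.com from 127.0.0.1 in session 000001 (error: 0)
[01-Mar-2015 10:01:02 +0000]: Failed login for carol@example.com from 127.0.0.1 in session 000001 (error: 0)
[01-Mar-2015 10:05:00 +0000]: Failed login for dave@example.com from 198.51.100.9 in session 777777 (error: 0)
[01-Mar-2015 10:20:00 +0000]: Failed login for dave@example.com from 198.51.100.9 in session 777777 (error: 0)
[01-Mar-2015 10:31:00 +0000]: Failed login for dave@example.com from 198.51.100.9 in session 777777 (error: 0)
""".splitlines()


def parse_line(line):
    """Return (timestamp, host) for a line the failregex matches, else None."""
    m_ts = TS_RE.match(line)
    m_fail = FAIL_RE.search(line)
    if not m_ts or not m_fail:
        return None
    ts = datetime.strptime(m_ts.group(1), "%d-%b-%Y %H:%M:%S")
    return ts, m_fail.group("host")


def is_ignored(host):
    """ignoreip semantics: addresses inside a listed network are never banned."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname cannot be compared against a CIDR entry here
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def simulate_jail(lines):
    """Replay log lines through the jail; returns {host: ban expiry datetime}."""
    failures = {}  # host -> timestamps of failures still inside the findtime window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host):
            continue
        if host in bans and ts < bans[host]:
            continue  # already banned; iptables would have dropped this attempt
        window = [t for t in failures.get(host, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        failures[host] = window
        if len(window) >= MAXRETRY:
            bans[host] = ts + timedelta(seconds=BANTIME)
            failures[host] = []
    return bans


if __name__ == "__main__":
    for host, expiry in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} until {expiry.isoformat()}")
```

Only 203.0.113.7 ends up banned: 127.0.0.1 is excluded by ignoreip, and 198.51.100.9 never accumulates three failures within one 600-second findtime window. Against the real log, the equivalent check is fail2ban-regex /var/log/roundcubemail/userlogins /etc/fail2ban/filter.d/roundcube.conf, which reports how many lines the failregex matched.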