diff -urN smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh
--- smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh 2021-05-24 23:08:25.925992313 -0400
+++ smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh 2021-05-24 23:21:04.000000000 -0400
@@ -9,7 +9,7 @@
 [ssh]
 enabled = true
 filter = sshd
-logpath = /var/log/sshd/current
+logpath = /var/log/sshd/sshd.log
 action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
 EOF
@@ -21,7 +21,7 @@
 [ssh-ddos]
 enabled = true
 filter = sshd-ddos
-logpath = /var/log/sshd/current
+logpath = /var/log/sshd/sshd.log
 action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
 EOF
diff -urN smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service15dovecot smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service15dovecot
--- smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service15dovecot 2021-05-24 23:08:25.925992313 -0400
+++ smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service15dovecot 2021-05-24 23:23:10.000000000 -0400
@@ -15,7 +15,7 @@
 [imap]
 enabled = true
 filter = dovecot
-logpath = /var/log/dovecot/current
+logpath = /var/log/dovecot/dovecot.log
 action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
 EOF
diff -urN smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd
--- smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd 2021-05-24 23:08:25.925992313 -0400
+++ smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd 2021-05-24 23:27:39.000000000 -0400
@@ -1,12 +1,12 @@
 {
-my $status = $smtpd{'status'} || 'disabled';
+my $status = $sqpsmtpd{'status'} || 'disabled';
 my $f2b = $qpsmtpd{'Fail2Ban'} || 'enabled';
 return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
 my @ports = ();
-push @ports, ($smtpd{'TCPPort'} || '25');
-push @ports, ($ssmtpd{'TCPPort'} || '465')
- if (($ssmtpd{'status'} || 'disabled') eq 'enabled');
+push @ports, ($qpsmtpd{'TCPPort'} || '25');
+push @ports, ($sqpsmtpd{'TCPPort'} || '465')
+ if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled');
 my $port = join (",", @ports);
 my $max = $maxretry*3;
diff -urN smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/sshd-ddos.conf smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/sshd-ddos.conf
--- smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/sshd-ddos.conf 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/sshd-ddos.conf 2021-05-24 23:14:31.000000000 -0400
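Review bot: In the 30Service20qpsmtpd hunk the new `my $status = $sqpsmtpd{'status'} || 'disabled';` gates the whole jail on the SMTPS service record, while the `Fail2Ban` flag on the next line and the port-25 push below both read `$qpsmtpd`, and `$sqpsmtpd{'status'}` is already checked separately just for the 465 port. With that line, a host that runs qpsmtpd with sqpsmtpd disabled hits the `return ""` and silently gets no SMTP jail at all, which looks like a typo rather than intent. If the jail is meant to follow the plain SMTP service, the line should read `my $status = $qpsmtpd{'status'} || 'disabled';`. The template block opened by `{` on the first line continues past the end of the hunk.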
@@ -0,0 +1,28 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+# http://www.securityfocus.com/bid/17958/exploit
+# The example code here shows the pushing of the exploit straight after
+# reading the server version. This is where the client version string normally
+# pushed. As such the server will read this unparsible information as
+# "Did not receive identification string".
+# Author: Yaroslav Halchenko
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)sDid not receive identification string from \s*$
+
+ignoreregex =.
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
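Review bot: `ignoreregex =.` in the [Definition] section carries a stray dot, and a bare `.` ignoreregex matches every non-empty log line, so each hit of the failregex above it would be discarded and the ssh-ddos jail would never ban anything; the line should be `ignoreregex =` with an empty value as in the stock filter. The failregex as printed also has nothing between `from ` and `\s*$` where the `<HOST>` tag belongs, and fail2ban refuses to load a filter whose failregex has no host group, so the jail would fail at start rather than run silently. If the tag was stripped during rendering and is present in the file, that second point can be ignored; otherwise the line should read `failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$`. Both are worth a quick `fail2ban-regex` check against a sample line before the filter ships.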