Description
Program to monitor attempts to access mail servers configured with Dovecot and Postfix using random (guessed) passwords. After the number of failed login attempts set by the threshold.suspicious parameter, the IP address is reported to Fail2Ban for blocking. The latest update also checks whether an email contains viruses or malware using Amavis: if it does and the sender belongs to my.domain, the sender is notified that the email has not been forwarded to the recipient.
Requirements
- Java 21 or higher
- Fail2Ban
- Amavis
Usage
- Create a whitelist.txt file containing the IP addresses (one per line), e.g.
10.10.10.1
10.10.10.2
or networks (in the form x.x.x.x/24, one per line) that will not be monitored by the program, e.g.
10.10.10.0/24
- Create an empty security-events.log file
- Create a config.properties file like the following example (set the proper paths):
# Log files separated by comma
log.files=/var/log/dovecot.log,/var/log/mail.log
# File whitelist.txt
whitelist.file=/path/to/whitelist.txt
# File security-events.log
security.events.file=/path/to/security-events.log
# Threshold
threshold.suspicious=2
# The domain from which you are sending the email
my.domain=my domain
# The mail server IP
mail.server.ip=127.0.0.1
# The warning sender
from.address=noreply@mydomain
- Run the program with
/path/to/java/bin/java -jar PostfixDovecotLogMonitor-<version>.jar config.properties
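As an added illustration of the detection logic described above (example code, not the project's own implementation), the following Java class counts failed authentication attempts per client IP from Dovecot and Postfix log lines, skips addresses and networks listed in the whitelist.txt format shown above, and, once the threshold.suspicious count is reached, produces a security-events.log line in the IP=<HOST> form that the fail2ban filter expects. The log-line patterns, the class and method names, and the sample log lines are assumptions constructed for this example.

```java
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustration of the monitor's threshold/whitelist logic; not the project's own code. */
public class FailedLoginMonitor {

    // Assumed log shapes: Dovecot "auth failed ... rip=<ip>" and Postfix "[<ip>]: SASL ... authentication failed".
    private static final Pattern DOVECOT_FAIL = Pattern.compile(
            "auth failed.*?rip=(?<ip>\\d{1,3}(?:\\.\\d{1,3}){3})");
    private static final Pattern POSTFIX_SASL_FAIL = Pattern.compile(
            "\\[(?<ip>\\d{1,3}(?:\\.\\d{1,3}){3})\\]: SASL \\w+ authentication failed");

    private final int threshold;                                   // threshold.suspicious
    private final List<long[]> whitelist = new ArrayList<>();      // {network, mask} as 32-bit values
    private final Map<String, Integer> failures = new HashMap<>(); // failed attempts per IP
    private final Set<String> reported = new HashSet<>();          // IPs already handed to fail2ban
    private final List<String> securityEvents = new ArrayList<>(); // lines destined for security-events.log

    public FailedLoginMonitor(int threshold) { this.threshold = threshold; }

    /** Accepts one whitelist.txt entry: a single IPv4 address or an x.x.x.x/n network. */
    public void addWhitelistEntry(String entry) {
        String e = entry.trim();
        if (e.isEmpty() || e.startsWith("#")) return;
        String[] parts = e.split("/");
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix: " + e);
        long mask = prefix == 0 ? 0L : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
        whitelist.add(new long[] {toLong(parts[0]) & mask, mask});
    }

    public boolean isWhitelisted(String ip) {
        long v = toLong(ip);
        for (long[] net : whitelist) {
            if ((v & net[1]) == net[0]) return true;
        }
        return false;
    }

    /** Feeds one log line; returns the IP if this line reached the threshold, otherwise null. */
    public String processLine(String line) {
        String ip = extractFailedIp(line);
        if (ip == null || isWhitelisted(ip) || reported.contains(ip)) return null;
        int count = failures.merge(ip, 1, Integer::sum);
        if (count < threshold) return null;
        reported.add(ip);
        // Timestamp first so fail2ban can apply findtime; "IP=<addr>" is what failregex = IP=<HOST> matches.
        securityEvents.add(LocalDateTime.now().format(DateTimeFormatter.ISO_LOCAL_DATE_TIME) + " IP=" + ip);
        return ip;
    }

    public List<String> getSecurityEvents() { return securityEvents; }

    private static String extractFailedIp(String line) {
        for (Pattern p : List.of(DOVECOT_FAIL, POSTFIX_SASL_FAIL)) {
            Matcher m = p.matcher(line);
            if (m.find()) return m.group("ip");
        }
        return null;
    }

    private static long toLong(String ip) {
        String[] octets = ip.trim().split("\\.");
        if (octets.length != 4) throw new IllegalArgumentException("not an IPv4 address: " + ip);
        long v = 0;
        for (String o : octets) {
            int n = Integer.parseInt(o);
            if (n < 0 || n > 255) throw new IllegalArgumentException("bad octet in " + ip);
            v = (v << 8) | n;
        }
        return v;
    }

    public static void main(String[] args) {
        FailedLoginMonitor monitor = new FailedLoginMonitor(2); // threshold.suspicious=2 as in the README
        monitor.addWhitelistEntry("10.10.10.0/24");

        // Constructed sample lines (not real captures) in the assumed Dovecot and Postfix shapes.
        String[] sample = {
            "Mar  1 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.5, lip=192.0.2.10",
            "Mar  1 10:00:02 mail postfix/smtpd[1234]: warning: unknown[10.10.10.7]: SASL LOGIN authentication failed",
            "Mar  1 10:00:03 mail postfix/smtpd[1234]: warning: unknown[10.10.10.7]: SASL LOGIN authentication failed",
            "Mar  1 10:00:04 mail postfix/smtpd[1235]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed",
            "Mar  1 10:00:05 mail dovecot: imap-login: Login: user=<bob>, rip=198.51.100.9"
        };
        for (String line : sample) {
            String hit = monitor.processLine(line);
            if (hit != null) System.out.println("threshold reached, reporting " + hit);
        }
        System.out.println("security-events.log would receive: " + monitor.getSecurityEvents());
    }
}
```

With the threshold set to 2, the sample feed yields one event line for 203.0.113.5 (two failures across Dovecot and Postfix); the two failures from 10.10.10.7 are ignored because of the /24 whitelist entry, and the successful login from 198.51.100.9 is never counted. An IP is reported only once, so fail2ban, with maxretry = 1, bans on the first event line it sees for that address.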
Enable fail2ban
Create the file:
/etc/fail2ban/filter.d/java-security.conf
with the following content:
[Definition]
failregex = IP=<HOST>
ignoreregex =
Modify or create the file:
/etc/fail2ban/jail.local
Add:
[java-security]
enabled = true
filter = java-security
logpath = /path/to/security-events.log
maxretry = 1
findtime = 60
bantime = 600
action = iptables-multiport
Restart fail2ban
sudo systemctl restart fail2ban
Verify
sudo fail2ban-client status java-security