Program that monitors a Postfix/Dovecot mail server log for login attempts made with guessed (random) passwords. After 3 failed attempts from the same address, the IP is reported to fail2ban for blocking.
Description
Program that monitors the logs of mail servers running Dovecot and Postfix for login attempts made with guessed (random) passwords. Once a source IP has produced threshold.suspicious failed logins, the program writes an event line for that IP to the security events file, which fail2ban reads to ban the address. Addresses and networks listed in the whitelist are never reported.
Requirements
- Java 21 or higher
- Fail2Ban
Usage
- Create a whitelist.txt file containing the IP addresses that will not be monitored by the program (one per line), e.g.
  10.10.10.1
  10.10.10.2
  or networks (in the form x.x.x.x/24, one per line), e.g.
  10.10.10.0/24
- Create an empty security-events.log file (the program writes its events there and fail2ban reads it)
- Create a config.properties file like the following example (set proper paths):
  # Log files separated by comma
  log.files=/var/log/dovecot.log,/var/log/mail.log
  # File whitelist.txt
  whitelist.file=/path/to/whitelist.txt
  # File security-events.log
  security.events.file=/path/to/security-events.log
  # Threshold
  threshold.suspicious=3
- Run the program with
  /path/to/java/bin/java -jar PostfixDovecotLogMonitor-<version>.jar config.properties
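The detection logic the steps above configure (parse failed-login lines, skip whitelisted addresses and networks, count failures per IP, emit an event line once the threshold is reached) is shown below as an added, stand-alone Python example. It is not the project's Java code. The Dovecot ("auth failed ... rip=") and Postfix ("SASL ... authentication failed") line formats, the event line format ending in IP=<address> (chosen so the fail2ban filter in the next section matches it), and all sample log and whitelist lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Failed-login patterns for the two daemons. These follow the usual syslog
# formats but are an assumption of this example, not taken from the project.
# Dovecot: "... (auth failed, 1 attempts in 2 secs): user=<x>, method=PLAIN, rip=1.2.3.4, lip=..."
DOVECOT_AUTH_FAILED = re.compile(r"dovecot: .*auth failed.*\brip=(?P<ip>[0-9a-fA-F.:]+)")
# Postfix: "... postfix/smtpd[123]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: ..."
POSTFIX_SASL_FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

# Constructed sample input (not real logs): 203.0.113.7 is an outside guesser,
# 10.10.10.44 fails repeatedly but sits in a whitelisted network, bob logs in fine.
SAMPLE_LOG = """\
Nov 10 12:00:01 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS, session=<a1>
Nov 10 12:00:02 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 10 12:00:03 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.10.10.2, lip=10.0.0.5, TLS, session=<b1>
Nov 10 12:00:04 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.10.10.44, lip=10.0.0.5, session=<c1>
Nov 10 12:00:05 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.10.10.44, lip=10.0.0.5, session=<c2>
Nov 10 12:00:06 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.10.10.44, lip=10.0.0.5, session=<c3>
Nov 10 12:00:07 mail postfix/smtpd[2202]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
"""
SAMPLE_WHITELIST = "10.10.10.1\n10.10.10.0/24  # office LAN\n"


def load_whitelist(text):
    """Parse whitelist.txt: one address or x.x.x.x/nn network per line.
    Single addresses become /32 (or /128) networks, so one containment check serves both."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # tolerate trailing comments and blank lines
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_whitelisted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def extract_failed_ip(line):
    """Return the client IP of a failed-login line, or None for any other line."""
    for pat in (DOVECOT_AUTH_FAILED, POSTFIX_SASL_FAILED):
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None


class LoginMonitor:
    """Counts failed logins per non-whitelisted IP; emits one event line each time the threshold is reached."""

    def __init__(self, whitelist, threshold):
        self.whitelist = whitelist
        self.threshold = threshold
        self.failures = defaultdict(int)

    def process(self, line, now=None):
        ip = extract_failed_ip(line)
        if ip is None or is_whitelisted(ip, self.whitelist):
            return None
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        # Reset so a host that keeps guessing after its ban expires is reported again.
        self.failures[ip] = 0
        ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
        # Event format is an assumption chosen to match failregex = IP=<HOST>;
        # the leading timestamp lets fail2ban date the line for findtime.
        return f"{ts} SUSPICIOUS threshold={self.threshold} IP={ip}"


def run(log_text, whitelist_text, threshold=3):
    """Feed every line through the monitor and return the event lines to append to security-events.log."""
    monitor = LoginMonitor(load_whitelist(whitelist_text), threshold)
    events = []
    for line in log_text.splitlines():
        event = monitor.process(line)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for event in run(SAMPLE_LOG, SAMPLE_WHITELIST):
        print(event)
```

With the sample input and threshold 3, only 203.0.113.7 is reported (its third failure is the last Postfix line); 10.10.10.44 is covered by 10.10.10.0/24 and never counted. The whitelist check happens before counting, so a whitelisted host cannot consume counter state either.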
Enable fail2ban
Create the file:
/etc/fail2ban/filter.d/java-security.conf
with the following content (each event line the program writes contains IP=<address>, which this regex matches; the rest of the line is ignored):
[Definition]
failregex = IP=<HOST>
ignoreregex =
Modify or create the file:
/etc/fail2ban/jail.local
Add:
[java-security]
enabled = true
filter = java-security
logpath = /path/to/security-events.log
maxretry = 1
findtime = 60
bantime = 600
action = iptables-multiport[port="smtp,submission,imap,imaps,pop3,pop3s,smtps", protocol=tcp]
maxretry is 1 because the program has already applied threshold.suspicious before writing an event, so a single event line is enough to ban. The port list is passed explicitly: a bare iptables-multiport action uses the port default from the stock action file (ssh) and would leave the mail ports open. Adjust the list to the services you actually expose.
Restart fail2ban
sudo systemctl restart fail2ban
Verify
Check that the filter matches the program's event lines:
sudo fail2ban-regex /path/to/security-events.log /etc/fail2ban/filter.d/java-security.conf
Check that the jail is running and see currently banned addresses:
sudo fail2ban-client status java-security
Logrotate
To prevent security-events.log from growing too large, enable logrotate for this file.
Create the file
/etc/logrotate.d/java-security
with the following content:
/path/to/security-events.log {
weekly
rotate 12
compress
missingok
notifempty
copytruncate
}
copytruncate matters here: it empties the file in place instead of renaming it, so the running program and fail2ban keep writing to and reading from the same path after rotation.