
Protecting your mail server from password guessing with Fail2Ban

[Virtual servers]
Date of publication: 30.05.2023

Let's configure Fail2Ban, a service that protects the server from flooding and from password guessing against its services. Thousands of third-party hosts connect to servers every day, and some of them are malicious. With Fail2Ban we will block IP addresses after several failed authentication attempts.

This guide assumes that you have already configured the mail server itself and that you need to install protection against password guessing and other unwanted network activity. More information about setting up a mail server can be found here:


You can also order a VPS with a pre-configured operating system and get a ready-made corporate mail server for the price of a VPS server.


1. Install the Fail2Ban service

apt install fail2ban

Let's edit the settings:

vi /etc/fail2ban/jail.d/defaults-debian.conf

[sshd]
enabled = true

[postfix]
enabled = true
filter = postfix
port = smtp,465,submission,imap,imaps,pop3,pop3s
action = iptables[name=Postfix, port=smtp, protocol=tcp]
logpath = /var/log/mail.log
bantime = 120m
maxretry = 3
findtime = 60m

In this configuration we have enabled jails for the ssh and postfix services: Fail2Ban reads the log file and blocks an IP address after several failed authentication attempts. Note that the iptables action above is given only port=smtp, so the rule it inserts blocks a banned address on port 25 only, not on the other ports named in the port list; to cover the whole list, pass the same port list to the action (for example with the iptables-multiport action).

To check that the filter matches the log, use the command

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

We used the ready-made default filter, and in our case it worked immediately.

2. Service start

systemctl enable --now fail2ban

We have started the service and added it to autostart.

Now you can check the log:

more /var/log/fail2ban.log

3. Service Management

To view the status and the latest activity, use the commands

fail2ban-client status - shows all jails and their status.

fail2ban-client status postfix - shows the jail's activity, including the currently blocked IP addresses.

To unblock an IP address, use the command

fail2ban-client set postfix unbanip xxx.xxx.xxx.xxx

Here postfix is the name of the jail, and xxx.xxx.xxx.xxx is the IP address taken from the list shown by fail2ban-client status postfix.

4. Add a jail for Roundcube authorization

Add to the file

vi /etc/fail2ban/jail.d/defaults-debian.conf

[roundcube-auth]
enabled = true
filter = roundcube-auth
port = http,https
action = iptables[name=Roundcube-auth, port=http, protocol=tcp]
logpath = /usr/share/nginx/html/webmail/logs/errors.log
bantime = 120m
maxretry = 3
findtime = 60m

After three failed login attempts in the web mail, we block access for 2 hours.
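To make the jail parameters concrete, here is a small added model of what Fail2Ban does with the postfix and roundcube-auth jails above: a failregex pulls the client IP out of each log line (the part that fail2ban-regex checks in step 1), failures per IP are counted inside the findtime window, and an IP that reaches maxretry is banned for bantime. This is example code written for this article, not Fail2Ban's own code; the two regular expressions are simplified assumptions rather than the patterns from filter.d/postfix.conf and filter.d/roundcube-auth.conf, and the log lines are constructed samples.

```python
"""Toy model of a Fail2Ban jail (added example, not Fail2Ban code)."""
import re
from datetime import datetime, timedelta

# One IPv4 address; the explicit form avoids swallowing a trailing "." in the log text.
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Simplified failregex patterns (assumption: Fail2Ban's real filters are broader).
FILTERS = {
    "postfix": {
        "failregex": re.compile(
            r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
            r"warning: [-._\w]+\[" + IPV4 + r"\]: SASL [-\w]+ authentication failed"
        ),
        "datefmt": "%b %d %H:%M:%S",  # syslog timestamps carry no year
    },
    "roundcube-auth": {
        "failregex": re.compile(
            r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) [+-]\d{4}\]: <\w+> "
            r"IMAP Error: Login failed for \S+ against \S+ from " + IPV4
        ),
        "datefmt": "%d-%b-%Y %H:%M:%S",  # the "+0000" offset is ignored here
    },
}

# Constructed sample lines in the shape of /var/log/mail.log (SASL failures).
POSTFIX_LOG = [
    "May 30 10:00:01 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 30 10:00:07 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 30 10:00:15 mail postfix/smtpd[1204]: connect from mx.example.org[198.51.100.7]",
    "May 30 10:00:20 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6",
    "May 30 10:30:00 mail postfix/smtpd[1210]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 30 12:30:00 mail postfix/smtpd[1220]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 30 12:35:00 mail postfix/smtpd[1221]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]

# Constructed sample lines in the shape of Roundcube's errors.log.
ROUNDCUBE_LOG = [
    "[30-May-2023 10:05:00 +0000]: <a1b2c3> IMAP Error: Login failed for alice@example.com against localhost from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed",
    "[30-May-2023 10:05:30 +0000]: <a1b2c3> IMAP Error: Login failed for alice@example.com against localhost from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed",
    "[30-May-2023 10:05:45 +0000]: <d4e5f6> PHP Error: Failed to load plugin file (not a login failure)",
    "[30-May-2023 10:06:00 +0000]: <a1b2c3> IMAP Error: Login failed for admin@example.com against localhost from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed",
]


def parse_failures(filter_name, lines, year=2023):
    """Like fail2ban-regex: return (timestamp, ip) for each line the filter matches."""
    flt = FILTERS[filter_name]
    hits = []
    for line in lines:
        m = flt["failregex"].search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), flt["datefmt"])
        if ts.year == 1900:  # strptime default: the syslog line had no year
            ts = ts.replace(year=year)
        hits.append((ts, m.group("host")))
    return hits


def run_jail(failures, maxretry=3, findtime=timedelta(minutes=60), bantime=timedelta(minutes=120)):
    """Apply the jail rules from the article (3 failures within 60m -> 120m ban).

    Returns {ip: ban expiry} for every IP that was banned."""
    recent = {}  # ip -> failure timestamps still inside the findtime window
    bans = {}    # ip -> time the ban expires
    for ts, ip in sorted(failures):
        if ip in bans and ts < bans[ip]:
            continue  # while banned, the firewall rule drops the client's packets
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            recent[ip] = []  # the counter restarts after a ban
    return bans


if __name__ == "__main__":
    for jail, log in (("postfix", POSTFIX_LOG), ("roundcube-auth", ROUNDCUBE_LOG)):
        hits = parse_failures(jail, log)
        print(f"[{jail}] {len(hits)} matching lines out of {len(log)}")
        for ip, until in run_jail(hits).items():
            print(f"  banned {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

In the postfix sample, 203.0.113.5 fails three times within twenty seconds and is banned for two hours, while 198.51.100.7 also fails three times but its first failure falls outside the 60-minute findtime window, so it is never banned; this is the difference between maxretry and findtime that the jail settings encode.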

Let's restart the service:

service fail2ban restart

The filter setup is complete.
