diff --git a/config-examples/fail2ban-jail.cf b/config-examples/fail2ban-jail.cf index 73b5bd47..6866ddf3 100644 --- a/config-examples/fail2ban-jail.cf +++ b/config-examples/fail2ban-jail.cf @@ -8,7 +8,7 @@ bantime = 1w findtime = 1w # "maxretry" is the number of failures before a host get banned. -maxretry = 2 +maxretry = 6 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses @@ -25,15 +25,12 @@ enabled = true [postfix] enabled = true -# See https://github.com/fail2ban/fail2ban/blob/27294c4b9ee5d5568a1d5f83af744ea39d5a1acb/config/filter.d/postfix.conf#L58 -# `mode=aggressive` basically combines more filters to match more lines, and hence, apply rules -# more aggressively. The same goes for the `postfix-sasl` jail. -mode = aggressive - +# For a reference on why this mode was chose, see +# https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760 +mode = extra [postfix-sasl] enabled = true -mode = aggressive # This jail is used for manual bans. # To ban an IP address use: setup.sh fail2ban ban diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index ae91d902..7a06fbf2 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md @@ -29,7 +29,7 @@ hide: ### DMS Defaults -DMS will automatically ban IP addresses of hosts that have generated 2 failed attempts over the course of the last week. The bans themselves last for one week. +DMS will automatically ban IP addresses of hosts that have generated 6 failed attempts over the course of the last week. The bans themselves last for one week. The Postfix jail is configured to use `mode = extra` in DMS. ### Custom Files @@ -39,10 +39,10 @@ This following configuration files inside the `docker-data/dms/config/` volume w 1. `fail2ban-jail.cf` is copied to `/etc/fail2ban/jail.d/user-jail.local` - with this file, you can adjust the configuration of individual jails and their defaults - - the is an example provided [in our repository on GitHub][github-file-f2bjail] + - there is an example provided [in our repository on GitHub][github-file-f2bjail] 2. `fail2ban-fail2ban.cf` is copied to `/etc/fail2ban/fail2ban.local` - with this file, you can adjust F2B behavior in general - - the is an example provided [in our repository on GitHub][github-file-f2bconfig] + - there is an example provided [in our repository on GitHub][github-file-f2bconfig] [docs-dms-config-volume]: ../../faq.md#what-about-the-docker-datadmsconfig-directory [github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf diff --git a/target/fail2ban/jail.local b/target/fail2ban/jail.local index 96f1d4f5..6866ddf3 100644 --- a/target/fail2ban/jail.local +++ b/target/fail2ban/jail.local @@ -8,7 +8,7 @@ bantime = 1w findtime = 1w # "maxretry" is the number of failures before a host get banned. -maxretry = 2 +maxretry = 6 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses @@ -25,14 +25,12 @@ enabled = true [postfix] enabled = true -# See https://github.com/fail2ban/fail2ban/blob/27294c4b9ee5d5568a1d5f83af744ea39d5a1acb/config/filter.d/postfix.conf#L58 -# `mode=aggressive` basically combines more filters to match more lines, and hence, apply rules -# more aggressively. The same goes for the `postfix-sasl` jail. -mode = aggressive +# For a reference on why this mode was chose, see +# https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760 +mode = extra [postfix-sasl] enabled = true -mode = aggressive # This jail is used for manual bans. # To ban an IP address use: setup.sh fail2ban ban