
Secure a CentOS 6 Mail server with Fail2ban

Fail2ban is a powerful tool that allows a sysadmin to slow down brute force attacks. Most mail servers are frequently scanned for valid user+password combinations, and if an attacker manages to retrieve one, he/she can use your server to send SPAM with the credentials found.
This is where fail2ban comes into play: it continuously reads log files, and when a log line contains a pattern indicating a failed attempt, it proceeds with an action against the offending IP address.

Fail2ban installation on CentOS 6 is very simple, but it requires the EPEL repository to be enabled. Executing yum install fail2ban will fetch the required files.

To combine fail2ban with dovecot version 2, a pattern match file must be created. The default location of fail2ban configuration files is /etc/fail2ban. The filters are located in /etc/fail2ban/filter.d.
Here is the pattern match file (sample regular expression taken from dovecot site, some names shortened):

filter.d/dovecot.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

If an offending host tries to authenticate too many times and fails, then an action should be taken. I like blocking TCP connections from the offending host to the server. Further below is action.d/iptables-multiport-tcp.conf, a file which is based on the original action.d/iptables-multiport.conf, with small adjustments:


Usually, an attacker will attempt to find passwords using SASL authentication. Therefore, the SASL authentication mechanism should be protected too.
When a failed SASL authentication attempt occurs, the SMTP agent logs a warning. I usually use postfix for this purpose, so I will create a filter definition for it (it goes in filter.d, since the jail references it with filter = postfix-sasl):

filter.d/postfix-sasl.conf

# Fail2Ban configuration file

[Definition]

#Sample: Feb  5 14:26:24 localhost postfix/smtpd[23488]: warning: cust.static.213-180-183-101.cybernet.ch[213.180.183.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
failregex = .*postfix/smtpd.*warning: .*\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

ignoreregex =



action.d/iptables-multiport-tcp.conf

[Definition]

actionstart = /sbin/iptables -N fail2ban-<name>
    /bin/sleep 1
    /sbin/iptables -A fail2ban-<name> -j RETURN
    /bin/sleep 1
    /sbin/iptables -I INPUT -p tcp -m multiport --dports <port> -j fail2ban-<name>

actionstop = /sbin/iptables -D INPUT -p tcp -m multiport --dports <port> -j fail2ban-<name>
    /bin/sleep 1
    /sbin/iptables -F fail2ban-<name>
    /bin/sleep 1
    /sbin/iptables -X fail2ban-<name>

actionban = /sbin/iptables -I fail2ban-<name> 1 -s <ip> -j DROP

actionunban = /sbin/iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

name = default
port = ssh
protocol = tcp


The pattern match and the action are put together in /etc/fail2ban/jail.conf, creating a section for dovecot and one for postfix:

jail.conf

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport-tcp[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp] mail[name=dovecot, dest=root]
# optionally mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/maillog
maxretry = 3
findtime = 300
bantime = 1800

[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport-tcp[name=postfix, port="smtp,smtps", protocol=tcp] mail[name=postfix, dest=root]
# optionally mail notification # mail[name=postfix-sasl, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/maillog
maxretry = 3
findtime = 300
bantime = 1800
protocol = tcp
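Before enabling the jails, I want to see the two filters match real-looking maillog lines and the maxretry/findtime settings behave as expected. The Python script below is an added example (not part of this page or of the fail2ban project): it expands <HOST> the way fail2ban 0.8 does, runs both failregex patterns over a constructed maillog excerpt, and replays the jail's counting rule. Hostnames and addresses in the sample are made up (documentation ranges).

```python
import re
from datetime import datetime

# Regex that fail2ban 0.8.x substitutes for the <HOST> tag in a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two filters from this page (postfix-sasl with the typos fixed).
FILTERS = {
    "dovecot": r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|"
               r"Aborted login \(tried to use disabled|Disconnected \(auth failed|"
               r"Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*",
    "postfix-sasl": r".*postfix/smtpd.*warning: .*\[<HOST>\]: SASL "
                    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}
COMPILED = {n: re.compile(rx.replace("<HOST>", HOST_RE)) for n, rx in FILTERS.items()}

# Constructed /var/log/maillog excerpt (not real traffic).
SAMPLE_LOG = """\
Feb  5 14:26:24 mx postfix/smtpd[23488]: warning: host.example[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  5 14:26:40 mx postfix/smtpd[23488]: warning: host.example[192.0.2.10]: SASL PLAIN authentication failed: generic failure
Feb  5 14:27:02 mx postfix/smtpd[23490]: warning: host.example[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  5 14:27:30 mx postfix/smtpd[23491]: connect from good.example[198.51.100.7]
Feb  5 14:28:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1
Feb  5 14:40:00 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1
"""

def matches(line):
    """Return (filter_name, host) for the first filter that matches the line, else None."""
    for name, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            return name, m.group("host")
    return None

def parse_ts(line):
    # syslog timestamps carry no year; assume one so the arithmetic works
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2024)

def bans(lines, maxretry=3, findtime=300):
    """Replay the jail rule: ban a host once it has maxretry hits within findtime seconds."""
    history, banned = {}, []
    for line in lines:
        hit = matches(line)
        if not hit:
            continue
        ts = parse_ts(line)
        # drop failures that fell out of the findtime window, then add this one
        recent = [t for t in history.get(hit, []) if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        history[hit] = recent
        if len(recent) >= maxretry and hit not in banned:
            banned.append(hit)
    return banned

if __name__ == "__main__":
    print(bans(SAMPLE_LOG.splitlines()))  # only the postfix attacker trips maxretry=3
```

The dovecot host fails twice but 12 minutes apart, so it never reaches three failures inside the 300 second window and is not banned.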


After proper testing, fail2ban must be started and enabled at boot so it survives a reboot:

# service fail2ban start

# chkconfig fail2ban on