Mail servers are frequuently targeted by brute force attackers attempting to find passwords for the e-mail accounts. Usually, the brute force attack passes unnoticed, other times the load put into the system is so high that even legitimate mail can't pass and mail retrieval problems occur. To work out this kind of situations, a tool called fail2ban can be used to temporary block the network access of the attacker to e-mail service or even to the entire system.
Fail2ban reads the system logs, looks for specific patterns, and if a pattern referring to an attack is dentified, an action can be executed. A similar aproach is used by another tool called 'sshguard', but this tool is limited only to logs regarding SSH and is invoked as a pipe command by the system logger After identifying the pattern, sshguard can execute a simple action, like filling an ip address lookup table used by pf packet filter.
Fail2ban uses a different approach, the user can indicate precisely what files must be analyzed, what patterns to be searched and what actions to be executed.
After installation, the configuration files are located in the /usr/local/etc/fail2ban directory. The default installation includes a lot of files, but none specific to dovecot (or I wasn't able to identify it). Also, there is no action available for pf (OpenBSD Packet filter) in the default actions.d directory. So, these two must be created. I use pf to fitler traffic for this example server, populating a table called 'briteforcers' with IP addresses which must be blocked. The system packet filter configuration file defines a reference to the 'bruteforce' table and a rule which prevents traffic from the addresses listed in this table.
Below is the relevant content of /etc/pf.conf:
/etc/pf.conf: rules for Fail2ban
Of course, there may be other rules listed, but I listed here only the relevant ones.
And the configuration files for Fail2ban
The filter and action created above must be referenced from the fail2ban jail.conf file. At the same place is also referenced the log file containing the searched patterns.
additions to /usr/local/etc/fail2ban/jail.conf, to enable dovecot authentication checking and bloking with PF:
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/named/security.log
ignoreip = 18.104.22.168
And finally, all these must be put together:
- pf must be enabled and there must be defined some rules rules referring to the table 'bruteforce'
- fail2ban must be enabled: add to /etc/rc.conf a line containing 'fail2ban_enable="YES"'
- dovecot must be running and must have logging to syslog enabled (check for 'syslog_facility = mail' in /usr/local/etc/dovecot.conf)
- syslog must be enabled (default), and send messages with mail syslog facility to /var/log/maillog file. This is the default configuration on FreeBSD.
A similar approach could be used for ipfw users:
- create rules and an ipfw table, eg:
- create an action for ipfw (action.d/ipfw.conf), containing: