Secure a FreeBSD mail server running Dovecot with Fail2ban

Mail servers are frequently targeted by brute force attackers attempting to guess passwords for the e-mail accounts. Usually the brute force attack passes unnoticed; other times the load put on the system is so high that even legitimate mail can't get through and mail retrieval problems occur. To handle this kind of situation, a tool called fail2ban can be used to temporarily block the attacker's network access to the e-mail service, or even to the entire system.

Fail2ban reads the system logs, looks for specific patterns, and if a pattern referring to an attack is identified, an action can be executed. A similar approach is used by another tool called 'sshguard', but that tool is limited to logs regarding SSH and is invoked as a pipe command by the system logger. After identifying the pattern, sshguard can execute a simple action, like filling an IP address lookup table used by the pf packet filter.
Fail2ban uses a different approach: the user can indicate precisely which files must be analyzed, which patterns are to be searched for and which actions are to be executed.


Integrating Fail2ban with FreeBSD and Dovecot ver. 1.2

At this time, fail2ban is available as a FreeBSD port, located in /usr/ports/security/py-fail2ban. Installation should be straightforward for portupgrade users:

# portupgrade -Np security/py-fail2ban

After installation, the configuration files are located in the /usr/local/etc/fail2ban directory. The default installation includes a lot of files, but none specific to dovecot (or I wasn't able to identify it). Also, there is no action available for pf (OpenBSD Packet Filter) in the default action.d directory. So, these two must be created. I use pf to filter traffic for this example server, populating a table called 'bruteforce' with IP addresses which must be blocked. The system packet filter configuration file defines a reference to the 'bruteforce' table and a rule which blocks traffic from the addresses listed in this table.

Below is the relevant content of /etc/pf.conf:

/etc/pf.conf: rules for Fail2ban
# PF Table definition
table <bruteforce> file "/etc/firewall/bruteforce_attackers" persist
# In the rules section
block in quick inet from <bruteforce> to any

Of course, there may be other rules listed, but I listed here only the relevant ones.


And the configuration files for Fail2ban

/usr/local/etc/fail2ban/filter.d/dovecot-login.conf:
# Sample failed logins
# Apr 26 12:23:18 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<subscribe123@domain.tld>, method=PLAIN, rip=70.xx.xx.xx, lip=81.x.x.x
# Apr 26 15:40:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<kjhghgf@domain.tld>, method=PLAIN, rip=192.168.2.17, lip=81.x.x.x
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
# Alternate regex
#failregex = dovecot.*pop3-login.*auth failed.*rip=<HOST>.*
ignoreregex =


/usr/local/etc/fail2ban/action.d/pf.conf
[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
actioncheck =

actionban = pfctl -t bruteforce -T add  <ip>

# remove each ip separately
actionunban = pfctl -t bruteforce -T delete <ip>

[Init]
# File end



The filter and action created above must be referenced from the fail2ban jail.conf file. At the same place is also referenced the log file containing the searched patterns.

Additions to /usr/local/etc/fail2ban/jail.conf, to enable dovecot authentication checking and blocking with PF (the [named-refused-tcp] section is one of the existing entries, shown for context):
....
[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

[dovecot-pf]
enabled = true
filter = dovecot-login
action = pf
logpath = /var/log/maillog
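To check that the dovecot-login filter really matches the log lines you expect before pointing fail2ban at it, the following added example (not part of the original page, and not fail2ban's own code) runs the page's failregex over a few constructed maillog lines, then emulates the jail's counting logic and prints the pfctl commands the pf action would run. The sample log lines, the maxretry/findtime values, the ignoreip list and the year supplied for timestamp arithmetic are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The failregex from filter.d/dovecot-login.conf above. fail2ban expects a
# named group 'host'; in fail2ban filters the <HOST> token expands to one.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Constructed sample maillog lines, modelled on the page's own samples
# (documentation IP ranges, one successful login mixed in).
SAMPLE_LOG = """\
Apr 26 12:23:18 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<subscribe123@domain.tld>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Apr 26 12:23:25 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin@domain.tld>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Apr 26 12:23:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<root@domain.tld>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Apr 26 12:24:02 mail dovecot: imap-login: Login: user=<alice@domain.tld>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
Apr 26 15:40:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<kjhghgf@domain.tld>, method=PLAIN, rip=192.168.2.17, lip=203.0.113.5
Apr 26 15:41:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<kjhghgf@domain.tld>, method=PLAIN, rip=192.168.2.17, lip=203.0.113.5
"""


def parse_failures(log_text, year=2010):
    """Return (timestamp, host) for every line the failregex matches.
    syslog lines carry no year, so one is supplied (assumed) for arithmetic."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("host")))
    return failures


def decide_bans(failures, maxretry=3, findtime=600, ignoreip=()):
    """Emulate the jail's counting: a host is banned once it accumulates
    maxretry failures inside a findtime-second window. Addresses or networks
    listed in ignoreip are never banned (assumed values, as in jail.conf)."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    history = defaultdict(list)
    banned = []
    for ts, host in sorted(failures):
        addr = ipaddress.ip_address(host)
        if host in banned or any(addr in net for net in ignored):
            continue
        # keep only failures still inside the findtime window
        window = [t for t in history[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        history[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


def ban_commands(hosts, table="bruteforce"):
    """The pfctl invocations the action.d/pf.conf actionban line would run."""
    return [f"pfctl -t {table} -T add {h}" for h in hosts]


if __name__ == "__main__":
    hits = parse_failures(SAMPLE_LOG)
    print(f"{len(hits)} failed logins matched")
    for cmd in ban_commands(decide_bans(hits)):
        print(cmd)
```

With the defaults above only 198.51.100.7 (three failures in 13 seconds) is banned; the host with two failures a minute apart is not, and anything under ignoreip is skipped even if it crosses the threshold. For the real filter file, fail2ban ships the `fail2ban-regex` tool, which performs the same matching test against a log file and a filter configuration.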



And finally, all these must be put together:
- pf must be enabled and there must be some rules defined referring to the table 'bruteforce'
- fail2ban must be enabled: add to /etc/rc.conf a line containing 'fail2ban_enable="YES"'
- dovecot must be running and must have logging to syslog enabled (check for 'syslog_facility = mail' in /usr/local/etc/dovecot.conf)
- syslog must be enabled (default) and send messages with the mail syslog facility to the /var/log/maillog file. This is the default configuration on FreeBSD.

A similar approach could be used by ipfw users:
- create rules and an ipfw table, e.g.:
    ipfw table 10 add 127.0.0.2
    ipfw add 1 deny ip from table(10) to me
- create an action for ipfw (action.d/ipfw.conf), containing:
    actionban = ipfw table 10 add <ip>
    actionunban = ipfw table 10 delete <ip>
- modify jail.conf accordingly:
    [dovecot-ipfw]
    enabled = true
    filter = dovecot-login
    action = ipfw
    logpath = /var/log/maillog


To start or stop the fail2ban service, the usual rc.d startup/shutdown sequence is used:
/usr/local/etc/rc.d/fail2ban start