
-----------

Fail2ban for dovecot and postfix

https://www.epilis.gr/en/blog/2016/03/23/fail2ban-dovecot-and-postfix/

This example uses CentOS 5.x, where syslog writes security (PAM) events to /var/log/secure and mail-related events to /var/log/maillog.

Daemons used are dovecot for POP3/IMAP and postfix for SMTP.

This assumes you already have fail2ban installed and running, and that it bans through iptables.

Firstly add to /etc/fail2ban/jail.conf:

jail.conf

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
bantime  = 36000
maxretry = 2

[dovecot-secure]

enabled  = true
filter   = dovecot-secure
action   = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Secure, dest=admin@ourdomain.com]
logpath  = /var/log/secure
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[dovecot-maillog]

enabled  = true
filter   = dovecot-maillog
action   = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Maillog, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[postfix]

enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Postfix, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

You also have to create the filter files named in the filter= lines above under /etc/fail2ban/filter.d:

dovecot-maillog.conf

[Definition]

# to test set up use this
# /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-maillog.conf

failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

ignoreregex = (?: Disconnected: Logged out).*

dovecot-secure.conf

[Definition]

# to test set up use this
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-secure.conf

failregex = (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

ignoreregex =

sasl.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = \[<HOST>\]: SASL login authentication failed
            \[<HOST>\]: SASL PLAIN authentication failed: authentication failure
            \[<HOST>\]: SASL LOGIN authentication failed: authentication failure

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = reject: RCPT from (.*)\[<HOST>\]: 554
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart the fail2ban service and you are good to go. Before you do, run the fail2ban-regex command quoted in the comment of each filter against its log file: it reports how many lines each failregex matched, which is the quickest way to catch a pattern that does not fit your log format. Two things to be aware of in the filters above: the first failregex in dovecot-secure matches every PAM "authentication failure" line in /var/log/secure, sshd included, so a failed SSH login also earns the mail-port ban; and the bare "Disconnected" alternative in dovecot-maillog charges any disconnect that is not a logout, inactivity timeouts included, to the client.
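The filters above are ordinary Python regular expressions, and the most useful check before enabling a jail is to see exactly which lines they flag and which host each line is charged to. The following is an added example, not code from the epilis.gr post: it expands fail2ban's <HOST> alias as the sasl.conf and postfix.conf comments describe it, runs the four filters over a handful of constructed CentOS-style syslog lines (not taken from a real server), and reports the per-host counts the way fail2ban-regex's summary does. The sample lines also exhibit the two caveats noted above: the idle-timeout disconnect is charged to the client, and the sshd PAM failure is picked up by dovecot-secure.

```python
import re

# fail2ban's <HOST> tag is an alias for this pattern (quoted in the filter comments
# above): an optional IPv4-mapped "::ffff:" prefix followed by a group named "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The four filters from this post, one list entry per failregex line.
FILTERS = {
    "dovecot-maillog": {
        "failregex": [
            r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*",
            r"pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)",
        ],
        "ignoreregex": [r"(?: Disconnected: Logged out).*"],
    },
    "dovecot-secure": {
        "failregex": [
            r"(?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)",
            r"pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)",
        ],
        "ignoreregex": [],
    },
    "sasl": {
        "failregex": [
            r"\[<HOST>\]: SASL login authentication failed",
            r"\[<HOST>\]: SASL PLAIN authentication failed: authentication failure",
            r"\[<HOST>\]: SASL LOGIN authentication failed: authentication failure",
        ],
        "ignoreregex": [],
    },
    "postfix": {
        "failregex": [
            r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
            r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
        ],
        "ignoreregex": [],
    },
}

# Constructed sample lines in CentOS 5 syslog format (not from a real server).
MAILLOG = [
    "Mar 23 10:00:01 mx dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=::ffff:203.0.113.5, lip=::ffff:192.0.2.10",
    "Mar 23 10:00:02 mx dovecot: imap-login: Disconnected: Logged out: user=<alice>, method=PLAIN, rip=::ffff:198.51.100.7, lip=::ffff:192.0.2.10",
    "Mar 23 10:00:03 mx dovecot: imap-login: Disconnected: Inactivity (no auth attempts): rip=::ffff:198.51.100.8, lip=::ffff:192.0.2.10",
    "Mar 23 10:00:04 mx postfix/smtpd[3345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Mar 23 10:00:05 mx postfix/smtpd[3345]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure",
    "Mar 23 10:00:06 mx postfix/smtpd[3346]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <nobody@ourdomain.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@ourdomain.com> proto=ESMTP helo=<example.net>",
]
SECURE = [
    "Mar 23 10:00:07 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.5  user=bob",
    "Mar 23 10:00:08 mx sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77  user=root",
]


def compile_filter(spec):
    """Expand <HOST> and compile a filter's failregex and ignoreregex lists."""
    fail = [re.compile(r.replace("<HOST>", HOST)) for r in spec["failregex"]]
    ignore = [re.compile(r.replace("<HOST>", HOST)) for r in spec["ignoreregex"]]
    return fail, ignore


def match_host(fail, ignore, line):
    """Return the host a line is charged to, or None (the per-line verdict fail2ban-regex prints)."""
    if any(r.search(line) for r in ignore):
        return None
    for r in fail:
        m = r.search(line)
        if m:
            return m.group("host")
    return None


def scan(name, lines):
    """Count flagged lines per host for one filter, like the fail2ban-regex summary."""
    fail, ignore = compile_filter(FILTERS[name])
    hits = {}
    for line in lines:
        host = match_host(fail, ignore, line)
        if host is not None:
            hits[host] = hits.get(host, 0) + 1
    return hits


if __name__ == "__main__":
    for name, lines in (("dovecot-maillog", MAILLOG), ("sasl", MAILLOG),
                        ("postfix", MAILLOG), ("dovecot-secure", SECURE)):
        print(name, scan(name, lines))
```

The logged-out session is dropped by ignoreregex before any failregex is consulted, the inactivity disconnect at 198.51.100.8 is still counted, and the sshd line is charged to 192.0.2.77 by dovecot-secure even though it has nothing to do with mail. On the real server, fail2ban-regex does the same job against the live log; this version is for checking one suspicious line at a time without touching the box.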

------------------

Blocking brute force attacks to Dovecot on CentOS

Posted in March 2012 by Richard Holloway under sysadmin

Email accounts are generally protected using weak passwords, and yet those same email accounts are used for receiving password reminders, personal details, email to family and friends and so on.

It is also getting more common for people to leave email online in "the cloud" rather than download all mail using an email client. This combination makes a tempting target for attackers. If they can access your email, they can gain a great deal of useful information.

Aside from protecting privacy, brute force attacks against your server fill up the log files and waste server resources and in some cases can cause service disruption.

There are many ways to stop this problem escalating; one of the simplest is to use Fail2Ban.

Installing Fail2Ban on CentOS

To install fail2ban using Yum you will need to add a repository as Fail2Ban is not included in CentOS by default. ATrpms and rpmforge are both suitable.

Then as root, run:

yum install fail2ban            

Fail2Ban is not yet running. You can check this using

service fail2ban status            

Configuring Fail2Ban

Firstly we will tidy up the defaults. Edit /etc/fail2ban/jail.conf and replace the email addresses given as "dest" and "sender" in the sendmail-whois actions with the addresses you want the notification emails to go to and come from, or else comment out the sendmail-whois line of each action if you do not wish to receive email notifications. (/etc/fail2ban/fail2ban.conf holds only the daemon's own settings such as loglevel and logtarget; the per-jail actions and their addresses live in jail.conf.)

Next enable or disable other services that come with Fail2Ban that you want enabled or disabled, such as sshd, proftpd, exim etc.

I save my logs to /var/log/fail2ban.log. If you want to do this set the value of logtarget in /etc/fail2ban/fail2ban.conf

logtarget = /var/log/fail2ban.log            

Configuring Fail2Ban for Dovecot

Now we need to create new configuration files for Dovecot as this service is not configured out of the box.

vim /etc/fail2ban/filter.d/dovecot-pop3imap.conf            

Add the following lines. The <HOST> tag is fail2ban's placeholder for the client address (it expands to an optional ::ffff: prefix plus a group named host). The message formats below are those of the Dovecot version the author ran; later releases log the address as rip=... rather than in square brackets, so test the file against your own /var/log/maillog with fail2ban-regex before enabling the jail.

[Definition]
failregex = dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
            dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars
            dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]
ignoreregex =

Now open the existing /etc/fail2ban/jail.conf and add to the bottom the following lines

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200

And change the values of dest and sender in the sendmail command.

And start Fail2Ban using:

service fail2ban start            

And make sure it is started at boot time

chkconfig --level 235 fail2ban on

You should get an email stating "The jail dovecot-pop3imap has been started successfully.".

Running

service fail2ban status            

should show you

Status
|- Number of jail:    1
`- Jail list:        dovecot-pop3imap

You can see the attacks getting blocked in /var/log/messages or /var/log/fail2ban.log depending on your value of logtarget in /etc/fail2ban/fail2ban.conf

------------------

Using Fail2ban with Dovecot

If you're using Dovecot v1.1 or older, you need to log via syslog. Otherwise each line of the log file starts with a "dovecot: " prefix, which fail2ban doesn't like. v1.2+ no longer has this prefix. You can switch to syslog by setting log_path to an empty value in dovecot.conf.

Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

Add the following to /etc/fail2ban/jail.conf:

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200

(Set the logpath to wherever your syslog has been configured to log Dovecot's login messages.)

Note: The iptables-multiport action does not generally work on OpenVZ-based VPSs, because the container kernel lacks the iptables multiport match module. The plain iptables action, as used for the sasl jail in the first section of this page, bans a single port with --dport and works there.
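Matching a line is only half of a jail; the other half is the bookkeeping behind maxretry, findtime, bantime and ignoreip. The following Python is an added example, not code from the Dovecot wiki or from fail2ban itself: it applies the failregex above to constructed Dovecot syslog lines (not from a real server) and replays them through a simplified model of a jail with the values this section and the CentOS post before it share (maxretry=20, findtime=1200, bantime=1200). The ignoreip values are borrowed from the first section's jails. The window logic is an approximation of fail2ban's own counting, written to show why a slow attacker stays under the threshold while a burst gets banned.

```python
import ipaddress
import re

# The failregex from the filter above, compiled as fail2ban would (Python re).
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)


class Jail:
    """Simplified model of a fail2ban jail: per-host failure window, bans, ignoreip."""

    def __init__(self, maxretry=20, findtime=1200, bantime=1200, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = {}  # host -> timestamps (seconds) of failures inside findtime
        self.bans = {}      # host -> time at which the ban expires
        self.log = []       # (time, "ban" | "unban", host)

    def ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def feed(self, ts, line):
        """Process one log line observed at time ts (seconds)."""
        for host, until in list(self.bans.items()):   # expire old bans first
            if ts >= until:
                del self.bans[host]
                self.log.append((ts, "unban", host))
        m = FAILREGEX.search(line)
        if m is None:
            return
        host = m.group("host")
        if self.ignored(host) or host in self.bans:
            return
        # keep only failures inside the findtime window, then add this one
        recent = [t for t in self.failures.get(host, []) if ts - t <= self.findtime]
        recent.append(ts)
        self.failures[host] = recent
        if len(recent) >= self.maxretry:
            self.bans[host] = ts + self.bantime
            self.failures[host] = []
            self.log.append((ts, "ban", host))


def fail_line(host, attempt):
    """Constructed Dovecot 1.2+ style syslog line for a failed IMAP login (not real data)."""
    return (f"Mar 23 10:00:00 mx dovecot: imap-login: Disconnected (auth failed, {attempt} attempts in 5 secs): "
            f"user=<bob>, method=PLAIN, rip={host}, lip=192.0.2.10, TLS")


def simulate():
    """Replay three hosts against the jail values from this page and return the jail."""
    jail = Jail(maxretry=20, findtime=1200, bantime=1200,
                ignoreip=["192.168.0.0/16", "127.0.0.1"])
    events = []
    # 203.0.113.5: 20 failures 30 s apart (570 s span, inside findtime) -> banned on the 20th
    events += [(1000 + 30 * i, fail_line("203.0.113.5", i + 1)) for i in range(20)]
    # 198.51.100.7: 20 failures 70 s apart (1330 s span) -> never 20 inside one 1200 s window
    events += [(1000 + 70 * i, fail_line("198.51.100.7", i + 1)) for i in range(20)]
    # 192.168.1.20: 25 failures from the LAN -> covered by ignoreip, never counted
    events += [(1000 + 10 * i, fail_line("192.168.1.20", i + 1)) for i in range(25)]
    # 203.0.113.5 again, 5 s after its 1200 s ban has expired -> unbanned, count restarts at 1
    events.append((1000 + 570 + 1200 + 5, fail_line("203.0.113.5", 99)))
    for ts, line in sorted(events):
        jail.feed(ts, line)
    return jail


if __name__ == "__main__":
    for entry in simulate().log:
        print(entry)
```

The slow host never holds more than 18 failures inside any 1200-second window, so with maxretry=20 it is never banned; that is the trade-off the wiki's values make, and lowering maxretry or raising findtime is what closes it. Note also that this failregex has no (?:::f{4,6}:)? prefix, so a Dovecot 1.x server logging IPv4-mapped addresses would hand the jail "::ffff:1.2.3.4" as the host.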

------------------

------------------