-----------
Fail2ban for dovecot and postfix
https://www.epilis.gr/en/blog/2016/03/23/fail2ban-dovecot-and-postfix/
This example uses CentOS 5.x, which logs security events to /var/log/secure and mail-related events to /var/log/maillog.
The daemons involved are Dovecot for POP3/IMAP and Postfix for SMTP.
It is assumed that you already have fail2ban installed and running, and iptables as well.
First, add the following to /etc/fail2ban/jail.conf:
jail.conf
[sasl-iptables]
enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
bantime  = 36000
maxretry = 2

[dovecot-secure]
enabled  = true
filter   = dovecot-secure
action   = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Secure, dest=admin@ourdomain.com]
logpath  = /var/log/secure
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[dovecot-maillog]
enabled  = true
filter   = dovecot-maillog
action   = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Maillog, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Postfix, dest=admin@ourdomain.com]
logpath  = /var/log/maillog
maxretry = 2
findtime = 600
bantime  = 36000
ignoreip = 192.168.0.0/16 127.0.0.1
You also have to create the corresponding filter files under /etc/fail2ban/filter.d:
dovecot-maillog.conf
[Definition]
# to test this set-up, run:
# /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-maillog.conf
#
# Both patterns belong to the single failregex option. A second "failregex ="
# key would silently replace the first one, so the second pattern is given as
# an indented continuation line.
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex = (?: Disconnected: Logged out).*
dovecot-secure.conf
[Definition]
# to test this set-up, run:
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-secure.conf
#
# Both patterns belong to the single failregex option (a second "failregex ="
# key would replace the first), hence the indented continuation line.
failregex = (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =
sasl.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
# All three patterns form one failregex option; repeating the "failregex ="
# key would keep only the last pattern, so they are continuation lines.
failregex = \[<HOST>\]: SASL login authentication failed
            \[<HOST>\]: SASL PLAIN authentication failed: authentication failure
            \[<HOST>\]: SASL LOGIN authentication failed: authentication failure

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
postfix.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = reject: RCPT from (.*)\[<HOST>\]: 554
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Restart the fail2ban service so it picks up the new jails, and you are good to go.
-----------
Blocking brute force attacks to Dovecot on CentOS
Posted in March 2012 by Richard Holloway under sysadmin
Email accounts are generally protected using weak passwords, and yet those same email accounts are used for receiving password reminders, personal details, email to family and friends and so on.
It is also getting more common for people to leave email online in "the cloud" rather than download all mail using an email client. This combination makes a tempting target for attackers. If they can access your email, they can gain a great deal of useful information.
Aside from the privacy risk, brute force attacks against your server fill up the log files, waste server resources and in some cases can cause service disruption.
There are many ways to stop this problem escalating; one of the simplest is to use Fail2Ban.
Installing Fail2Ban on CentOS
To install fail2ban using Yum you will need to add a repository, as Fail2Ban is not included in CentOS by default. ATrpms and rpmforge are both suitable.
Then as root, run:
yum install fail2ban
Fail2Ban is not yet running. You can check this using:
service fail2ban status
Configuring Fail2Ban
First we will tidy up the defaults. Edit /etc/fail2ban/fail2ban.conf and replace the email addresses in "dest" and "sender" with the addresses you want the notification emails to go to and come from, or else comment out the sendmail line if you do not wish to receive email notifications.
Next, enable or disable the other jails that come with Fail2Ban, such as sshd, proftpd, exim, etc., as you require.
I save my logs to /var/log/fail2ban.log. If you want to do this, set the value of logtarget in /etc/fail2ban/fail2ban.conf:
logtarget = /var/log/fail2ban.log
Configuring Fail2Ban for Dovecot
Now we need to create new configuration files for Dovecot as this service is not configured out of the box.
vim /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Add the following lines:
[Definition]
# Every pattern must capture the client address through the <HOST> tag;
# fail2ban refuses a failregex that has no host group.
failregex = dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
            dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars
            dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]
ignoreregex =
Now open the existing /etc/fail2ban/jail.conf and add the following lines to the bottom:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200
Change the values of dest and sender in the sendmail-whois action to suit your setup.
Then start Fail2Ban using:
service fail2ban start
And make sure it starts at boot time:
chkconfig fail2ban --level=235 on
You should get an email stating "The jail dovecot-pop3imap has been started successfully.".
Running
service fail2ban status
should show you:
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap
You can see the attacks getting blocked in /var/log/messages or /var/log/fail2ban.log, depending on your value of logtarget in /etc/fail2ban/fail2ban.conf.
-----------
Using Fail2ban with Dovecot
If you're using Dovecot v1.1 or older, you need to log via syslog. Otherwise the log files contain a "dovecot: " prefix, which fail2ban doesn't like; v1.2+ no longer has this prefix. You can enable syslog logging by setting log_path to an empty value in dovecot.conf.
Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
Add the following to /etc/fail2ban/jail.conf:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200
(Set the logpath to wherever your syslog has been configured to log Dovecot's login messages.)
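The filter patterns and jail settings collected on this page (the sasl.conf and dovecot-maillog.conf patterns from the first write-up, and the maxretry/findtime window that every jail here relies on) can be checked offline before they go anywhere near a live mail server. The Python script below is an added example, not code from any of the three posts nor from the fail2ban project: it expands the <HOST> tag exactly as the filter-file comments above document it, applies a filter's failregex and ignoreregex to a handful of constructed syslog lines, and counts failures per client the way a jail does, banning once maxretry hits fall within findtime. It only approximates fail2ban's matcher (the real engine strips the date before matching and supports more options), so use it to understand the configuration, and fail2ban-regex for the authoritative answer.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Expansion of the <HOST> tag as documented in the sasl.conf / postfix.conf
# comments above.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex / ignoreregex lists copied from the filter files above.
FILTERS = {
    "sasl": (
        [r"\[<HOST>\]: SASL login authentication failed",
         r"\[<HOST>\]: SASL PLAIN authentication failed: authentication failure",
         r"\[<HOST>\]: SASL LOGIN authentication failed: authentication failure"],
        [],
    ),
    "dovecot-maillog": (
        [r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*",
         r"pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)"],
        [r"(?: Disconnected: Logged out).*"],
    ),
}

# Constructed sample /var/log/maillog lines (documentation addresses only).
LOG = """\
Mar 23 10:00:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 23 10:00:05 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 23 10:00:09 mail dovecot: imap-login: Disconnected: Logged out: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
Mar 23 10:01:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
Mar 23 10:30:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
Mar 23 10:30:30 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
""".splitlines()


def compile_filter(failregex, ignoreregex=()):
    """Expand <HOST> and compile a filter's patterns."""
    expand = lambda r: re.compile(r.replace("<HOST>", HOST_TAG))
    return [expand(r) for r in failregex], [expand(r) for r in ignoreregex]


def match_line(line, fails, ignores):
    """Host extracted from one log line, or None if no failregex matches or
    an ignoreregex matches (ignoreregex wins, as in fail2ban)."""
    if any(p.search(line) for p in ignores):
        return None
    for p in fails:
        m = p.search(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line):
    """Parse the 'Mon DD HH:MM:SS' syslog prefix. It carries no year, so
    strptime yields 1900; only differences between timestamps matter here."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def filter_report(name, lines=LOG):
    """Per-line result, comparable to what the fail2ban-regex tool reports."""
    fails, ignores = compile_filter(*FILTERS[name])
    return [match_line(line, fails, ignores) for line in lines]


def run_jail(name, lines=LOG, maxretry=2, findtime=600):
    """Sliding-window counting as a jail does: a host whose failures within
    findtime seconds reach maxretry is banned. Returns {host: time_of_ban}."""
    fails, ignores = compile_filter(*FILTERS[name])
    window = defaultdict(deque)  # host -> timestamps of its recent failures
    banned = {}
    for line in lines:
        host = match_line(line, fails, ignores)
        if host is None or host in banned:
            continue
        now = syslog_time(line)
        hits = window[host]
        hits.append(now)
        while now - hits[0] > timedelta(seconds=findtime):
            hits.popleft()  # failures older than findtime no longer count
        if len(hits) >= maxretry:
            banned[host] = now
    return banned


if __name__ == "__main__":
    for name in FILTERS:
        print(name, filter_report(name))
        for host, when in run_jail(name).items():
            print(f"  ban {host} at {when:%H:%M:%S}")
```

Run it directly to see the per-line report and the resulting bans. Two things worth noticing: the "Disconnected: Logged out" line would satisfy the dovecot-maillog failregex but is discarded by ignoreregex, which is why that option is not optional for this filter; and the two "Aborted login" lines 29 minutes apart do not trigger a ban with findtime = 600 but do with a wider window, which is the trade-off behind the differing maxretry/findtime values in the jails above.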
Note: The iptables-multiport action does not generally work on OpenVZ-based VPSs due to a missing kernel module.
-----------