----
Secure a CentOS 6 Mail server with Fail2ban
Fail2ban is a powerful tool that lets a sysadmin slow down brute-force attacks. Mail servers are constantly scanned for valid user and password combinations, and an attacker who finds one can use your server to send spam with those credentials.
This is where fail2ban comes in: it continuously reads log files, and when a log line matches a pattern indicating a failed attempt, it takes an action against the offending IP address.
Installing fail2ban on CentOS 6 is simple, but it requires the EPEL repository to be enabled. Running yum install fail2ban fetches the required packages.
To combine fail2ban with Dovecot version 2, a pattern match (filter) file must be created. The default location of the fail2ban configuration is /etc/fail2ban; the filters live in /etc/fail2ban/filter.d.
Here is the filter file (the regular expression is the sample from the Dovecot site, with some names shortened):
filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
If an offending host fails to authenticate too many times, an action should be taken. I like blocking TCP connections from the offending host to the server; the action file for that, action.d/iptables-multiport-tcp.conf, is based on the original action.d/iptables-multiport.conf with small adjustments and is shown after the postfix filter below.
Usually an attacker will try to find passwords through SASL authentication, so the SASL authentication mechanism should be protected too.
When a SASL authentication attempt fails, the SMTP daemon logs a warning. I use postfix, so I create a filter definition for it (this is a filter, so it goes into filter.d, not action.d):
filter.d/postfix-sasl.conf
# Fail2Ban configuration file
[Definition]
#Sample: Feb 5 14:26:24 localhost postfix/smtpd[23488]: warning: cust.static.213-180-183-101.cybernet.ch[213.180.183.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# The daemon name is postfix/smtpd (an escaped "\s" would mean whitespace and never match), and "SASL" appears once in the log line
failregex = .*postfix/smtpd.*warning: .*\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
ignoreregex =
action.d/iptables-multiport-tcp.conf
[Definition]
# Multi-line values: every continuation line must be indented.
# actionstart creates a per-jail chain and hooks it into INPUT for the jail's ports.
actionstart = /sbin/iptables -N fail2ban-<name>
              /bin/sleep 1
              /sbin/iptables -A fail2ban-<name> -j RETURN
              /bin/sleep 1
              /sbin/iptables -I INPUT -p tcp -m multiport --dports <port> -j fail2ban-<name>
# actionstop unhooks, flushes and deletes the chain again.
actionstop = /sbin/iptables -D INPUT -p tcp -m multiport --dports <port> -j fail2ban-<name>
             /bin/sleep 1
             /sbin/iptables -F fail2ban-<name>
             /bin/sleep 1
             /sbin/iptables -X fail2ban-<name>
# Banned hosts are dropped at the top of the jail's chain.
actionban = /sbin/iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = /sbin/iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Defaults, overridden by the parameters given in jail.conf
name = default
port = ssh
protocol = tcp
The filter and the action are put together in /etc/fail2ban/jail.conf, with one section for dovecot and one for postfix:
jail.conf
[dovecot]
enabled = true
filter = dovecot
# Several actions: one per line, continuation lines indented
action = iptables-multiport-tcp[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
         mail[name=dovecot, dest=root]
# The mail notification is optional; see /etc/fail2ban/action.d/ or the Fail2Ban docs for other actions
logpath = /var/log/maillog
maxretry = 3
findtime = 300
bantime = 1800
[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport-tcp[name=postfix, port="smtp,smtps", protocol=tcp]
         mail[name=postfix, dest=root]
logpath = /var/log/maillog
maxretry = 3
findtime = 300
bantime = 1800
# Redundant here: the protocol is already passed to the action above
protocol = tcp
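To see the two filters and the jail settings above working together without touching a live server, here is an added Python example; it is not part of the original page and not Fail2Ban's own code. It expands the <HOST> tag the way Fail2Ban's 0.8 branch does, runs both failregex patterns over a constructed maillog excerpt (hosts, addresses and timestamps are invented), and replays the maxretry/findtime/bantime decision in a simplified form (real Fail2Ban, for instance, strips the timestamp from the line before matching). It also shows that the postfix pattern only matches when written as postfix/smtpd with a single SASL: with postfix/\smtpd (\s is whitespace) or a doubled SASL it never fires.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban substitutes a named group for the <HOST> tag before compiling a
# failregex; this is the expansion used by its 0.8 branch.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two filters from this page, one regex each.
FILTERS = {
    "dovecot": (
        r"(?: pop3-login|imap-login): .*(?:Authentication failure"
        r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
        r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
        r".*rip=(?P<host>\S*),.*"
    ),
    "postfix-sasl": (
        r".*postfix/smtpd.*warning: .*\[<HOST>\]: SASL "
        r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    ),
}
# The same postfix pattern with "\s" and a doubled "SASL": it cannot match.
BROKEN_POSTFIX = (
    r".*postfix/\smtpd.*warning: .*\[<HOST>\]: SASL SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Jail settings from jail.conf.
MAXRETRY = 3
FINDTIME = timedelta(seconds=300)
BANTIME = timedelta(seconds=1800)

# Constructed /var/log/maillog excerpt (invented hosts and addresses).
SAMPLE_LOG = """\
Feb  5 14:26:24 mx postfix/smtpd[23488]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  5 14:26:31 mx postfix/smtpd[23488]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Feb  5 14:26:40 mx postfix/smtpd[23488]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  5 14:27:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Feb  5 14:30:15 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Feb  5 14:33:00 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Feb  5 14:45:30 mx postfix/smtpd[23501]: connect from mail.example.net[192.0.2.55]
Feb  5 14:46:01 mx postfix/smtpd[23501]: warning: mail.example.net[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""
LINES = SAMPLE_LOG.splitlines()


def compile_failregex(pattern):
    """Expand <HOST> as Fail2Ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def extract_host(pattern, line):
    """Return the offending host a failregex finds in a line, or None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def parse_syslog_time(line, year=2013):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (year is assumed)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def scan(lines):
    """Replay the jail logic: ban a host after MAXRETRY failures within FINDTIME.

    Returns a list of (jail, host, ban_start, ban_end) with times as HH:MM:SS.
    """
    compiled = {name: compile_failregex(p) for name, p in FILTERS.items()}
    recent = defaultdict(list)  # (jail, host) -> failure times still inside FINDTIME
    bans = []
    for line in lines:
        ts = parse_syslog_time(line)
        for jail, rx in compiled.items():
            m = rx.search(line)
            if not m:
                continue
            key = (jail, m.group("host"))
            # Keep only failures no older than FINDTIME, then add this one.
            window = [t for t in recent[key] if ts - t <= FINDTIME] + [ts]
            if len(window) >= MAXRETRY:
                bans.append((jail, key[1], ts.strftime("%H:%M:%S"),
                             (ts + BANTIME).strftime("%H:%M:%S")))
                window = []  # the failures that triggered the ban are consumed
            recent[key] = window
    return bans


if __name__ == "__main__":
    for ban in scan(LINES):
        print("%-13s ban %-15s from %s until %s" % ban)
```

Running it bans 198.51.100.23 in the postfix-sasl jail after its third failure at 14:26:40, for 1800 seconds. The dovecot host 203.0.113.7 also fails three times, but its first failure falls 358 seconds before the third, outside findtime = 300, so only two failures are counted and it is not banned; lowering findtime therefore makes a jail more forgiving, not stricter.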
After testing each filter against the real log with fail2ban-regex (for example: fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf), fail2ban must be started and enabled permanently at boot:
# service fail2ban start
# chkconfig fail2ban on
For comparison, a more complete version of the same filter, derived from the one shipped with later Fail2Ban releases: it also covers the submission and smtps services, anchors the regex with common.conf's __prefix_line, ignores failures caused by a lost connection to the authentication server, and adds a journald match:
filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]:(\d*?:)? SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
# Author: Wizardry and Steamworks
----------