
Block SMTP Authentication Attacks With Fail2Ban

Blocking SMTP authentication brute force attacks using Fail2Ban. Fail2Ban can be used to block brute force attacks against your mail server: the attackers are blocked by their source IP using iptables. Although it doesn't block SMTP attacks by default, Fail2Ban can be configured to do so.

Fail2ban works by scanning log files to detect attacks, such as log entries indicating multiple failed login attempts. It scans through the log, identifies an offending IP address, then creates an on-the-fly firewall rule to block it. It is typically configured to use iptables to accomplish this; however, it is not restricted to any one firewall, or to using firewall rules at all.

obtain and install

First, you need to install Fail2Ban. For Redhat/Fedora use yum.

yum install fail2ban

CentOS: fail2ban is not available from the CentOS base repositories, so it has to be downloaded manually. You can get it from EPEL, the Fedora repository.

wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm

You might have some dependencies to install, like

yum install gamin-python
wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm
rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm

These are the two most commonly needed on CentOS. Get them and any others that may be needed, then try to install fail2ban again. Additional help is available for RPM Commands.

ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org

configure

Configuration for Fail2ban on a Redhat/Fedora/CentOS style distribution. This uses fail2ban with Dovecot 2.x (version 2 and above) for filtering and pattern matching.

First edit the dovecot.conf filter file.

vi ./fail2ban/filter.d/dovecot.conf

Next edit the postfix-sasl.conf filter file and the iptables-multiport-tcp.conf action file.

vi ./fail2ban/filter.d/postfix-sasl.conf
vi ./fail2ban/action.d/iptables-multiport-tcp.conf

Do not directly edit jail.conf. Comments in jail.conf clearly warn against modifying it. Put your customizations in a jail.local file or in jail.d/customisation.local.

cp ./fail2ban/jail.conf ./fail2ban/jail.local
vi ./fail2ban/jail.local

Important Configuration Parameters:

ignoreip = 127.0.0.1 192.168.254.0/24

Set the IP addresses of trusted hosts for fail2ban to ignore. Replace the 192.168.x non-routable address with the address of your machine or network. You can also add other trusted networks. Put your mom's IP address in there because sometimes she gets her password wrong more than 3 times in a row!

######################################################################

Fail2Ban is excellent software as it helps to deter those would brute force attacks on a server.

So first we need to enable the repo called epel, so as the root user:

wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install epel-release-6-8.noarch.rpm

Then in the text editor (I use nano) of your choice edit the repo to disable it (we only want to enable it to download any packages from it, this adds security):

nano /etc/yum.repos.d/epel.repo

and change

enabled=1

to

enabled=0

Now we are going to install fail2ban; we will also need the whois program so fail2ban can query the IP whois database:

yum --enablerepo=epel install fail2ban jwhois

Now we have our packages installed, we want to copy the config file and use the copy so we have a backup if we mess things up:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

OK we are ready to edit our config file so:

nano /etc/fail2ban/jail.local

I normally leave the defaults in place. So find the place where ‘[ssh-iptables]’ is located in the file.

This is already turned on but you will need to alter a few options. A quick review of the basic options is:

So with that in mind here are some rules for ssh, postfix, courier-imap and proftpd. Change ‘yourdomain.com’ to your actual server domain and ‘user@yourdomain.com’ to the email address you want the whois data sent to.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 3
bantime = 43200
findtime = 43200

[postfix-iptables]

enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[courierimap-iptables]

enabled = true
filter = courierlogin
action = iptables-multiport[name=IMAP, port="110,995,143,993"]
         sendmail-whois[name=IMAP, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=user@yourdomain.com]
logpath = /var/log/proftpd/auth.log
maxretry = 6

Now edit the following filters:

/etc/fail2ban/filter.d/courierlogin.conf

Change:

LOGIN FAILED, ip=\[<HOST>]$

To:

LOGIN FAILED, .*, ip=\[<HOST>\]$

/etc/fail2ban/filter.d/proftpd.conf. Replace the failregex with:

failregex = \[<HOST>]\s+530$

Because Plesk doesn’t log failed auth attempts in proftpd, we have to make it do so.

/etc/proftpd.conf add:

ExtendedLog /var/log/proftpd/auth.log AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"

create ‘proftpd’ directory in ‘/var/log’

mkdir /var/log/proftpd

Create a file in ‘/etc/logrotate.d’

touch /etc/logrotate.d/proftpd

and put this in it:

/var/log/proftpd/auth.log
{
    weekly
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
    # reload could be not sufficient for all logs, a restart is safer
    /usr/bin/kill -HUP `cat /var/run/proftpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

Now restart fail2ban and proftpd:

service fail2ban restart
/etc/init.d/xinetd restart

Now you should have a more secure server. Enjoy!

########################################################################################

How to configure fail2ban to block brute force IPs by scanning postfix logs

yum install fail2ban

The main configuration is stored in “/etc/fail2ban/jail.conf” and the filters used to scan logs are stored in the “/etc/fail2ban/filter.d” directory.

Open the jail.conf file and add or modify the lines below.

[postfix-tcpwrapper]
enabled  = true
filter   = postfix
action   = hostsdeny[file=/etc/hosts.deny]
           sendmail[name=Postfix, dest=you@yourdomain.com]
logpath  = /var/log/postfix.log
bantime  = -1

Below are the parameters and their meaning.

Enabled: enable the filter via boolean true or false.

Action: what action is to be taken on a regex match; here the IP will be blocked via tcpwrappers and a mail will be sent to me.

Logpath: path to the log file.

BanTime: the amount of time you want to ban the IP, in seconds (e.g. 300); a negative value means a permanent ban.

You also need to change the values below in the jail.conf file

ignoreip = 127.0.0.1/8
findtime  = 300
maxretry = 5

Ignoreip: space-separated list of IPs to ignore; ensure you add your own.

FindTime: the window of time within which the failed connections must occur for the IP to get blocked.

Maxretry: once 5 failed attempts are made (within findtime), the connection is blocked.
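To make the interplay of findtime, maxretry, bantime and ignoreip concrete (the same parameters appear in the jail.local examples earlier on this page), here is an added Python example, not fail2ban's own code and not part of the original page, that replays constructed failure events through the same rule: ban an address once it has maxretry failures inside a findtime window, skip addresses covered by ignoreip, treat a negative bantime as a permanent ban and otherwise let the ban expire after bantime seconds. The class and function names (BanTracker, replay, run_sample) and the event timestamps are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict, deque


class BanTracker:
    """Minimal model of a fail2ban jail's ban decision (example code, not fail2ban's)."""

    def __init__(self, maxretry, findtime, bantime, ignoreip=()):
        self.maxretry = maxretry        # failures needed inside the window
        self.findtime = findtime        # window length in seconds
        self.bantime = bantime          # ban length in seconds; negative = permanent
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> expiry timestamp, or None if permanent

    def is_ignored(self, ip):
        """True if ip falls inside any ignoreip entry (single hosts or CIDR networks)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        """True while a ban is in force; an expired ban is dropped (the unban step)."""
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None or now < expiry:
            return True
        del self.bans[ip]
        return False

    def record_failure(self, ip, ts):
        """Register one failed login at time ts; return True if it triggers a ban."""
        if self.is_ignored(ip) or self.is_banned(ip, ts):
            return False
        window = self.failures[ip]
        window.append(ts)
        # Drop failures older than findtime so only the recent burst counts.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) < self.maxretry:
            return False
        self.bans[ip] = None if self.bantime < 0 else ts + self.bantime
        window.clear()
        return True


def replay(tracker, events):
    """Feed (timestamp, ip) events in time order; return the ban actions taken."""
    actions = []
    for ts, ip in sorted(events, key=lambda e: e[0]):
        if tracker.record_failure(ip, ts):
            actions.append((ts, ip))
    return actions


# Constructed events (not from a real log): one host hammering every 30 s, one
# spreading attempts out so only four ever fall inside a 300 s window, and
# localhost failing repeatedly.
SAMPLE_EVENTS = (
    [(t, "198.51.100.23") for t in (0, 30, 60, 90, 120)]
    + [(t, "203.0.113.9") for t in (0, 100, 200, 300, 400)]
    + [(t, "127.0.0.1") for t in range(10, 16)]
)


def run_sample(bantime=-1):
    """Jail settings from the page: maxretry 5, findtime 300, ignoreip 127.0.0.1/8."""
    tracker = BanTracker(maxretry=5, findtime=300, bantime=bantime,
                         ignoreip=("127.0.0.1/8",))
    return tracker, replay(tracker, SAMPLE_EVENTS)


if __name__ == "__main__":
    tracker, actions = run_sample()
    for ts, ip in actions:
        print(f"t={ts}s ban {ip}")
```

With the page's settings only the host that fails five times within 120 s is banned; the slower host never has five failures inside one 300 s window, and localhost is never counted because it sits inside 127.0.0.1/8. Passing bantime=43200 (the value used in the ssh-iptables jail above) instead of -1 makes the ban lapse twelve hours after it was applied.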

Now add the below filter in /etc/fail2ban/filter.d/postfix.conf below any current filters

failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

This tells fail2ban to check this particular line and ban the host IP.
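The filter edits on this page (the courierlogin change, the proftpd failregex and the postfix.conf SASL line above) all hinge on fail2ban's <HOST> placeholder. The following Python is an added example, not fail2ban's code and not from the original page: it expands <HOST> the way the fail2ban 0.8 series does and runs each of the page's patterns against constructed log lines. The sample lines and the names HOST_RE, compile_failregex and match_host are this example's assumptions. It also makes the trade-off in the courierlogin change visible: the modified pattern matches lines that carry a user= field but no longer matches lines without one.

```python
import re

# fail2ban 0.8 expands <HOST> to this: an optional IPv4-mapped IPv6 prefix
# (::ffff:) followed by the address or hostname, captured as group "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(pattern, line):
    """Return the offending host if the line matches the failregex, else None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


# The patterns discussed on the page.
COURIER_OLD = r"LOGIN FAILED, ip=\[<HOST>]$"
COURIER_NEW = r"LOGIN FAILED, .*, ip=\[<HOST>\]$"
PROFTPD = r"\[<HOST>]\s+530$"
POSTFIX_SASL = r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:"

# Constructed sample log lines (not captured from a real server).
COURIER_WITH_USER = "Mar  3 10:15:01 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]"
COURIER_BARE = "Mar  3 10:15:09 mail imapd: LOGIN FAILED, ip=[::ffff:203.0.113.7]"
# Shape produced by the page's LogFormat: %v %t "%r" [%h] %s
PROFTPD_LINE = 'ftp.example.com [03/Mar/2014:10:17:02 +0000] "PASS (hidden)" [198.51.100.23] 530'
POSTFIX_LINE = ("Mar  3 10:16:44 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: "
                "SASL LOGIN authentication failed: authentication failure")
POSTFIX_OK = "Mar  3 10:16:50 mail postfix/smtpd[12345]: connect from unknown[198.51.100.23]"


def check_all():
    """Run every pattern against its sample lines; values are the captured host or None."""
    return {
        "courier_old_on_user_line": match_host(COURIER_OLD, COURIER_WITH_USER),
        "courier_new_on_user_line": match_host(COURIER_NEW, COURIER_WITH_USER),
        "courier_old_on_bare_line": match_host(COURIER_OLD, COURIER_BARE),
        "courier_new_on_bare_line": match_host(COURIER_NEW, COURIER_BARE),
        "proftpd_530": match_host(PROFTPD, PROFTPD_LINE),
        "postfix_sasl_failure": match_host(POSTFIX_SASL, POSTFIX_LINE),
        "postfix_connect_only": match_host(POSTFIX_SASL, POSTFIX_OK),
    }


if __name__ == "__main__":
    for name, host in check_all().items():
        print(f"{name}: {host}")
```

Note that the ::ffff: prefix courier writes for IPv4 clients is swallowed by the <HOST> expansion, so the jail bans the plain IPv4 address. Against a real log, fail2ban ships the same check as a command, e.g. fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf, which reports how many lines each failregex matched.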

That’s it. Enable fail2ban at boot and start it:

chkconfig fail2ban on
service fail2ban start
