--------
Block SMTP Authentication Attacks With Fail2Ban
Blocking SMTP authentication brute force attacks using Fail2Ban - Fail2Ban can be used to block brute force attacks against your mail server. Attackers are blocked by their source IP using iptables. Although it doesn't block SMTP authentication attacks by default, Fail2Ban can be configured to do so.
Fail2ban works by scanning log files to detect attacks, such as log entries indicating multiple failed login attempts. It scans through the log, identifies an offending IP address, then creates an on-the-fly firewall rule to block it. It is typically configured to use iptables to accomplish this; however, it is not restricted to any one firewall, or to using firewall rules at all.
obtain and install
First, you need to install Fail2Ban. For Redhat/Fedora use yum.
yum install fail2ban
CentOS: fail2ban is not available from CentOS. It will have to be manually downloaded. You can get it from EPEL, the Fedora repository.
wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm
You might have some dependencies to install, like
yum install gamin-python
wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm
rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm
These are the two most commonly needed dependencies for CentOS users. Get them and any others that may be needed, then try to install fail2ban again. Additional help is available for RPM commands.
ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, so no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org
configure
Configuration for Fail2ban on a Redhat/Fedora/CentOS style distribution, using fail2ban with dovecot 2.x (versions 2 and above) for log filtering and pattern matching.
configuration files: ./fail2ban
regex filters: ./fail2ban/filter.d
action file (do/block): ./fail2ban/action.d
First edit the dovecot.conf filter file.
vi ./fail2ban/filter.d/dovecot.conf
Next edit the postfix-sasl.conf filter file and the iptables-multiport-tcp.conf action file.
vi ./fail2ban/filter.d/postfix-sasl.conf
vi ./fail2ban/action.d/iptables-multiport-tcp.conf
Do not directly edit jail.conf. Comments in jail.conf clearly warn against modifications in jail.conf. Put your customizations in a jail.local file or a jail.d/customisation.local
cp ./fail2ban/jail.conf ./fail2ban/jail.local
vi ./fail2ban/jail.local
Important Configuration Parameters:
ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
filter: Refers to the appropriate filter file in "./fail2ban/filter.d".
logpath: The log file that fail2ban checks for failed login attempts.
ignoreip = 127.0.0.1 192.168.254.0/24
Set the IP addresses of trusted hosts for fail2ban to ignore. Replace the 192.168.254.0/24 private range with the address of your machine or network. You can also add other trusted networks. Put your mom's IP address in there, because sometimes she gets her password wrong more than 3 times in a row!
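As an added example (not code from the original page or from the Fail2ban project), the script below shows what the jail.conf/jail.local advice above amounts to in practice: Fail2ban reads jail.conf first and then jail.local (and, in later releases, jail.d/*.conf and jail.d/*.local), so a key set in jail.local overrides the same key in jail.conf, and values in [DEFAULT] apply to every jail that does not set its own. The two config texts, the jail names and the lint checks are constructed for this example; the script reads them in the same layered way and then flags settings worth a second look before the service is restarted.

```python
"""Added example: layer a jail.conf and a jail.local the way Fail2ban does,
then sanity-check the effective settings of every enabled jail.
Both config texts below are constructed samples, not the page's files."""
import configparser

# Constructed stand-in for the distribution-supplied jail.conf (never edited directly).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled = false
filter  = sshd
action  = iptables[name=SSH, port=ssh, protocol=tcp]
          sendmail-whois[name=SSH, dest=user@yourdomain.com]
logpath = /var/log/secure

[postfix-iptables]
enabled = false
filter  = postfix
action  = iptables[name=Postfix, port=smtp, protocol=tcp]
logpath = /var/log/maillog
"""

# Constructed stand-in for the admin's jail.local: only the overrides live here.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1 192.168.254.0/24
bantime  = 43200

[ssh-iptables]
enabled = true

[postfix-iptables]
enabled  = true
maxretry = 6
"""

KEYS = ("filter", "action", "logpath", "maxretry", "findtime", "bantime", "ignoreip")


def load_jails(conf_text, local_text):
    """Parse jail.conf, then jail.local on top of it; the later file wins on duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp


def effective_jails(cp):
    """Return {jail: settings} for every enabled jail, with [DEFAULT] values merged in.
    The multi-line 'action' value is returned as a list, one action per line."""
    jails = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        settings = {k: cp.get(jail, k) for k in KEYS}
        settings["action"] = settings["action"].splitlines()
        jails[jail] = settings
    return jails


def lint_jails(jails):
    """Hypothetical checks for settings that make a jail ineffective or risky."""
    problems = []
    for name, s in jails.items():
        if "127.0.0.1" not in s["ignoreip"].split():
            problems.append(f"{name}: ignoreip does not include 127.0.0.1")
        if int(s["maxretry"]) < 1:
            problems.append(f"{name}: maxretry must be at least 1")
        if int(s["findtime"]) <= 0:
            problems.append(f"{name}: findtime must be positive")
        if int(s["bantime"]) < 0 and len(s["ignoreip"].split()) < 2:
            problems.append(f"{name}: permanent ban with no trusted network in ignoreip")
    return problems


if __name__ == "__main__":
    jails = effective_jails(load_jails(JAIL_CONF, JAIL_LOCAL))
    for name, settings in jails.items():
        print(name, settings)
    print(lint_jails(jails) or "no problems found")
```

Running it prints both jails with bantime 43200 and the widened ignoreip taken from jail.local, maxretry 6 for postfix-iptables and the inherited 3 for ssh-iptables; the same layering is what a real Fail2ban would apply, so this is a cheap way to see the merged result before restarting the service.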
######################################################################
Fail2Ban is excellent software as it helps to deter those would-be brute force attacks on a server.
So first we need to enable the repo called epel, so as the root user:
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install epel-release-6-8.noarch.rpm
Then in the text editor (I use nano) of your choice edit the repo to disable it (we only want to enable it to download any packages from it, this adds security):
nano /etc/yum.repos.d/epel.repo
and change
enabled=1
to
enabled=0
Now we are going to install fail2ban, we will also need the whois program so fail2ban can query the IP whois database:
yum --enablerepo=epel install fail2ban jwhois
Now we have our packages installed, we want to copy the config file and use the copy so we have a backup if we mess things up:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
OK we are ready to edit our config file so:
nano /etc/fail2ban/jail.local
I normally leave the defaults in place. So find the place where ‘[ssh-iptables]’ is located in the file.
This is already turned on but you will need to alter a few options. A quick review of the basic options:
enabled : Whether to turn the filter on or off.
filter : Which filter to use located in ‘/etc/fail2ban/filter.d’.
action : The action to take located in ‘/etc/fail2ban/action.d’.
logpath : Where the log to scan is located.
maxretry : the number of times a login attempt can be made before a ban.
bantime : How long the ban will last in seconds.
findtime : The ban is reset if no match is found within “findtime” seconds.
So with that in mind here are some rules for ssh, postfix, courier-imap and proftpd. Change ‘yourdomain.com’ to your actual server domain and ‘user@yourdomain.com’ to the email address you want the whois data sent to.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 3
bantime = 43200
findtime = 43200

[postfix-iptables]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
         sendmail-whois[name=Postfix, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[courierimap-iptables]
enabled = true
filter = courierlogin
action = iptables-multiport[name=IMAP, port="110,995,143,993"]
         sendmail-whois[name=IMAP, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=user@yourdomain.com]
logpath = /var/log/proftpd/auth.log
maxretry = 6
Now edit the following filters:
/etc/fail2ban/filter.d/courierlogin.conf
Change:
LOGIN FAILED, ip=\[<HOST>]$
To:
LOGIN FAILED, .*, ip=\[<HOST>\]$
/etc/fail2ban/filter.d/proftpd.conf. Replace the failregex with:
failregex = \[<HOST>]\s+530$
Because Plesk doesn’t log failed auth attempts in proftpd, we have to make it do so.
In /etc/proftpd.conf add:
LogFormat auth "%v %t \"%r\" [%h] %s"
ExtendedLog /var/log/proftpd/auth.log AUTH auth
Create the ‘proftpd’ directory in ‘/var/log’:
mkdir /var/log/proftpd
Create a file in ‘/etc/logrotate.d’:
touch /etc/logrotate.d/proftpd
and put this in it:
/var/log/proftpd/auth.log
{
    weekly
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
        # reload could be not sufficient for all logs, a restart is safer
        /usr/bin/kill -HUP `cat /var/run/proftpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
Now restart fail2ban and proftpd (under Plesk, proftpd is started by xinetd, so restarting xinetd restarts proftpd):
service fail2ban restart
/etc/init.d/xinetd restart
Now you should have a more secure server. Enjoy!
########################################################################################
How to configure fail2ban to block brute force IPs by scanning postfix logs
yum install fail2ban
The main configuration is stored in “/etc/fail2ban/jail.conf” and the filters used to scan logs are stored in the “/etc/fail2ban/filter.d” directory.
Open jail.conf file and add or modify the below lines.
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny[file=/etc/hosts.deny]
         sendmail[name=Postfix, dest=you@yourdomain.com]
logpath = /var/log/postfix.log
bantime = -1
Below are the parameters and their meaning.
Enabled : Enable or disable the jail via the boolean true or false
Action : What action is to be taken on a regex match; here the IP will be blocked via tcpwrappers (hosts.deny) and an email will be sent to me
Logpath : Path to the log file
BanTime : The amount of time you want to ban the IP; the value should be in seconds, e.g. 300. A negative value means a permanent ban.
You also need to change the below values in the jail.conf file
ignoreip = 127.0.0.1/8
findtime = 300
maxretry = 5
Ignoreip : Space-separated list of IPs to ignore; ensure you add your own
FindTime : The window of time (in seconds) within which the failed attempts must occur for the IP to get blocked
Maxretry : Once 5 failed attempts are made within that window, the IP is blocked
Now add the below filter in /etc/fail2ban/filter.d/postfix.conf below any current filters (the <HOST> tag is what fail2ban replaces with the IP-matching group):
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
This tells fail2ban to check this particular line and ban the host IP.
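The following is an added example, not code from the original page or from the Fail2ban project. It takes the three failregex patterns given on this page (the postfix SASL one just above, and the courier and proftpd ones from the earlier section), expands <HOST> the way the Fail2ban 0.8 series does, and runs them over constructed log lines; it then applies the maxretry, findtime and ignoreip semantics described in both option lists, so you can see which source would actually be banned and which would not (a trusted-network host, and a slow attacker whose failures fall outside findtime). Log lines, IP addresses and timestamps are all constructed for the example; the real fail2ban-regex tool does the matching half of this against your live log.

```python
"""Added example: apply the page's failregex patterns as a Fail2ban jail would,
then decide bans from maxretry / findtime / ignoreip.  All log lines, hosts and
timestamps below are constructed samples."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Fail2ban 0.8 expands <HOST> to this group (assumption: newer releases use a
# more elaborate one).  It also absorbs the "::ffff:" prefix Courier writes in
# front of IPv4 addresses.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex patterns as written on the page.
FAILREGEX = {
    "postfix": r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:",
    "courier": r"LOGIN FAILED, .*, ip=\[<HOST>\]$",
    "proftpd": r"\[<HOST>]\s+530$",
}


def compile_failregex(pattern):
    """Expand <HOST> and compile the pattern as Fail2ban would."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def matched_hosts(lines, pattern):
    """Hosts extracted from every line the pattern matches (what fail2ban-regex reports)."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]


def syslog_time(line, year=2024):
    """Parse the 'Mon DD HH:MM:SS' prefix of a syslog-style line (year is assumed)."""
    return datetime.strptime(f"{year} " + " ".join(line.split()[:3]), "%Y %b %d %H:%M:%S")


def is_ignored(host, ignoreip):
    """True if host falls inside the space-separated ignoreip list."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a hostname in the log is never matched against ignoreip here
    return any(ip in ip_network(net, strict=False) for net in ignoreip.split())


def ban_candidates(lines, pattern, maxretry, findtime, ignoreip):
    """Sources with at least maxretry matches inside some findtime-second window."""
    rx = compile_failregex(pattern)
    hits = {}
    for line in lines:
        m = rx.search(line)
        if m and not is_ignored(m.group("host"), ignoreip):
            hits.setdefault(m.group("host"), []).append(syslog_time(line))
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in hits.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)


def sasl_failure(ts, ip):
    """One constructed postfix/smtpd SASL failure line in maillog format."""
    return (f"{ts} mx postfix/smtpd[2101]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")


# Constructed maillog excerpt:
#   203.0.113.10   - 5 failures within 40 s            -> banned
#   192.168.254.20 - 5 failures but covered by ignoreip -> never banned
#   198.51.100.7   - 5 failures spread over four hours  -> outside findtime, not banned
SAMPLE_MAILLOG = (
    [sasl_failure(f"Mar 10 10:00:{s:02d}", "203.0.113.10") for s in (1, 9, 17, 26, 40)]
    + [sasl_failure(f"Mar 10 10:01:{s:02d}", "192.168.254.20") for s in (0, 5, 10, 15, 20)]
    + [sasl_failure(f"Mar 10 {h:02d}:00:00", "198.51.100.7") for h in (9, 10, 11, 12, 13)]
    + ["Mar 10 10:02:00 mx postfix/smtpd[2101]: connect from unknown[203.0.113.10]"]
)
SAMPLE_COURIER = ["Mar 10 10:05:00 mx imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.10]"]
# ProFTPD lines in the page's LogFormat "%v %t \"%r\" [%h] %s"; 530 is the failed-login reply.
SAMPLE_PROFTPD = [
    'mx.example.com [10/Mar/2024:10:06:00 +0000] "PASS (hidden)" [203.0.113.10] 530',
    'mx.example.com [10/Mar/2024:10:06:30 +0000] "PASS (hidden)" [198.51.100.7] 230',
]

if __name__ == "__main__":
    print("postfix bans:", ban_candidates(SAMPLE_MAILLOG, FAILREGEX["postfix"],
                                         maxretry=5, findtime=300,
                                         ignoreip="127.0.0.1/8 192.168.254.0/24"))
    print("courier hosts:", matched_hosts(SAMPLE_COURIER, FAILREGEX["courier"]))
    print("proftpd hosts:", matched_hosts(SAMPLE_PROFTPD, FAILREGEX["proftpd"]))
```

With maxretry=5 and findtime=300 only 203.0.113.10 is reported; widening findtime to several hours also catches the slow attacker, which is the trade-off the findtime option encodes. Against a live log, the matching half of this is what fail2ban-regex does, so that is the tool to use when a pattern is edited.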
That’s it. Enable fail2ban at boot and start the service:
chkconfig fail2ban on
service fail2ban start
---------