Fail2Ban

From QmailToaster

Basic fail2ban installation and setup


Installation

Install the EPEL repository (fail2ban is packaged in EPEL, not in the base CentOS repositories; see [2]):

  • For CentOS 5 i386:
     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
  • For CentOS 4:
     # rpm -Uvh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-10.noarch.rpm

Install fail2ban:

     # yum install fail2ban

Setup

To make fail2ban work with qmail/vpopmail you define, for each kind of abuse you want to stop, a filter (the regex that recognises a failure line in the log and extracts the client address as <HOST>) and a jail (which ties that filter to a log file, the retry thresholds and the ban action).

Configure Filter

Create a filter file in /etc/fail2ban/filter.d/ (or edit an existing one). The filename without the .conf extension is the filter name that the jail refers to with "filter = ...".

  • password-fail filter:
     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     #Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =
  • username-notfound filter:
     # vi /etc/fail2ban/filter.d/username-notfound.conf 
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile. 
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>
     
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex = 
  • dos-hosts filter (qmail-smtpd log; hosts that keep hammering after being rejected):
     # vi /etc/fail2ban/filter.d/dos-hosts.conf 
     [Definition]
     # A multi-line failregex: every continuation line must be indented.
     # 1: rblsmtpd 451 rejects; 2 and 3: CHKUSER relay / unknown-recipient rejects;
     # 4: any rblsmtpd line at all (this catch-all already covers pattern 1).
     failregex = rblsmtpd: <HOST> .*: 451 Blocked
                 CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
                 CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
                 .* rblsmtpd: <HOST>
  • vpopmail filter:
     # vi /etc/fail2ban/filter.d/vpopmail.conf:
     # Fail2Ban configuration file
     # Author: Christoph Haas
     # Modified by: Ole Johansen - CDS
     # $Revision: 510 $
     
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile. 
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     
     # Note: the ".*@:" anchor only matches lines where nothing follows the "@"
     # (a POP3 login with a bare user name). A login with a domain part is logged
     # as user@domain:IP and is not matched here; the username-notfound filter
     # above uses ".*:<HOST>" and catches both forms.
     failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
     
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     
     ignoreregex =
  • squirrelmail filter:
     # vi /etc/fail2ban/filter.d/squirrelmail.conf
     # squirrelmail's Fail2Ban configuration file
     # you must install the squirrel_logger plugin into Squirrelmail
     # to use this filter/jail
     
     [Definition]
     # the failregex value must match the line written in squirrelmail.log;
     # the example below is in Italian ("Utente sconosciuto o password errata" =
     # "Unknown user or wrong password"), so adjust it to your SquirrelMail locale
     failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
     ignoreregex =

Configure Jail

Create a jail for each filter by adding these sections to /etc/fail2ban/jail.conf. Because package upgrades overwrite jail.conf, it is safer to put them in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which overrides it.

     # vi /etc/fail2ban/jail.conf  
     # password-fail
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
     # username-notfound
     [username-notfound]
     enabled = true
     filter = username-notfound
     action = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
     # dos-hosts - Hosts insisting on delivering spam
     [dos-hosts]
     enabled = true
     filter = dos-hosts
     action = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath = /var/log/qmail/smtp/current
     maxretry = 5
     bantime  = 86400
     findtime = 3600
     # vpopmail
     [vpopmail]
     enabled = true
     port = pop3
     filter = vpopmail
     # each action name must match a file in /etc/fail2ban/action.d/ (sendmail-whois.conf)
     action = iptables[name=pop3, port=pop3, protocol=tcp]
              sendmail-whois[name=pop3,dest=y...@email.domain, sender=em...@adr]
     logpath = /var/log/maillog
     maxretry = 3
     # a negative bantime bans permanently (until fail2ban itself restarts; see the Note below)
     bantime = -1
     # squirrelmail
     [squirrelmail-iptables]
     enabled  = true
     filter   = squirrelmail
     # webmail served over HTTPS is not covered by port=http; use the
     # iptables-multiport action with port="http,https" in that case
     action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
                sendmail-whois[name=SquirrelMail,dest=root, sender=fail2ban@example.it]
     # adjust logpath with Squirrelmail's squirrel_logger plugin log
     logpath  = /var/log/squirrelmail.log
     maxretry = 5
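
An added example (not part of this page, nor code from fail2ban or QmailToaster) that shows in Python 3 what the filter and jail sections above do: it compiles the page's failregexes for password-fail, username-notfound and the vpopmail POP3 filter with <HOST> expanded the way fail2ban does, runs them over a constructed maillog excerpt, and then applies the [password-fail] jail's maxretry = 3 within findtime = 3600 rule to decide which addresses would be banned. The log lines, process IDs, addresses (RFC 5737 test ranges) and the year assumed for the syslog timestamps are all constructed, and the counting rule is a simplified model of the real jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban's <HOST> tag expands to this, as quoted in the filter comments above.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The page's failregexes with <HOST> expanded, which is what fail2ban compiles.
PASSWORD_FAIL = re.compile(r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:" + HOST)
USERNAME_NOTFOUND = re.compile(r"vchkpw-smtp: vpopmail user not found .*:" + HOST)
VPOPMAIL_POP3 = re.compile(r"vchkpw-pop3: vpopmail user not found .*@:" + HOST)

# Constructed /var/log/maillog excerpt (syslog format, so no year in the timestamp).
SAMPLE_LOG = """\
Jun 22 10:00:01 mail vpopmail[2101]: vchkpw-smtp: password fail (pass: 'guess1') bob@example.com:192.0.2.10
Jun 22 10:00:05 mail vpopmail[2102]: vchkpw-smtp: password fail (pass: 'guess2') bob@example.com:192.0.2.10
Jun 22 10:00:09 mail vpopmail[2103]: vchkpw-smtp: password fail (pass: 'guess3') bob@example.com:192.0.2.10
Jun 22 10:30:00 mail vpopmail[2104]: vchkpw-smtp: password fail (pass: 'oops') alice@example.com:198.51.100.7
Jun 22 10:31:00 mail vpopmail[2105]: vchkpw-smtp: vpopmail user not found nobody@example.com:203.0.113.9
Jun 22 10:32:00 mail vpopmail[2106]: vchkpw-pop3: vpopmail user not found nobody@:203.0.113.9
Jun 22 10:33:00 mail vpopmail[2107]: vchkpw-pop3: vpopmail user not found nobody@example.com:203.0.113.9
Jun 22 12:00:00 mail vpopmail[2108]: vchkpw-smtp: password fail (pass: 'again') alice@example.com:198.51.100.7
"""

SAMPLE_YEAR = 2009  # assumed: syslog timestamps carry no year


def syslog_time(line):
    """Parse the leading 'Mon DD HH:MM:SS' of a syslog line into a datetime."""
    return datetime.strptime("%d %s" % (SAMPLE_YEAR, line[:15]), "%Y %b %d %H:%M:%S")


def find_hosts(regex, log_text):
    """What fail2ban-regex reports: for every line the failregex matches,
    the timestamp and the <HOST> group, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            hits.append((syslog_time(line), m.group("host")))
    return hits


def bans(hits, maxretry=3, findtime=3600):
    """Simplified model of the jail's counting rule (the real jail also ages
    entries by wall-clock time): a host is banned at the failure that brings it
    to `maxretry` failures within the last `findtime` seconds.
    Returns {host: timestamp of the banning failure}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, host in hits:
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, rx in (("password-fail", PASSWORD_FAIL),
                     ("username-notfound", USERNAME_NOTFOUND),
                     ("vpopmail (pop3)", VPOPMAIL_POP3)):
        hits = find_hosts(rx, SAMPLE_LOG)
        print("%-18s %d match(es): %s" % (name, len(hits), sorted({h for _, h in hits})))
    # The [password-fail] jail above: maxretry = 3 inside findtime = 3600.
    for host, ts in bans(find_hosts(PASSWORD_FAIL, SAMPLE_LOG)).items():
        print("ban %s at %s" % (host, ts))
```

Running it shows 192.0.2.10 banned after its third failure at 10:00:09, while 198.51.100.7 (two failures ninety minutes apart) stays under the threshold, and that the vpopmail POP3 filter's ".*@:" matches the bare "nobody@:" line but not the "nobody@example.com:" one.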

Test Filter

Test each filter against the live log before enabling its jail. The output lists every failregex and how many lines it matched; 0 matches on a log you know contains attacks means the regex does not fit your log format:

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
       [1] 123 match(es)

Reload Config

Restart fail2ban so it picks up the new filters and jails ("fail2ban-client reload" or "service fail2ban restart" do the same job). Any of these discards the bans currently in iptables; see the Note below.

     # fail2ban-client stop
     # fail2ban-client start

Check Jail Status

     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
        |- Currently banned: 109
        |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109


Note

Once fail2ban is running and the log contains matching lines, it adds iptables rules (in a chain named fail2ban-<name>, e.g. fail2ban-SMTP, taken from the action's name parameter) that DROP traffic from the offending IPs. Those rules exist only in the running kernel ruleset: a fail2ban reload or restart, an iptables restart, a reboot or the weekly logrotate leaves them gone. Two ways to keep them:

  • Before making changes, write the current rules (fail2ban's chains and bans included) to /etc/sysconfig/iptables:
     # service iptables save
  • and after any change load the saved set back:
     # service iptables restart
    Bans saved this way become static rules that fail2ban no longer tracks, so they never expire when bantime runs out; this is why unblocking an address (below) also means editing /etc/sysconfig/iptables.
  • Alternatively, tune fail2ban to append each banned IP to /etc/fail2ban/ip.deny and re-add the file's contents when the jail starts (see [3]).

Basic admin stuff

  • Check banned IPs:
    • from fail2ban (one jail at a time, by jail name):
        # fail2ban-client status password-fail
    • from the current iptables rules (all chains, or just the jail's fail2ban-<name> chain):
        # iptables -L -nv
        # iptables -L fail2ban-SMTP -n
    • IPs that fail2ban is saving for the next reload (only if the ip.deny approach from the Note is in place):
        # cat /etc/fail2ban/ip.deny
  • How to unblock an IP (the chain name comes from the action's name= parameter: fail2ban-SMTP, fail2ban-pop3, fail2ban-SquirrelMail):
    • Delete it from the current iptables rules; repeat until iptables reports no such rule, since a restored ruleset plus a live fail2ban ban can list the address twice:
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
    • Remove it from /etc/fail2ban/ip.deny (it may be listed several times).
    • Remove it from /etc/sysconfig/iptables (it may be listed several times), otherwise the next iptables restart blocks it again.
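
An added Python 3 example (not from this page, fail2ban or reference [3]) for the ip.deny approach and the unblock steps above: it reads a constructed ip.deny, drops duplicates and anything that is not an IPv4 address before generating the iptables commands that replay the bans into the fail2ban-SMTP chain, and removes an address from ip.deny or /etc/sysconfig/iptables content by matching the whole address, so that removing 192.0.2.10 does not also delete 192.0.2.100. The file contents and addresses are constructed; the chain name is the one the page's [password-fail] jail creates; the functions return commands and cleaned text rather than running iptables or writing files.

```python
import ipaddress
import re

CHAIN = "fail2ban-SMTP"  # fail2ban-<name>, from the jail's iptables[name=SMTP, ...] action

# Constructed /etc/fail2ban/ip.deny as an "append <ip> on ban" action leaves it:
# repeat bans produce duplicates, and nothing validates what lands in the file.
SAMPLE_IP_DENY = """\
192.0.2.10
198.51.100.7
192.0.2.10
not-an-ip
203.0.113.9
"""

# Constructed excerpt of /etc/sysconfig/iptables after "service iptables save" ran
# while fail2ban bans were live; one address was saved twice.
SAMPLE_SYSCONFIG = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban-SMTP - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A fail2ban-SMTP -s 192.0.2.10 -j DROP
-A fail2ban-SMTP -s 192.0.2.100 -j DROP
-A fail2ban-SMTP -s 192.0.2.10 -j DROP
-A fail2ban-SMTP -j RETURN
COMMIT
"""


def load_ip_deny(text):
    """Unique, syntactically valid IPv4 addresses from ip.deny, in first-seen order.
    Anything else is dropped so it never reaches an iptables command run as root."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        try:
            ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            continue
        if line not in addrs:
            addrs.append(line)
    return addrs


def replay_commands(text, chain=CHAIN):
    """iptables commands that put the saved bans back into the fail2ban chain after
    a restart, reload or logrotate has emptied it (the 'replay on start' half of
    the ip.deny approach)."""
    return ["iptables -I %s 1 -s %s -j DROP" % (chain, ip) for ip in load_ip_deny(text)]


def unban_command(ip, chain=CHAIN):
    """Unblock step one for a single address."""
    ipaddress.IPv4Address(ip)  # raises ValueError on garbage before it reaches a root shell
    return "iptables -D %s -s %s -j DROP" % (chain, ip)


def drop_ip(text, ip):
    """Unblock steps two and three: remove every line that mentions `ip` from
    ip.deny or /etc/sysconfig/iptables content. The address is matched whole,
    so removing 192.0.2.10 leaves 192.0.2.100 alone."""
    ipaddress.IPv4Address(ip)
    whole = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return "".join(line for line in text.splitlines(True) if not whole.search(line))


if __name__ == "__main__":
    for cmd in replay_commands(SAMPLE_IP_DENY):
        print(cmd)
    print(unban_command("192.0.2.10"))
    print(drop_ip(SAMPLE_SYSCONFIG, "192.0.2.10"), end="")
```

Whole-address matching is the point of drop_ip: a plain substring or grep for the IP would also remove the 192.0.2.100 rule from /etc/sysconfig/iptables, silently unbanning a different host.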

References

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html

[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html

[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

[4] fail2ban homepage: http://www.fail2ban.org