1

Topic: Block IP class if too many auth failures?

Hi.

Is there any way in iRedOS to block a class of IPs if there are too many SMTP/POP3/IMAP authentication failures from that class? Today I had a lot of attempts from one IP, probably trying to hijack mail accounts... I saw the attacker trying all possible combinations of usernames, probably a dictionary attack...

Thanks.

2

Re: Block IP class if too many auth failures?

fail2ban can do that (and more: ssh ...)
For integration see http://www.fail2ban.org/wiki/index.php/Main_Page

3 (edited by maxie_ro 2009-10-19 20:24:27)

Re: Block IP class if too many auth failures?

Thank you, this fail2ban is exactly what I needed. It works flawlessly. I also put a rule for roundcube log, and created a patch for roundcube to show IP for authentication failures, so I can get that too.

ZhangHuangbin, you should consider adding this to iRedOS.

4

Re: Block IP class if too many auth failures?

It's on my TODO list, but I don't have time to integrate it now.

Will you share your doc, so that I can easily integrate it into iRedMail/iRedOS?

5

Re: Block IP class if too many auth failures?

Of course. This is how I did it:

1. Get the EPEL package (epel-release-5-3.noarch.rpm) and install it for quick access to EPEL repo.

2. Install gamin-python, with dependencies (gamin itself, etc.).

3. Install shorewall from EPEL (better support for iptables than the iptables command line itself).

4. Configure shorewall (enabled: yes, accept from outside only ssh/pop/smtp/imap, check the files).

5. Install fail2ban from EPEL.

6. Configure fail2ban to listen to 4 sources in 3 log files (one of which is Roundcube, but you need to patch it to work).

I will attach the config files in the zip.

What's in the zip:

/shorewall - should go in /etc/shorewall; mostly as in the docs, but I added zone "loop" for loopback, ACCEPT ALL;
Allow only what's needed for incoming (LDAP is commented out because I don't use it), everything else DROP.
For outgoing, accept all.

/fail2ban - should go in /etc/fail2ban, in the corresponding dirs.
For the postfix filter (from /var/log/maillog), I modified the syntax to only ban in case of 5xx codes, *NOT* 4xx, otherwise I would accidentally ban everyone because of greylisting and other temporary errors.
For SASL I modified the syntax, the original one didn't work with iRedOS.
The syntax for SSHD is the same, but I include it because I modified the jail.
The syntax for Roundcube is made by me, but caution: it won't work without this patch to roundcube 0.3-stable.

Have fun.

Post's attachments

fail2ban_shorewall_conf.zip 10.84 kb, 17 downloads since 2009-10-19 

6

Re: Block IP class if too many auth failures?

Oh, and something else:

I put the config for fail2ban to ban the IP after only 5 authentication failures, for 12 hours, no matter which is the source (ssh, sasl, postfix or roundcube). Some will find this too paranoid...
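The following is an added illustration of the detection logic described in posts 5 and 6, not the contents of the attached zip (which is not visible here) and not fail2ban's own code. It applies three fail2ban-style filter regexes (a postfix filter that counts only 5xx rejections so greylisting 4xx replies never count, a SASL filter, and an sshd filter) to constructed syslog lines in standard Postfix/OpenSSH format, counts matches per filter and source IP inside a findtime window, and "bans" at maxretry=5 for bantime=12h. The regexes are simplified stand-ins for real filter.d entries: fail2ban's `<HOST>` placeholder is replaced here by an IPv4 pattern, and the ban action is only recorded as the string `shorewall drop <ip>` (the command fail2ban's stock shorewall action runs) rather than executed. The sample log lines, IPs and hostnames are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> placeholder (IPv4 only; enough for the demo).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# One regex per jail. The postfix filter deliberately requires a 5xx code after
# the client address, so 450 greylisting replies never count as a failure.
FILTERS = {
    "postfix": re.compile(
        r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 5\d\d "
    ),
    "sasl": re.compile(
        r"postfix/smtpd\[\d+\]: warning: \S+\[" + HOST + r"\]: SASL [A-Z0-9-]+ authentication failed"
    ),
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+"
    ),
}


def parse_ts(line, year=2009):
    # syslog timestamps carry no year; assume one (the thread is from 2009).
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class Jail:
    """Counts matches per (filter, ip) inside findtime; bans at maxretry for bantime."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=12)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # (filter, ip) -> timestamps inside findtime
        self.bans = {}                      # ip -> ban expiry
        self.actions = []                   # ban commands that would have been run
        self.now = None                     # timestamp of the last line seen

    def feed(self, line):
        """Run every filter over one log line; return the matching filter name or None."""
        self.now = parse_ts(line)
        for name, rx in FILTERS.items():
            m = rx.search(line)
            if m:
                self._record(name, m.group("host"), self.now)
                return name
        return None

    def _record(self, name, ip, ts):
        window = self.failures[(name, ip)]
        window.append(ts)
        while ts - window[0] > self.findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(ip):
            self.bans[ip] = ts + self.bantime
            self.actions.append(f"shorewall drop {ip}")  # recorded, not executed
            window.clear()

    def is_banned(self, ip):
        return ip in self.bans and self.bans[ip] > self.now

    def banned(self):
        return sorted(ip for ip in self.bans if self.is_banned(ip))


def sample_log():
    """Constructed log lines: 5 SASL failures, 6 greylist 450s, 4 ssh failures, 1 relay 554."""
    lines = [f"Oct 19 20:10:0{i} mail postfix/smtpd[1234]: warning: unknown[192.0.2.10]: "
             "SASL LOGIN authentication failed: authentication failure" for i in range(5)]
    lines += [f"Oct 19 20:12:0{i} mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from "
              "mx.example.net[192.0.2.20]: 450 4.7.1 <bob@example.com>: Recipient address "
              "rejected: Greylisted; from=<alice@example.net> to=<bob@example.com> "
              "proto=ESMTP helo=<mx.example.net>" for i in range(6)]
    lines += [f"Oct 19 20:13:0{i} mail sshd[2222]: Failed password for invalid user admin "
              "from 198.51.100.7 port 40000 ssh2" for i in range(4)]
    lines.append("Oct 19 20:14:00 mail postfix/smtpd[1250]: NOQUEUE: reject: RCPT from "
                 "unknown[203.0.113.5]: 554 5.7.1 <x@example.org>: Relay access denied; "
                 "from=<a@b.example> to=<x@example.org> proto=ESMTP helo=<x>")
    return lines


def run_demo():
    jail = Jail()
    matched = [jail.feed(line) for line in sample_log()]
    return jail, matched


if __name__ == "__main__":
    jail, matched = run_demo()
    print("matched filters:", matched)
    print("banned:", jail.banned(), "actions:", jail.actions)
```

Only 192.0.2.10 ends up banned: the six greylisting lines from 192.0.2.20 match no filter, and four ssh failures or a single 554 stay under maxretry. Note that, like fail2ban, the counter is kept per jail, so five failures spread over different services from one IP do not add up to a ban.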

7

Re: Block IP class if too many auth failures?

Got it. I will try to make it work for me first, and then try to integrate it as an optional component in iRedMail and iRedOS. Just be patient.

And if you are familiar with Bash shell scripting, you can write the script directly, so that we can have it in iRedMail/iRedOS quickly.

8 (edited by maxie_ro 2009-10-19 21:57:55)

Re: Block IP class if too many auth failures?

Let's just say I don't consider bash/sh scripting to be one of my strongest points...

But out of curiosity, what do you need a script for? To automate the process for the script which is run after the main CentOS installation?

P.S.

Forgot to say, but to check that shorewall is really working you should delete everything from /etc/sysconfig/iptables. Shorewall will send its own rules, so I put the ones to allow SSH/POP/IMAP/SMTP/HTTP in its own config file and cleared the iptables. Take care not to lock yourself out of your own server, this can happen very fast with shorewall.

Oh, and I set up my SSHD to listen on another port than 22, you will see that in the configs (13xx).

9

Re: Block IP class if too many auth failures?

maxie_ro wrote:

But out of curiosity, what do you need a script for? To automate the process for the script which is run after the main CentOS installation?

iRedMail is a set of shell scripts, each script is used to install and configure a component automatically.