From iRedMail

Current revision as of 01:57, 5 September 2012

Doesn't work on FreeBSD yet.

Summary

Fail2ban scans log files like /var/log/maillog or /var/log/auth.log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

We can use Fail2ban to ban IP addresses which who want to crack your mail accounts.

Install Fail2ban

• On RHEL/CentOS, you can install fail2ban with iRedMail yum repository, it's enabled by default.

# yum install fail2ban
# chkconfig --level 345 fail2ban on

• On Debian/Ubuntu, you can install fail2ban with official repository:

# apt-get install fail2ban
# update-rc.d fail2ban defaults

• On openSUSE, you can install fail2ban with iRedMail repository, it's enabled by default.

# zypper install fail2ban
# insserv fail2ban

• On FreeBSD, you can install fail2ban with ports tree:

# cd /usr/ports/security/py-fail2ban
# make install clean
# echo 'fail2ban_enable="YES"' >> /etc/rc.conf

On Linux:

• major configure files of Fail2ban are:
  • /etc/fail2ban/fail2ban.conf
  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/filter.d/*.conf
• Script used to start/stop Fail2ban service: /etc/init.d/fail2ban
• Fail2ban will read user custom config file "/etc/fail2ban/jail.local" by default, it's highly recommended to create this file and write all your settings in this file, so that you can easily upgrade Fail2ban without change config files.

On FreeBSD:

• major configure files of Fail2ban are:
  • /usr/local/etc/fail2ban/fail2ban.conf
  • /usr/local/etc/fail2ban/jail.conf
  • /usr/local/etc/fail2ban/filter.d/*.conf
• Script used to start/stop Fail2ban service: /usr/local/etc/rc.d/fail2ban
• Fail2ban will read user custom config file "/usr/local/etc/fail2ban/jail.local" by default, it's highly recommended to create this file and write all your settings in this file, so that you can easily upgrade Fail2ban without change config files.

Configure Fail2ban

We will configure Fail2ban to protect 4 services: ssh, smtp, pop3/imap and webmail.

Fail2ban ships filter for sshd service, so we just need to create 3 new filter files. Filter file defines regular expressions to find which IP addresses we should ban.

• /etc/fail2ban/filter.d/roundcube.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/roundncube.iredmail.conf (FreeBSD):

[Definition]
failregex = roundcube: (.*) Error: Login failed for (.*) from <HOST>\.
ignoreregex =

• /etc/fail2ban/filter.d/dovecot.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/dovecot.iredmail.conf (FreeBSD):

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

• /etc/fail2ban/filter.d/postfix.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/postfix.iredmail.conf (FreeBSD):

[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
ignoreregex =

We now have 3 new filter files, it's time to let Fail2ban use them. Since ssh filter is enabled by default, we don't need to touch any config files, so we just need to create "/etc/fail2ban/jail.local" (Linux) or "/usr/local/etc/fail2ban/jail.local" (FreeBSD) to enable these 3 new filters.

Note:

• You may need to change "logpath" of roundcube and postfix filter on different Linux/BSD.
  • On RHEL/CentOS, it's "/var/log/maillog".
  • On Debian/Ubuntu, it's "/var/log/mail.log".
  • On openSUSE, it's "/var/log/mail".
  • On FreeBSD, it's "/var/log/maillog".

• /etc/fail2ban/jail.local (Linux) or /usr/local/etc/fail2ban/jail.local (FreeBSD):

[roundcube-iredmail]
enabled     = true
filter      = roundcube.iredmail
action      = iptables-multiport[name=roundcube, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/maillog
findtime    = 3600
maxretry    = 5
# attention: time is in seconds - the value of 3600 means ONE hour
# maybe you want to change it to 60 for testing
bantime     = 3600
ignoreip    = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/dovecot.log
maxretry    = 5
findtime    = 300
# attention: time is in seconds - the value of 3600 means ONE hour
# maybe you want to change it to 60 for testing
bantime     = 3600
ignoreip    = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[postfix-iredmail]
enabled     = true
filter      = postfix.iredmail
action      = iptables-multiport[name=postfix, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]

# You may need to change "logpath" of roundcube and postfix filter on different Linux/BSD.
# On RHEL/CentOS, it's "/var/log/maillog".
# On Debian/Ubuntu, it's "/var/log/mail.log".
# On openSUSE, it's "/var/log/mail".
# On FreeBSD, it's "/var/log/maillog".
logpath     = /var/log/maillog
# attention: time is in seconds - the value of 3600 means ONE hour
# maybe you want to change it to 60 for testing
bantime     = 3600
maxretry    = 5
ignoreip    = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

Restart fail2ban service to make it work:

• On Linux:

# /etc/init.d/fail2ban restart

• On FreeBSD:

# /usr/local/etc/rc.d/fail2ban restart

Testing

You can use command "fail2ban-regex" to verify filter. For example:

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/roundcube.iredmail.conf
[…]
Success, the total number of match is 3
[…]

# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.iredmail.conf
[…]
Success, the total number of match is 3
[…]

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf
[…]
Success, the total number of match is 3
[…]

Troubleshooting