Addition/Harden.iRedMail.with.Fail2ban

From iRedMail
(Difference between revisions)
Jump to: navigation, search
(cve better at end + add support)
 

Latest revision as of 21:11, 1 February 2014

Contents



Doesn't work on FreeBSD yet.


[edit] Summary

Fail2ban scans log files like /var/log/maillog or /var/log/auth.log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

We can use Fail2ban to ban IP addresses which who want to crack your mail accounts.

[edit] Install Fail2ban

  • On RHEL/CentOS, you can install fail2ban with iRedMail yum repository, it's enabled by default.
Terminal:
# yum install fail2ban
# chkconfig --level 345 fail2ban on
  • On Debian/Ubuntu, you can install fail2ban with official repository:
Terminal:
# apt-get install fail2ban
# update-rc.d fail2ban defaults
  • On openSUSE, you can install fail2ban with iRedMail repository, it's enabled by default.
Terminal:
# zypper install fail2ban
# insserv fail2ban
  • On FreeBSD, you can install fail2ban with ports tree:
Terminal:
# cd /usr/ports/security/py-fail2ban
# make install clean
# echo 'fail2ban_enable="YES"' >> /etc/rc.conf

On Linux:

  • major configure files of Fail2ban are:
    • /etc/fail2ban/fail2ban.conf
    • /etc/fail2ban/jail.conf
    • /etc/fail2ban/filter.d/*.conf
  • Script used to start/stop Fail2ban service: /etc/init.d/fail2ban
  • Fail2ban will read user custom config file "/etc/fail2ban/jail.local" by default, it's highly recommended to create this file and write all your settings in this file, so that you can easily upgrade Fail2ban without change config files.


On FreeBSD:

  • major configure files of Fail2ban are:
    • /usr/local/etc/fail2ban/fail2ban.conf
    • /usr/local/etc/fail2ban/jail.conf
    • /usr/local/etc/fail2ban/filter.d/*.conf
  • Script used to start/stop Fail2ban service: /usr/local/etc/rc.d/fail2ban
  • Fail2ban will read user custom config file "/usr/local/etc/fail2ban/jail.local" by default, it's highly recommended to create this file and write all your settings in this file, so that you can easily upgrade Fail2ban without change config files.

[edit] Configure Fail2ban

We will configure Fail2ban to protect 4 services: ssh, smtp, pop3/imap and webmail.

Fail2ban ships filter for sshd service, so we just need to create 3 new filter files. Filter file defines regular expressions to find which IP addresses we should ban.

  • /etc/fail2ban/filter.d/roundcube-auth.conf (Linux) or /usr/local/etc/fail2ban/filter.d/roundncube-auth.conf (FreeBSD):

If the package doesn't include one you can get the latest filter from https://raw.github.com/fail2ban/fail2ban/master/config/filter.d/roundcube-auth.conf

  • /etc/fail2ban/filter.d/dovecot.conf (Linux) or /usr/local/etc/fail2ban/filter.d/dovecot.conf (FreeBSD):

If the package doesn't include one you can get the latest filter from https://raw.github.com/fail2ban/fail2ban/master/config/filter.d/dovecot.conf

  • /etc/fail2ban/filter.d/postfix-sasl.conf (Linux) or /usr/local/etc/fail2ban/filter.d/postfix-sasl.conf (FreeBSD):

If the package doesn't include one you can get the latest filter from https://raw.github.com/fail2ban/fail2ban/master/config/filter.d/postfix-sasl.conf

We now have 3 new filter files, it's time to let Fail2ban use them. Since ssh filter is enabled by default, we don't need to touch any config files, so we just need to create "/etc/fail2ban/jail.local" (Linux) or "/usr/local/etc/fail2ban/jail.local" (FreeBSD) to enable these 3 new filters.

Note:

  • You may need to change "logpath" of roundcube and postfix filter on different Linux/BSD.
    • On RHEL/CentOS, it's "/var/log/maillog".
    • On Debian/Ubuntu, it's "/var/log/mail.log".
    • On openSUSE, it's "/var/log/mail".
    • On FreeBSD, it's "/var/log/maillog".
  • /etc/fail2ban/jail.local (Linux) or /usr/local/etc/fail2ban/jail.local (FreeBSD):
File: jail.local
[DEFAULT]
# attention: time is in seconds - the value of 3600 means ONE hour
# maybe you want to change it to 60 for testing
bantime     = 3600
ignoreip    = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[roundcube-iredmail]
enabled     = true
filter      = roundcube-auth
action      = iptables-multiport[name=roundcube, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/maillog
findtime    = 300
maxretry    = 5

[dovecot-iredmail]
enabled     = true
filter      = dovecot
action      = iptables-multiport[name=dovecot, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/dovecot.log
maxretry    = 5
findtime    = 300

[postfix-iredmail]
enabled     = true
filter      = postfix-sasl
action      = iptables-multiport[name=postfix, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]
# You may need to change "logpath" of roundcube and postfix filter on different Linux/BSD.
# On RHEL/CentOS, it's "/var/log/maillog".
# On Debian/Ubuntu, it's "/var/log/mail.log".
# On openSUSE, it's "/var/log/mail".
# On FreeBSD, it's "/var/log/maillog".
logpath     = /var/log/maillog
maxretry    = 5
findtime    = 300

Restart fail2ban service to make it work:

  • On Linux:
Terminal:
# /etc/init.d/fail2ban restart
  • On FreeBSD:
Terminal:
# /usr/local/etc/rc.d/fail2ban restart


[edit] Testing

You can use command "fail2ban-regex" to verify filter. For example:

Terminal:
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/roundcube.iredmail.conf
[…]
Success, the total number of match is 3
[…]
Terminal:
# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.iredmail.conf
[…]
Success, the total number of match is 3
[…]
Terminal:
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf
[…]
Success, the total number of match is 3
[…]

[edit] Troubleshooting

See: http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help

Note: if you used the Postfix filter previously here you are vulnerable to CVE-2013-7176 Grab a version from the URLs to overwrite your current filter and restart fail2ban.

Personal tools