Tuesday, 28 May 2013

Fail2ban for Qmail Server

Fail2ban for Qmail Server

Installation:

#rpm –Uvh fail2ban-0.8.7.1-1.el6.rf.noarch.rpm

Setup:
To work with Qmail/vpopmail, a filter and jail should be defined.

Configure Filter:
Create a filter on folder /etc/fail2ban/filter.d/ or edit existing filename. The filename is the filter name
  • password-fail filter:
     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     #Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =
  • username-notfound filter:
     # vi /etc/fail2ban/filter.d/username-notfound.conf
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>
    
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex =
  • dos-hosts filter:
     # vi /etc/fail2ban/filter.d/dos-hosts.conf
     [Definition]
     failregex = rblsmtpd: <HOST> .*: 451 Blocked
          CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
          CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
      .* rblsmtpd: <HOST>
  • vpopmail filter:
     # vi /etc/fail2ban/filter.d/vpopmail.conf:
     # Fail2Ban configuration file
     # Author: Christoph Haas
     # Modified by: Ole Johansen - CDS
     # $Revision: 510 $
    
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
    
     failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>
    
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
    
     ignoreregex =
  • squirrelmail filter:
     # vi /etc/fail2ban/filter.d/squirrelmail.conf
     # squirrelmail's Fail2Ban configuration file
     # you must install the squirrel_logger plugin into Squirrelmail
     # to use this filter/jail
    
     [Definition]
     # the failregex value must match the line written in squirrelmail.log
     # the example below is using Italian
     failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
     ignoreregex =

Configure Jail:
Create a jail (add/edit these lines) on /etc/fail2ban/jail.conf file

     # vi /etc/fail2ban/jail.conf 
    
     # password-fail
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
    
     # username-notfound
     [username-notfound]
     enabled = true
     filter = username-notfound
     action = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
    
     # dos-hosts - Hosts insisting on delivering spam
     [dos-hosts]
     enabled = true
     filter = dos-hosts
     action = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath = /var/log/qmail/smtp/current
     maxretry = 5
     bantime  = 86400
     findtime = 3600
      
     # vpopmail
     [vpopmail]
     enabled = true
     port = pop3
     filter = vpopmail
     action = iptables[name=pop3, port=pop3, protocol=tcp]
            sendmailwhois[name=pop3,dest=y...@email.domain, sender=em...@adr]
     logpath = /var/log/maillog
     maxretry = 3
     bantime = -1
    
     # squirrelmail
     [squirrelmail-iptables]
     enabled  = true
     filter   = squirrelmail
     action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
      sendmail-whois[name=SquirrelMail,dest=root, sender=fail2ban@example.it]
     # adjust logpath with Squirrelmail's squirrel_logger plugin log
     logpath  = /var/log/squirrelmail.log
     maxretry = 5

Test Filter
Test the filter file (Returns something like this, with n matches for the regex or 0 if no matches):

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf
    
Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
       [1] 123 match(es)

Reload Config
     # fail2ban-client stop
     # fail2ban-client start

Check Jail Status
     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
       |- Currently banned: 109
       | `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109
Note
Once its starts running and the logs have matching strings, it will create iptables rules dropping that IP. But when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So what to do?
  • Before changes, write existing iptables rules to file
     # service iptables save
  • And after any change load the saved set of rules
     # service iptables restart
  • Tune fail2ban to write IPs to /etc/fail2ban/ip.deny
Basic admin stuff
  • Check banned IPs:
    • from fail2ban:
        # fail2ban-client status vpopmail-fail
    • from current iptables rules:
        # iptables -L -nv
    • To see IPs that fail2ban is saving for the next reload:
        # cat /etc/fail2ban/ip.deny
  • How to unblock an IP:
    • Delete it from the current iptables rules:
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
    • Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
    • Remove it from /etc/sysconfig/iptables (maybe listed several times).


No comments:

Post a Comment