Fail2ban: Difference between revisions

From QmailToaster
(27 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Configuration#Fail2ban|Back]]<br>
  Install fail2ban
  Install fail2ban
  # yum install fail2ban -y<br>
  # yum install fail2ban -y<br>
  Create the filter definition files in filter.d
  Create the filter definition files in filter.d
  # cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
  # cat >/etc/fail2ban/filter.d/qt-smtp-authnotavail.conf << EOL
  [Definition]
  [Definition]
  #Looks for failed auth outside TLS to SMTP
  #Looks for failed auth outside TLS to SMTP
Line 8: Line 9:
  ignoreregex =
  ignoreregex =
  EOL<br>
  EOL<br>
  # cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
  # cat >/etc/fail2ban/filter.d/qt-smtps-passfail.conf<< EOL
  [Definition]
  [Definition]
  #Looks for failed password logins to SMTP
  #Looks for failed password logins to SMTP
Line 14: Line 15:
  ignoreregex =
  ignoreregex =
  EOL<br>
  EOL<br>
  # cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
  # cat >/etc/fail2ban/filter.d/qt-smtps-usernotfound.conf<< EOL
  [Definition]
  [Definition]
  failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
  failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
  ignoreregex =
  ignoreregex =
  EOL<br>
  EOL<br>
  # cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
  # cat >/etc/fail2ban/filter.d/qt-sub-passfail.conf<< EOL
  [Definition]
  [Definition]
  failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
  failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
  ignoreregex =
  ignoreregex =
  EOL<br>
  EOL<br>
  # cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
  # cat >/etc/fail2ban/filter.d/qt-sub-usernotfound.conf<< EOL
  [Definition]
  [Definition]
  failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
  failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
Line 31: Line 32:
  Create jail.local
  Create jail.local
  # cat >>/etc/fail2ban/jail.d/jail.local << EOL
  # cat >>/etc/fail2ban/jail.d/jail.local << EOL
  [qmail-submission-passfail]
  [qt-sub-passfail]
  enabled = true
  enabled = true
  filter  = qmail-submission-passfail
  filter  = qt-sub-passfail
  action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
  action  = iptables[name=QT-SUB-PASSFAIL, port=587, protocol=tcp]
  logpath = /var/log/maillog
  logpath = /var/log/maillog
  maxretry = 3
  maxretry = 3
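Review bot: `cat >>/etc/fail2ban/jail.d/jail.local` appends, so a reader who runs this step twice ends up with duplicate `[qt-sub-passfail]` (and following) sections in the file; writing it with `>` or telling the reader to check for an existing file first would avoid that. Giving each jail its own chain name (`name=QT-SUB-PASSFAIL` instead of the shared `QMAIL-SUBMISSION`) is the right change: two jails sharing one `name=` would both create and flush the same iptables chain, so stopping one jail would drop the other's bans.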
Line 40: Line 41:
  findtime = 3600
  findtime = 3600
  backend = auto<br>
  backend = auto<br>
  [qmail-submission-usernotfound]
  [qt-sub-usernotfound]
  enabled = true
  enabled = true
  filter  = qmail-submission-usernotfound
  filter  = qt-sub-usernotfound
  action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
  action  = iptables[name=QT-SUB-USERNOTFOUND, port=587, protocol=tcp]
  logpath = /var/log/maillog
  logpath = /var/log/maillog
  maxretry = 3
  maxretry = 3
Line 49: Line 50:
  findtime = 3600
  findtime = 3600
  backend = auto<br>
  backend = auto<br>
  [qmail-smtps-passfail]
  [qt-smtps-passfail]
  enabled  = true
  enabled  = true
  filter  = qmail-smtps-passfail
  filter  = qt-smtps-passfail
  action  = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
  action  = iptables[name=QT-SMTPS-PASSFAIL, port=465, protocol=tcp]
  logpath  = /var/log/maillog
  logpath  = /var/log/maillog
  maxretry = 3
  maxretry = 3
Line 58: Line 59:
  findtime = 3600
  findtime = 3600
  backend = auto<br>
  backend = auto<br>
  [qmail-smtps-usernotfound]
  [qt-smtps-usernotfound]
  enabled = true
  enabled = true
  filter = qmail-smtps-usernotfound
  filter = qt-smtps-usernotfound
  action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
  action = iptables[name=QT-SMTPS-USERNOTFOUND, port=465, protocol=tcp]
  logpath = /var/log/maillog
  logpath = /var/log/maillog
  maxretry = 3
  maxretry = 3
Line 67: Line 68:
  findtime = 3600
  findtime = 3600
  backend = auto<br>
  backend = auto<br>
  [qmail-smtp-authnotavail]
  [qt-smtp-authnotavail]
  enabled = true
  enabled = true
  filter = qmail-smtp-authnotavail
  filter = qt-smtp-authnotavail
  action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
  action = iptables[name=QT-SMTP-AUTHNOTAVAIL, port=25, protocol=tcp]
  logpath = /var/log/qmail/smtptx/current
  logpath = /var/log/qmail/smtptx/current
  maxretry = 3
  maxretry = 3
  bantime = 86400
  bantime = 86400
  findtime = 300
  findtime = 300
  backend = auto<br>
  backend = auto
  EOL
  EOL


Set up Authorization not available
  In order to log SMTPTX (transactions) do the following:
  In order to log SMTP transactions do the following:
   1) # qmailctl stop
   1) # qmailctl stop
   2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp  
   2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp  
   3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:  
   3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file:<span style="color:red">
       #!/bin/sh
       #!/bin/sh
       LOGSIZE=`cat /var/qmail/control/logsize`
       LOGSIZE=`cat /var/qmail/control/logsize`
Line 89: Line 89:
         /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
         /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
         '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
         '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
         '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
         '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1</span>
   4) # qmailctl start && qmailctl cdb
   4) # qmailctl start && qmailctl cdb
   5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
   5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
Line 97: Line 97:


  Script to check blocking
  Script to check blocking
  # cat >./f2bstat << EOL
  # tee -a /usr/local/bin/f2bstat<<EOL
  #!/bin/bash
  #!/bin/bash
  for FILTER in qmail-submission-passfail \
  for JAIL in qt-sub-passfail \\
              qmail-submission-usernotfound \
            qt-sub-usernotfound \\
              qmail-smtps-passfail \
            qt-smtps-passfail \\
              qmail-smtps-usernotfound \
            qt-smtps-usernotfound \\
              qmail-smtp-authnotavail
            qt-smtp-authnotavail
  do
  do
     fail2ban-client status $FILTER
     fail2ban-client status \$JAIL
     echo ""
     echo ""
  done
  done
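Review bot: escaping `\$JAIL` and `\\` fixes the real defect of the old version, where the unquoted heredoc expanded `$FILTER` to an empty string (and swallowed the backslash-newlines) at creation time, so the written script ran `fail2ban-client status` with no jail name; quoting the delimiter (`<<'EOL'`) would achieve the same with no escapes at all. `tee -a` also appends, so a second run leaves two concatenated `#!/bin/bash` scripts in `/usr/local/bin/f2bstat`; plain `tee` (or `cat >`) is safer here.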
Line 111: Line 111:


  Set permissions & run script (w/output sample)
  Set permissions & run script (w/output sample)
  # chmod 755 ./f2bstat && ./f2bstat
  # chmod 755 /usr/local/bin/f2bstat && f2bstat


  qmail-submission-passfail:<br>
  qt-sub-passfail:<br>
  Status for the jail: qmail-submission-passfail
  Status for the jail: qt-sub-passfail
  |- Filter
  |- Filter
  |  |- Currently failed: 1
  |  |- Currently failed: 1
Line 124: Line 124:
     `- Banned IP list:
     `- Banned IP list:


  qmail-submission-usernotfound:<br>
  qt-sub-usernotfound:<br>
  Status for the jail: qmail-submission-usernotfound
  Status for the jail: qmail-submission-usernotfound
  |- Filter
  |- Filter
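Review bot: the sample output still reads `Status for the jail: qmail-submission-usernotfound` although the jail and the label above it were renamed to `qt-sub-usernotfound`; `fail2ban-client status` echoes the jail name it was given, so the pasted sample no longer matches what the script prints. The same stale name remains in the `qt-smtps-passfail`, `qt-smtps-usernotfound` and `qt-smtp-authnotavail` samples below.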
Line 135: Line 135:
     `- Banned IP list:
     `- Banned IP list:


  qmail-smtps-passfail:<br>
  qt-smtps-passfail:<br>
  Status for the jail: qmail-smtps-passfail
  Status for the jail: qmail-smtps-passfail
  |- Filter
  |- Filter
Line 146: Line 146:
     `- Banned IP list:
     `- Banned IP list:


  qmail-smtps-usernotfound:<br>
  qt-smtps-usernotfound:<br>
  Status for the jail: qmail-smtps-usernotfound
  Status for the jail: qmail-smtps-usernotfound
  |- Filter
  |- Filter
Line 157: Line 157:
     `- Banned IP list:  5.34.207.174 212.70.149.72
     `- Banned IP list:  5.34.207.174 212.70.149.72


  qmail-smtp-authnotavail:<br>
  qt-smtp-authnotavail:<br>
  Status for the jail: qmail-smtp-authnotavail
  Status for the jail: qmail-smtp-authnotavail
  |- Filter
  |- Filter
Line 168: Line 168:
     `- Banned IP list:
     `- Banned IP list:
=== Note ===
=== Note ===
Once its starts running and the logs have matching strings, it will create iptables rules dropping that IP.
But when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye!
So what to do?
* Before changes, write existing iptables rules to file
      # service iptables save
* And after any change load the saved set of rules
      # service iptables restart
* Tune fail2ban to write IPs to /etc/fail2ban/ip.deny
== Basic admin stuff ==


== Basic commands ==
* Check banned IPs:
* Check banned IPs:
** from fail2ban:
Format: fail2ban-client get 'jail' banned
        # fail2ban-client status vpopmail-fail
  # fail2ban-client get qt-smtp-authnotavail banned
** from current iptables rules:  
  ['xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy',...,]
        # iptables -L -nv
* How to unblock an IP(s):
** To see IPs that fail2ban is saving for the next reload:
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
        # cat /etc/fail2ban/ip.deny
  # fail2ban-client set qt-smtp-authnotavail unbanip 192.168.1.105 192.168.1.112 192.168.1.119
 
  3
* How to unblock an IP:
* How to block an IP(s):
** Delete it from the current iptables rules:
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
  # fail2ban-client set qt-smtp-authnotavail banip 192.168.9.105 192.168.1.112 192.168.1.119
** Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
  3
 
* Help:
** Remove it from /etc/sysconfig/iptables (maybe listed several times).
  # fail2ban-client -h


== References ==
== References ==
[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] fail2ban homepage: http://www.fail2ban.org
 
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
 
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
 
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
 
[4] fail2ban homepage: http://www.fail2ban.org
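Review bot: under "How to block an IP(s)" the Format line still says `unbanip` (copied from the unblock entry) while the command beneath it correctly uses `banip`. The bare `3` after each `set` command is fail2ban-client's return value (the number of addresses processed) and would read better labelled as output, since as written it looks like a stray line. Dropping the old `ip.deny` / `service iptables save` notes removes the only warning that manual `/etc/sysconfig/iptables` edits can reintroduce stale rules; if that advice is obsolete, one sentence saying so would help readers of the old revision.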

Latest revision as of 09:13, 19 October 2024


Install fail2ban
# yum install fail2ban -y
Create the filter definition files in filter.d
# cat >/etc/fail2ban/filter.d/qt-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-smtps-passfail.conf << EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-smtps-usernotfound.conf << EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-sub-passfail.conf << EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qt-sub-usernotfound.conf << EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

Create jail.local
# cat >>/etc/fail2ban/jail.d/jail.local << EOL
[qt-sub-passfail]
enabled = true
filter = qt-sub-passfail
action = iptables[name=QT-SUB-PASSFAIL, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qt-sub-usernotfound]
enabled = true
filter = qt-sub-usernotfound
action = iptables[name=QT-SUB-USERNOTFOUND, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qt-smtps-passfail]
enabled = true
filter = qt-smtps-passfail
action = iptables[name=QT-SMTPS-PASSFAIL, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qt-smtps-usernotfound]
enabled = true
filter = qt-smtps-usernotfound
action = iptables[name=QT-SMTPS-USERNOTFOUND, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 86400
findtime = 3600
backend = auto

[qt-smtp-authnotavail]
enabled = true
filter = qt-smtp-authnotavail
action = iptables[name=QT-SMTP-AUTHNOTAVAIL, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto
EOL
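To check that the five failregex patterns above really match the lines they are meant for, and to see which addresses each jail would ban at maxretry = 3, here is an added Python script (not part of the QmailToaster page or of fail2ban itself) that applies the page's patterns to constructed sample log lines. The `<HOST>` stand-in, the per-jail logpath table and the sample lines are assumptions of this example, and the findtime window is not modelled.

```python
import re
from collections import Counter

# Failregex patterns exactly as the page writes them into filter.d.
FILTERS = {
    "qt-smtp-authnotavail": r"503 auth not available \(\#5\.3\.3\) - <HOST>",
    "qt-smtps-passfail": r"vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "qt-smtps-usernotfound": r"vchkpw-smtps: vpopmail user not found .*:<HOST>",
    "qt-sub-passfail": r"vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "qt-sub-usernotfound": r"vchkpw-submission: vpopmail user not found .*:<HOST>",
}
# Log each jail watches, per the page's jail.local; every jail uses maxretry = 3.
LOGPATH = {jail: "/var/log/maillog" for jail in FILTERS}
LOGPATH["qt-smtp-authnotavail"] = "/var/log/qmail/smtptx/current"
MAXRETRY = 3
# IPv4-only stand-in for fail2ban's <HOST> tag (the real tag also accepts IPv6 and hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample lines (not captured from a real server), shaped like vpopmail's maillog
# entries and like the smtptx lines the page's authnotavail failregex expects.
SAMPLE_LOGS = {
    "/var/log/maillog": [
        "Oct 19 09:13:01 mail vpopmail[2140]: vchkpw-submission: password fail (pass: 'hunter2') bob@example.com:203.0.113.5",
        "Oct 19 09:13:04 mail vpopmail[2141]: vchkpw-submission: password fail (pass: 'let me in') bob@example.com:203.0.113.5",
        "Oct 19 09:13:09 mail vpopmail[2142]: vchkpw-submission: password fail (pass: 'qwerty') bob@example.com:203.0.113.5",
        "Oct 19 09:14:30 mail vpopmail[2150]: vchkpw-smtps: vpopmail user not found admin@example.com:198.51.100.7",
        "Oct 19 09:14:31 mail vpopmail[2151]: vchkpw-smtps: vpopmail user not found test@example.com:198.51.100.7",
        "Oct 19 09:20:00 mail vpopmail[2160]: vchkpw-submission: password fail (pass: 'oops') alice@example.com:192.0.2.44",
    ],
    # The same client refused three times (list repeated, as multilog would record it).
    "/var/log/qmail/smtptx/current": ["@4000000067137c8a1e6b5f2c server:[192.0.2.9] 503 auth not available (#5.3.3) - 192.0.2.9"] * 3,
}

def scan(logs=SAMPLE_LOGS):
    """Return {jail: Counter(ip -> matching lines)}; each jail reads only its own logpath."""
    hits = {}
    for jail, failregex in FILTERS.items():
        rx = re.compile(failregex.replace("<HOST>", HOST_RE))  # substitute the <HOST> tag
        hits[jail] = Counter()
        for line in logs.get(LOGPATH[jail], []):
            m = rx.search(line)
            if m:
                hits[jail][m.group("host")] += 1
    return hits

def would_ban(hits, maxretry=MAXRETRY):
    """Addresses that reached maxretry in each jail (ignoring the findtime window)."""
    return {jail: sorted(ip for ip, n in c.items() if n >= maxretry) for jail, c in hits.items()}
```

Running `would_ban(scan())` on the sample shows only 203.0.113.5 (three submission password failures) and 192.0.2.9 (three refused AUTH attempts on port 25) reaching the threshold, while the two "user not found" hits from 198.51.100.7 stay below it.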
Set up Authorization not available
In order to log SMTP transactions do the following:
 1) # qmailctl stop
 2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp
 3) Replace the contents of the '/var/qmail/supervise/smtp/log/run' script with the one below, which writes the transaction lines to a separate log:
     #!/bin/sh
     LOGSIZE=`cat /var/qmail/control/logsize`
     LOGCOUNT=`cat /var/qmail/control/logcount`
     exec /usr/bin/setuidgid qmaill \
       /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
       '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
       '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
 4) # qmailctl start && qmailctl cdb
 5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal
Start fail2ban
# systemctl start fail2ban
Script to check blocking
# tee -a /usr/local/bin/f2bstat<<EOL
#!/bin/bash
for JAIL in qt-sub-passfail \\
            qt-sub-usernotfound \\
            qt-smtps-passfail \\
            qt-smtps-usernotfound \\
            qt-smtp-authnotavail
do
   fail2ban-client status \$JAIL
   echo ""
done
EOL
Set permissions & run script (w/output sample)
# chmod 755 /usr/local/bin/f2bstat && f2bstat
qt-sub-passfail:
Status for the jail: qt-sub-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qt-sub-usernotfound:
Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qt-smtps-passfail:
Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qt-smtps-usernotfound:
Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72

qt-smtp-authnotavail:
Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Note

Basic commands

  • Check banned IPs:
Format: fail2ban-client get 'jail' banned
  # fail2ban-client get qt-smtp-authnotavail banned
  ['xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy',...,]
  • How to unblock an IP(s):
Format: fail2ban-client set 'jail' unbanip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
  # fail2ban-client set qt-smtp-authnotavail unbanip 192.168.1.105 192.168.1.112 192.168.1.119
  3
  • How to block an IP(s):
Format: fail2ban-client set 'jail' banip xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ...
  # fail2ban-client set qt-smtp-authnotavail banip 192.168.9.105 192.168.1.112 192.168.1.119
  3
  • Help:
  # fail2ban-client -h
