Fail2ban: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
No edit summary
No edit summary
Line 97: Line 97:


  Script to check blocking
  Script to check blocking
  # tee -a ./f2bstat<<EOL
  # tee -a /usr/local/bin/f2bstat<<EOL
  #!/bin/bash
  #!/bin/bash
  for FILTER in qmail-submission-passfail \
  for FILTER in qmail-submission-passfail \\
               qmail-submission-usernotfound \
               qmail-submission-usernotfound \\
               qmail-smtps-passfail \
               qmail-smtps-passfail \\
               qmail-smtps-usernotfound \
               qmail-smtps-usernotfound \\
               qmail-smtp-authnotavail
               qmail-smtp-authnotavail
  do
  do
     fail2ban-client status $FILTER
     fail2ban-client status \$FILTER
     echo ""
     echo ""
  done
  done

Revision as of 15:43, 31 March 2024

Install fail2ban
# yum install fail2ban -y

Create the filter definition files in filter.d
# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

Create jail.local
# cat >>/etc/fail2ban/jail.d/jail.local << EOL
[qmail-submission-passfail]
enabled = true
filter  = qmail-submission-passfail
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-submission-usernotfound]
enabled = true
filter  = qmail-submission-usernotfound
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtps-passfail]
enabled  = true
filter   = qmail-smtps-passfail
action   = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtps-usernotfound]
enabled = true
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtp-authnotavail]
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto

EOL

Set up Authorization not available
In order to log SMTP transactions do the following:
 1) # qmailctl stop
 2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
 3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file: 
     #!/bin/sh
     LOGSIZE=`cat /var/qmail/control/logsize`
     LOGCOUNT=`cat /var/qmail/control/logcount`
     exec /usr/bin/setuidgid qmaill \
       /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
       '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
       '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
 4) # qmailctl start && qmailctl cdb
 5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal

Start fail2ban
# systemctl start fail2ban

Script to check blocking
# tee -a /usr/local/bin/f2bstat<<EOL
#!/bin/bash
for FILTER in qmail-submission-passfail \\
             qmail-submission-usernotfound \\
             qmail-smtps-passfail \\
             qmail-smtps-usernotfound \\
             qmail-smtp-authnotavail
do
   fail2ban-client status \$FILTER
   echo ""
done
EOL

Set permissions & run script (w/output sample)
# chmod 755 ./f2bstat && ./f2bstat

qmail-submission-passfail:

Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-submission-usernotfound:

Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-passfail:

Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-usernotfound:

Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72

qmail-smtp-authnotavail:

Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Note

Once its starts running and the logs have matching strings, it will create iptables rules dropping that IP. But when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So what to do?

  • Before changes, write existing iptables rules to file
     # service iptables save
  • And after any change load the saved set of rules
     # service iptables restart
  • Tune fail2ban to write IPs to /etc/fail2ban/ip.deny

Basic admin stuff

  • Check banned IPs:
    • from fail2ban:
        # fail2ban-client status vpopmail-fail
    • from current iptables rules:
        # iptables -L -nv
    • To see IPs that fail2ban is saving for the next reload:
        # cat /etc/fail2ban/ip.deny
  • How to unblock an IP:
    • Delete it from the current iptables rules:
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
    • Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
    • Remove it from /etc/sysconfig/iptables (maybe listed several times).

References

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html

[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html

[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

[4] fail2ban homepage: http://www.fail2ban.org

Retrieved from "http://wiki.qmailtoaster.org:80/index.php?title=Fail2ban&oldid=864"