Block SMTP Authentication Attacks With Fail2Ban
Blocking SMTP authentication brute force attacks using Fail2Ban - Fail2Ban can be used to block brute force attacks against your mail server. The attackers are blocked by their source IP using iptables. Although it doesn't block SMTP attacks by default, Fail2Ban can be configured to do so.
Fail2ban works by scanning log files to detect attacks such as log entries indicating multiple failed login attempts. It scans though the log, identifies an offending IP address, then creates an on-the-fly firewall rule to block it. It is typically configured to use iptables to accomplish this, however, it is not restricted to any one firwall, or using just firewall rules.
obtain and install
First, you need to install Fail2Ban. For Redhat/Fedora use yum.
yum install fail2ban
CentOS: fail2ban is not available from CentOS. It will have to be manually downloaded. You can get it from EPEL, the Fedora repository.
wget http://mirror.pnl.gov/epel//6/i386/fail2ban-0.8.11-2.el6.noarch.rpm rpm -ih --percent fail2ban-0.8.11-2.el6.noarch.rpm
You might have some dependencies to install, like
yum install gamin-python wget http://mirror.pnl.gov/epel//6/i386/python-inotify-0.9.1-1.el6.noarch.rpm rpm -ih --percent python-inotify-0.9.1-1.el6.noarch.rpm
These are the most common 2 needed for CentOS users. Get them and any others possibly needed then try to install fail2ban again. Additional help is available for RPM Commands.
ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org
configure
Configuration for Fail2ban on a Redhat/Fedora/CentOS style distribution. This is using fail2ban with dovecot 2.x (versions 2 and above) - filtering and pattern matching.
- configuration files: /etc/fail2ban
- regex filters: /etc/fail2ban/filter.d
- action file (do/block): /etc/fail2ban/action.d
First edit the dovecot.conf filter file.
vi /etc/fail2ban/filter.d
Next edit the postfix-sasl.conf and iptables-multiport-tcp.conf action files.
vi /etc/fail2ban/postfix-sasl.conf vi /etc/fail2ban/iptables-multiport-tcp.conf
Do not directly edit jail.conf. Comments in jail.conf clearly warn against modifications in jail.conf. Put your customizations in a jail.local file or a jail.d/customisation.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local vi /etc/fail2ban/jail.local
Important Configuration Parameters:
- ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
- bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
- maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
- filter: Refers to the appropriate filter file in "/etc/fail2ban/filter.d".
- logpath: The log file that fail2ban checks for failed login attempts.
ignoreip = 127.0.0.1 192.168.254.0/24
Set the IP addresses of trusted hosts for fail2ban to ignore. Replace the 192x non-routable with the address of your machine or network. You can also add other trusted networks. Put your mom's IP address in there because sometimes she gets her password wrong more than 3 times in a row!
The configure section is incomplete! We need a tested and proven configuration to post here.
Note: This page is notably incomplete. You can help. Please contribute by registering your email address and adding your knowledge to this page. The D.U.C.K. wiki was created to be a free informative place that allows an open exchange of accurate information. Learn more... |