Configuring Fail2ban for Failed SMTP Authentications on Mailcleaner

To keep our Internet-facing SMTP server from being knocked offline by DoS attacks on port 25, we can deploy the fail2ban service to block any connection that repeatedly fails authentication, as follows:

  • Install fail2ban on the Mailcleaner server

    apt-get update; apt-get install fail2ban

We go to the directory /etc/fail2ban, where we create or edit the following files:

  1. File filter.d/exim2.conf: contains the matching rules for the jail

    # Fail2Ban filter for exim
    #
    # This includes the rejection messages of exim. For spam and filter
    # related bans use the exim-spam.conf
    #


    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # exim-common.local
    # before = exim-common.conf

    [Definition]

    failregex = \[<HOST>\]: 535 Incorrect authentication data

    ignoreregex =

  2. File action.d/iptables-repeater.conf: defines the whole action to take against IPs that fail authentication

    # Fail2ban configuration file
    #
    # Author: Phil Hagen <phil@identityvector.com>
    #

    [Definition]

    # Option:  actionstart
    # Notes.:  command executed once at the start of Fail2Ban.
    # Values:  CMD
    #
    actionstart = iptables -N fail2ban-REPEAT-<name>
                  iptables -A fail2ban-REPEAT-<name> -j RETURN
                  iptables -I INPUT -j fail2ban-REPEAT-<name>
                  # set up from the static file
                  cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-<name> 1 -s $IP -j DROP; done

    # Option:  actionstop
    # Notes.:  command executed once at the end of Fail2Ban
    # Values:  CMD
    #
    actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
                 iptables -F fail2ban-REPEAT-<name>
                 iptables -X fail2ban-REPEAT-<name>

    # Option:  actioncheck
    # Notes.:  command executed once before each actionban command
    # Values:  CMD
    #
    actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-<name>

    # Option:  actionban
    # Notes.:  command executed when banning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    #
    actionban = iptables -I fail2ban-REPEAT-<name> 1 -s <ip> -j DROP
                # also put into the static file to re-populate after a restart
                ! grep -Fq <ip> /etc/fail2ban/ip.blocklist.<name> && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.<name>

    # Option:  actionunban
    # Notes.:  command executed when unbanning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    #
    actionunban = /bin/true

    [Init]

    # Default name of the chain
    #
    name = REPEAT

  3. File ip.blocklist.exim2: contains the IP addresses that get blocked for failed attempts; fail2ban appends its own bans to it automatically

    122.154.29.30 # fail2ban/2016-04-15 00:21:45: auto-add for repeat offender
    95.183.52.100 # fail2ban/2016-04-15 00:35:51: auto-add for repeat offender
    110.84.129.110 # fail2ban/2016-04-15 02:11:53: auto-add for repeat offender


The jail itself is configured in the file /etc/fail2ban/jail.conf, as follows:

    [exim2-repeater]
    enabled  = true
    filter   = exim2
    action   = iptables-repeater[name=exim2]
    logpath  = /var/mailcleaner/log/exim_stage1/mainlog
    maxretry = 10
    findtime = 31536000
    bantime  = 31536000

The above reads every error of type 535 Incorrect authentication data from the file /var/mailcleaner/log/exim_stage1/mainlog; once authentication has failed 10 times the IP is banned, and it is also stored in the file iptables-repeater.conf.
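As an added example (not part of the original post and not fail2ban's own code), the following Python script mimics what fail2ban-regex does with the exim2 filter above: it expands the <HOST> tag, runs the failregex over sample exim mainlog lines, and applies the jail's maxretry/findtime counting to show which hosts would end up banned. The log lines and IP addresses are constructed samples, not taken from a real Mailcleaner server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from filter.d/exim2.conf on this page; fail2ban replaces the
# <HOST> tag with a host capture group before matching (IPv4 form here).
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Settings from the [exim2-repeater] jail on this page.
MAXRETRY = 10
FINDTIME = 31536000  # seconds (one year)

def _auth_fail(ts, host, user):
    # Constructed exim mainlog line in the usual authenticator-failed shape.
    return (f"{ts} login authenticator failed for (client) [{host}]: "
            f"535 Incorrect authentication data (set_id={user})")

# Constructed sample log: one host with 10 failures a minute apart, one with
# 3 failures, and an unrelated relay rejection that must NOT match the filter.
SAMPLE_LOG = "\n".join(
    [_auth_fail(f"2016-04-15 00:{i:02d}:00", "198.51.100.7", "test") for i in range(10)]
    + [_auth_fail(f"2016-04-15 01:0{i}:00", "203.0.113.9", "bob") for i in range(3)]
    + ["2016-04-15 02:00:00 H=(mail.example) [192.0.2.5] rejected RCPT <a@example.org>: relay not permitted"]
)

def compile_failregex(failregex=FAILREGEX):
    """Expand the fail2ban <HOST> tag into a real capture group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def parse_failures(log_text, regex=None):
    """Yield (timestamp, host) for every log line the filter matches."""
    regex = regex or compile_failregex()
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            yield datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), m.group("host")

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts that reach maxretry failures inside a sliding findtime window."""
    window, recent, banned = timedelta(seconds=findtime), defaultdict(list), set()
    for ts, host in sorted(parse_failures(log_text)):
        recent[host] = [t for t in recent[host] + [ts] if ts - t <= window]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))  # ['198.51.100.7']
```

Running the same log with a short window (for example findtime=60) bans nobody, which is why the page sets findtime to a full year: slow, spread-out guessing still accumulates toward maxretry.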
