Addition/Harden.iRedMail.with.Fail2ban
From iRedMail
Revision as of 12:17, 7 April 2011
Summary
Fail2ban scans log files such as /var/log/maillog or /var/log/auth.log and bans IP addresses that make too many password failures, by updating the firewall rules to reject the offending IP address.
We can use Fail2ban to ban the IP addresses of hosts that try to crack your mail accounts.
Install Fail2ban
- On RHEL/CentOS, you can install fail2ban from the iRedMail yum repository, which is enabled by default:
Terminal:
# yum install fail2ban
- On Debian/Ubuntu, you can install fail2ban from the official repository:
Terminal:
# apt-get install fail2ban
- On openSUSE, you can install fail2ban from the iRedMail repository, which is enabled by default:
Terminal:
# zypper install fail2ban
- On FreeBSD, you can install fail2ban from the ports tree:
Terminal:
# cd /usr/ports/security/py-fail2ban
# make install clean
On Linux:
- The main configuration files of Fail2ban are:
  - /etc/fail2ban/fail2ban.conf
  - /etc/fail2ban/jail.conf
  - /etc/fail2ban/filter.d/*.conf
- Fail2ban reads the user's custom config file "/etc/fail2ban/jail.local" by default. It is highly recommended to create this file and put all your settings in it, so that you can upgrade Fail2ban without having to change the shipped config files.
On FreeBSD:
- The main configuration files of Fail2ban are:
  - /usr/local/etc/fail2ban/fail2ban.conf
  - /usr/local/etc/fail2ban/jail.conf
  - /usr/local/etc/fail2ban/filter.d/*.conf
- Fail2ban reads the user's custom config file "/usr/local/etc/fail2ban/jail.local" by default. It is highly recommended to create this file and put all your settings in it, so that you can upgrade Fail2ban without having to change the shipped config files.
Configure Fail2ban
We will configure Fail2ban to protect 4 services: ssh, smtp, pop3/imap and webmail.
Fail2ban ships a filter for the sshd service, so we only need to create 3 new filter files. A filter file defines the regular expressions used to find the IP addresses we should ban.
- /etc/fail2ban/filter.d/roundcube.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/roundcube.iredmail.conf (FreeBSD):
File: /etc/fail2ban/filter.d/roundcube.iredmail.conf
[Definition]
failregex = roundcube: (.*) Error: Login failed for (.*) from <HOST>\.
ignoreregex =
- /etc/fail2ban/filter.d/dovecot.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/dovecot.iredmail.conf (FreeBSD):
File: /etc/fail2ban/filter.d/dovecot.iredmail.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
- /etc/fail2ban/filter.d/postfix.iredmail.conf (Linux) or /usr/local/etc/fail2ban/filter.d/postfix.iredmail.conf (FreeBSD):
File: /etc/fail2ban/filter.d/postfix.iredmail.conf
[Definition]
failregex = \[<HOST>\]: SASL PLAIN authentication failed
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
ignoreregex =
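To check that the three filters above actually catch the log lines they are written for, here is an added Python example (not part of the original page or of iRedMail) that expands fail2ban's <HOST> tag roughly as the 0.8-era releases did and runs each failregex over constructed sample lines; the HOST_RE expansion and the sample log lines are assumptions of the example.

```python
import re

# fail2ban replaces the <HOST> tag with a named group before compiling a
# failregex; this is (approximately) the expansion the 0.8-era releases used.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines of the three filter files above; each line is an alternative.
FILTERS = {
    "roundcube.iredmail": [
        r"roundcube: (.*) Error: Login failed for (.*) from <HOST>\.",
    ],
    "dovecot.iredmail": [
        r"(?: pop3-login|imap-login): .*(?:Authentication failure"
        r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
        r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    ],
    "postfix.iredmail": [
        r"\[<HOST>\]: SASL PLAIN authentication failed",
        r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
        r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
        r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    ],
}

# Constructed sample log lines (not real traffic): one failed login per
# service, one Postfix recipient reject, and one benign connect line.
SAMPLE_LOG = [
    "Apr  7 12:00:01 mail roundcube: IMAP Error: Login failed for alice@example.com from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed",
    "Apr  7 12:00:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.1, TLS",
    "Apr  7 12:00:03 mail postfix/smtpd[1234]: warning: unknown[192.0.2.5]: SASL PLAIN authentication failed: authentication failure",
    "Apr  7 12:00:04 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 550 5.1.1 <nobody@example.com>: Recipient address rejected",
    "Apr  7 12:00:05 mail postfix/smtpd[1234]: connect from unknown[192.0.2.6]",
]

def compile_filter(name):
    """Expand <HOST> and compile every alternative of the named filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in FILTERS[name]]

def match_hosts(name, lines):
    """Return the hosts the named filter reports, one per matching log line."""
    regexes = compile_filter(name)
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # the first matching alternative wins, as in fail2ban
    return hosts
```

The same check can be run against a real log with the fail2ban-regex tool that ships with Fail2ban; this script is only meant to show what each pattern extracts.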
We now have 3 new filter files; it's time to let Fail2ban use them. Since the ssh filter is enabled by default, we don't need to touch any of the shipped config files: we just need to create "/etc/fail2ban/jail.local" (Linux) or "/usr/local/etc/fail2ban/jail.local" (FreeBSD) to enable these 3 new filters.
Note:
- You may need to change the "logpath" of the roundcube and postfix filters, since the mail log location differs between Linux distributions and BSD:
  - On RHEL/CentOS, it's "/var/log/maillog".
  - On Debian/Ubuntu, it's "/var/log/mail.log".
  - On openSUSE, it's "/var/log/mail".
  - On FreeBSD, it's "/var/log/maillog".
File: jail.local
[roundcube-iredmail]
enabled = true
filter = roundcube.iredmail
action = iptables-multiport[name=roundcube, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
findtime = 3600
maxretry = 5
bantime = 3600

[dovecot-iredmail]
enabled = true
filter = dovecot.iredmail
action = iptables-multiport[name=dovecot, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/dovecot.log
maxretry = 5
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1

[postfix-iredmail]
enabled = true
filter = postfix.iredmail
action = iptables-multiport[name=postfix, port="ssh,http,https,smtp,smtps,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/maillog
bantime = 3600
maxretry = 5
ignoreip = 127.0.0.1
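To see how findtime, maxretry, bantime and ignoreip work together, here is an added Python example (not from the page or from Fail2ban itself) that replays constructed failure events through the same sliding-window rule Fail2ban applies, once with the dovecot-iredmail settings above and once with the roundcube-iredmail settings, which have a longer findtime and no ignoreip; the event list and the ban_decisions function are assumptions of the example.

```python
from collections import deque

# Constructed (timestamp-in-seconds, ip) failure events, not real traffic:
# a fast brute-forcer, a slow one spaced 100 s apart, and localhost noise.
EVENTS = (
    [(t, "198.51.100.9") for t in (0, 10, 20, 30, 40, 50)]
    + [(t, "203.0.113.7") for t in (0, 100, 200, 300, 400)]
    + [(t, "127.0.0.1") for t in range(0, 60, 5)]
)


def ban_decisions(events, findtime, maxretry, bantime, ignoreip=()):
    """Replay failure events through a jail's counting rule.

    An IP is banned when it has accumulated maxretry failures inside a
    sliding window of findtime seconds. Returns [(ban_time, ip), ...].
    Failures from an already banned IP are skipped until bantime expires,
    as they would be once the firewall rule is in place.
    """
    window = {}        # ip -> deque of failure timestamps still inside findtime
    banned_until = {}  # ip -> timestamp at which the ban is lifted
    bans = []
    for ts, ip in sorted(events):
        if ip in ignoreip or banned_until.get(ip, -1) > ts:
            continue
        q = window.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > findtime:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + bantime
            q.clear()
    return bans


# dovecot-iredmail: findtime = 300, maxretry = 5, bantime = 3600, ignoreip = 127.0.0.1
DOVECOT_BANS = ban_decisions(EVENTS, 300, 5, 3600, ignoreip=("127.0.0.1",))
# roundcube-iredmail: findtime = 3600 also catches the slow attacker, and with no
# ignoreip the jail bans 127.0.0.1 as well
ROUNDCUBE_BANS = ban_decisions(EVENTS, 3600, 5, 3600)
```

Adding ignoreip = 127.0.0.1 to the roundcube jail, as the other two jails already do, avoids locking out the local webmail and MTA processes.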
Restart the fail2ban service to apply the new configuration.
