Using fail2ban to block/throttle SASL authentication failures
- November 20th, 2012
- Write comment
OS: CentOS6
Repository: EPEL
I had gone back and forth on how to handle SMTP Authentication requests. Would I allow it? How would I allow it? I started off, only allowing a few subnets that I knew I would need (T-Mobile, AT&T, etc). I quickly found this to be a management nightmare, so I opened access and configured all my email clients to use SSL to encrypt the traffic. This worked great except for when others found that I had the SMTP Auth enabled and open. I started getting traffic, once in a while, just banging away trying to find an account and password to use to spam from my servers. I finally got fed up, and decided to look into a way to mitigate this behavior. It became apparent to me pretty quickly that fail2ban would do exactly what I was looking for. Basically, fail2ban looks for certain strings in a log file and adds an iptables entry to a special fail2ban chain to block the IP address for a period of time. What I like about this is that I don’t have maintain a large iptables table to block unwanted subnets. Fail2ban will watch that for me. Note: my configuration blocks both port 25 and 465 to cover both port where SMTP Authentication can occur.
Here is what I did to help with my unauthorized SASL attempts:
I installed fail2ban from the EPEL repository that I had installed but not enabled. The required dependencies are listed as well.
# yum –enablerepo=epel install fail2ban
Dependency Installed:
gamin-python.x86_64 0:0.1.10-9.el6
python-inotify.noarch 0:0.9.1-1.el6
shorewall.noarch 0:4.5.4-1.el6
shorewall-core.noarch 0:4.5.4-1.el6
tcp_wrappers.x86_64 0:7.6-57.el6
# cd /etc/fail2ban/
# cp -rp jail.conf jail.conf.orig
I disabled ssh monitoring, since I do not allow that anyway, so it was not needed.
# vi jail.conf
…
[ssh-iptables]# JGZ 11/20/2012
#enabled = true
enabled = false
…
# JGZ 11/19/2012 – enable SASL monitoring
#enabled = false
enabled = true
filter = sasl
backend = polling
# JGZ 11/19/2012
#action = iptables[name=sasl, port=smtp, protocol=tcp]
action = iptables-multiport[name=SASL, port=”smtp,465″]
sendmail-whois[name=sasl, dest=emailaddress]
# sendmail-whois[name=sasl, dest=you@example.com]
# JGZ 11/19/2012 – configure the correct log file name.
#logpath = /var/log/mail.log
logpath = /var/log/maillog
…
# cd /etc/fail2ban/filter.d/
# cp -p sasl.conf sasl.conf.orig
# vi sasl.conf
…
# JGZ 11/19/2012 – To support my postfix output
#failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = .*postfix\/smtpd.*warning: .*\[\]:.*SASL .*authentication failure
…
# service fail2ban start
# chkconfig fail2ban on
With this configuration, after three authentication failures the IP address will be blocked for 5 minutes. All port access will blocked for the address. In addition, an email message will be sent to email address configured in the jail.conf file. Log output is managed via syslog and sent to the /var/log/messages file.
Update:
While installing this in CentOS 7, I discovered some new things.
In jail.local to ban forever:
bantime = -1
# fail2ban-client set jailname unbanip ipaddress
Example:
# fail2ban-client set sshd unbanip 123.123.123.123
Fail2ban has a tool that will allow you to test your regex filters:
# fail2ban-regex /path/to/logfile “someregexstuff”