Strengthening Fail2Ban for Repeat Offenders

Let’s get straight to the case. I have a server serving web services, and someone was trying to use my server to send spam mail.
Honestly, I am not an expert at this. So I struggled and did some research until I found some articles which were quite interesting, and tried to implement them on my server.

The result so far was good, and I am quite satisfied. So here I am going to share it with you guys.

As I already mentioned above, I am not an expert in this field. Thus, I BEAR NO RESPONSIBILITY if something happens to your server when you follow this guide. If by any chance you found this page and know what to do, then it’s good. However, if you are like me, think again and DO IT AT YOUR OWN RISK.

1. Modify or create /etc/fail2ban/filter.d/postfix-sasl.conf

# Fail2Ban filter for postfix authentication failures
#
# Author: Yaroslav Halchenko
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service

2. Modify or create /etc/fail2ban/filter.d/f2b-loop.conf

# Fail2Ban configuration file for subsequent bans
[INCLUDES]
before = common.conf
[Definition]
failregex = \]\s+Ban\s+<HOST>
ignoreregex = \[postfix-sasl.*\]\s+Ban\s+<HOST>
#

3. Modify or create /etc/fail2ban/jail.local

Here is my previous configuration:

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
findtime = 86400 ;1 day
bantime = 604800 ;1 week

[postfix-sasl1]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
findtime = 86400 ;1 day
bantime = 604800 ;1 week

[postfix-sasl2]
enabled = true
port = smtp
filter = postfix-sasl
findtime = 864000 ;10 days
bantime = 2592000 ;1 month
logpath = /var/log/mail.log
maxretry = 5

At this time, what I wanted to protect was only FTP, Dovecot and Postfix. I will not explain anything about the configuration above. However, doing only this is still not enough. Even though I set the bantime to 1 month, ‘they’ will come again. So, let’s go to the next step.

4. Create file /etc/fail2ban/filter.d/repeatoffender.conf

#Fail2Ban configuration file
#
# Author: WireFlare
#
# This filter monitors the fail2ban log file, and permanently
# bans the ip addresses of persistent attackers.
#
# As of this version this ban only works with iptables.
#

[Definition]
_jailname = repeatoffender
failregex = fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
ignoreregex = fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[%(_jailname)s\]\s+Ban\s+<HOST>

5. Create file /etc/fail2ban/action.d/repeatoffender.conf

# Fail2Ban configuration file
#
# Author: WireFlare
#

[INCLUDES]

before = iptables-blocktype.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = FILE=/etc/fail2ban/ip.blocklist.<name>
            ADD="<ip>        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            # Exact match on the first column of the blocklist, so that an entry for
            # 10.0.0.11 is not mistaken for 10.0.0.1 (a plain grep prefix match would be)
            awk -v ip='<ip>' '$1 == ip { found = 1 } END { exit !found }' "$FILE" || iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            awk -v ip='<ip>' '$1 == ip { found = 1 } END { exit !found }' "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = # Do nothing because their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command
# (the trailing [[:space:]] keeps 1.2.3.4 from also removing 1.2.3.40):
# Be warned that if the ip still appears in the (rotated) fail2ban log files,
# the repeatoffender jail will ban it again, so it must also be whitelisted
#
# sed -i '/^<ip>[[:space:]]/d' /etc/fail2ban/ip.blocklist.repeatoffender
#

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes.:  specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

6. Let’s update /etc/fail2ban/jail.local and add this at the bottom

[repeatoffender]
enabled = true
filter = repeatoffender
logpath = /var/log/fail2ban*
maxretry = 3
findtime = 31536000
bantime = -1
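To check that the step 4 filter and the step 6 jail settings really single out repeat offenders, here is an added Python example (not code from the original post): it runs the repeatoffender failregex and ignoreregex over a constructed fail2ban.log excerpt and applies the maxretry = 3 / findtime = 1 year rule. It assumes a simplified `<HOST>` expansion; real fail2ban uses a more elaborate pattern, and `fail2ban-regex` is the tool to test a filter against a live log.

```python
import re
from datetime import datetime, timedelta

# failregex / ignoreregex copied from /etc/fail2ban/filter.d/repeatoffender.conf (step 4).
JAILNAME = "repeatoffender"
FAILREGEX = r"fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>"
IGNOREREGEX = r"fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[%(_jailname)s\]\s+Ban\s+<HOST>" % {"_jailname": JAILNAME}
# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion (the real
# one also accepts hostnames and IPv4-mapped IPv6 forms).
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))
IGNORE_RE = re.compile(IGNOREREGEX.replace("<HOST>", HOST))

# Constructed fail2ban.log excerpt using documentation IP ranges (not real data).
SAMPLE_LOG = """\
2015-01-01 00:00:00,000 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 192.0.2.50
2016-06-01 00:00:00,000 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 192.0.2.50
2017-03-01 00:00:00,000 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 192.0.2.50
2017-03-05 10:15:22,101 fail2ban.actions        [812]: NOTICE  [postfix-sasl1] Ban 203.0.113.7
2017-03-12 02:40:09,533 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.7
2017-03-12 02:41:00,004 fail2ban.actions        [812]: NOTICE  [postfix-sasl1] Ban 198.51.100.23
2017-03-12 02:41:01,000 fail2ban.actions        [812]: NOTICE  [repeatoffender] Ban 198.51.100.23
2017-03-12 02:41:02,000 fail2ban.actions        [812]: NOTICE  [repeatoffender] Ban 198.51.100.23
2017-04-01 23:59:59,900 fail2ban.actions        [812]: NOTICE  [pure-ftpd] Ban 203.0.113.7
2017-04-03 11:11:11,111 fail2ban.actions        [812]: NOTICE  [postfix-sasl1] Unban 198.51.100.23
"""

def match_ban(line):
    # A host counts only when failregex matches and ignoreregex (a ban by the
    # repeatoffender jail itself) does not; otherwise the jail would feed itself.
    if IGNORE_RE.search(line):
        return None
    m = FAIL_RE.search(line)
    return m.group("host") if m else None

def repeat_offenders(log, maxretry=3, findtime=365 * 86400):
    # Hosts banned >= maxretry times by other jails within findtime seconds,
    # which is what the [repeatoffender] jail from step 6 bans permanently.
    bans = {}
    for line in log.splitlines():
        host = match_ban(line)
        if host:
            # fail2ban log lines start with "YYYY-MM-DD HH:MM:SS,mmm"
            when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            bans.setdefault(host, []).append(when)
    window = timedelta(seconds=findtime)
    hits = set()
    for host, times in bans.items():
        times.sort()  # rotated files matched by /var/log/fail2ban* may be read out of order
        if any(b - a <= window for a, b in zip(times, times[maxretry - 1:])):
            hits.add(host)
    return hits
```

Without the ignoreregex, 198.51.100.23 would reach three bans within seconds of its own permanent ban being logged; with it, only 203.0.113.7 qualifies, and 192.0.2.50's three bans fall outside the one-year window.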

7. The findtime is 1 year, so the log rotation has to keep a year of fail2ban logs as well. Update /etc/logrotate.d/fail2ban

/var/log/fail2ban.log {
    missingok
    notifempty
    monthly
    rotate 13
    create 0600 root root
    postrotate
    	/usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 2> /dev/null || true
    endscript
}

That’s it. Hope this is useful for you guys. Full references are here and here.

Notes: this configuration was suitable for my server, which doesn’t mean it’s also suitable for yours. You have to try it out first and make some adjustments based on your server. Good luck!
