1 (edited by aniyan.rajan6 2013-05-19 20:09:51)

Topic: Firewall

==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Linux/BSD distribution name and version: Debian/squeeze
- Related log if you're reporting an issue:
====

Hello Zhang,

As you have seen from my Logwatch report in my other thread, there are a lot of unwanted SSH brute force attacks. The /var/log/auth.log shows plenty of attacks (trials) from unknown IPs (see below).

I haven't installed Fail2ban and I gave NO for the option: "Use firewall rules provided by iRedmail", during the iRedmail installation. I think that is the reason for these unknown ssh requests. I can install the fail2ban from the debian repository, but how can start using the firewall rules now ?

Also I found the below method using iptables:
http://kvz.io/blog/2007/07/28/block-bru … -iptables/

Which one do you suggest ? Thanks.



# cat /var/log/auth.log

May 19 09:49:06 mx sshd[10269]: Failed password for invalid user devdata from 124.160.194.27 port 21889 ssh2
May 19 09:49:09 mx sshd[10271]: Invalid user webapp from 124.160.194.27
May 19 09:49:09 mx sshd[10271]: pam_unix(sshd:auth): check pass; user unknown
May 19 09:49:09 mx sshd[10271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.160.194.27 
May 19 09:49:10 mx sshd[10271]: Failed password for invalid user webapp from 124.160.194.27 port 22883 ssh2
May 19 09:49:13 mx sshd[10273]: Invalid user erwin from 124.160.194.27
May 19 09:49:13 mx sshd[10273]: pam_unix(sshd:auth): check pass; user unknown
May 19 09:49:13 mx sshd[10273]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.160.194.27 
May 19 09:49:15 mx sshd[10273]: Failed password for invalid user erwin from 124.160.194.27 port 23891 ssh2
May 19 09:49:17 mx sshd[10275]: Invalid user erwin from 124.160.194.27
May 19 09:49:17 mx sshd[10275]: pam_unix(sshd:auth): check pass; user unknown
May 19 09:49:17 mx sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.160.194.27 
May 19 09:49:18 mx sshd[10275]: Failed password for invalid user erwin from 124.160.194.27 port 24923 ssh2
May 19 09:49:21 mx sshd[10277]: Invalid user sachin from 124.160.194.27
May 19 09:49:21 mx sshd[10277]: pam_unix(sshd:auth): check pass; user unknown
May 19 09:49:21 mx sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.160.194.27 
May 19 09:49:22 mx sshd[10277]: Failed password for invalid user sachin from 124.160.194.27 port 25860 ssh2

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Firewall

My personal suggestions:

*) Use another port number for SSH service if possible.
*) Use only public/private key for authentication if possible, not password.
*) Install Fail2ban to protect your server against this kind of password attempts.

3

Re: Firewall

Zhang,

I am already using sshkeys and installed and configured fail2ban now. It banned all those incoming ssh connections.

I gave NO for the option: "Use firewall rules provided by iRedmail", during the iRedmail installation. Is there any additional benefits, if I use them ?

Thanks.

4

Re: Firewall

Hi Aniyan,

Just talk a look at the rule file, then you will know what it does:
https://bitbucket.org/zhb/iredmail/src/ … bles.rules

5

Re: Firewall

ZhangHuangbin wrote:

Hi Aniyan,

Just talk a look at the rule file, then you will know what it does:
https://bitbucket.org/zhb/iredmail/src/ … bles.rules

I understand that  it is ACCEPT by default for all the protocols in the iptables.

I think I didn't make my question clear. Do I have to "Use firewall rules provided by iRedmail" inorder for the iRedmail and the firewall security to work properly ? What do you suggest ? If using it is better then how can I enable it ?

Thanks for your great support.

6

Re: Firewall

aniyan.rajan6 wrote:

Do I have to "Use firewall rules provided by iRedmail" inorder for the iRedmail and the firewall security to work properly ?

You don't have to use it, that's why it's an optional step and ask your confirm during installation.

aniyan.rajan6 wrote:

What do you suggest ? If using it is better then how can I enable it ?

If you're not familiar with iptables rules, then it may be a good idea to use default one shipped in iRedMail. But if you're familiar with it, and you know what you need and how to achieve them, just use your own.