1 (edited by InformaticaTTU 2014-10-29 02:27:29)

Topic: Block spam IP with fail2ban

==== Required information ====
- iRedMail version: I don't know where I can see that version. I've got iRedAdmin-Pro v1.8.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Linux/BSD distribution name and version: Debian 7
====

Hi, first of all I'm sorry for my English.

My question is about how I can ban sender IPs with fail2ban on error. I've seen that postfix-iredmail.conf has those rules, but no IP is banned...

Status for the jail: postfix-iredmail
|- filter
|  |- File list:    /var/log/mail.log 
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:    
   `- Total banned:    0

"fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.iredmail.conf" shows about 7244 matches, but it is still not working.

What do I have to do to make it work?

EDIT: After 20 minutes, the above command shows 7533 matches, but none are banned :S
Fail2Ban version is 0.8.6


2

Re: Block spam IP with fail2ban

Are fail2ban and iptables services running? Any fail2ban related log in /var/log/syslog?

3 (edited by InformaticaTTU 2014-10-29 21:54:55)

Re: Block spam IP with fail2ban

ZhangHuangbin wrote:

Are fail2ban and iptables services running? Any fail2ban related log in /var/log/syslog?

Thanks for the reply.

Both are running, but I'm searching for patterns and I think that the attacker uses several IP addresses, takes a long time between each IP repeat, and the filter doesn't detect the attack. I'll edit this post with any new info I see.

About fail2ban in syslog: there isn't any info about any ban; it only shows every time I've restarted the service.


----

EDIT: After a little study, this is an example of what I've seen:

06:04:07    
07:18:31    01:14:24
00:52:00
01:06:14    00:14:14
06:09:11    05:02:57
06:30:13    00:21:02
08:04:58    01:34:45
04:07:36
05:35:06    01:27:30
05:43:37    00:08:31
06:11:42    00:28:05
08:57:52    02:46:10
01:36:55
02:16:00    00:39:05
04:47:11    02:31:11

The first column is the attempt time, and the second is the time between attempts.
Can I decrease these attacks with these lines in the postfix-iredmail section of jail.local?

maxretry    = 2
# 24 hours
bantime     = 86400
# 2 hours find
findtime    = 7200

or is it a bad idea?

Thanks!!

4

Re: Block spam IP with fail2ban

You're free to decrease the 'maxretry' number, just be careful, your normal users make mistakes too.

5 (edited by InformaticaTTU 2014-10-30 00:15:48)

Re: Block spam IP with fail2ban

ZhangHuangbin wrote:

You're free to decrease the 'maxretry' number, just be careful, your normal users make mistakes too.

finally I've created a file in action.d called ban-total.conf with this:

[Definition]
# create the jail's chain, hook it into the configured chain for the jail's ports,
# and re-add every IP saved in the blacklist file so bans survive a restart
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done

# drop the offender and remember it in the blacklist file; there is no
# actionunban, so the ban is permanent
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist

[Init]
name = default

protocol = tcp

chain = INPUT

and two files in filter.d:
ban-total.conf

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

ban-temporal.conf

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1

I've changed "postfix.iredmail.conf" to:

failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed

and I've added these lines to jail.local:

[ban-temporal]
enabled     = true
filter      = ban-temporal
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=Postfix-ban-temporal, dest=some@email.com]
maxretry    = 2
bantime     = 86400
logpath     = /var/log/mail.log
findtime    = 7200

[ban-total]
enabled     = true
filter      = ban-total
action      = ban-total[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=Postfix-ban-total, dest=some@email.com]
maxretry    = 2
logpath     = /var/log/mail.log
findtime    = 7200

I expect a normal ban for login errors (for users), a total ban for wrong HELO and dynamic IPs, and a 24h ban for wrong recipient addresses.

It's my first time with fail2ban; I hope that it works. If not, it's not too late to revert all changes.

6 (edited by InformaticaTTU 2014-10-31 00:10:35)

Re: Block spam IP with fail2ban

Still not working... I've changed those rules and maxretry to 1 for test purposes but nothing is banned... I've even seen some IPs that I'm sure would be banned, but still no ban.

I've started to ban manually.

EDIT: I'm going to reinstall fail2ban, because I've done about 8 bad SSH logins to test and nothing happened. Fail2ban must be failing.

7

Re: Block spam IP with fail2ban

You should use the Fail2ban tool "fail2ban-regex" to test your regular expression. Re-installing Fail2ban doesn't help.

8 (edited by InformaticaTTU 2014-10-31 17:02:05)

Re: Block spam IP with fail2ban

ZhangHuangbin wrote:

You should use the Fail2ban tool "fail2ban-regex" to test your regular expression. Re-installing Fail2ban doesn't help.


The problem is that now I'm using the default options but it's still not working. I've reinstalled fail2ban, and it banned 8 IPs and got 513 in the blacklist; I've changed the postfix time and max retry and now it's not working again.

With fail2ban-regex I get a lot of attacker IPs, so the expression is OK, and all of them are even the iRedMail default expressions.

The SSH filters are failing too and I've not changed anything in the SSH filters.
Now I've reinstalled fail2ban again and it just started to work. I've done a test with SSH and I've got the failure in "fail2ban-client status ssh".

Status for the jail: ssh
|- filter
|  |- File list:    /var/log/auth.log 
|  |- Currently failed:    0
|  `- Total failed:    9
`- action
   |- Currently banned:    1
   |  `- IP list:    XX.XX.XXX.XXX 
   `- Total banned:    1

and postfix shows:

Status for the jail: postfix
|- filter
|  |- File list:    /var/log/mail.log 
|  |- Currently failed:    137
|  `- Total failed:    149
`- action
   |- Currently banned:    1
   |  `- IP list:    XX.XXX.XX.XXX 
   `- Total banned:    1

One banned for now, just a minute before start.

I'll add the filters one by one to see what is failing.

EDIT: I'm using the default fail2ban config filter with this:

[postfix]
# fail2ban booleans are true/false
enabled  = true
port     = smtp,ssmtp
maxretry = 2
findtime = 7200
filter   = postfix
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=Postfix, dest=someone@anything.com]
logpath  = /var/log/mail.log

And for now I've got about 319 banned IPs. The Fail2Ban filter is a little different from the iRedMail filter.

9 (edited by InformaticaTTU 2014-10-31 19:02:39)

Re: Block spam IP with fail2ban

Finally I've found the problem; it's too stupid, but I hadn't figured out that that was the problem (I was induced by another person).

The problem was ignoreip; it was used with commas as separators instead of spaces. I've changed this and now it's working fine.

Sorry for being so weary with this problem and thanks for your patience.
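The two things this thread turned on, the failregex/maxretry/findtime accounting asked about in post 3 and set up in post 5, and the ignoreip separator found in post 9, as an added example that is not code from the thread, from fail2ban or from iRedMail: a small Python 3 replay of what one jail does with a log, run over constructed mail.log lines. The regex lines are the ones posted in post 5; everything else is assumed: HOST_RE is a simplified stand-in for fail2ban's <HOST> expansion (IPv4 only), the log excerpt is constructed, and the names FILTERS, LOG_LINES, compile_failregex, parse_ignoreip, ignoreip_is_valid and run_jail are mine.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> in a failregex with its own host pattern; this
# simplified stand-in (an assumption, not fail2ban's exact regex) captures an
# IPv4 address only, which is all the constructed log below contains.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines from post 5, keyed by filter file name
FILTERS = {
    "ban-total": [r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
                  r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1"],
    "ban-temporal": [r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1"],
    "postfix-iredmail": [r"\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed"],
}

# constructed mail.log excerpt (syslog timestamps, no year), in time order
LOG_LINES = """\
Oct 29 06:04:07 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<x@example.net> to=<y@example.org> proto=ESMTP helo=<example.net>
Oct 29 06:11:42 mail postfix/smtpd[2110]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Oct 29 06:12:00 mail postfix/smtpd[2110]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Oct 29 06:30:13 mail postfix/smtpd[2115]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mx.example.net>
Oct 29 07:18:31 mail postfix/smtpd[2130]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<x@example.net> to=<z@example.org> proto=ESMTP helo=<example.net>
Oct 29 18:00:00 mail postfix/smtpd[2400]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.net> to=<c@example.org> proto=ESMTP helo=<mx.example.net>
""".splitlines()


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_ignoreip(value):
    """fail2ban splits ignoreip on whitespace only. With commas as separators
    every token but the last keeps a trailing ',', which is not a valid address
    or network, so the jail's ignore list cannot be parsed."""
    return [ipaddress.ip_network(token, strict=False) for token in value.split()]


def ignoreip_is_valid(value):
    """True if every token of an ignoreip value parses as an address or network."""
    try:
        parse_ignoreip(value)
        return True
    except ValueError:
        return False


def run_jail(lines, patterns, ignoreip="", maxretry=2, findtime=7200):
    """Replay one jail over log lines: a host that matches failregex
    `maxretry` times within `findtime` seconds is banned, unless it is
    covered by ignoreip. Returns the banned hosts in ban order."""
    regexes = compile_failregex(patterns)
    ignored = parse_ignoreip(ignoreip)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps of matches still inside findtime
    banned = []
    for line in lines:
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        for rx in regexes:
            m = rx.search(line)
            if m is None:
                continue
            host = m.group("host")
            if any(ipaddress.ip_address(host) in net for net in ignored):
                break                       # whitelisted: never counted
            recent[host] = [t for t in recent[host] if stamp - t <= window] + [stamp]
            if len(recent[host]) >= maxretry and host not in banned:
                banned.append(host)
            break                           # one failure per line, as fail2ban counts it
    return banned


if __name__ == "__main__":
    print("ban-total, findtime 2h: ", run_jail(LOG_LINES, FILTERS["ban-total"]))
    print("ban-total, findtime 24h:", run_jail(LOG_LINES, FILTERS["ban-total"], findtime=86400))
    print("SASL, LAN whitelisted:  ", run_jail(LOG_LINES, FILTERS["postfix-iredmail"],
                                               ignoreip="127.0.0.1 192.168.0.0/16"))
    print("comma-separated ignoreip parses:", ignoreip_is_valid("127.0.0.1, 192.168.0.0/16"))
```

Run it with python3. The 450 host fails twice but 11.5 hours apart, so with findtime = 7200 it is never banned while the 554 host, whose two rejects are 74 minutes apart, is; raising findtime to a day bans both, which is the trade-off post 4 warns about. The last line shows the post 9 failure: "127.0.0.1," is left as one token and does not parse. This is also why fail2ban-regex kept reporting thousands of matches while nothing was banned: fail2ban-regex exercises only the filter, not the jail's ignoreip handling or its maxretry/findtime accounting, so a broken ignoreip value never shows up there.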