Wiki do Mário

EFA (Email Filter Appliance) + FAIL2BAN

Posted on December 20, 2017 by tech

Spammers trying to authenticate via SASL?

Have you already checked the mail flow on your EFA?
You can do it like this:

sudo tailf /var/log/maillog

Did you notice something odd like this:

Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:53 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure

If so, it is because you are probably under a brute-force attack.

These problems are not always easy to deal with, but we can certainly mitigate them.

The fail2ban program is a great help here: it blocks IPs that exceed x failed login attempts against a wide range of services.
So let's configure fail2ban on our EFA appliance and put these spammers in time-out for a few hours.

Install fail2ban on the EFA appliance:

sudo yum install fail2ban

Copy the jail.conf file to jail.local

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file according to your needs

[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# 43200 = 12h
bantime  = 43200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
#findtime  = 600
# 86400 = 24h
findtime  = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = administrator@mydomain.tld

# Sender email address used solely for some actions
sender = fail2ban

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
#mta = sendmail
mta = mail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

#disabled the action with _MWL as that sends out emails :-/
#action = %(action_mwl)s
action = %(action_)s


#
# Mail servers
#

[postfix]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
action = %(action_mwl)s

[postfix-rbl]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
action = %(action_mwl)s
maxretry = 3

[postfix-sasl]
enabled = true
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

maxretry = 3

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time

[recidive]
#enabled = true
logpath  = /var/log/messages
banaction = %(banaction_allports)s
bantime  = 604800  ; 1 week
findtime = 259200 ; 3 days
maxretry = 3
action = %(action_mwl)s

Edit the file /etc/fail2ban/filter.d/postfix-rbl.conf so that it looks like this (the <HOST> group is mandatory: it is what fail2ban extracts the offending IP from, and the filter will not load without it)

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

Restart fail2ban:

sudo service fail2ban restart

Follow the state in "IPTABLES":

iptables -nvL --line-numbers | more

Follow the state in "messages":

tail -f /var/log/messages | grep fail2ban

Check the mail flow and watch the attack being mitigated in "maillog":

sudo tailf /var/log/maillog

You will certainly have more peace of mind.
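As an added example (not code from this post or from fail2ban), here is the windowed counting that the [postfix-sasl] jail above performs (maxretry = 3, findtime = 86400 from [DEFAULT]), run over a constructed maillog excerpt modelled on the lines at the start of the post. The regex is a simplified stand-in for fail2ban's own postfix-sasl filter, the IPs are documentation addresses, and the year 2017 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's postfix-sasl failregex (an assumption of this
# example, not the filter file fail2ban ships): the <HOST> group is the client IP.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<HOST>[0-9.]+)\]: SASL (?:LOGIN|PLAIN) authentication failed"
)

# Constructed maillog excerpt modelled on the page's lines (documentation IPs).
SAMPLE_MAILLOG = """\
Dec 18 09:00:00 mailscanner postfix/smtpd[17001]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Dec 19 09:00:00 mailscanner postfix/smtpd[17002]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Dec 20 10:00:00 mailscanner postfix/smtpd[17003]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:50 mailscanner postfix/smtpd[18724]: connect from unknown[203.0.113.7]
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:53 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 20 15:10:01 mailscanner postfix/smtpd[18801]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Dec 20 15:10:05 mailscanner postfix/smtpd[18801]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
""".splitlines()


def parse_ts(ts: str, year: int = 2017) -> datetime:
    # syslog timestamps carry no year; assume the year of the page's excerpt
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=3, findtime=86400):
    """Return {ip: ban timestamp} for hosts reaching maxretry failures within a
    findtime-second window: maxretry=3 from [postfix-sasl], findtime=86400 from
    [DEFAULT] in the jail.local above."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    bans = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["HOST"] in bans:  # non-failure line, or host already banned
            continue
        ip, t = m["HOST"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:  # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = t
    return bans
```

The host whose three failures are spread over more than 24 hours is not banned by the [postfix-sasl] jail, but would be with the 3-day findtime of [recidive]. On the appliance itself, fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf checks the real filter against the real log before you restart the service.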

Sample file copied from jail.local
