EFA (Email Filter Appliance) + FAIL2BAN

Posted on by tech

Spammers a tentarem se autenticar via SASL?

Já verificou o fluxo de correio no seu EFA?
Pode o fazer da seguinte forma:

sudo tailf /var/log/maillog

Reparou em algo estranho do género:

Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:53 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure

É porque provavelmente esta a receber um ataque “Brute Force”.

Nem sempre é fácil lidar com estes problemas mas certamente que os podemos mitigar.

O programa fail2ban dá uma grande ajuda neste campo, bloqueando IPs com mais de x tentativas de logins nos mais diversos serviços.
Vamos então configurar o fail2ban na nossa Apliance EFA e colocar estes spammers de castigo durante umas horas.

Instale o fail2ban na apliance EFA:

sudo yum install fail2ban

Copie o ficheiro jail.conf para o jail.local

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edite o ficheiro jail.local de acordo com as suas necessidades

[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. ,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command 
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# 86400 = 24h
bantime  = 43200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
#findtime  = 600
# 43200 = 12h
findtime  = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = administrator@mydomain.tld

# Sender email address used solely for some actions
sender = fail2ban

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
#mta = sendmail
mta = mail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

#disabled the action with _MWL as that sends out emails :-/
#action = %(action_mwl)s
action = %(action_)s


#
# Mail servers
#

[postfix]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
action = %(action_mwl)s

[postfix-rbl]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
action = %(action_mwl)s
maxretry = 3

[postfix-sasl]
enabled = true
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

maxretry = 3

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time

[recidive]
#enabled = true
logpath  = /var/log/messages
banaction = %(banaction_allports)s
bantime  = 604800  ; 1 week
findtime = 259200 ; 3 days
maxretry = 3
action = %(action_mwl)s

Edite o ficheiro /etc/fail2ban/filter.d/postfix-rbl.conf para ficar como este

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

Reinicie o fail2ban:

sudo service fail2ban restart

acompanhe o estado no “IPTABLES”:

iptables -nvL --line-numbers | more

acompanhe o estado no “messages”:

tail -f /var/log/messages | grep fail2ban

Confira o fluxo de email e veja o ataque a ser mitigado em “maillog”:

sudo tailf /var/log/maillog

Terá sertamente mais páz de espirito

Ficheiro de exemplo copiado de jail.local

Deixe uma resposta

O seu endereço de email não será publicado.