20 November 2022 Roberto Puzzanghera 0 comments
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious behaviour: too many password failures, probing for exploits, and so on. Generally Fail2Ban is then used to update firewall rules so that those IP addresses are rejected for a configurable amount of time, although any other action (such as sending a notification e-mail) can also be configured. Among other things, Fail2Ban ships with filters for several services such as apache, courier, ssh, etc.
I'll briefly show how to install and configure fail2ban to reject connections from suspicious IPs, especially those concerning the qmail-dnsrbl patch. This avoids getting ourselves banned by spamhaus, which is free only up to 100,000 queries per day.
fail2ban requires an active firewall such as nftables or iptables.
Moved to nftables, as it has now replaced iptables and fail2ban has support for it. Just replace "iptables" with "nftables" in your jails.

fail2ban upgraded to v. 1.0.2:

```sh
cd /usr/local/src
wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/1.0.2 --output-document=fail2ban-1.0.2.tar.gz
# gzip tarball: extract with -z (the file name must match the one just downloaded)
tar xzf fail2ban-1.0.2.tar.gz
cd fail2ban-1.0.2
chown -R root.root .
./setup.py install
```
To start the server you can use a script found in the files/ folder of the source directory, where you'll find one suited to your linux distribution. I use this one (download here), which I no longer remember where I found:

```sh
#!/bin/sh
#
# Copyright (c) 2008-2013, Nishant Limbachia, Hoffman Estates, IL, USA
#
# /usr/local/bin/rc.fail2ban
#
# start|stop|restart|reload|status|ping fail2ban server
#
# To start fail2ban automatically at boot, make this file executable:
# chmod 755 /usr/local/bin/fail2banctl
# you must also add this to rc.local for fail2ban to start during boot.
# default socket file is /var/run/fail2ban/fail2ban.sock which can be
# changed via the config file: /etc/fail2ban/fail2ban.conf

fail2ban_start() {
  if [ -x /usr/local/bin/fail2banctl ]; then
    echo "Starting fail2ban: "
    ### using -x option to remove any stale socket file.
    /usr/bin/fail2ban-client -x start
  fi
}

fail2ban_stop() {
  echo "Stopping fail2ban"
  /usr/bin/fail2ban-client stop
}

fail2ban_reload() {
  echo "Reloading fail2ban"
  /usr/bin/fail2ban-client reload
}

fail2ban_status() {
  echo "Status: fail2ban"
  /usr/bin/fail2ban-client status
}

fail2ban_ping() {
  echo "Pinging fail2ban"
  /usr/bin/fail2ban-client ping
}

case "$1" in
  'start')
    fail2ban_start
    ;;
  'stop')
    fail2ban_stop
    ;;
  'restart')
    fail2ban_stop
    sleep 5
    fail2ban_start
    ;;
  'reload')
    fail2ban_reload
    ;;
  'status')
    fail2ban_status
    ;;
  'ping')
    fail2ban_ping
    ;;
  *)
    echo "USAGE: $0 start|stop|restart|reload|status|ping"
    exit 1
    ;;
esac
```
Copy this script to /usr/local/bin/, or wherever is more appropriate for your distribution, run it, and remember to run it at boot as well:

```sh
cd /usr/local/bin
wget https://notes.sagredo.eu/files/qmail/fail2banctl
chmod +x fail2banctl
fail2banctl start
```
Copy the logrotate script from the installation folder mentioned above as follows:

```sh
cd /etc/logrotate.d
cp /usr/local/src/fail2ban-x.x.x/files/fail2ban-logrotate fail2ban
```
To understand the terminology and how fail2ban really works, reading at least the official manual, which is concise and easy to read, is recommended.

It is a good rule never to modify the /etc/fail2ban/*.conf files, but to edit a custom file with the .local extension, which the server reads after each .conf file so that the modified lines override the defaults.
```sh
cd /etc/fail2ban
cp jail.conf jail.local
```
Enable the jails you want. This is what I have in my jail.local, as far as the qmail/dovecot part is concerned:

```ini
[qmail-smtp]
enabled  = true
filter   = qmail-smtp
action   = nftables[type=multiport, name=SMTP, port="25,465,587"]
           sendmail-whois-lines[name=SMTP, logpath="%(logpath)s"]
logpath  = /var/log/qmail/smtpd/current
maxretry = 5
bantime  = 1d
findtime = 1h

[qmail-submission]
enabled  = true
filter   = qmail-smtp
action   = nftables[type=multiport, name=SUBMISSION, port="25,465,587"]
           sendmail-whois-lines[name=SUBMISSION, logpath="%(logpath)s"]
logpath  = /var/log/qmail/submission/current
maxretry = 5
bantime  = 1d
findtime = 1h

[vpopmail]
enabled  = true
filter   = vpopmail
action   = nftables[type=multiport, name=VPOPMAIL, port="25,465,587"]
           sendmail-whois-lines[name=VPOPMAIL, logpath="%(logpath)s"]
# check your syslog mail related log (mail.log in some systems)
logpath  = /var/log/maillog
maxretry = 5
bantime  = 1d
findtime = 1h

[qmailadmin]
enabled  = true
filter   = qmailadmin
action   = nftables[type=multiport, name=QMA, port="80,443"]
           sendmail-whois-lines[name=QMA, logpath="%(logpath)s"]
logpath  = /var/log/qma-auth.log
maxretry = 4
bantime  = 1d
findtime = 1h

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
action   = nftables[type=multiport, name=RC, port="80,443"]
           sendmail-whois-lines[name=RC, logpath="%(logpath)s"]
logpath  = /var/www/roundcube/logs/userlogins.log
maxretry = 4
bantime  = 1d
findtime = 1h

[dovecot-pop3]
enabled  = true
filter   = dovecot
action   = nftables[type=multiport, name=POP3, port="993,995"]
           sendmail-whois-lines[name=POP3, logpath="%(logpath)s"]
logpath  = /var/log/dovecot/dovecot.log
maxretry = 6
bantime  = 1h
findtime = 1h

[dovecot-imap]
enabled  = true
filter   = dovecot
action   = nftables[type=multiport, name=IMAP, port="993,995"]
           sendmail-whois-lines[name=IMAP, logpath="%(logpath)s"]
logpath  = /var/log/dovecot/dovecot.log
maxretry = 6
bantime  = 1h
findtime = 1h
```
As you can see, there are three jails, so fail2ban will read the files qmail-smtp.conf, vpopmail.conf and dovecot.conf under the filter.d directory. I'll show the content of these files further down this page.
The qmail-smtp jail is tied to the filter of the same name, "qmail-smtp", which catches the "qlogenvelope" lines, which basically record every kind of rejection. The filter must be declared in the file filter.d/qmail-smtp.conf.
Likewise, the vpopmail jail will reject clients that try to guess users' passwords on port 587, while the dovecot jail does the same for imap/pop3.
Remember to add your server's IP and any other trusted IP in the DEFAULT section, to avoid banning yourself, especially in case some attacker spoofed our own IP:

```ini
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 10.0.0.1/8 91.121.144.116
```
This is the content of the filter files (filter.d/qmail-smtp.conf, filter.d/vpopmail.conf and filter.d/qmailadmin.conf, in this order):
```ini
# Fail2Ban filters for qmail-smtp patched for qmail-dnsbl (http://qmail-dnsbl.sourceforge.net),
# chkuser (http://opensource.interazioni.it/qmail/chkuser.html) and greetdelay
#
# Here is an example of log lines that this filter is going to hit:
#
# @40000000545076ad1de678ec GREETDELAY from 77.65.15.93: client sent data before greeting
# qmail-smtpd: read failed: (null) from 95.141.38.94 to (null) helo host220-227-149-62.serverdedicati.aruba.it
# @4000000055154dc40e884894 qmail-smtpd: timeout: (null) from 95.141.38.94 to (null) helo host220-227-149-62.serverdedicati.aruba.it
#
# All lines concerning chkuser, qmail-dnsbl and others like these are now caught by the qlogenvelope line (I'll keep the old filter commented)
#
# @4000000059f5194706e649ec CHKUSER accepted sender: from <sender@remotedomain.xy|remoteinfo/auth:|chkuser-identify:> remote <helo:free-112-191.mediaworksit.net|remotehostname:unknown|remotehostip:95.140.112.191> rcpt <> : sender accepted
# @4000000059f519470be7b0fc CHKUSER accepted rcpt: from <sender@remotedomain.xy|remoteinfo/auth:|chkuser-identify:> remote <helo:free-112-191.mediaworksit.net|remotehostname:unknown|remotehostip:95.140.112.191> rcpt <localuser@localdomain.xy> : found existing recipient
# @4000000059f519470be860c4 qmail-smtpd[20003]: rcptcheck: checking <localuser@localdomain.xy> at 95.140.112.191
# @4000000059f519470c084ca4 qmail-smtpd[20003]: rcptcheck: ignore address <localuser@localdomain.xy> at 95.140.112.191
# @4000000059f5195c1f6d7e7c qmail-smtpd[20003]: rbl: ip=95.140.112.191 query=191.112.140.95.zen.spamhaus.org result=ignore message=''
# @4000000059f5195c211f1294 qmail-smtpd[20003]: rbl: ip=95.140.112.191 query=191.112.140.95.b.barracudacentral.org result=reject message='Client host blocked using Barracuda Reputation, see http://www.barracudanetworks.com/reputation/?r=1&ip=95.140.112.191'
# @4000000059f5195c211f2234 qlogenvelope: result=rejected code=553 reason=rblreject detail=b.barracudacentral.org helo=free-112-191.mediaworksit.net mailfrom=sender@remotedomain.xy rcptto=localuser@localdomain.xy relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=95.140.112.191 remoteport=15630 remotehost= qp= pid=20003
# @4000000059f5195c28b8b49c qmail-smtpd: read failed: sender@remotedomain.xy from 95.140.112.191 to localuser@localdomain.xy helo free-112-191.mediaworksit.net
# 2022-02-18 16:23:03.719762500 helo-dns-check: blocked with: HELO doesn't match IP [91.121.144.116]
#
# Be aware that the following regex match only my patched chkuser at https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html
# If you are using a standard version of chkuser you can refer to this page for the correct filter: http://wiki.qmailtoaster.com/index.php/Fail2Ban

[Definition]

failregex = qlogenvelope: result=rejected .* remoteip=<HOST>
            helo-dns-check: blocked with: .* \[<HOST>\]
            GREETDELAY from <HOST>: client sent data before greeting
            qmail-smtpd: reject \(auth not available\): \(null\) from <HOST>

ignoreregex =

# DEV Notes:
#
# Author: Roberto Puzzanghera
```
```ini
[Definition]

# Jul 10 12:05:53 qmail vpopmail[3076]: vchkpw-submission: vpopmail user not found helpdesk@yourdomain.xy:191.233.70.140
# Jul 22 17:31:46 qmail vpopmail[6383]: vchkpw-submission: password fail (pass: 'dasdas') postmaster@yourdomain.xy:1.2.3.4

failregex = vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-submission: password fail .*:<HOST>$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
ignoreregex =

# DEV Notes:
#
# Author: Roberto Puzzanghera
```
```ini
# bans qmailadmin login attempts looking for lines like this
# 2015/05/27 15:45:58 user:postmaster@domain.xy ip:1.2.3.4 auth:failed [@domain.xy]
# qmailadmin must be patched with http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/qmailadmin/qmailadmin-1.2.16-log.patch
# (thanks to Tony)

[INCLUDES]
before = common.conf

[Definition]

failregex = ip:<HOST> auth:failed

ignoreregex =
```
The roundcube-auth.conf filter already exists, so we override it:

```ini
# Fail2Ban configuration file for roundcube webmail
#
# Author: Roberto Puzzanghera
# 15/07/2022
#
# Log line to match (the 1st one in case of rc behind a firewall)
# [12-Jul-2022 08:56:39 +0200]: <3lq5onb8> Failed login for postmaster from 10.0.0.2 (X-Forwarded-For: 2.42.23.100) in session 3lq5onb87b7oqnc7 (error: 1)
# [01-Sep-2014 00:07:11 +0200]: IMAP Error: Login failed for sisgri@iol.it from 151.55.133.38. AUTHENTICATE PLAIN: Authentication failed. in /usr/local/www/htdocs/roundcubemail-1.0.2/progr>

[INCLUDES]
before = common.conf

[Definition]

# .*? stands for the user name that sits between "for" and "from" in the log line
failregex = Failed login for .*? from 10.0.0.2 \(X-Forwarded-For: <HOST>\)
            IMAP Error: (FAILED login|Login failed) for .*? from <HOST>\.

ignoreregex =
```
The dovecot.conf filter already exists, so we override it:

```ini
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
# Jul 22 23:33:29 auth-worker(27283): Info: sql(user@yourdomain.xy:1.2.3.4): Password mismatch
# Jul 22 23:33:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@yourdomain.xy>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, session=<k2t5+c7+5AAKAAAC>
# Jul 22 23:34:04 auth-worker(27283): Info: sql(adminww@yourdomain.xy:1.2.3.4): unknown user
# Jul 22 23:34:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<adminww@yourdomain.xy>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, session=<ONqY+87+7gAKAAAC>

[Definition]

# [,:] accepts both the comma Dovecot puts between user and IP in "sql(user,ip)"
# and the colon of the sample lines above
failregex = \(\S*[,:]<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)

ignoreregex =

# DEV Notes:
#
# Author: Roberto Puzzanghera
```
Finally, you'll want to override the file /etc/fail2ban/action.d/sendmail-common.conf to set the destination e-mail address where the alerts are sent:

```ini
# Fail2Ban configuration file
#
# Common settings for sendmail actions

[Init]

# Recipient mail address
#
dest = postmaster@yourdomain.xy

# Sender mail address
#
sender = fail2ban@yourdomain.xy
```
Go to the action.d folder and change the actions according to your needs, after first copying the original file to a .local file. I changed the following option to block all protocols instead of tcp only:

```ini
protocol = tcp,udp,udplite,sctp
```
Put in this file your own e-mail address, where you want to receive fail2ban's reports.
Whenever a jail is modified, the jails must be reloaded like this:

```sh
fail2banctl reload
```

or

```sh
fail2ban-client reload
```

This is how to get the list of the active jails:

```
# fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:   vpopmail, qmail-smtp, dovecot
```
Before enabling a jail it is good practice to test the correctness of the filter you created against a suitable log file, like this:

```
# fail2ban-regex /var/log/qmail/smtpd/current /etc/fail2ban/filter.d/qmail-smtp.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/qmail-smtp.conf
Use         log file : /var/log/qmail/smtpd/@40000000532f677b088a7854.s

Results
=======

Failregex: 65 total
|-  #) [# of hits] regular expression
|   1) [58] qmail-smtpd: message rejected \(qmail-dnsbl\) .* from
|   2) [3] CHKUSER rejected rcpt: from <.*> remote <.*remotehostip:> .* : not existing recipient$
|   3) [4] CHKUSER rejected relaying: from <.*> remote <.*remotehostip:> .* : client not allowed to relay$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1596] TAI64N
`-

Lines: 1596 lines, 0 ignored, 65 matched, 1531 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 1531 lines
```
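As an added example (not the page's or fail2ban's own code), the following Python reproduces offline what fail2ban-regex does for the qmail-smtp filter above and then applies the jail's maxretry/findtime decision. The <HOST> group is a simplified version of fail2ban's, the TAI64N decoding mirrors multilog's timestamp format, and the log lines are constructed.

```python
import re

# fail2ban's <HOST> replacement, simplified to IPv4 addresses/hostnames
# (assumption: the real one also handles IPv6 and the ::ffff: prefix).
HOST = r"(?P<host>[\w\-.^_]*\w)"
# The failregex lines of filter.d/qmail-smtp.conf shown on this page.
QMAIL_SMTP_FAILREGEX = [
    r"qlogenvelope: result=rejected .* remoteip=<HOST>",
    r"helo-dns-check: blocked with: .* \[<HOST>\]",
    r"GREETDELAY from <HOST>: client sent data before greeting",
    r"qmail-smtpd: reject \(auth not available\): \(null\) from <HOST>",
]

def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
def tai64n_to_unix(label):
    """Decode a multilog TAI64N label ('@' + 16 hex seconds + 8 hex ns); the 10 s TAI offset is ignored."""
    return int(label[1:17], 16) - (1 << 62)
def tai64n(secs):
    return "@%016x00000000" % (secs + (1 << 62))  # inverse of the above, for the sample log
def failed_attempts(lines, compiled):
    """Yield (unix_seconds, host) for every line that one of the failregex hits."""
    for line in lines:
        label, _, rest = line.partition(" ")
        for rx in compiled:
            m = rx.search(rest)
            if m:
                yield tai64n_to_unix(label), m.group("host")
                break

def hosts_to_ban(lines, compiled, maxretry=5, findtime=3600):
    """Jail logic: ban a host once maxretry hits fall inside one findtime window."""
    recent, banned = {}, set()
    for t, host in sorted(failed_attempts(lines, compiled)):
        recent[host] = [x for x in recent.get(host, []) if t - x <= findtime] + [t]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample of /var/log/qmail/smtpd/current (TEST-NET addresses): 203.0.113.7 is
# rejected 6 times within 25 minutes, 203.0.113.44 5 times but 25 minutes apart (no ban).
T0 = 1509235036
SAMPLE_LOG = (
    [tai64n(T0 + 300 * i) + " qlogenvelope: result=rejected code=553 reason=rblreject"
     " detail=zen.spamhaus.org remoteip=203.0.113.7 remoteport=4000" for i in range(6)]
    + [tai64n(T0 + 1500 * i) + " qlogenvelope: result=rejected code=451 reason=chkuser"
       " remoteip=203.0.113.44 remoteport=4100" for i in range(5)]
    + [tai64n(T0 + 10) + " GREETDELAY from 198.51.100.9: client sent data before greeting"]
)
```

Calling hosts_to_ban(SAMPLE_LOG, compile_failregex(QMAIL_SMTP_FAILREGEX)) with the jail's defaults bans only 203.0.113.7; widening findtime to 2 hours would also ban 203.0.113.44.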
fail2ban with a network bridge

If the services are on a local network behind a network bridge, the nftables rules must be written in the FORWARD chain instead of the INPUT chain, as fail2ban normally does.

So edit your action.d/nftables.local file as follows:

```ini
# Option: chain_hook
# Notes.: refers to the kind of chain to be created
# Values: [ prerouting | input | forward | output | postrouting ] Default: input
#
chain_hook = forward # was input
```