fail2ban

Čemu služi : Fail2ban skanira log fajlove kao što su /var/log/auth.log ili /var/log/apache/error_log i zabranjuje IP adrese koje načine previše neuspešnih pokušaja logovanja. On dodaje firewall pravila u cilju odbijanja datih IP adresa. Ova pravila može definisati i sam korisnik. Fail2ban može da čita više log fajlova, kao na primer : sshd ili Apache web server. Za start je potrebno : python, gamin i jedno od : iptables, shorewall ili tcpwrapper.

E sad ja imam mail server sa webmail pristupom, što znači da bi kod mene trebalo da prati Apache, RoundCube, SquirrelMail i Sendmail logove ( u cilju sprečavanja “brute force SMTP authentication attacks”).

Struktura fail2ban fajlova :
/etc/fail2ban/
├── action.d
│ ├── dummy.conf
│ ├── hostsdeny.conf
│ ├── iptables.conf
│ ├── mail-whois.conf
│ ├── mail.conf
│ └── shorewall.conf
├── fail2ban.conf
├── fail2ban.local local je uvek jači od conf definicija!
├── filter.d
│ ├── apache-auth.conf
│ ├── apache-noscript.conf
│ ├── couriersmtp.conf
│ ├── postfix.conf
│ ├── proftpd.conf
│ ├── qmail.conf
│ ├── sasl.conf
│ ├── sshd.conf
│ └── vsftpd.conf
├── jail.conf
└── jail.local local je uvek jači od conf definicija!

Dva *.local fajla ne postoje u startu, njih mi sami pravimo, prema onome što nam treba. Njihov sadržaj je uvek “jači” od onog u *.conf fajlovima. Naravno *.local fajlove ne morate koristiti, sve se može staviti u *.conf fajlove.
Svaki “jail” koji se definiše u jail.conf/local fajlu mora imati definisan istoimeni filter u folderu /etc/fail2ban/filter.d. Za primer Sendmail-a to izgleda ovako :
Fajl /etc/fail2ban/jail.conf (ja nisam postavila jail.local) :
[sendmail]
enabled = true
filter = sendmail
action = iptables-multiport[name=sendmail, port=”pop3,imap,smtp,pop3s,imaps,smtps”, protocol=tcp]
sendmail-whois[name=Sendmail, dest=admin-postmaster, sender=fail2ban]
logpath = /var/log/maillog
maxretry = 3
Fajl /etc/fail2ban/filter.d/sendmail.conf :
[Definition]
failregex = \[\] .*to MTA
\[\], reject.*\.\.\. Relaying denied
(User unknown)\n* \[\]
badlogin: .* \[\] plaintext .* SASL
ignoreregex =

Pokretanje : # service fail2ban start
Provera stanja :
# service fail2ban status
Fail2ban (pid 8929) is running…
Status
|- Number of jail: 2
`- Jail list: sendmail, ssh-iptables

Napomena :
Ne stavljati u dva različita jail-a iste portove, može da generiše vrlo čudne greške vezane za iptables.
Testiranje za SSH konekciju :
Probati sa neke IP adrese falš SSH logovanje više puta od onog koje je navedeno kao maksimalno dozvoljeno. Trebalo bi da je onda sa te IP adrese SSH pristup zabranjem zadati broj sekundi (po default-u 600sec).
Testiranje za SMTP konekciju :
Sa bilo kog drugog računara uraditi :
#telnet IP-adresa-servera 25
Trying IP-adresa-servera…
Connected to IP-adresa-servera.
Escape character is ‘^]’.
220 mail-2008 ESMTP Sendmail 8.13.1/8.13.1; Thu, 20 Dec 2012 14:21:21 +0100
^]
telnet> quit
Connection closed.
Time se na serveru gde je fail2ban, u /var/log/maillog generiše sledeća poruka :
Dec 20 14:21:57 mail-2008 sendmail[21216]: qBKDLLA0078216: mail.kamcatka.net.34.32.10.in-addr.arpa [10.10.10.12] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Ako se to uradi broj puta koji je specificiran, u /var/log/fail2ban.log :
2012-12-20 14:07:26,921 fail2ban.actions: WARNING [sendmail] Ban 10.10.10.12
I zabranjuje se pristup serveru po portu 25, na 600 sekundi (ako default vreme nije menjano).
Posle isteka tog vremena :
2012-12-20 14:25:12,477 fail2ban.actions: WARNING [sendmail] Unban 10.10.10.12
Generalno testiranje
Kako se testiraju pojedinačni filteri :
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail.conf
Use regex file : /etc/fail2ban/filter.d/sendmail.conf
Use log file : /var/log/maillog.2
Results
=======
Failregex
|- Regular expressions:
| [1] \[\] .*to MTA
| [2] \[\], reject.*\.\.\. Relaying denied
| [3] (User unknown)\n* \[\]
| [4] badlogin: .* \[\] plaintext .* SASL
|
`- Number of matches:
[1] 400 match(es)
[2] 118 match(es)
[3] 0 match(es)
[4] 0 match(es)

Ignoreregex
|- Regular expressions:
`- Number of matches:

Summary
=======
Addresses found:
[1]
14.222.40.55 (Tue Dec 18 10:51:01 2012)
…..
[2]
95.27.143.193 (Mon Dec 17 19:36:37 2012)
…..
[3]
[4]

Date template hits:
49050 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s):

Success, the total number of match is 518
However, look at the above section ‘Running tests’ which could contain important
information.