Blocking IPs on MailCleaner with fail2ban

By | 2018-11-27

MailCleaner Brute Force Prevention

If you are running a MailCleaner Anti Spam Gateway in your organization, then chances are good that at least once someone has tried to brute force a SASL login to your server. Below we will configure Fail2ban to prevent SASL brute force attacks by blocking the offending IP address after a set number of invalid login attempts. For the purpose of this article, we will be using MailCleaner 2018.02 based on Debian 8, although this method also works on MailCleaner 2017.08. First you will need to install the Fail2ban software and create your base configuration as shown below.

# install fail2ban
apt-get install fail2ban
# create base config files
touch /etc/fail2ban/jail.d/mc-default.local
touch /etc/fail2ban/jail.d/mc-exim.local
touch /etc/fail2ban/filter.d/mc-exim-filter.local
touch /etc/fail2ban/action.d/mc-exim-action.local
touch /etc/fail2ban/ip.blocklist.sasl

Next, you will need to edit your newly created files to reflect the configuration below. Note that we will not be editing Fail2ban's default configuration. Our mc-default.local below will override the default configuration settings. All other configuration files will be used to build our mc-exim filter. For specific documentation on each setting, please open and review /etc/fail2ban/jail.conf.

mc-default.local

vi /etc/fail2ban/jail.d/mc-default.local

[DEFAULT]
ignoreip = 127.0.0.1/8
destemail = [email protected]
sendername = MailCleaner Admin
action = %(action_mw)s

Note: In the mc-default.local above we are setting the action to enable email notification of banned IPs. If you would prefer not to receive emails on ban actions, then please remove the action statement above. Also note that after setting this action, you will receive an email every time the fail2ban service is started or stopped. To disable this behavior please refer to: Disable Fail2ban Service Emails.

mc-exim.local

vi /etc/fail2ban/jail.d/mc-exim.local

[mc-exim]
enabled = true
maxretry = 1
findtime = 3600
bantime = 7890000
port = all
filter = mc-exim-filter
banaction = mc-exim-action
logpath = /var/mailcleaner/log/exim_stage1/mainlog

mc-exim-filter.local

vi /etc/fail2ban/filter.d/mc-exim-filter.local

# Fail2Ban filter for exim the spam rejection messages
#
## For the SA: Action: silently tossed message… to be logged exim’s SAdevnull option needs to be used.
 
[INCLUDES]
 
# Read common prefixes. If any customizations available — read them from
# exim-common.local
# before = exim-common.conf
 
[Definition]
 
failregex =  \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =

mc-exim-action.local

vi /etc/fail2ban/action.d/mc-exim-action.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Matthew Marable for MailCleaner SASL Permanent Ban
#
[INCLUDES]
 
before = iptables-blocktype.conf
 
[Definition]
 
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -j fail2ban-<name>
              cat /etc/fail2ban/ip.blocklist.sasl | awk '/^fail2ban-<name>/ {print $2}' | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
              
actionstop = iptables -D <chain> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
            
actioncheck =
 
# grep -w matches the whole address, so 10.0.0.1 is not mistaken for an existing 10.0.0.10 entry
actionban = if ! grep -Fqw <ip> /etc/fail2ban/ip.blocklist.sasl; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; echo "fail2ban-<name> <ip>" >> /etc/fail2ban/ip.blocklist.sasl; fi
            
actionunban =
 
[Init]
 
name = sasl
port = any
protocol = all
chain = INPUT

Once your configuration files are modified as required, simply restart the fail2ban service and take a look at the log at /var/log/fail2ban.log to ensure your newly created configuration is working. Assuming everything is in place and your fail2ban configuration is working, the last thing we need to do is edit the fail2ban startup script located at /etc/init.d/fail2ban as seen below.
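To see what the jail above actually does with the log, here is an added Python example (not from the article and not MailCleaner or fail2ban code) that applies the failregex from mc-exim-filter.local to constructed Exim mainlog lines, applies the maxretry/findtime rule from mc-exim.local, and checks an address against the "fail2ban-<name> <ip>" blocklist format written by mc-exim-action.local. The sample log lines, the simplified <HOST> group and the TEST-NET addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from mc-exim-filter.local; fail2ban expands <HOST> to a named
# group, approximated here (assumption) with a simple IP/hostname character class.
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_GROUP = r"(?P<host>[\w.:-]+)"
# Exim mainlog lines start with "YYYY-MM-DD HH:MM:SS ".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample of /var/mailcleaner/log/exim_stage1/mainlog (TEST-NET addresses).
SAMPLE_LOG = """\
2018-11-27 02:31:04 plain authenticator failed for (x) [203.0.113.7]: 535 Incorrect authentication data (set_id=postmaster)
2018-11-27 02:31:09 plain authenticator failed for (x) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2018-11-27 02:40:00 1gRf0a-0001xy-2Z <= alice@example.com H=mail.example.com [198.51.100.5] P=esmtps S=2048
2018-11-27 03:05:22 login authenticator failed for (x) [198.51.100.23]: 535 Incorrect authentication data (set_id=info)
""".splitlines()

def compile_failregex(pattern=FAILREGEX):
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def parse_failures(lines):
    """Return (timestamp, host) for every line the failregex matches."""
    regex = compile_failregex()
    hits = []
    for line in lines:
        m = regex.search(line)
        ts = TS_RE.match(line)
        if m and ts:  # lines without a parsable timestamp are ignored
            hits.append((datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")))
    return hits

def hosts_to_ban(lines, maxretry=1, findtime=3600):
    """Mimic the jail: ban a host once it has maxretry matches within findtime
    seconds. mc-exim.local uses maxretry = 1, so a single 535 is enough."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for when, host in parse_failures(lines):
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def already_listed(blocklist_text, ip, name="sasl"):
    """Exact-line check of the 'fail2ban-<name> <ip>' blocklist format used by
    actionban; a bare substring test would see 10.0.0.1 inside 10.0.0.10."""
    entries = {line.strip() for line in blocklist_text.splitlines()}
    return f"fail2ban-{name} {ip}" in entries
```

Running hosts_to_ban(SAMPLE_LOG) with the page's maxretry = 1 bans both 203.0.113.7 and 198.51.100.23; with maxretry = 2 only 203.0.113.7, which failed twice inside the findtime window.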

fail2ban

vi /etc/init.d/fail2ban

#! /bin/sh
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: mailcleaner $local_fs $remote_fs
# Required-Stop: mailcleaner $local_fs $remote_fs
# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
# Should-Stop: $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/stop fail2ban
# Description: Start/stop fail2ban, a daemon scanning the log files and
# banning potential attackers.
### END INIT INFO
MailCleaner Fail2Ban Configuration

Note: the ban list is kept in /etc/fail2ban/ip.blocklist.sasl. If an address was banned by mistake, remove it there, or unban a specific IP manually with fail2ban-client set mc-exim unbanip 123.123.123.123.

Problem: MailCleaner restarts at night when it updates its virus definitions and patches, and after the restart fail2ban stops working.
Fix: 32 2 * * * /etc/init.d/fail2ban restart
Add the line above to the crontab so that fail2ban is restarted at 02:32 every night.

Basic checks:

1) After changing the configuration or the regex, load the new rules with the following command [also usable when fail2ban is not working]

     # fail2ban-client reload

2) Banned IP addresses are stored in /etc/fail2ban/ip.blocklist.sasl [reload after unbanning manually]

3) Check that iptables is working with iptables -L -v -n; banned IP addresses appear as DROP entries in the list

4) For troubleshooting, watch /var/log/fail2ban.log

5) Check that the regular expression is correct (the filter is mc-exim-filter.local)

fail2ban-regex /var/mailcleaner/log/exim_stage1/mainlog /etc/fail2ban/filter.d/mc-exim-filter.local
