A combination of reading this thread and staring at a fail2ban RPM floating around in my development environment brought this on.
It is really only a matter of time before we roll fail2ban into ClearOS Enterprise, and now seems as good a time as any to start tuning it for ClearOS. Snort can't be used to catch all of the login shenanigans going on, so implementing fail2ban is a good extra layer of defense. I have built a fail2ban package for hacking around, but there are two things missing:
- A well tested configuration for ClearOS (my first cut is below)
- A way to re-insert the blocked sites when the firewall is restarted (or the system is rebooted)
Suggestions are welcome! I'll certainly push whatever RPM comes out of this to the version 6 build system. I can also add it to the version 5.x repositories too.
# SSH
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root]
logpath = /var/log/secure
maxretry = 5

# ProFTP
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=root]
logpath = /var/log/messages
maxretry = 6

# Mail SASL
[sasl-iptables]
enabled = true
filter = sasl
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=root]
logpath = /var/log/maillog
Responses (32)
-
Accepted Answer
Nick Howitt wrote:
RFC's say that any sending MTA must have a valid PTR record **but** there is no requirement for the PTR record to resolve back to the sending IP. In this case there is a PTR record pointing to loj2.1915.life, but there is no DNS record for loj2.1915.life. It looks like postfix is correctly rejecting the mail. Enabling the jail should pick up the bad messages. Setting maxretry is just a bit more aggressive, but will probably be OK. There is a risk, however. 5xx failure codes are temporary DNS failure codes and there are some of them in the filter. There is a risk you could block valid e-mails which fail because of a temporary DNS issue.
Hi Nick,
Thanks for your reply.
Good to hear that Postfix is correctly rejecting this kind of mail.
I've tried this setup and see fail2ban is picking up the config:
FAIL2BAN.LOG
2022-06-04 17:44:06,499 fail2ban.filter [10881]: INFO [postfix] Found 195.42.247.184 - 2022-06-04 17:44:06
MAIL.LOG
NOQUEUE: reject: RCPT from unknown[195.42.247.184]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [195.42.247.184]; from=<mail@willy-wong.com> to=<xxxx@mydomain.nl> proto=ESMTP helo=<mail.elektrograph.de>
I'll try this for the next few days and check the log frequently. -
Accepted Answer
RFC's say that any sending MTA must have a valid PTR record **but** there is no requirement for the PTR record to resolve back to the sending IP. In this case there is a PTR record pointing to loj2.1915.life, but there is no DNS record for loj2.1915.life. It looks like postfix is correctly rejecting the mail. Enabling the jail should pick up the bad messages. Setting maxretry is just a bit more aggressive, but will probably be OK. There is a risk, however. 5xx failure codes are temporary DNS failure codes and there are some of them in the filter. There is a risk you could block valid e-mails which fail because of a temporary DNS issue. -
Accepted Answer
Hi
I know this is an old thread, but I think my question is related to the content.
From time to time I see a lot of these messages in my mail.log:
May 29 18:10:36 pdebrabander postfix/smtpd[49607]: warning: hostname loj2.1915.life does not resolve to address 185.176.220.124
May 29 18:10:36 pdebrabander postfix/smtpd[49607]: connect from unknown[185.176.220.124]
May 29 18:10:36 pdebrabander postfix/smtpd[49607]: NOQUEUE: reject: RCPT from unknown[185.176.220.124]: 450 4.1.8 <return@loj2.1915.life>: Sender address rejected: Domain not found; from=<return@loj2.1915.life> to=<patrick@pdebrabander.nl> proto=ESMTP helo=<loj2.1915.life>
May 29 18:10:36 pdebrabander postfix/smtpd[49607]: disconnect from unknown[185.176.220.124]
May 29 18:10:37 pdebrabander postfix/smtpd[49607]: warning: hostname loj2.1915.life does not resolve to address 185.176.220.124
May 29 18:10:37 pdebrabander postfix/smtpd[49607]: connect from unknown[185.176.220.124]
May 29 18:10:37 pdebrabander postfix/smtpd[49607]: NOQUEUE: reject: RCPT from unknown[185.176.220.124]: 450 4.1.8 <return@loj2.1915.life>: Sender address rejected: Domain not found; from=<return@loj2.1915.life> to=<patrick@pdebrabander.nl> proto=ESMTP helo=<loj2.1915.life>
May 29 18:10:37 pdebrabander postfix/smtpd[49607]: disconnect from unknown[185.176.220.124]
May 29 18:10:38 pdebrabander postfix/smtpd[49607]: warning: hostname loj2.1915.life does not resolve to address 185.176.220.124
May 29 18:10:38 pdebrabander postfix/smtpd[49607]: connect from unknown[185.176.220.124]
May 29 18:10:38 pdebrabander postfix/smtpd[49607]: NOQUEUE: reject: RCPT from unknown[185.176.220.124]: 450 4.1.8 <return@loj2.1915.life>: Sender address rejected: Domain not found; from=<return@loj2.1915.life> to=<patrick@pdebrabander.nl> proto=ESMTP helo=<loj2.1915.life>
May 29 18:10:38 pdebrabander postfix/smtpd[49607]: disconnect from unknown[185.176.220.124]
May 29 18:10:39 pdebrabander postfix/smtpd[49607]: warning: hostname loj2.1915.life does not resolve to address 185.176.220.124
May 29 18:10:39 pdebrabander postfix/smtpd[49607]: connect from unknown[185.176.220.124]
May 29 18:10:39 pdebrabander postfix/smtpd[49607]: NOQUEUE: reject: RCPT from unknown[185.176.220.124]: 450 4.1.8 <return@loj2.1915.life>: Sender address rejected: Domain not found; from=<return@loj2.1915.life> to=<patrick@pdebrabander.nl> proto=ESMTP helo=<loj2.1915.life>
May 29 18:10:39 pdebrabander postfix/smtpd[49607]: disconnect from unknown[185.176.220.124]
Not sure if this is something to worry about, but I'm trying to get the server better secured.
I've installed fail2ban, but I don't see this IP being blocked, maybe because fail2ban is only blocking on postfix-sasl.
Now I've added a file, clearos-postfix.conf, in /etc/fail2ban/jail.d:
# This file is controlled by the ClearOS API, please do not edit!
# If you would like to customize parameters, add a new configlet file.
[postfix]
enabled = true
maxretry = 2
bantime = 432000
findtime = 14400
Not sure if this will work, or whether it will break other things.
Please comment if I can secure the server with a better method against these kinds of attacks.
Thanks -
Accepted Answer
For http filtering I have the following in /etc/fail2ban/jail.local:
[apache-nohome]
enabled = true
filter = apache-nohome
action = iptables-multiport[name=apache-nohome, port="80,443"]
logpath = /var/log/httpd/*error_log
maxretry = 1
bantime = 604800
findtime = 172800
and in /etc/fail2ban/filter.d/apache-nohome.local I have:
[Definition]
failregex = ^.* \[error\] \[client <HOST>\] File does not exist: .*\/(vtigercrm|admin|recordings|cgi-bin)$
Note I use local files to override the conf files. I also sometimes struggle with their regex filters so you'll see that mine is somewhat simpler without so much at the beginning of the expression. It may, therefore, be more CPU intensive but I don't know. All I am trying to do is pick up the probes I see (vtigercrm is the most common) without killing someone (me) making a simple typo as I activate the block on the first occurrence.
-
Accepted Answer
Wiljon Saarloos wrote:
Is this package still maintained?
Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
Requires: ed
Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
Requires: gamin-python
Br,
Wiljon
Found the solution:
Needed to install gamin-python and ed first manually:
yum install gamin-python --enablerepo=clearos-core
yum install ed --enablerepo=clearos-core
After this fail2ban would install without a glitch:
yum install fail2ban --enablerepo=clearos-epel
Br,
Wiljon -
Accepted Answer
Is this package still maintained?
I get the following if I try to install fail2ban on ClearOS 6.5:
yum install fail2ban --enablerepo=clearos-epel
--> Finished Dependency Resolution
Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
Requires: ed
Error: Package: fail2ban-0.8.14-1.el6.noarch (clearos-epel)
Requires: gamin-python
Br,
Wiljon -
Accepted Answer
yaye wrote:
Speaking of Fail2ban, from the CentOS 6.4 release notes:
An upgrade of existing installations of CentOS-6 can leave the iptables-multi and ip6tables-multi binaries with incorrect SELinux labels. In turn this fact may break 3rd party applications (such as fail2ban). The bug was reported upstream. A workaround is to run
restorecon -v /sbin/ip*-multi-1.4.7
This may affect ClearOS 6.x users running fail2ban, once the upgrade to version 6.4 is out.
Arrgghhhhhhhhhhh poo, could disable SEL really prefer not to. -
Accepted Answer
Speaking of Fail2ban, from the CentOS 6.4 release notes:
An upgrade of existing installations of CentOS-6 can leave the iptables-multi and ip6tables-multi binaries with incorrect SELinux labels. In turn this fact may break 3rd party applications (such as fail2ban). The bug was reported upstream. A workaround is to run
restorecon -v /sbin/ip*-multi-1.4.7
This may affect ClearOS 6.x users running fail2ban, once the upgrade to version 6.4 is out. -
Accepted Answer
Tim,
If you are using IMAPS and POP3S for mail sending using SSL authentication, I suspect the port command should change from port=smtp,pop3 to port=smtp,pop3s,imaps?
One thing confuses me. The port 465 has to be open for IMAPS mail sending using SSL. So that port isn't the same as IMAPS (993). Does the above port command with IMAPS cover that port too?
I've googled this but not found an answer. Is this supposed to be changed somewhere else?
Thanks. -
Accepted Answer
Tim Burgess wrote:
Yes - I was pointing out that the IP was blocked quickly, but only for port 25, not POP3. That's why you see the other log entries, because the IP was still able to get to your POP3 service. The only way to confirm this is to check what commands you have in your jails.conf file
I'm sorry, Tim. I couldn't come back to this earlier (health problem). I added pop3 protocol and, as far as I know, pop3 abusive connections are now triggering the ban. Strangely, since I made the change there was only one attempt and its IP was blocked correctly. Thanks for the settings you published.
Kind regards,
Artur
===
deleted - unnecessary
=== -
Accepted Answer
Hi Artur, what Fail2ban jails are you using? Your log shows attempted connections to POP3, not SMTP. Fail2ban in my examples on the previous page was for SMTP only, and therefore Fail2ban would only block on that particular port.
It can of course be modified:-
[sasl-iptables]
enabled = true
filter = sasl
action = iptables-multiport[name=sasl, port="smtp,pop3", protocol=tcp]
         sendmail-whois[name=sasl, dest=root]
logpath = /var/log/maillog
-
Accepted Answer
Hi, I think Pete is rolling this up into a build for ClearOS - I don't know if he intends to make it customisable from the webconfig. If not then I may have a go
To prevent loss of the fail2ban tables after a firewall restart I also added to /etc/rc.d/rc.firewall.local
/sbin/service fail2ban condrestart
Then edited /etc/rc.d/init.d/fail2ban and added to permit a conditional restart
condrestart)
    getpid
    if [ -n "$pid" ]; then
        $0 stop
        $0 start
        RETVAL=$?
    fi
    ;;
Now if only I could figure out why it won't manually block an IP using fail2ban-client, then I have a script which exports the existing blocks when it shuts down, and then attempts to reblock them on startup -
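For the export-and-reblock script described above (and the original post's open item of re-inserting bans after a firewall restart), here is an added example that is not from this thread or the fail2ban project: it reads each jail's current ban list from fail2ban-client status, writes it to a file, and replays it with fail2ban-client set <jail> banip <ip> once fail2ban is back. It assumes Python 3, a client of version 0.8.8 or later (the banip command), the status layout shown in SAMPLE_STATUS, and the STATE_FILE path, all of which are assumptions rather than anything this thread states.

```python
import re
import subprocess

STATE_FILE = "/var/lib/fail2ban/saved-bans.txt"  # assumed location; any root-writable file works

# Assumed layout of `fail2ban-client status <jail>`: the banned addresses sit on
# one line after "IP list:" (0.8.x) or "Banned IP list:" (later releases).
IP_LIST_RE = re.compile(r"IP list:\s*(.*)$", re.MULTILINE)

# Constructed sample shaped like the 0.8.x status output, for trying the parser offline.
SAMPLE_STATUS = """Status for the jail: ssh-iptables
`- action
   |- Currently banned:\t2
   |  `- IP list:\t198.51.100.7 203.0.113.42
   `- Total banned:\t2
"""

def parse_banned(status_text):
    """Return the IPs listed as currently banned in a jail's status output."""
    m = IP_LIST_RE.search(status_text)
    return m.group(1).split() if m else []

def dump_bans(bans):
    """Serialise {jail: [ip, ...]} as one 'jail ip' pair per line."""
    return "".join(f"{j} {ip}\n" for j, ips in sorted(bans.items()) for ip in ips)

def load_bans(text):
    """Inverse of dump_bans; malformed lines are skipped."""
    bans = {}
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) == 2:
            bans.setdefault(parts[0], []).append(parts[1])
    return bans

def reban_commands(bans):
    """fail2ban-client calls that re-insert each saved ban (needs 0.8.8+, assumed)."""
    return [["fail2ban-client", "set", j, "banip", ip]
            for j, ips in sorted(bans.items()) for ip in ips]

def export_bans(jails, path=STATE_FILE):
    """Call before fail2ban stops (e.g. from the init script's stop branch)."""
    status = lambda j: subprocess.run(["fail2ban-client", "status", j],
                                      capture_output=True, text=True, check=True).stdout
    with open(path, "w") as fh:
        fh.write(dump_bans({j: parse_banned(status(j)) for j in jails}))

def import_bans(path=STATE_FILE):
    """Call once fail2ban is running again to replay the saved bans."""
    with open(path) as fh:
        for cmd in reban_commands(load_bans(fh.read())):
            subprocess.run(cmd, check=True)
```

Call export_bans(["ssh-iptables", "sasl-iptables"]) from the init script's stop path and import_bans() after start; together with the condrestart hook in rc.firewall.local, the bans then survive a firewall restart.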
Accepted Answer
Peter - I've been messing around with Fail2ban (based on the EPEL version 0.8.4) and need to make the following regex filter adjustments so that they are compatible with the way ClearOS logs, and to make sure it picks up the Flexshares FTP / web
/etc/fail2ban/jail.conf
ignoreip = 127.0.0.1
# add other subnets to prevent your LAN being blocked? 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root]
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables-multiport[name=ProFTPD, port="ftp,2121"]
         sendmail-whois[name=ProFTPD, dest=root]
logpath = /var/log/secure

[sasl-iptables]
enabled = true
filter = sasl
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=root]
logpath = /var/log/maillog

[postfix-iptables]
enabled = true
filter = postfix
action = iptables[name=postfix, port=25, protocol=tcp]
         sendmail-whois[name=postfix, dest=root]
logpath = /var/log/maillog
/etc/fail2ban/filter.d/sasl.conf
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
/etc/fail2ban/filter.d/postfix.conf
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
/etc/fail2ban/filter.d/proftpd.conf
failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
            ^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
            ^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION(.)*login attempted(.)*$
            ^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$
-
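To check a filter like the postfix.conf one above before enabling its jail, here is an added example (not from this thread or from fail2ban) that expands the <HOST> tag the way fail2ban does and runs the three failregex lines over maillog entries quoted elsewhere on this page. HOST_RE is the expansion the 0.8 series uses (its exact form is an assumption), and compile_failregex, invalid_patterns and find_hosts are names chosen here.

```python
import re

# fail2ban replaces the <HOST> tag with a named group before compiling each
# failregex; this is the expansion used by the 0.8 series (exact form assumed),
# reproduced so the thread's filters can be tried without a fail2ban install.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The postfix.conf failregex lines posted above, one pattern per entry.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",  # 4xx is temporary: can hit a legitimate sender
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]

def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern the way fail2ban would."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def invalid_patterns(patterns):
    """Return the patterns that fail to compile (fail2ban refuses such a filter)."""
    bad = []
    for p in patterns:
        try:
            re.compile(p.replace("<HOST>", HOST_RE))
        except re.error:
            bad.append(p)
    return bad

def find_hosts(patterns, lines):
    """Per log line: the <host> of the first matching failregex, or None if no pattern matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in lines:
        matches = (rx.search(line) for rx in compiled)
        m = next((m for m in matches if m), None)
        hits.append(m.group("host") if m else None)
    return hits

# Maillog lines copied from the entries quoted earlier on this page.
SAMPLE_MAILLOG = [
    "NOQUEUE: reject: RCPT from unknown[195.42.247.184]: 450 4.7.1 Client host rejected: "
    "cannot find your reverse hostname, [195.42.247.184]; from=<mail@willy-wong.com> "
    "to=<xxxx@mydomain.nl> proto=ESMTP helo=<mail.elektrograph.de>",
    "May 29 18:10:36 pdebrabander postfix/smtpd[49607]: NOQUEUE: reject: RCPT from "
    "unknown[185.176.220.124]: 450 4.1.8 <return@loj2.1915.life>: Sender address rejected: "
    "Domain not found; from=<return@loj2.1915.life> to=<patrick@pdebrabander.nl> proto=ESMTP helo=<loj2.1915.life>",
    "May 29 18:10:36 pdebrabander postfix/smtpd[49607]: connect from unknown[185.176.220.124]",
]
```

On these inputs the 450 4.7.1 rejection yields 195.42.247.184 while the 450 4.1.8 rejection matches none of the three patterns, so a jail using this filter would not count it. Because 4xx codes are temporary failures, the 4.7.1 pattern also matches a legitimate sender whose DNS is briefly broken, which is the caveat Nick raises elsewhere on this page.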
Accepted Answer
nano /etc/ssh/sshd_config
from mine
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 2222
#Protocol 2,1
Protocol 2
once you're done
/etc/init.d/ssh restart
now connect to ssh with the port prefix
ssh -p2222 mycleardomain.com -l sshenableduser
Or use @ -
Accepted Answer
Peter Baldwin wrote:
Thanks for the tips!
You're welcome.
PS there is an "SSH Server" app that will appear in the next beta. It lets administrators tweak:
- The port number (with a little helper to remind users about the firewall)
- Root login policy
- Password policy (i.e. allow key-based authentication only)
Great, but if this continues, I'll forget how to use nano. -