http://oitibs.com/mailcleaner-brute-force-prevention/
If you are running a MailCleaner Anti Spam Gateway in your organization, then chances are good that at least once someone has tried to brute force a SASL login to your server. Below we will configure Fail2ban to prevent SASL brute force attacks by blocking the offending IP address after a set number of invalid login attempts. For the purpose of this article we will be using MailCleaner 2018.02, based on Debian 8, although this method also works on MailCleaner 2017.08. First you will need to install the Fail2ban software and create your base configuration files as shown below.
```sh
# install fail2ban
apt-get install fail2ban

# create base config files
touch /etc/fail2ban/jail.d/mc-default.local
touch /etc/fail2ban/jail.d/mc-exim.local
touch /etc/fail2ban/filter.d/mc-exim-filter.local
touch /etc/fail2ban/action.d/mc-exim-action.local
touch /etc/fail2ban/ip.blocklist.sasl
```
Next, edit your newly created files to match the configuration below. Note that we will not be editing Fail2ban's default configuration: our mc-default.local overrides the default settings, and the remaining files build the mc-exim jail with its filter and action. For documentation on each setting, open and review /etc/fail2ban/jail.conf.
mc-default.local

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8
# set the two addresses below to your own
destemail = admin@example.com
sendername = MailCleaner Admin
sender = fail2ban@example.com
action = %(action_mw)s
```
In mc-default.local above we set the action to enable email notification of banned IPs. If you would prefer not to receive emails on ban actions, remove the action line. Also note that with this action set you will receive an email every time the fail2ban service is started or stopped; to disable this behavior please refer to: Disable Fail2ban Service Emails.

mc-exim.local

```ini
[mc-exim]
enabled = true
maxretry = 1
findtime = 3600
bantime = 7890000
port = all
filter = mc-exim-filter
banaction = mc-exim-action
logpath = /var/mailcleaner/log/exim_stage1/mainlog
```
mc-exim-filter.local

```ini
# Fail2Ban filter for exim the spam rejection messages
#
## For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
# before = exim-common.conf

[Definition]

failregex = \[<HOST>\]: 535 Incorrect authentication data

ignoreregex =
```
mc-exim-action.local

```ini
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Matthew Marable for MailCleaner SASL Permanent Ban
#

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# create the chain, hook it into <chain>, then re-create a DROP rule for every
# address previously persisted to the blocklist under this jail's name
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -j fail2ban-<name>
              awk '/^fail2ban-<name>/ {print $2}' /etc/fail2ban/ip.blocklist.sasl | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

actionstop = iptables -D <chain> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck =

# grep -x matches the whole line, so an existing 1.2.3.45 entry cannot hide a new 1.2.3.4
actionban = if ! grep -Fqx "fail2ban-<name> <ip>" /etc/fail2ban/ip.blocklist.sasl; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; echo "fail2ban-<name> <ip>" >> /etc/fail2ban/ip.blocklist.sasl; fi

# intentionally empty: the ban is permanent and survives restarts via the blocklist
actionunban =

[Init]

name = sasl
port = any
protocol = all
chain = INPUT
```
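To see what the filter and the action above do before pointing them at a live log, here is an added worked example in Python. It is not part of the original article and is not MailCleaner or Fail2ban code: it applies the failregex from mc-exim-filter.local to a constructed sample of exim mainlog lines, counts hits per host with the jail's maxretry/findtime rule, and persists and restores bans the way actionban and actionstart do with the blocklist file. The IPv4-only expansion of `<HOST>`, the sample log lines, and the assumption that fail2ban substitutes the jail name (mc-exim) for `<name>` are this example's own.

```python
import re
from datetime import datetime, timedelta

# failregex as written in mc-exim-filter.local. Fail2ban expands the <HOST>
# placeholder itself; the IPv4-only pattern below is a simplified stand-in
# for that expansion (an assumption of this example).
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# exim's mainlog prefixes every line with "YYYY-MM-DD HH:MM:SS".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample of /var/mailcleaner/log/exim_stage1/mainlog (not real
# data; addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2018-03-01 02:10:05 login authenticator failed for (client) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2018-03-01 02:10:09 login authenticator failed for (client) [203.0.113.7]: 535 Incorrect authentication data (set_id=test)
2018-03-01 02:11:40 1evABC-0001xy-Qz <= alice@example.org H=mail.example.org [198.51.100.20] P=esmtps S=2048
2018-03-01 03:30:00 login authenticator failed for (User) [198.51.100.77]: 535 Incorrect authentication data (set_id=alice)
2018-03-01 04:00:00 login authenticator failed for (client) [203.0.113.7]: 535 Incorrect authentication data (set_id=root)
"""


def parse_failures(log_text):
    """Return (timestamp, host) for each line the failregex matches,
    i.e. the lines fail2ban-regex would report as hits."""
    hits = []
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        fail_match = FAIL_RE.search(line)
        if ts_match and fail_match:
            ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
            hits.append((ts, fail_match.group("host")))
    return hits


def select_bans(hits, maxretry=1, findtime=3600):
    """Apply the jail's counting rule: a host is banned once it reaches
    maxretry failures inside any findtime-second window.
    Returns {host: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> failure timestamps still inside the window
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue
        times = [t for t in recent.get(host, []) if ts - t <= window]
        times.append(ts)
        recent[host] = times
        if len(times) >= maxretry:
            banned[host] = ts
    return banned


def add_to_blocklist(blocklist_lines, name, ip):
    """Persist a ban as actionban does, but by whole-line comparison: a plain
    substring test would let an existing 203.0.113.70 entry hide 203.0.113.7.
    Returns (new blocklist, whether a line was appended)."""
    entry = f"fail2ban-{name} {ip}"
    if entry in blocklist_lines:
        return list(blocklist_lines), False
    return list(blocklist_lines) + [entry], True


def restore_commands(blocklist_lines, name):
    """Rebuild the iptables DROP rules from the blocklist, as actionstart's
    awk loop does whenever the service (re)starts."""
    prefix = f"fail2ban-{name} "
    return [f"iptables -I fail2ban-{name} 1 -s {line[len(prefix):]} -j DROP"
            for line in blocklist_lines if line.startswith(prefix)]


if __name__ == "__main__":
    # jail name assumed to be what fail2ban substitutes for <name>
    hits = parse_failures(SAMPLE_LOG)
    bans = select_bans(hits, maxretry=1, findtime=3600)
    blocklist = []
    for host in sorted(bans):
        blocklist, added = add_to_blocklist(blocklist, "mc-exim", host)
        print(f"ban {host} at {bans[host]} (persisted: {added})")
    for cmd in restore_commands(blocklist, "mc-exim"):
        print(cmd)
```

With the jail's own values (maxretry = 1, findtime = 3600) every host in the sample is banned on its first 535 line; raising maxretry shows how the findtime window decides whether spaced-out attempts from one address add up. The blocklist helper compares whole lines rather than substrings, so an existing entry for 203.0.113.70 does not hide a new ban of 203.0.113.7, and restore_commands lists exactly the rules that come back after a restart.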
Once your configuration files are modified as required, restart the fail2ban service and check the log at /var/log/fail2ban.log to ensure your newly created configuration is working. Assuming everything is in place and fail2ban is working, the last thing we need to do is edit the fail2ban startup script at /etc/init.d/fail2ban, adding mailcleaner to the Required-Start and Required-Stop lines as seen below so that fail2ban is started after MailCleaner and stopped before it.
fail2ban

```sh
#! /bin/sh
### BEGIN INIT INFO
# Provides:          fail2ban
# Required-Start:    mailcleaner $local_fs $remote_fs
# Required-Stop:     mailcleaner $local_fs $remote_fs
# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop fail2ban
# Description:       Start/stop fail2ban, a daemon scanning the log files and
#                    banning potential attackers.
### END INIT INFO
```
MailCleaner Fail2Ban Configuration
Note: the ban list is in /etc/fail2ban/ip.blocklist.sasl. If an address was banned by mistake, unban it there, or use fail2ban-client set fail2ban-mc-exim unbanip 123.123.123.123 to manually unban a specific IP address.

Solution: add the following line to cron (scheduled tasks) to restart fail2ban at 02:32 every night, which resolves the problem.

```sh
32 2 * * * /etc/init.d/./fail2ban restart
```

Basic checks:

1) After changing the configuration or a regular expression, load the new rules with the following command [also usable when fail2ban is not working]:

```sh
# fail2ban-client reload
```

2) Banned IP addresses are stored in /etc/fail2ban/ip.blocklist.sasl [reload after unbanning manually].

3) Check that iptables is working with iptables -L -v -n; banned IP addresses appear as DROP entries in the list.

4) For troubleshooting, watch /var/log/fail2ban.log.

5) Check that the regular expression is correct (the filter is named mc-exim-filter.local):

```sh
fail2ban-regex /var/mailcleaner/log/exim_stage1/mainlog /etc/fail2ban/filter.d/mc-exim-filter.local
```