0x00 STORY
I hadn't checked the mail log after installing dovecot and postfix, since these mail services ran well without any problem, but recently I found an issue with mail being lost when sending numerous mails at the same time. I then looked into dovecot's and postfix's configuration thoroughly; however, everything seemed to be OK, so I turned to checking the mail log, hoping to find some error information, and at that moment I found tons of SASL authorization failures. So it is time to do something.
0x01 FIREWALLD (Optional)
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.
firewalld is installed and enabled by default on CentOS 7 and later. If you disabled or removed it and want a more convenient way to manage the packet filter, install it again with the command below. Note that firewalld is not a superset of iptables: on CentOS 7 it is a front end that generates and maintains the iptables rules for you, so do not run the iptables service alongside it, or the two will keep overwriting each other's rules.

```bash
yum install -y firewalld
```
Then enable it at boot and start the service:

```bash
systemctl enable firewalld
systemctl start firewalld
```
Use firewall-cmd to check firewalld's status and to manage it. Some example usage:

```bash
firewall-cmd --state            # Display status of firewalld
firewall-cmd --panic-on         # Drop all network packets (panic mode on); this also cuts your own SSH session
firewall-cmd --panic-off        # Disable panic mode
firewall-cmd --query-panic      # Check if panic mode is on
firewall-cmd --reload           # Reload the permanent configuration without restarting; runtime-only changes are lost
firewall-cmd --complete-reload  # Reload completely, including kernel modules; established connections are usually dropped
```
Before going deeper, let me clarify what a zone is in firewalld.
A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.
https://firewalld.org/documentation/man-pages/firewalld.zones.html
In other words, a zone is a named set of rules (accept, reject, allowed services and ports) that is applied to whatever connections are bound to it; a zone can be bound to an Ethernet interface or to source addresses. To see all available zones, check the link above. The following commands operate on the public zone, which is the default zone on CentOS and the most commonly used one. Keep the runtime/permanent split in mind: a change made with --permanent is only written to the saved configuration and takes effect after --reload, while a change made without it takes effect immediately but disappears on the next reload or reboot.

```bash
firewall-cmd --zone=public --add-interface=eth0 --permanent  # Bind eth0 to the public zone in the saved config (active after --reload)
firewall-cmd --set-default-zone=public                       # Set the default zone to public
firewall-cmd --zone=public --add-port=8080/tcp --permanent   # Allow tcp packets on port 8080 in the saved config (active after --reload)
firewall-cmd --zone=public --add-port=8080/tcp               # Same, runtime only: effective now, gone after --reload or reboot
firewall-cmd --list-all                                      # List interfaces, services and ports of the default zone (runtime); add --permanent to see the saved config
```
In addition, once firewalld is running, make sure the ssh service (or whatever port sshd actually listens on) is allowed in the zone bound to your interface, in the permanent configuration as well as at runtime, before you reload; otherwise the reload drops the rule that keeps your session alive and you are locked out as soon as you disconnect. The public zone allows the ssh service out of the box, so the real risk is when you build your own zone, remove services from public, or move sshd to a non-standard port.
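The lock-out check described above, as an added example: this is not code from the original post or from firewalld. It reads the permanent configuration of a zone with `firewall-cmd --permanent --zone=ZONE --list-all`, parses it, and only runs `firewall-cmd --reload` if SSH would still be accepted afterwards. Assumptions: the zone is `public`, SSH listens on 22/tcp, the `--list-all` output has the CentOS 7 layout shown in the constructed samples, and rich rules are not examined (if only a rich rule allows SSH, the check fails closed and refuses to reload rather than guessing).

```python
"""Refuse to `firewall-cmd --reload` when the permanent zone config would close SSH.
Added example, not code from the original post or from firewalld.  Assumptions:
zone "public", SSH on 22/tcp, CentOS 7 `--list-all` layout, rich rules not examined."""
import re
import subprocess

# Each attribute line of `firewall-cmd --list-all` looks like "  services: dhcpv6-client ssh"
KEY_LINE = re.compile(r"^\s{2}([a-z][a-z -]*): ?(.*)$")


def parse_list_all(text):
    """Turn `firewall-cmd --list-all` output into {key: [tokens]}.  Continuation
    lines (one rich rule per tab-indented line) are kept whole under the previous key."""
    info, last = {}, None
    for line in text.splitlines()[1:]:          # line 0 is the zone name itself
        m = KEY_LINE.match(line)
        if m:
            last = m.group(1)
            info[last] = m.group(2).split()
        elif last is not None and line.strip():
            info[last].append(line.strip())
    return info


def port_open(info, port, proto="tcp"):
    """True if `ports:` lists the port, either directly ("22/tcp") or inside a range ("20-30/tcp")."""
    for spec in info.get("ports", []):
        rng, _, p = spec.partition("/")
        lo, _, hi = rng.partition("-")
        if p == proto and int(lo) <= port <= int(hi or lo):
            return True
    return False


def ssh_allowed(info, ssh_port=22):
    """The zone accepts SSH if the ssh service (22/tcp) is listed, the port is
    opened explicitly, or the zone target is ACCEPT (everything allowed)."""
    return (("ssh" in info.get("services", []) and ssh_port == 22)
            or port_open(info, ssh_port)
            or info.get("target", ["default"]) == ["ACCEPT"])


def safe_reload(zone="public", ssh_port=22, run=subprocess.run):
    """Reload firewalld only if the permanent config of `zone` keeps SSH open.
    `run` is injectable (see FakeRun) so the logic can be exercised without firewalld."""
    show = run(["firewall-cmd", "--permanent", f"--zone={zone}", "--list-all"],
               capture_output=True, text=True, check=True)
    if not ssh_allowed(parse_list_all(show.stdout), ssh_port):
        raise RuntimeError(f"zone {zone}: permanent config does not allow SSH on "
                           f"{ssh_port}/tcp, refusing to reload")
    run(["firewall-cmd", "--reload"], check=True)
    return True


class FakeRun:
    """subprocess.run stand-in: answers --list-all with canned text and records every argv."""
    def __init__(self, list_all_output):
        self.output, self.calls = list_all_output, []

    def __call__(self, argv, **kwargs):
        self.calls.append(argv)
        out = self.output if "--list-all" in argv else ""
        return subprocess.CompletedProcess(argv, 0, stdout=out, stderr="")


# Constructed samples of `firewall-cmd --permanent --zone=public --list-all` (CentOS 7 layout)
SAFE_ZONE = """public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
# Same zone after someone removed the ssh service: reloading this would lock you out
LOCKOUT_ZONE = SAFE_ZONE.replace("services: dhcpv6-client ssh", "services: dhcpv6-client")

if __name__ == "__main__":
    safe_reload()   # real run: needs root and a running firewalld
```

Run it as root instead of a bare `firewall-cmd --reload` after editing the permanent configuration. The check deliberately looks at the saved configuration rather than the runtime one, because the runtime rules are exactly what a reload throws away.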
0x02 Fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Fail2ban is a well-known IP blacklisting tool that limits or mitigates the impact of brute-force attacks. It can protect postfix, dovecot, sshd, WordPress or any other software that writes its authentication failures to a log file.

Fail2ban is not in the official CentOS repositories; it is packaged by EPEL (Extra Packages for Enterprise Linux), whose release package is available from CentOS:

```bash
yum install epel-release
```
Now you are able to install fail2ban package:
```bash
yum install fail2ban
```
To start fail2ban at boot and start the service now:

```bash
systemctl enable fail2ban
systemctl start fail2ban
```
There are two configuration files that control fail2ban's features: jail.conf (the jails and their defaults) and fail2ban.conf (the daemon itself). Do not edit them directly; put your customisations in jail.local and fail2ban.local (or in files under jail.d/), which are read after the .conf files and override them. That way a package update, which overwrites the .conf files, cannot undo your changes. If firewalld from 0x01 is in use, the bans must go through it as well: the EPEL package's fail2ban-firewalld subpackage drops /etc/fail2ban/jail.d/00-firewalld.conf, which sets banaction to a firewallcmd-* action. Make sure that file is present, or set banaction yourself; with the plain iptables actions, fail2ban and firewalld would edit the same rule tables independently.

```bash
vi /etc/fail2ban/jail.d/jail.local
```

```ini
[DEFAULT]
# IPs never banned: loopback plus your own LAN/admin addresses, so you cannot lock yourself out
ignoreip = 127.0.0.1/8
# how long an IP stays banned once it is judged malicious (seconds)
bantime = 3600
# window in which failures are counted (seconds)
findtime = 600
# number of failures within findtime that triggers a ban
maxretry = 3

[ssh-iptables]
# enable the sshd jail
enabled = true
# filter file: "sshd" means /etc/fail2ban/filter.d/sshd.conf
filter = sshd
# where sshd logs on CentOS (authpriv facility)
logpath = /var/log/secure
# overrides the DEFAULT maxretry for this jail only
maxretry = 3

[dovecot]
# the key is "enabled"; a misspelled "enable" is silently ignored and the jail stays off
enabled = true
# dovecot logs through the mail syslog facility, which rsyslog on CentOS writes to /var/log/maillog
logpath = /var/log/maillog

[postfix-sasl]
enabled = true
# ban on every port clients authenticate on, not only 25
port = smtp,465,submission
filter = postfix-sasl
logpath = /var/log/maillog
maxretry = 5
```
To use the postfix-sasl jail above, the filter /etc/fail2ban/filter.d/postfix-sasl.conf must exist. Recent fail2ban releases already ship it, so check filter.d first; if yours does not have it, create it with the following content:

```ini
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
```
After editing the .local file, reload fail2ban:

```bash
fail2ban-client reload
```
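To see what the jail and filter above actually do with real-looking traffic, here is an added example that is not code from the original post or from fail2ban: it runs the postfix-sasl failregex over a handful of constructed maillog lines and then applies the jail's findtime/maxretry/bantime/ignoreip rules to the matches. Assumptions: `PREFIX_LINE` is a simplified stand-in for fail2ban's `%(__prefix_line)s` from common.conf (just the syslog timestamp, host and `postfix/smtpd[pid]`), `<HOST>` is expanded to an IPv4 pattern only, the log year is 2019, and every line and address (RFC 5737 documentation ranges) is made up.

```python
"""Replay the postfix-sasl jail over constructed maillog lines.  Added example,
not code from the original post or from fail2ban.  Assumptions: PREFIX_LINE is a
simplified stand-in for %(__prefix_line)s, <HOST> is IPv4 only, year is 2019,
and all log lines and addresses are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified stand-in for %(__prefix_line)s: "Mon DD HH:MM:SS host postfix/smtpd[pid]: "
PREFIX_LINE = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
# What fail2ban substitutes for <HOST> (IPv4 only here; real fail2ban also handles IPv6 and hostnames)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from filter.d/postfix-sasl.conf with both placeholders expanded
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"warning: [-._\w]+\[" + HOST + r"\]: "
    + r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    + r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)


def parse_failure(line, year=2019):
    """Return (timestamp, host) for a SASL failure line, or None for anything else."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def run_jail(lines, findtime=600, maxretry=5, bantime=3600, ignoreip=("127.0.0.1/8",)):
    """Replay the jail rule: a host is banned for `bantime` seconds once it has
    `maxretry` failures inside the last `findtime` seconds, unless it is in ignoreip.
    Returns a list of (host, banned_at, ban_expires)."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of failures still inside findtime
    bans = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue                      # not a failure line: this filter ignores it
        ts, host = hit
        if any(ipaddress.ip_address(host) in net for net in ignored):
            continue                      # ignoreip: never banned, not even counted
        if any(h == host and start <= ts < end for h, start, end in bans):
            continue                      # already banned; the firewall would be dropping these
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            bans.append((host, ts, ts + timedelta(seconds=bantime)))
    return bans


def maillog(ts, msg, host="mail", pid=4321):
    """Build one constructed syslog line in the format rsyslog writes to /var/log/maillog."""
    return f"{ts} {host} postfix/smtpd[{pid}]: {msg}"


SAMPLE_LOG = [  # constructed, in chronological order like a real log
    maillog("Mar 10 12:00:01", "warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    maillog("Mar 10 12:00:03", "warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure"),
    maillog("Mar 10 12:00:05", "warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    maillog("Mar 10 12:00:07", "warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed"),
    maillog("Mar 10 12:00:09", "warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    maillog("Mar 10 12:00:10", "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    # five failures from loopback: covered by ignoreip, so never banned
    *[maillog(f"Mar 10 12:00:{s}", "warning: localhost[127.0.0.1]: SASL PLAIN authentication failed") for s in range(11, 16)],
    maillog("Mar 10 12:00:20", "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    maillog("Mar 10 12:00:30", "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    maillog("Mar 10 12:00:40", "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    maillog("Mar 10 12:05:00", "connect from mail.example.org[198.51.100.9]"),
    # fifth failure from 198.51.100.7, but more than findtime after the first four
    maillog("Mar 10 12:15:00", "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    # dovecot failure: a different daemon, so it belongs to the dovecot jail, not this filter
    "Mar 10 12:16:00 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=192.0.2.9",
]

if __name__ == "__main__":
    for host, start, end in run_jail(SAMPLE_LOG):
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the jail's own values (maxretry = 5, findtime = 600) only 203.0.113.5 is banned: 198.51.100.7 also fails five times, but its fifth attempt falls outside the 600-second window, which is exactly the slow-and-low pattern a larger findtime is meant to catch. Against the real filter file, the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf`, which reports how many lines matched.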
fail2ban-client is the command line tool for talking to the running fail2ban server. Some example usage:

```bash
fail2ban-client status               # List all jails in fail2ban
fail2ban-client status ssh-iptables  # Details of the ssh-iptables jail, including the currently banned IPs
fail2ban-client start                # Start the fail2ban server and its jails
fail2ban-client stop                 # Stop the fail2ban server and its jails
```
0x03 Reference
- https://www.cnblogs.com/operationhome/p/9184580.html
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7
- https://www.fail2ban.org/wiki/index.php/Main_Page
- https://firewalld.org/documentation/man-pages/firewalld.zones.html