Coding, Web, Hydrology and more.

Utilizing fail2ban to Protect SSHD & Mail Service on CentOS


0x00 STORY

I hadn’t checked the mail log since installing dovecot and postfix, because these mail services ran well without any problems. Recently, however, I found that mails were being lost when sending numerous mails at the same time. I looked into dovecot’s and postfix’s configuration thoroughly, but everything seemed to be OK, so I turned to the mail log hoping to find some error information. At that moment I found tons of SASL authorization failures, so it is time to do something.

0x01 FIREWALLD (Optional)

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.

firewalld should be installed by default on CentOS 7 or higher, but if you disabled or removed firewalld and you want a more flexible way to manage iptables (firewalld is a superset of iptables), type the following command to install firewalld:

Then you can enable firewalld at boot and start the service by doing this:

You can use firewall-cmd to check firewalld’s status and to manage firewalld. Here are some examples of its usage:

Before going deeper, let me clarify the definition of zones in firewalld.

A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.

In other words, a zone is a place where specific rules such as reject/accept are applied, and a zone can be bound to an ethernet interface. To learn about all available zones, check the link above. The following commands are performed on the public zone, which is the most commonly used one.

In addition, once firewalld is installed, you need to open the SSH port and reload firewalld; otherwise you will be blocked from accessing the server again once you disconnect.

0x02 Fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2ban is a well-known IP blacklisting tool which helps you limit or mitigate the impact of brute-force attacks. It can be used to protect postfix, dovecot, sshd, wordpress or any software that writes failure information to a log file.
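How the scan-and-ban logic described above applies to the SASL failures in the mail log, as an added example (not code from the original post and not fail2ban's own implementation). The regular expression is a simplified stand-in for a postfix-sasl filter, the log lines are constructed, and `find_bans`, `_line`, the thresholds `maxretry=3` / `findtime=600` and the year are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for Postfix SASL failures: an assumption for this
# example, not the postfix-sasl filter shipped with fail2ban.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ postfix/[\w/]+\[\d+\]: "
    r"warning: [^\[\s]+\[(?P<host>[0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed"
)

def _line(ts, client, mech="LOGIN"):
    """Build one constructed Postfix warning line for the sample log."""
    return (f"Mar  3 {ts} mail postfix/smtpd[2101]: warning: {client}: "
            f"SASL {mech} authentication failed:")

# Constructed sample log (documentation-range addresses only).
SAMPLE_LOG = [
    _line("10:15:01", "unknown[203.0.113.7]"),
    _line("10:15:09", "unknown[203.0.113.7]"),
    "Mar  3 10:15:30 mail postfix/smtpd[2104]: connect from host.example[198.51.100.20]",
    _line("10:16:02", "unknown[203.0.113.7]", "PLAIN"),
    _line("10:20:00", "host.example[198.51.100.20]"),
    _line("10:45:00", "host.example[198.51.100.20]"),
    _line("11:10:00", "host.example[198.51.100.20]"),
]

def find_bans(lines, maxretry=3, findtime=600, year=2024):
    """Return {ip: time of ban} for hosts reaching maxretry failures
    within a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or m["host"] in banned:
            continue                # not a failure line, or host already banned
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = failures[m["host"]]
        hits.append(ts)
        while ts - hits[0] > window:    # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m["host"]] = ts
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

With these thresholds the host that fails three times in about a minute is banned, while the host whose three failures are spread 25 minutes apart is not; widening `findtime` to 3600 seconds catches the slower one as well.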

Fail2ban is not available in the official CentOS package repository; it is packaged for the EPEL project. EPEL, which stands for Extra Packages for Enterprise Linux, can be installed with a release package that is available from CentOS:

Now you are able to install fail2ban package:

To enable fail2ban at boot and start the fail2ban service:

There are two configuration files you can change in order to enable or disable features of fail2ban: jail.conf and fail2ban.conf. However, it is highly recommended that you put your customizations in jail.local and fail2ban.local files instead; that way your configuration is not overwritten when the package is updated.


To use the postfix-sasl jail in the above configuration file, you should create /etc/fail2ban/filter.d/postfix-sasl.conf with the following content:

After updating the .local files, you can reload fail2ban by:

fail2ban-client is the command-line tool for fail2ban. Here are some examples of its usage:

0x03 Reference


About the author


[stay(d) for d in ('determined','diligent','devoted')]

By EDLinus