From 60dc7739514d952a4c1631cd4fb872066fdc608a Mon Sep 17 00:00:00 2001
From: Matthew Saunders Brown
Date: Wed, 16 Nov 2022 16:50:46 -0800
Subject: [PATCH] add fail2ban rules
---
 etc/fail2ban/action.d/mail-ratelimit.conf | 60 +++++++++++++++++++++++
 etc/fail2ban/filter.d/exim-hard.conf | 26 ++++++++++
 etc/fail2ban/filter.d/exim-ratelimit.conf | 24 +++++++++
 etc/fail2ban/jail.d/dovecot.conf | 5 ++
 etc/fail2ban/jail.d/exim-hard.conf | 7 +++
 etc/fail2ban/jail.d/exim-ratelimit.conf | 9 ++++
 etc/fail2ban/jail.d/exim.conf | 5 ++
 install.sh | 35 ++++++++++++-
 8 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 etc/fail2ban/action.d/mail-ratelimit.conf
 create mode 100644 etc/fail2ban/filter.d/exim-hard.conf
 create mode 100644 etc/fail2ban/filter.d/exim-ratelimit.conf
 create mode 100644 etc/fail2ban/jail.d/dovecot.conf
 create mode 100644 etc/fail2ban/jail.d/exim-hard.conf
 create mode 100644 etc/fail2ban/jail.d/exim-ratelimit.conf
 create mode 100644 etc/fail2ban/jail.d/exim.conf
diff --git a/etc/fail2ban/action.d/mail-ratelimit.conf b/etc/fail2ban/action.d/mail-ratelimit.conf
new file mode 100644
index 0000000..73be2c0
--- /dev/null
+++ b/etc/fail2ban/action.d/mail-ratelimit.conf
@@ -0,0 +1,60 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# bypass ban/unban for restored tickets
+norestored = 1
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Hi,\n
+ An email account exceeded it's rate limit:\n
+ \n
+
+ \n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] "
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = exim-ratelimit
+
+# Destination/Addressee of the mail
+#
+dest = postmaster
diff --git a/etc/fail2ban/filter.d/exim-hard.conf b/etc/fail2ban/filter.d/exim-hard.conf
new file mode 100644
index 0000000..5d20f92
--- /dev/null
+++ b/etc/fail2ban/filter.d/exim-hard.conf
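Review bot: Nothing in `[Definition]` says this action only notifies: `actionban` pipes a message to `mail`, while `actionstart`, `actioncheck` and `actionunban` are left empty, so a jail that lists it as its sole `action` never touches the firewall. A header comment such as `# Notification-only action: actionban mails <dest>; no ban is applied - pair with a banning action if blocking is wanted` would make that explicit for anyone reusing it. The `[Init]` comment `# Default name of the chain` is copied from the iptables actions and misleads here, where `name` appears to be used only in the mail subject (the tags are stripped in this rendering); `# Jail name shown in the mail subject` fits better. Minor: the body text reads `it's rate limit` where `its` is meant, and the `# Author: Cyril Jaquier` header should note that this is an adaptation of the stock mail action.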
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Matthew Saunders Brown
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#failregex = \[\] .*(?:rejected by local_scan|Unrouteable address)
+
+failregex = .*\(ylmf-pc\) \[\].*rejected EHLO or HELO ylmf-pc
+ .*rejected RCPT.*\: is listed in.*
+ .*dovecot_.* authenticator failed for.*\((server\.com|User|USER|ADMIN)\) \[\]:.* 535 Incorrect authentication data.*
+ .*dovecot_.* authenticator failed for.*\((server\.com|User|USER|ADMIN)\) \[\]:.* 435 Unable to authenticate.*
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/etc/fail2ban/filter.d/exim-ratelimit.conf b/etc/fail2ban/filter.d/exim-ratelimit.conf
new file mode 100644
index 0000000..264982f
--- /dev/null
+++ b/etc/fail2ban/filter.d/exim-ratelimit.conf
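Review bot: The second `failregex` line, `.*rejected RCPT.*\: is listed in.*`, carries no `<HOST>` tag as rendered here, whereas the other three anchor on `\[<HOST>\]` (the tag text itself is stripped in this rendering); fail2ban refuses to load a filter whose failregex has no host or failure-id group, so the exim-hard jail would fail to start — if the tag was merely lost in rendering, disregard this. Every pattern also opens with an unanchored `.*` (the same applies to the `failregex` in filter.d/exim-ratelimit.conf in this commit), which forces a full-line backtrack on each non-matching rejectlog line; anchoring on the exim timestamp prefix or moving the shared prefix into `prefregex` is cheaper and is the style fail2ban's bundled filters use. The HELO list `(server\.com|User|USER|ADMIN)` is the only thing keeping an ordinary mistyped password out of the one-strike 24h ban that jail.d/exim-hard.conf configures, so it deserves a comment stating where those names come from and why a single match is safe to act on.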
@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Author: Matthew Saunders Brown
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#failregex = \[\] .*(?:rejected by local_scan|Unrouteable address)
+# 2022-01-11 02:17:34.576 [2506437] H=162-246-128-31.merlin.ua ([127.0.0.1]) [31.128.246.162]:54324 I=[69.55.235.148]:587 X=TLS1.0:ECDHE_SECP521R1__RSA_SHA1__AES_256_CBC__SHA1:256 CV=no F= A=dovecot_plain:valexcel@inetworld.net rejected RCPT : valexcel@inetworld.net exceeded rate limit of 120 per hour
+
+failregex = .* \[\]:.* exceeded rate limit of .*
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/etc/fail2ban/jail.d/dovecot.conf b/etc/fail2ban/jail.d/dovecot.conf
new file mode 100644
index 0000000..05bcaff
--- /dev/null
+++ b/etc/fail2ban/jail.d/dovecot.conf
@@ -0,0 +1,5 @@
+[dovecot]
+enabled = true
+port = imap2,imap3,imaps,pop3,pop3s
+filter = dovecot
+logpath = /var/log/mail.log tail
diff --git a/etc/fail2ban/jail.d/exim-hard.conf b/etc/fail2ban/jail.d/exim-hard.conf
new file mode 100644
index 0000000..d08e056
--- /dev/null
+++ b/etc/fail2ban/jail.d/exim-hard.conf
@@ -0,0 +1,7 @@
+[exim-hard]
+enabled = true
+port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission
+filter = exim-hard
+logpath = /var/log/exim4/rejectlog tail
+maxretry = 1
+bantime = 86400
diff --git a/etc/fail2ban/jail.d/exim-ratelimit.conf b/etc/fail2ban/jail.d/exim-ratelimit.conf
new file mode 100644
index 0000000..b7f3ea6
--- /dev/null
+++ b/etc/fail2ban/jail.d/exim-ratelimit.conf
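Review bot: The sample line commented above `failregex` is a verbatim production rejectlog entry: it carries a real-looking third-party mailbox (`valexcel@inetworld.net`), the client's hostname and address, and the address exim logs as the local interface (`I=`); once committed it is public history, so redact it to documentation values such as `user@example.com` and `192.0.2.10` before merging. The pattern keys on `\[<HOST>\]`, i.e. the connecting IP, while the limit exim reports is per authenticated account, so one abused account used from several hosts yields one event per host — worth a comment if that is the intent, since the jail's `bantime` then suppresses repeats per IP rather than per account.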
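Review bot: `maxretry = 1` with `bantime = 86400` blocks a client from every listed mail port for a day on a single matching line, and the file gives no hint that this is deliberate; a comment such as `# one strike: the exim-hard filter only matches bot-style HELO names and "is listed in" rejects, so a single hit is acted on` would keep a future maintainer from relaxing or tightening it blindly. The port list spells 465 as `ssmtp` here and in jail.d/exim-ratelimit.conf while jail.d/exim.conf writes `465`; the jails should agree on one form so a missing /etc/services alias fails the same way everywhere.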
@@ -0,0 +1,9 @@
+[exim-ratelimit]
+enabled = true
+port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission
+filter = exim-ratelimit
+action = mail-ratelimit
+logpath = /var/log/exim4/rejectlog tail
+maxretry = 1
+findtime = 60
+bantime = 3600
diff --git a/etc/fail2ban/jail.d/exim.conf b/etc/fail2ban/jail.d/exim.conf
new file mode 100644
index 0000000..8576b11
--- /dev/null
+++ b/etc/fail2ban/jail.d/exim.conf
@@ -0,0 +1,5 @@
+[exim]
+enabled = true
+port = smtp,465,submission
+filter = exim
+logpath = /var/log/exim4/rejectlog tail
diff --git a/install.sh b/install.sh
index bda4186..c4e6a74 100755
--- a/install.sh
+++ b/install.sh
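Review bot: `action = mail-ratelimit` replaces the default banning action, so this jail never blocks anything — it only mails the action's `dest` once per offending IP until `bantime` expires — and nothing in the file says so; add `# notify-only: mail-ratelimit emails postmaster, no firewall ban is applied` above the `action` line. With `maxretry = 1`, `findtime = 60` has no effect (a single hit always triggers), so drop it or comment why it is kept. Because the key is the client IP rather than the rate-limited account, one abused mailbox used from several hosts produces several mails, which is worth stating next to `bantime`.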
@@ -160,4 +160,37 @@ chmod 644 /usr/local/lib/systemd/system/vmail-cron.*
 systemctl enable vmail-cron.timer
 systemctl start vmail-cron.timer
-# notes about firewalls
+# enable email ports in firewalld
+[[ -d /etc/firewalld/ ]]; then
+ firewall-cmd --permanent --zone=public --add-service=smtp
+ firewall-cmd --permanent --zone=public --add-service=smtp-submission
+ firewall-cmd --permanent --zone=public --add-service=smtps
+ firewall-cmd --permanent --zone=public --add-service=imap
+ firewall-cmd --permanent --zone=public --add-service=imaps
+ firewall-cmd --permanent --zone=public --add-service=pop3
+ firewall-cmd --permanent --zone=public --add-service=pop3s
+ firewall-cmd --zone=public --add-service=smtp
+ firewall-cmd --zone=public --add-service=smtp-submission
+ firewall-cmd --zone=public --add-service=smtps
+ firewall-cmd --zone=public --add-service=imap
+ firewall-cmd --zone=public --add-service=imaps
+ firewall-cmd --zone=public --add-service=pop3
+ firewall-cmd --zone=public --add-service=pop3s
+else
+ echo
+ echo "firewalld not installed, not opening email ports in firewall."
+fi
+
+# fail2ban
+if [[ -d /etc/fail2ban/ ]]; then
+ chmod 644 etc/fail2ban/*/*.conf
+ cp -a etc/fail2ban/* /etc/fail2ban/
+ sed -i "s|postmaster|postmaster@$maildomain|g" /etc/fail2ban/action.d/mail-ratelimit.conf
+ echo
+ echo "Fail2ban rate limit will email postmaster@$maildomain."
+ echo "Change postmaster@$maildomain in /etc/fail2ban/action.d/mail-ratelimit.conf to suit your needs."
+else
+ echo
+ echo "fail2ban not installed, skipping fail2ban email configs."
+
+fi
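Review bot: `[[ -d /etc/firewalld/ ]]; then` is missing its `if`, so bash aborts with a syntax error when it reaches this line: everything above has already executed and the fail2ban block below never runs. Change it to `if [[ -d /etc/firewalld/ ]]; then`. In the fail2ban block the new jails and the `sed`-edited action are copied into `/etc/fail2ban/` but the daemon is never reloaded, so nothing takes effect until `systemctl reload fail2ban` (or a restart) — the script should run that, or at least print it alongside the postmaster notice; `cp -a etc/fail2ban/* /etc/fail2ban/` also silently overwrites any `jail.d/dovecot.conf` or `jail.d/exim.conf` the admin already customised, which a `cp -n` or a pre-copy backup would avoid. The script continues outside the hunk, so the trailing context line is not visible here.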