
How do I set up fail2ban so that all those pesky pop3 login attempts are taken care of? I am using Ubuntu 9.04 and here's an extract from the pop3 log as I see it in the mails that Logwatch sends:

   LOGIN FAILED, user=Administrador, ip=[::ffff:208.115.212.106]: 8 Time(s)
   LOGIN FAILED, user=Alfredo, ip=[::ffff:208.115.212.106]: 8 Time(s)
   LOGIN FAILED, user=Antonio, ip=[::ffff:208.115.212.106]: 6 Time(s)
   LOGIN FAILED, user=Carmelo, ip=[::ffff:208.115.212.106]: 8 Time(s)
   LOGIN FAILED, user=access, ip=[::ffff:208.115.212.106]: 7 Time(s)
   LOGIN FAILED, user=account, ip=[::ffff:208.115.212.106]: 7 Time(s)
   LOGIN FAILED, user=admin, ip=[::ffff:208.115.212.106]: 5 Time(s)
   LOGIN FAILED, user=angel, ip=[::ffff:208.115.212.106]: 9 Time(s)

EDIT: I think the solution is to simply change the settings in /etc/fail2ban/jail.conf by enabling courier related jails. Could someone verify this?

molidoli

2 Answers


I don't like "fail2ban" because it "lives" in userland and has a lot of "moving parts". If you're using iptables on the machine it's fairly trivial to rate-limit new connections from the same IP address.

iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --name pop --rsource --update --seconds 60 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --name pop --rsource --set -j ACCEPT

Assuming you've got higher-up rules in the INPUT chain to allow ESTABLISHED connections through, these rules will work to rate-limit incoming new TCP connections to your POP3 port (exceeding 5 in 60 seconds).

Evan Anderson
The OP is (was, actually) probably suffering a brute-force attack. Rate-limiting connections is a good practice, but not a good brute-force prevention technique. IDS is the way to go here. Userland log analysis with fail2ban is the next best option. – GnP Nov 28 '14 at 14:34

fail2ban is quite flexible, it can react to any expressions in any log files: in /etc/fail2ban/jail.conf you specify where to look (logpath), what to look for (filter) and what to do (action).

In your case you could try the existing filter /etc/fail2ban/filter.d/courierlogin.conf (check the regular expression, maybe you will need to modify it) and an existing action from /etc/fail2ban/action.d/ (see examples in /etc/fail2ban/jail.conf). For example, if you use shorewall:

[pop3]
enabled  = true
filter   = courierlogin
action   = shorewall
logpath  = /var/log/mail.log

I always add known good IPs to ignoreip, so these addresses don't get banned:

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/24 SOME.EXTERNAL.IPS
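To check that the filter's regular expression really matches what courier writes to mail.log before enabling the jail, here is an added Python example (not part of this answer and not fail2ban's own code) that runs a failregex modelled on courierlogin.conf over a constructed mail.log extract and then applies the jail's maxretry/findtime logic the way fail2ban would. The regex, the sample log lines, the maxretry/findtime defaults and the function names are my assumptions; only the 208.115.212.106 address comes from the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's <HOST> tag tolerates the IPv4-mapped IPv6 prefix (::ffff:) seen in the
# question and captures only the bare address; this regex is an assumption modelled on
# courierlogin.conf, not the file's actual contents. Check yours with fail2ban-regex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:pop3d|imapd)(?:-ssl)?: "
    r"LOGIN FAILED, user=\S+, ip=\[" + HOST + r"\]$"
)

# Constructed sample of syslog-formatted courier lines (198.51.100.7 and 192.0.2.10
# are documentation addresses); the successful LOGIN line must NOT match.
SAMPLE_LOG = """\
Nov 28 14:30:01 mail pop3d: LOGIN FAILED, user=Administrador, ip=[::ffff:208.115.212.106]
Nov 28 14:30:04 mail pop3d: LOGIN FAILED, user=Alfredo, ip=[::ffff:208.115.212.106]
Nov 28 14:30:09 mail pop3d: LOGIN, user=bob, ip=[::ffff:192.0.2.10], port=[51234]
Nov 28 14:30:12 mail pop3d: LOGIN FAILED, user=Antonio, ip=[::ffff:208.115.212.106]
Nov 28 14:30:20 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
Nov 28 14:30:25 mail pop3d: LOGIN FAILED, user=Carmelo, ip=[::ffff:208.115.212.106]
Nov 28 14:30:31 mail pop3d: LOGIN FAILED, user=access, ip=[::ffff:208.115.212.106]
"""

def parse_failures(log_text, year=2014):
    """Return [(timestamp, host)] for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(hits, maxretry=5, findtime=600):
    """Emulate a jail: ban a host once it reaches maxretry failures within findtime seconds.
    Returns {host: time the ban action would fire}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned
```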