GFI Software Aurea SMB Solutions


Kerio Connect forum: Fail2Ban and IPtables (Debian 9 with F2B, iptables and Kerio Connect .... nearly there, but struggling a bit :-))
Fail2Ban and IPtables [message #146000] Wed, 19 June 2019 13:37
dhardyuk
Messages: 18
Registered: May 2019
Hello,

I have been migrating from Kerio Connect on Windows to Debian. So far everything has been going well and users are happy - server is up, using fewer resources and nice and fast.

I'm now in the process of implementing Fail2Ban to staunch the flow of login attempts that are filling the logs.

I googled and found an old guide to implementing F2B with Kerio Connect on Debian, which has been very helpful, and along the way I discovered a kerio.conf file in /etc/fail2ban/filter.d/

Now, I didn't create this file so I'm assuming that it is part of the base Debian image that ArubaCloud.com use (it's also on the ArubaCloud swing server that I used for the migration). The original file has some ^ characters that I removed and that is now working nicely.

To get Fail2Ban started I had to tweak the security log settings in the Kerio Connect admin portal to get it to log to syslog on the local server, as per the very old guide at hxxp://aplawrence.com/Kerio/fail2ban.html and tweak the date format in the Global Directives part of the /etc/rsyslog.conf file:

Original rsyslog.conf

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

My updated rsyslog.conf

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Mytemplate,"%$year%-%$month%-%$day% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogseverity-text:0:3:uppercase% %msg%\n"

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*


Original kerio.conf

# Fail2ban filter for kerio

[Definition]

failregex = ^ SMTP Spam attack detected from <HOST>,
            ^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
            ^ Relay attempt from IP address <HOST>
            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$

ignoreregex =

[Init]

datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]

# DEV NOTES:
#
# Author: A.P. Lawrence
#
# Based off: hxxp://aplawrence.com/Kerio/fail2ban.html

My updated kerio.conf

# Fail2ban filter for kerio

[INCLUDES]
before = common.conf

[Definition]
failregex = SMTP Spam attack detected from <HOST>,
            Failed SMTP login from <HOST> with SASL method LOGIN.
            IP address <HOST> found in DNS blacklist
            Relay attempt from IP address <HOST>
            Attempt to deliver to unknown recipient .*,.*, IP address <HOST>
            SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>.

# I added this line into the expression above ---^
# SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>.
# and commented out these original lines below ---v

#
#failregex = ^ SMTP Spam attack detected from <HOST>,
#            ^ Failed SMTP login from <HOST> with SASL method LOGIN.
#            ^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
#            ^ Relay attempt from IP address <HOST>
#            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
#

ignoreregex =

[Init]

#datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]

# DEV NOTES:
#
# Author: A.P. Lawrence
#
# Based off: hxxp://aplawrence.com/Kerio/fail2ban.html

When I ran tail -f /var/log/fail2ban.log I noticed that Fail2Ban was correctly finding the right details and adding them to the iptables block list, but finding them again and noting that they were already banned - ergo, they were going into the ban list and the banlist was growing but iptables wasn't actually doing anything with it, so the bans were not effective.

At this point I realised that I need to enable iptables and get it running with a configuration that a) isn't going to lock me out and b) won't break any Kerio Connect services.

So, back to Google and I found this guide to getting started with a Debian 9 firewall: hxxps://oitibs.com/easy-debian-9-server-firewall/

Now the gritty bit, I want to have all of the Kerio ports open whilst getting a comprehensive wall of Fail2Ban protection against the SSH and SMTP brute forcing attempts.

Current rules.v4 file
# Generated by iptables-save v1.6.0 on Wed Jun 19 11:01:30 2019
*filter
:INPUT ACCEPT [1769:334135]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1650:243981]
:f2b-kerio - [0:0]
:f2b-ssh - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m multiport --dports 143,25,993,465,587,110,119,563,389,636,80,443,5222,5223,4040 -j f2b-kerio
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-kerio -s 64.38.239.83/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -s 185.137.111.129/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -s 185.137.111.96/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -s 185.137.111.136/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -s 185.137.111.125/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -s 45.13.39.123/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -s 186.224.79.172/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-kerio -j RETURN
-A f2b-ssh -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Wed Jun 19 11:01:30 2019

So I started adding Kerio ports to the /etc/iptables/rules.v4 conf file and promptly broke it every time, so I fixed that by overwriting the rules.v4 file with the entries from hxxps://oitibs.com/easy-debian-9-server-firewall/ and then running
invoke-rc.d netfilter-persistent save
to get back to a basic config.

This is where I'm struggling a little: If there are more than 15 port numbers listed in the line:
-A INPUT -p tcp -m multiport --dports 143,25,993,465,587,110,119,563,389,636,80,443,5222,5223,4040 -j f2b-kerio
then iptables won't start. So, ok, I thinned out the 8800 and 8843 ports and will turn them off in Kerio Connect if I can't work out the right way to include them. I'm also a little concerned that I have got the structure of the rules.v4 file a little confused, as f2b-kerio is clearly part of the things Fail2Ban does, so I need to understand where and how the default Kerio Connect ports need to be listed so that IPtables is configured properly and plays nicely with Fail2ban.

I'm going to be doing a chunk more reading today and will update this post with my findings so that hopefully it will be of some use to others. Also, if you have this already solved on your servers please don't be shy about correcting my errors (or sharing your working configs).

Thanks

David
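The thing David ran into with the "^" anchors is easiest to see by running the filter's patterns over a few log lines. The Python below is an added example, not code from this thread, from fail2ban or from Kerio: it models fail2ban's failregex handling in simplified form (an IPv4-only stand-in for <HOST>, no findtime window, and no timestamp stripping, which the real tool does through datepattern or common.conf). The patterns are the six from the updated kerio.conf with the literal dots escaped; the sample lines are constructed in the shape the rsyslog template above produces and use documentation addresses, not real attackers.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (the real one also
# accepts hostnames and IPv6); IPv4 is enough for the sample lines below.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The six patterns from the updated kerio.conf, with "." escaped where it is
# meant literally; "<HOST>" is substituted at compile time.
UPDATED_FAILREGEX = [
    r"SMTP Spam attack detected from <HOST>,",
    r"Failed SMTP login from <HOST> with SASL method LOGIN\.",
    r"IP address <HOST> found in DNS blacklist",
    r"Relay attempt from IP address <HOST>",
    r"Attempt to deliver to unknown recipient .*,.*, IP address <HOST>",
    r"SMTP: User \S+ doesn't exist\. Attempt from IP address <HOST>\.",
]

# The original file's anchored form: "^ " assumes the message directly follows
# a Kerio-style "[dd/Mon/yyyy hh:mm:ss]" timestamp that fail2ban has already
# removed, leaving a single leading space. Lines that arrive via the rsyslog
# template above start with a date instead, so these never match.
ORIGINAL_FAILREGEX = ["^ " + p for p in UPDATED_FAILREGEX]

# Constructed sample lines (documentation-range addresses) in the shape of
# the poster's template: date time HOSTNAME SEV msg.
SAMPLE_LINES = [
    "2019-06-19 13:37:01 mailhost WAR Failed SMTP login from 203.0.113.5 with SASL method LOGIN.",
    "2019-06-19 13:37:02 mailhost WAR Failed SMTP login from 203.0.113.5 with SASL method LOGIN.",
    "2019-06-19 13:37:04 mailhost WAR Failed SMTP login from 203.0.113.5 with SASL method LOGIN.",
    "2019-06-19 13:37:05 mailhost WAR Failed SMTP login from 203.0.113.5 with SASL method LOGIN.",
    "2019-06-19 13:37:07 mailhost WAR Failed SMTP login from 203.0.113.5 with SASL method LOGIN.",
    "2019-06-19 13:38:10 mailhost WAR SMTP: User bob doesn't exist. Attempt from IP address 198.51.100.7.",
    "2019-06-19 13:38:11 mailhost WAR Relay attempt from IP address 198.51.100.7",
    "2019-06-19 13:39:00 mailhost INF Message from 192.0.2.9 accepted for delivery",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, as fail2ban does for a filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_host(compiled, line):
    """Return the host captured by the first matching pattern, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def failures_per_host(lines, patterns):
    """Count matched failure lines per source address."""
    compiled = compile_failregex(patterns)
    counts = Counter()
    for line in lines:
        host = match_host(compiled, line)
        if host:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(lines, patterns, maxretry=5):
    """Addresses that reached the jail's maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failures_per_host(lines, patterns).items()
                  if n >= maxretry)


if __name__ == "__main__":
    print("updated patterns:", failures_per_host(SAMPLE_LINES, UPDATED_FAILREGEX))
    print("original anchored patterns:", failures_per_host(SAMPLE_LINES, ORIGINAL_FAILREGEX))
    print("would ban (maxretry=5):", hosts_to_ban(SAMPLE_LINES, UPDATED_FAILREGEX))
```

Against the sample lines the updated patterns attribute five failures to 203.0.113.5 and two to 198.51.100.7, while the anchored originals match nothing, which is the "removed ^ characters and now it works" observation in numbers. On a real server the equivalent check is fail2ban-regex /var/log/<kerio log> /etc/fail2ban/filter.d/kerio.conf, which reports matched and missed lines per pattern.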
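The 15-port ceiling is a property of iptables' multiport match (a range a:b counts as two ports toward it), so the fix is to split a longer list over several rules rather than to drop ports. The Python below is an added example, not from this thread, from fail2ban or from the oitibs guide: it checks existing rules.v4 lines against the limit and renders a minimal baseline file whose INPUT policy, SSH port and conntrack rule are my assumptions, with the Kerio ports from the thread (the two that were dropped, 8800 and 8843, included) split into rules of at most 15. The f2b-* chains and their jump rules are deliberately left out: fail2ban creates them itself at start-up, and a saved file that already contains them produces duplicates on the next restore.

```python
import re

MULTIPORT_MAX = 15  # iptables' multiport match accepts at most 15 ports per rule

# Ports from the poster's f2b-kerio rule plus the two (8800, 8843) that were
# removed to stay under the limit; the list is taken from the thread.
KERIO_TCP_PORTS = [143, 25, 993, 465, 587, 110, 119, 563, 389, 636,
                   80, 443, 5222, 5223, 4040, 8800, 8843]

MULTIPORT_RE = re.compile(r"-m multiport --dports (?P<ports>[\d:,]+)")


def multiport_port_count(rule):
    """Number of port slots a rule's --dports list uses (a range a:b counts as
    two, as it does for the kernel's limit); 0 if there is no multiport match."""
    m = MULTIPORT_RE.search(rule)
    if not m:
        return 0
    return sum(2 if ":" in p else 1 for p in m.group("ports").split(","))


def multiport_rule_ok(rule):
    """True if iptables-restore will accept the rule's port list."""
    return multiport_port_count(rule) <= MULTIPORT_MAX


def chunk_ports(ports, size=MULTIPORT_MAX):
    """Deduplicate, sort and split a port list into groups the match accepts."""
    ports = sorted(set(ports))
    return [ports[i:i + size] for i in range(0, len(ports), size)]


def accept_rules(ports, chain="INPUT", size=MULTIPORT_MAX):
    """One ACCEPT rule per chunk, each within the multiport limit."""
    return ["-A %s -p tcp -m multiport --dports %s -j ACCEPT"
            % (chain, ",".join(str(p) for p in chunk))
            for chunk in chunk_ports(ports, size)]


def render_rules_v4(service_ports, ssh_port=22):
    """Minimal iptables-restore file (assumed baseline policy, not the guide's):
    drop by default, keep loopback and established traffic, open SSH and the
    service ports. fail2ban adds its own f2b-* chains and jumps on start."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p tcp --dport %d -j ACCEPT" % ssh_port,
    ]
    lines += accept_rules(service_ports)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rules_v4(KERIO_TCP_PORTS))
```

The same limit applies to the port list a jail hands to the iptables-multiport action, since that becomes the --dports of the jump into f2b-kerio; a jail watching more than 15 ports therefore needs splitting into two jails that share the filter. Run the file through iptables-restore --test before saving it with netfilter-persistent, so a bad line is rejected without touching the live ruleset.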


Re: Fail2Ban and IPtables [message #146006 is a reply to message #146000] Wed, 19 June 2019 20:42
Bud Durland
Messages: 512
Registered: December 2013
Location: Plattsburgh, NY
Can you describe the environment? Where are the users of the server located (local, remote via VPN, remote via open internet, etc)? What clients are in use?
Re: Fail2Ban and IPtables [message #146012 is a reply to message #146006] Thu, 20 June 2019 20:16
dhardyuk
Messages: 18
Registered: May 2019
Hi Bud,

It's Kerio Connect 9.2.10 beta 1 (4579) on Debian GNU/Linux 9.9, x86_64 hosted directly on the public internet. The server has a public IP, does not have any other IP addresses and is not behind a firewall. All users are accessing the server over the internet.

All the users have iPhones with the iOS mail client configured via ActiveSync. Some of the users also connect to webmail and I am using the Kerio Outlook Connector on Outlook 2016. All users have a free choice to use any of webmail, Outlook via ActiveSync, Outlook via KOC, Outlook on their iPhones or IMAP with any other clients.

My aim is to reduce the disk space impact of endless brute force attempts filling the logs. Ideally every attempt will count towards the fail2ban threshold, which will then block the source IP from connecting for 60 minutes now, rising to 168 hours once I'm sure it's working properly.

I have noticed the logs being filled with SMTP SASL login attempts and SSH attempts (SSH is key based so I'm not worried about that).

Re: Fail2Ban and IPtables [message #146017 is a reply to message #146012] Thu, 20 June 2019 23:23
Bud Durland
Messages: 512
Registered: December 2013
Location: Plattsburgh, NY
No doubt others have counseled you on the inadvisability of having the server connected directly to the internet, so I won't. Given that, your plan of attack is probably about the best way to go, but I suspect very large log files are going to be a way of life.