Fail2ban for Kerio Connect [message #148130]
Sun, 17 May 2020 22:02
sergey
Messages: 1 Registered: May 2020
Hello all!
Please help me with setting up fail2ban for Kerio Connect. Kerio Connect version 9.2.0 (2213), OS Debian 8.4.0_amd64.
The rsyslog settings are correct, and fail2ban successfully adds the rule "fail2ban-kerio" to the iptables firewall after starting, but it misses log lines. When I run the command "fail2ban-regex /var/log/kerio-security.log /etc/fail2ban/filter.d/kerio.conf" for inspection, it prints this listing:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/kerio.conf
Use log file : /var/log/kerio-security.log
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [5] MONTH Day Hour:Minute:Second
`-
Lines: 5 lines, 0 ignored, 0 matched, 5 missed
|- Missed line(s):
| May 17 10:42:34 server rsyslog HTTP/WebMail: Invalid password for user user<_at_>domain.com. Attempt from IP address 192.168.88.252.
| May 17 10:42:42 server rsyslog HTTP/WebMail: Invalid password for user user<_at_>domain.com. Attempt from IP address 192.168.88.252.
| May 17 10:42:52 server rsyslog HTTP/WebMail: Invalid password for user user<_at_>domain.com. Attempt from IP address 192.168.88.252.
| May 17 10:43:00 server rsyslog HTTP/WebMail: Invalid password for user user<_at_>domain.com. Attempt from IP address 192.168.88.252.
| May 17 21:22:13 server rsyslog HTTP/WebMail: Invalid password for user user<_at_>domain.com. Attempt from IP address 192.168.88.252.
i.e. fail2ban successfully reads the security log, but misses the lines with threats. Why does this happen? What am I doing wrong? Why is failregex 0 when the login attempts are detected?
This is the text of the filter file kerio.conf:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^SMTP Spam attack detected from <HOST>$
            ^IP address <HOST> found in DNS blacklist*$
            ^Relay attempt from IP address <HOST>$
            ^Attempt to deliver to unknown recipient .*,.*, IP address <HOST>$
            ^HTTP/WebMail: Invalid password for user ".*" Attempt from IP address <HOST>$
            ^User .* doesn't exist. Attempt from IP address <HOST>$
            ^Failed POP3 login from <HOST>, user .*$
            ^Failed IMAP login from <HOST>, user .*$
            ^Failed SMTP login from <HOST>$
            ^SMTP: User .* doesn't exist. Attempt from IP address <HOST>$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Could there be a syntax error in the file? I don't know the Python language, so I don't understand its syntax.
The instructions from the site https://aplawrence.com/Kerio/fail2ban.html don't work.
Re: Fail2ban for Kerio Connect [message #148288 is a reply to message #148133]
Mon, 15 June 2020 20:22
hberm001
Messages: 20 Registered: August 2012 Location: United States
Your failregex all start with ^, which means it expects the pattern to match from the very beginning of the line. If you remove the ^, it should start matching, since the timestamp and syslog tags are actually at the beginning of the line.
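An added example, not code from the thread or from Kerio or fail2ban, for testing a candidate failregex offline against the lines pasted above. The timestamp cut and the <HOST> expansion are my approximation of what fail2ban-regex does, and the reworked expression is fitted to the pasted lines, not taken from Kerio documentation.

```python
import re

# Constructed copies of the lines pasted in the thread ("<_at_>" is the
# forum's e-mail obfuscation, kept verbatim; the POP address is made up).
SAMPLE_LINES = [
    "May 17 10:42:34 server rsyslog HTTP/WebMail: Invalid password for user "
    "user<_at_>domain.com. Attempt from IP address 192.168.88.252.",
    "May 17 21:22:13 server rsyslog HTTP/WebMail: Invalid password for user "
    "user<_at_>domain.com. Attempt from IP address 192.168.88.252.",
    "Aug 24 01:14:46 mail POP: User testing<_at_>domain.co.za doesn't exist. "
    "Attempt from IP address 203.0.113.9",
]

# The <HOST> alias exactly as documented in the kerio.conf comment above.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The "MONTH Day Hour:Minute:Second" template fail2ban-regex reported.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")


def match_line(failregex, line):
    """Approximation (my assumption) of one fail2ban-regex test: cut the
    timestamp out, expand <HOST>, search the remainder. Returns the
    captured host or None."""
    m = DATE_RE.match(line)
    rest = line[m.end():] if m else line
    hit = re.search(failregex.replace("<HOST>", HOST_ALIAS), rest)
    return hit.group("host") if hit else None


def count_hits(failregex, lines=SAMPLE_LINES):
    return sum(1 for ln in lines if match_line(failregex, ln))


# The thread's expression: anchored with ^ although the syslog host and tag
# ("server rsyslog") still precede the Kerio text after the date is removed,
# and it demands quotes around the user name that the pasted lines lack.
ORIGINAL = (r'^HTTP/WebMail: Invalid password for user ".*" '
            r"Attempt from IP address <HOST>$")

# Reworked: accept the syslog prefix, drop the quotes, and capture the IPv4
# address in an explicit "host" group so the sentence's trailing "." is not
# swallowed (the <HOST> class [\w\-.^_]+ would include it in the host).
REWORKED = (r"^\s*\S+ rsyslog HTTP/WebMail: Invalid password for user \S+ "
            r"Attempt from IP address (?P<host>\d{1,3}(?:\.\d{1,3}){3})\.?$")

if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("reworked", REWORKED)):
        print(f"{name}: {count_hits(rx)} of {len(SAMPLE_LINES)} lines matched")
```

Run the script, then copy the reworked line into kerio.conf and confirm with fail2ban-regex against the real log before relying on it.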
Re: Fail2ban for Kerio Connect [message #148385 is a reply to message #148288]
Wed, 01 July 2020 16:10
Lewis-H
Messages: 11 Registered: December 2019
Here is what my iptables looks like once running.
[root@system ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-kerio tcp -- anywhere anywhere multiport dports smtp,pop3,urd,pop3s
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
fail2ban-ProFTPD tcp -- anywhere anywhere tcp dpt:ftp
DROP all -- anywhere anywhere state INVALID
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP all -- loopback/8 anywhere
DROP all -- link-local/16 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere system.gateway.com tcp dpt:ftp-data
ACCEPT tcp -- anywhere system.gateway.com tcp dpt:ftp
ACCEPT udp -- anywhere system.gateway.com udp dpt:ntp
ACCEPT udp -- anywhere system.gateway.com udp dpt:openvpn
ACCEPT tcp -- anywhere system.gateway.com tcp dpt:45022
ACCEPT tcp -- anywhere system.gateway.com tcp dpt:81
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.245 tcp dpt:pop3
ACCEPT tcp -- anywhere 192.168.1.245 tcp dpt:pop3s
ACCEPT tcp -- anywhere 192.168.1.245 tcp dpt:smtp
ACCEPT tcp -- anywhere 192.168.1.245 tcp dpt:urd
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp spt:bootpc dpt:bootps
ACCEPT tcp -- system.gateway.com anywhere tcp spt:ftp-data
ACCEPT tcp -- system.gateway.com anywhere tcp spt:ftp
ACCEPT udp -- system.gateway.com anywhere udp spt:ntp
ACCEPT udp -- system.gateway.com anywhere udp spt:openvpn
ACCEPT tcp -- system.gateway.com anywhere tcp spt:45022
ACCEPT tcp -- system.gateway.com anywhere tcp spt:81
ACCEPT all -- anywhere anywhere
Chain drop-lan (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain fail2ban-ProFTPD (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-kerio (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
[root@system ~]#
Jumped onto my BackTrack 5 R3 VM and tried to throw some attacks, remotely, at the IP.
/var/log/maillog
Aug 24 01:14:46 mail POP: User testing<_at_>domain.co.za doesn't exist. Attempt from IP address xx.xxx.xxx.xx
Aug 24 01:14:46 mail POP: User testing<_at_>domain.co.za doesn't exist. Attempt from IP address xx.xxx.xxx.xx
Aug 24 01:14:46 mail POP: User testing<_at_>domain.co.za doesn't exist. Attempt from IP address xx.xxx.xxx.xx
Aug 24 01:14:52 Failed POP3 login from xx-xxx-xxx-xx.isp.domain.co.za
Aug 24 01:14:52 Failed POP3 login from xx-xxx-xxx-xx.isp.domain.co.za
Aug 24 01:14:52 Failed POP3 login from xx-xxx-xxx-xx.isp.domain.co.za
/var/log/messages
Aug 24 01:09:34 system fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.10
Aug 24 01:09:34 system fail2ban.jail : INFO Creating new jail 'proftpd-iptables'
Aug 24 01:09:34 system fail2ban.jail : INFO Jail 'proftpd-iptables' uses pyinotify
Aug 24 01:09:34 system fail2ban.jail : INFO Initiated 'pyinotify' backend
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Added logfile = /var/log/messages
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Set maxRetry = 6
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Set findtime = 600
Aug 24 01:09:34 system fail2ban.actions: INFO Set banTime = 600
Aug 24 01:09:34 system fail2ban.jail : INFO Creating new jail 'ssh-iptables'
Aug 24 01:09:34 system fail2ban.jail : INFO Jail 'ssh-iptables' uses pyinotify
Aug 24 01:09:34 system fail2ban.jail : INFO Initiated 'pyinotify' backend
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Added logfile = /var/log/secure
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Set maxRetry = 5
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Set findtime = 600
Aug 24 01:09:34 system fail2ban.actions: INFO Set banTime = 600
Aug 24 01:09:34 system fail2ban.jail : INFO Creating new jail 'kerio-iptables'
Aug 24 01:09:34 system fail2ban.jail : INFO Jail 'kerio-iptables' uses pyinotify
Aug 24 01:09:34 system fail2ban.jail : INFO Initiated 'pyinotify' backend
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Added logfile = /var/log/maillog
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Set maxRetry = 3
Aug 24 01:09:34 system <30>fail2ban.filter : INFO Set findtime = 600
Aug 24 01:09:34 system fail2ban.actions: INFO Set banTime = 1200
Aug 24 01:09:34 system fail2ban.jail : INFO Jail 'proftpd-iptables' started
Aug 24 01:09:34 system fail2ban.jail : INFO Jail 'ssh-iptables' started
Aug 24 01:09:34 system fail2ban.jail : INFO Jail 'kerio-iptables' started
Aug 24 01:10:42 system <28>fail2ban.filter : WARNING Determined IP using DNS Lookup: xx-xxx-xxx-xx.isp.domain.co.za = ['xx.xxx.xxx.xx']
Aug 24 01:10:43 system fail2ban.actions: WARNING [kerio-iptables] Ban xx.xxx.xxx.xx