{"id":269,"date":"2009-10-01T21:04:25","date_gmt":"2009-10-01T13:04:25","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=269"},"modified":"2011-11-11T14:57:07","modified_gmt":"2011-11-11T06:57:07","slug":"how-to-setup-fail2ban-to-block-vpopmail-attacks","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2009\/10\/how-to-setup-fail2ban-to-block-vpopmail-attacks\/","title":{"rendered":"How to setup fail2ban to block vpopmail attacks"},"content":{"rendered":"

As the Wiki for fail2ban is a little less than explanatory than it could be (and they reversed my edits which made the instructions clearer), here are my own notes on setting up fail2ban to block pop3 attacks.<\/p>\n

Have been seeing sample dictionary attacks on some servers for a while now from random ip addresses – eg<\/p>\n

\r\nSep 28 13:01:03 www vpopmail[20410]: vchkpw-pop3: vpopmail user not found www@:24.153.205.71\r\nSep 28 13:01:03 www vpopmail[20411]: vchkpw-pop3: vpopmail user not found web@:24.153.205.71\r\nSep 28 13:01:09 www vpopmail[20417]: vchkpw-pop3: vpopmail user not found web@:24.153.205.71\r\nSep 28 13:01:11 www vpopmail[20420]: vchkpw-pop3: vpopmail user not found web@:24.153.205.71\r\n<\/pre>\n
Annoying, but not realistically going to provide much of a security issue – most of the user names are the generic ones which aren’t actually in use on the servers.<\/p>\n
As we already use fail2ban<\/a> to perform basic service blocks against naughty script kiddie wannabee’s, why not have it block vpopmail attacks also.<\/p>\n
Our mail error logs are located in \/var\/log\/mail.log<\/p>\n
As you saw above, the logs show the same common text for each failed login – <\/p>\n
\r\nvchkpw-pop3: vpopmail user not found web@:24.153.205.71\r\n<\/pre>\n
A simple regex to identify that in the logs would look like this (as per the fail2ban wiki)<\/p>\n
\r\nfailregex = vchkpw-pop3: vpopmail user not found .*@:$\r\n<\/pre>\n
First step is to create a filter for fail2ban.<\/p>\n
Create \/etc\/fail2ban\/filter.d\/vpopmail.conf as below:<\/p>\n
\r\n# Fail2Ban configuration file for vpopmail\r\n#\r\n# Author: Lawrence Sheed\r\n#\r\n# $Revision: 1.0 $\r\n#\r\n\r\n[Definition]\r\n\r\n# Option: failregex\r\n# Notes.: regex to match the password failures messages in the logfile.\r\n# Values: TEXT\r\n#\r\nfailregex = vchkpw-pop3: vpopmail user not found .*@:$\r\n\r\n# Option:  ignoreregex\r\n# Notes.:  regex to ignore. If this regex matches, the line is ignored.\r\n# Values:  TEXT\r\n#\r\nignoreregex = \r\n<\/pre>\n
Second step is to add our filter to the fail2ban setup<\/p>\n
Add this to the bottom of \/etc\/fail2ban\/jail.conf<\/p>\n
\r\n[vpopmail]\r\nenabled = true\r\nport    = pop3\r\nfilter  = vpopmail  \r\nlogpath = \/var\/log\/mail.log\r\nmaxretry = 3\r\n<\/pre>\n
logpath should be amended to whatever your mail logs for vpopmail appear.
\nmaxretry should be set to a value that you agree with.<\/p>\n
Restart fail2ban  with a: \/etc\/init.d\/fail2ban restart
\nand check that it has added the filter.<\/p>\n
tail \/var\/log\/fail2ban.log<\/p>\n
You should see a line like this:<\/p>\n
\r\n2009-10-01 12:36:09,590 fail2ban.jail   : INFO   Jail 'vpopmail' started\r\n<\/pre>\n
If so, you’re all set!<\/p>\n
\n
Some additional tips, as I have found some issues subsequently in Fail2ban on some systems:<\/p>\n
If you find that fail2ban gives error 200 or 400 on occasion, this is due to a timing issue bug in fail2ban.<\/font>
\nThere are 2 possible solutions:<\/p>\n
Solution 1 – Edit fail2ban<\/h3>\n
Open \/usr\/bin\/fail2ban-client <\/p>\n
Look for<\/p>\n
\r\ndef __processCmd(self, cmd, showRet = True):\r\nbeautifier = Beautifier() for c in cmd:\r\n<\/pre>\n
After for c in cmd: add a delay
\ntime.sleep(0.5)<\/p>\n
This should look similar to this now – <\/p>\n
\r\ndef __processCmd(self, cmd, showRet = True):\r\nbeautifier = Beautifier() for c in cmd:\r\ntime.sleep(0.5)\r\n<\/pre>\n
Save, and restart fail2ban.  If you still see 200 or 400 issues, increase the delay higher e.g. time.sleep(0.8) <\/p>\n
Solution 2 – Use a different block method<\/h3>\n
Instead of iptables, we can configure fail2ban to use route<\/p>\n
Add a config file for this:<\/p>\n
\r\npico \/etc\/fail2ban\/action.d\/route.conf\r\n<\/pre>\n
Add this into the file and save it.<\/p>\n
\r\n# Fail2Ban configuration file\r\n[Definition]\r\nactionban = ip route add unreachable \r\nactionunban = ip route del unreachable \r\n<\/pre>\n
Open \/etc\/fail2ban\/jail.conf<\/p>\n
Look for ban action = … in the [DEFAULT] section, and comment it out with a # at the start of the line
\nthen add
\neg<\/p>\n
\r\n#banaction = iptables\r\nbanaction = route\r\n<\/pre>\n
Save the file.
\nRestart fail2ban<\/p>\n
It will now use route to block bad ip’s.<\/p>\n","protected":false},"excerpt":{"rendered":"
As the Wiki for fail2ban is a little less than explanatory than it could be (and they reversed my edits which made the instructions clearer), here are my own notes on setting up fail2ban to block pop3 attacks. Have been seeing sample dictionary attacks on some servers for a while now from random ip addresses […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[73,25],"tags":[132,22,134,133,131],"class_list":["post-269","post","type-post","status-publish","format-standard","hentry","category-email","category-technical-mumbo-jumbo","tag-fail2ban","tag-how-to","tag-security","tag-unix","tag-vpopmail"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=269"}],"version-history":[{"count":5,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/269\/revisions"}],"predecessor-version":[{"id":777,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/269\/revisions\/777"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}