Eric Shubert wrote:
> On a general note, I believe several people here have implemented f2b on
> QMT. You should find discussions and perhaps some other configurations
> in the list archives. It'd be nice if people would share their
> configurations here (even if they've done so before).

A while back, I actually wrote a guide to f2b for the wiki ... and then
someone pointed out that there was already a very good one, so I backed
out my changes. The existing guide on the wiki is pretty comprehensive.

I think my configuration is pretty stock, but I've added the following
lines to the end of 'jail.conf':

================================= jail.conf ================================

# CUSTOM JAILS

[courierimap-iptables]

enabled  = true
filter   = courierlogin
action   = iptables[name=IMAP, port=imap, protocol=tcp]
           sendmail-whois[name=IMAP, dest=root, [email protected]]
logpath  = /var/log/secure
maxretry = 4

[vpopmail-iptables]

enabled  = true
filter   = vpopmail
action   = iptables-multiport[name=VPOPMAIL, port="smtp,pop3,587", protocol=tcp]
           sendmail-whois[name=VPOPMAIL, dest=root, [email protected]]
logpath  = /var/log/maillog
maxretry = 3
bantime = 86400

[vpopmail-bonus-iptables]

enabled  = true
filter   = vpopmail-bonus
action   = iptables[name=VPOPMAIL-BONUS, port=smtp, protocol=tcp]
           sendmail-whois[name=VPOPMAIL-BONUS, dest=root, [email protected]]
logpath  = /var/log/maillog
maxretry = 1
bantime = 86400

[imapd-iptables]

enabled  = true
filter   = imapd
action   = iptables[name=IMAPD, port=imap, protocol=tcp]
           sendmail-whois[name=IMAPD, dest=root, [email protected]]
logpath  = /var/log/secure

================================= jail.conf ================================

Then, I have some individual filters in 'filter.d' to handle mail-related
stuff (see below).

You'll notice that some of the filters contain the line:

   ignoreregex = (user1|user2|user3)

Because I handle a relatively small number of users, I actually list the
usernames of legitimate users so that they don't get locked out if they
flub their password repeatedly.

These filters were all borrowed from somewhere else -- I can't remember if
they're in the f2b distro, or if I found them somewhere else on the web --
with the exception of 'vpopmail-bonus', which I wrote myself.

'vpopmail-bonus' leverages the fact that many abusers like to connect with
no domain name, i.e. they try to connect as:

    user@

rather than

    [email protected]

This filter matches that. It also matches attempts to connect using a
subdomain, i.e.

    [email protected]

and a couple of domains that no one ever logs into:

    [email protected]
    [email protected]

In the corresponding jail configuration in 'jail.conf', I specify that
anything that trips the 'vpopmail-bonus.conf' filter should be
insta-banned: even 1 failure is enough to get them banned, whereas the
regular 'vpopmail' jail allows them 3 tries before bringing the hammer
down.

I still haven't made up my mind whether this is a good strategy or not.
The rule certainly matches. But I've noticed that the current crop of
password guessers don't make repeat attempts in short order. It used to be
the case that grinders would lock on and work through all the user/pw
combos they could think of, until they either reached the end of their
list or got blocked by something like f2b.

Now, it seems that the attackers prefer to deploy a gigantic botnet, with
each machine in it making just one attempt (I'd love to know how they
coordinate that, so that they don't have multiple machines redundantly
guessing the same user/pw combo). So my bonus filter bans them, but it's
wasted effort because they weren't planning on making a second attempt or,
if they were, they weren't going to do it immediately. The result is that
the filter adds lots of entries to iptables, in a way that may not
actually be useful.

So you could try 'vpopmail-bonus' if you like, but I think it's less
useful than the others.

Angus

========================== courierlogin.conf ===============================

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

============================ vpopmail.conf =================================

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9-]+.*:<HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = (user1|user2|user3)

============================== imapd.conf =================================

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = imapd: LOGIN FAILED, user=[a-z0-9]+, ip=\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = (user1|user2|user3)

=========================== vpopmail-bonus.conf ===========================

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          This recipe will match grinders that don't specify a hostname as
#          part of their attempt to connect, and will be used with a special,
#          more aggressive rule.
# Values:  TEXT
#
failregex = vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9]+@:<HOST>
            vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9][email protected]:<HOST>
            vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9][email protected]:<HOST>
            vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9][email protected]:<HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = (user1|user2|user3)

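As an added illustration (not part of Angus's post or of fail2ban itself), this Python snippet replays constructed maillog lines through the two vpopmail jails above, expanding <HOST> the way the filter comments describe, and shows why one "user@" attempt is enough for the vpopmail-bonus jail at maxretry = 1 while the regular vpopmail jail waits for three failures. It assumes only the "user@" bonus pattern (the subdomain and unused-domain patterns are redacted in the archive), ignores fail2ban's findtime window, and uses made-up log lines with documentation IP addresses.

```python
import re
from collections import defaultdict

# fail2ban's <HOST> tag is an alias for this group (quoted from the filter comments).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two vpopmail jails from the post, with <HOST> expanded and each jail's maxretry.
# Only the "user@" (no domain) bonus pattern is reproduced here; the subdomain and
# unused-domain patterns are left out because their domains are redacted above.
JAILS = {
    "vpopmail": {
        "failregex": re.compile(r"vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9-]+.*:" + HOST),
        "ignoreregex": re.compile(r"(user1|user2|user3)"),
        "maxretry": 3,
    },
    "vpopmail-bonus": {
        "failregex": re.compile(r"vchkpw-[a-z0-9]+: vpopmail user not found [a-z0-9]+@:" + HOST),
        "ignoreregex": re.compile(r"(user1|user2|user3)"),
        "maxretry": 1,
    },
}

# Constructed maillog lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
Jan  5 10:00:01 mail vpopmail[2101]: vchkpw-smtp: vpopmail user not found alice@:203.0.113.5
Jan  5 10:00:02 mail vpopmail[2102]: vchkpw-pop3: vpopmail user not found user2@example.com:198.51.100.7
Jan  5 10:00:03 mail vpopmail[2103]: vchkpw-smtp: vpopmail user not found admin@example.com:192.0.2.9
Jan  5 10:00:04 mail vpopmail[2104]: vchkpw-smtp: vpopmail user not found test@example.com:192.0.2.9
Jan  5 10:00:05 mail vpopmail[2105]: vchkpw-smtp: vpopmail user not found info@example.com:192.0.2.9
"""

def run_jails(log_text, jails=JAILS):
    """Replay log lines through every jail as fail2ban does (ignoreregex wins over
    failregex), count failures per host and ban at maxretry. The findtime window
    is deliberately ignored, so this models a burst of attempts."""
    failures = defaultdict(lambda: defaultdict(int))
    bans = set()
    for line in log_text.splitlines():
        for name, jail in jails.items():
            if jail["ignoreregex"].search(line):
                continue  # a listed legitimate user never counts toward a ban
            match = jail["failregex"].search(line)
            if match is None:
                continue
            host = match.group("host")
            failures[name][host] += 1
            if failures[name][host] >= jail["maxretry"]:
                bans.add((name, host))
    return failures, bans
```

Running `run_jails(SAMPLE_LOG)` bans 203.0.113.5 under vpopmail-bonus after its single "alice@" attempt, bans 192.0.2.9 under vpopmail only after its third failure, and never counts the user2 line because ignoreregex matches it first.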