Using fail2ban with Kerio Connect mailserver

Fail2ban is a simple tool that reads log files looking for specified patterns and can add iptables rules based upon what it finds. It comes with built in configuration for ssh, ftp and other common services. You can find other less common configurations at the project webpage.

I wanted to have fail2ban monitor Kerio log files. This is mostly unnecessary: Kerio Connect has internal configuration settings that can block sites that try to send mail to too many unknown users and so on. However, blocking them outright does lessen the load on the server and may help convince them not to bother with us again.

You won't find a fail2ban configuration for Kerio Connect mailserver. It's not difficult to add this, but you do have to make some adjustments.

Configuration of fail2ban itself is simple enough: you need to add a "jail" stanza to /etc/fail2ban/jail.conf. That will look like this:


[kerio]

enabled = true
filter  = kerio
logpath  = /var/log/mail.log
bantime  = 1200
maxretry = 3
action   = iptables-multiport[name=kerio, port="imap,smtp,imaps,smtps",
protocol=tcp]
 

Note that this refers to a "filter". You'll need to create that in the /etc/fail2ban/filter.d directory. It will be named "kerio.conf" and will look something like this:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified for Kerio by A.P. Lawrence
#
# $Revision: 728 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]


# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = SMTP Spam attack detected from <HOST>,
            IP address <HOST> found in DNS blacklist
            Relay attempt from IP address <HOST>
            Attempt to deliver to unknown recipient .*,.*, IP address <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
 

Notice the multiple lines following the "failregex =". These are the lines fail2ban will be looking for in the logfile and "<HOST>" is where it will find the ip address. If it sees matching lines "maxtry" times within "findtime" seconds (I reduced that from the default of 600 seconds), it will perform the "action" (blocking that ip with iptables).

Simple enough, right? Yes, but, Kerio doesn't log to /var/log/mail.log by default. More importantly, Kerio writes date stamps in a format that fail2ban does not understand, so you can't just point fail2ban at /opt/kerio/mailserver/store/logs/security.log.

However, you can tell Kerio Connect to use syslog instead of (or in addition to) its own log. In the administration browser, select the Security log and right-click in the window where the log lines display. Click on Settings and then on the External Logging tab. As shown here, I asked it to log to localhost.

setting Kerio to syslog

Your syslog needs to listen for "remote" clients. This is true even if you are running on the same machine as I am here. On this machine, I had to uncomment these lines in /etc/rsyslog.conf:

$ModLoad imudp
/etc/rsyslog.conf:$UDPServerRun 514
 

and restart the syslog server.

/etc/init.d/rsyslog restart
 

The fail2ban starts up (/etc/init.d/fail2ban restart) and adds chains to iptables:

# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-kerio  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 143,25,993,465 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-kerio (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0    
 

After a very short wait, fail2ban started adding to those chains (I'm showing the relevant chain only):

# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target     prot opt source               destination         
DROP       all  --  189.104.140.96       0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
 

Sometime later, a different set of IP's are banned (failtoban removes the rule after "bantime" seconds).

# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target     prot opt source               destination
DROP       all  --  83.149.46.234        0.0.0.0/0
DROP       all  --  200.85.123.34        0.0.0.0/0
DROP       all  --  189.82.35.144        0.0.0.0/0
DROP       all  --  200.223.61.18        0.0.0.0/0
DROP       all  --  201.51.251.94        0.0.0.0/0
DROP       all  --  118.71.57.99         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

If Kerio did not have the ability to use syslog, we would have had to filter the log file and rewrite it for fail2ban. That's not particularly hard to do - here's a Perl script designed to be used in a "tailf /opt/kerio/mailserver/store/logs/security.log" pipeline:

#!/usr/bin/perl
use IO::Handle;
open(O,">/var/log/keriosecurity.log");
O->autoflush(1);
while (<>) {
s/\[//g;
s/\]//g;
($day,$time,@rest)= split /\s+/;
@timestamp=split ?/?,$day;
$replace="$timestamp[1] $timestamp[0] $time : ";
print O "$replace @rest\n";;
}
 

That will take Kerio log files that might look like this:

[17/Jun/2011 17:00:45] Attempt to deliver to unknown
recipient <[email protected]>, from
<[email protected]>, IP address 200.90.149.178
 

and rewrite them in /var/log/keriosecurity.log to look like this:

Jun 17 17:00:45 :  Attempt to deliver to unknown
recipient <[email protected]>, from
<[email protected]>, IP address 200.90.149.178
 

Your fail2ban configuration would set "logpath=/var/log/keriosecurity.log".



Got something to add? Send me email.





(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Rewriting Kerio security log for fail2ban


5 comments



Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Anthony Lawrence







Fri Jun 24 18:31:07 2011: 9587   BruceGarlock

gravatar


I think you read my todo list! I had fail2ban on it for this week, although I never got to it, so this article is perfect timing!

Thank You,

Bruce







Thu Jul 14 15:38:25 2011: 9616   Pat

gravatar


Perfect.

It's surprising how much load this removed from kerio.

Thank you for tackling this for us!



Sun Jan 5 12:47:44 2014: 12394   danielblack

gravatar


Can you include some sample log lines that need to be matched here in fail2ban please (link) - just edit the file and then save (or email them too me).

0.9 version of fail2ban has support for custom date formats so we'd like to have a filter for kerio included in the next release.

Thanks,
Daniel
fail2ban developer



Sun Jan 5 13:16:31 2014: 12395   TonyLawrence

gravatar


I'll send you some today.



Sun Jan 5 13:18:26 2014: 12396   TonyLawrence

gravatar


I'll also ask Kerio if they can add anything.

------------------------
Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





Lawyer — One who protects us against robbers by taking away the temptation. (H.L. Mencken)

Generally, old media don't die. They just have to grow old gracefully. Guess what, we still have stone masons. They haven't been the primary purveyors of the written word for a while now of course, but they still have a role because you wouldn't want a TV screen on your headstone. (Douglas Adams)








This post tagged: