APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Using fail2ban with Kerio Connect mailserver

Fail2ban is a simple tool that reads log files looking for specified patterns and can add iptables rules based upon what it finds. It comes with built in configuration for ssh, ftp and other common services. You can find other less common configurations at the project webpage.

I wanted to have fail2ban monitor Kerio® log files. This is mostly unnecessary: Kerio Connect has internal configuration settings that can block sites that try to send mail to too many unknown users and so on. However, blocking them outright does lessen the load on the server and may help convince them not to bother with us again.

You won't find a fail2ban configuration for Kerio Connect mailserver. It's not difficult to add this, but you do have to make some adjustments.

Configuration of fail2ban itself is simple enough: you need to add a "jail" stanza to /etc/fail2ban/jail.conf. That will look like this:


[kerio]

enabled = true
filter  = kerio
logpath  = /var/log/mail.log
bantime  = 1200
maxretry = 3
action   = iptables-multiport[name=kerio, port="imap,smtp,imaps,smtps", protocol=tcp]

Note that this refers to a "filter". You'll need to create that in the /etc/fail2ban/filter.d directory. It will be named "kerio.conf" and will look something like this:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified for Kerio by A.P. Lawrence
#
# $Revision: 728 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]


# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = SMTP Spam attack detected from <HOST>,
            IP address <HOST> found in DNS blacklist
            Relay attempt from IP address <HOST>
            Attempt to deliver to unknown recipient .*,.*, IP address <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
 

Notice the multiple lines following "failregex =". These are the patterns fail2ban will look for in the log file, and "<HOST>" marks where it will find the IP address. If it sees matching lines "maxretry" times within "findtime" seconds (I reduced that from the default of 600 seconds), it performs the "action" (blocking that IP with iptables).
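As an added example (it is not from the original post or from fail2ban itself), here is a small Python model of what fail2ban does with this filter: the four failregex lines with <HOST> expanded to the alias quoted in the filter's comments, searched over constructed syslog-style lines, with a maxretry/findtime sliding window deciding which hosts get banned. The sample lines, their timestamps and the search-anywhere matching are my assumptions, not Kerio's real syslog output.

```python
import re
from collections import defaultdict, deque

# The four failregex lines from the kerio.conf filter, as fail2ban sees them.
FAILREGEX = [
    r"SMTP Spam attack detected from <HOST>,",
    r"IP address <HOST> found in DNS blacklist",
    r"Relay attempt from IP address <HOST>",
    r"Attempt to deliver to unknown recipient .*,.*, IP address <HOST>",
]
# The <HOST> alias quoted in the filter's own comments.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PATTERNS = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

def match_host(line):
    """Return the host captured by the first failregex that matches, else None.
    Assumption: patterns are searched anywhere in the line, so the syslog
    prefix that fail2ban's common.conf would strip is simply skipped over."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def find_bans(events, maxretry=3, findtime=600):
    """events: (epoch_seconds, log_line) pairs. A host is banned once it has
    maxretry matching lines inside a sliding window of findtime seconds."""
    hits = defaultdict(deque)
    banned = set()
    for ts, line in sorted(events):
        host = match_host(line)
        if host is None or host in banned:
            continue
        window = hits[host]
        window.append(ts)
        while ts - window[0] > findtime:      # forget hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed syslog-style lines (not real Kerio output); offsets in seconds.
SAMPLE = [
    (0, "Jun 17 17:00:45 mail kerio: Attempt to deliver to unknown recipient <a@example.com>, from <x@example.net>, IP address 203.0.113.5"),
    (30, "Jun 17 17:01:15 mail kerio: Attempt to deliver to unknown recipient <b@example.com>, from <y@example.net>, IP address 203.0.113.5"),
    (90, "Jun 17 17:02:15 mail kerio: Relay attempt from IP address 203.0.113.5"),
    (100, "Jun 17 17:02:25 mail kerio: IP address 198.51.100.9 found in DNS blacklist"),
    (900, "Jun 17 17:15:45 mail kerio: IP address 198.51.100.9 found in DNS blacklist"),
    (1000, "Jun 17 17:17:25 mail kerio: IP address 198.51.100.9 found in DNS blacklist"),
]
```

With the defaults only 203.0.113.5 is banned (three hits in 90 seconds); 198.51.100.9 spreads its three hits over 900 seconds and escapes until findtime is raised. fail2ban ships its own checker for the real log: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/kerio.conf reports which lines each failregex matched.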

Simple enough, right? Yes, but Kerio doesn't log to /var/log/mail.log by default. More importantly, Kerio writes date stamps in a format that fail2ban does not understand, so you can't just point fail2ban at /opt/kerio/mailserver/store/logs/security.log.

However, you can tell Kerio Connect to use syslog instead of (or in addition to) its own log. In the administration browser, select the Security log and right-click in the window where the log lines display. Click on Settings and then on the External Logging tab. As shown here, I asked it to log to localhost.

[Screenshot: setting Kerio to syslog]

Your syslog needs to listen for "remote" clients. This is true even if Kerio is running on the same machine, as it is here. On this machine, I had to uncomment these lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

and restart the syslog server.

/etc/init.d/rsyslog restart
 

Then fail2ban starts up (/etc/init.d/fail2ban restart) and adds chains to iptables:

# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-kerio  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 143,25,993,465 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-kerio (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0    
 

After a very short wait, fail2ban started adding to those chains (I'm showing the relevant chain only):


# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target     prot opt source               destination         
DROP       all  --  189.104.140.96       0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
 

Some time later, a different set of IPs is banned (fail2ban removes the rule after "bantime" seconds).


# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target     prot opt source               destination
DROP       all  --  83.149.46.234        0.0.0.0/0
DROP       all  --  200.85.123.34        0.0.0.0/0
DROP       all  --  189.82.35.144        0.0.0.0/0
DROP       all  --  200.223.61.18        0.0.0.0/0
DROP       all  --  201.51.251.94        0.0.0.0/0
DROP       all  --  118.71.57.99         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

If Kerio did not have the ability to use syslog, we would have had to filter the log file and rewrite it for fail2ban. That's not particularly hard to do - here's a Perl script designed to be used in a "tailf /opt/kerio/mailserver/store/logs/security.log" pipeline:

#!/usr/bin/perl
# Rewrite Kerio security.log lines into a syslog-style date stamp that
# fail2ban understands; run as: tailf .../security.log | ./kerio2syslog.pl
use strict;
use warnings;
use IO::Handle;

open(my $out, '>', '/var/log/keriosecurity.log')
    or die "cannot open /var/log/keriosecurity.log: $!";
$out->autoflush(1);          # fail2ban tails the file, so don't buffer

while (my $line = <>) {
    chomp $line;
    $line =~ s/[\[\]]//g;                  # drop the brackets around the stamp
    my ($day, $time, @rest) = split /\s+/, $line;
    next unless defined $time;             # skip blank or malformed lines
    my @ts = split m{/}, $day;             # 17/Jun/2011 -> (17, Jun, 2011)
    my $stamp = "$ts[1] $ts[0] $time : ";  # Jun 17 17:00:45 :
    print $out "$stamp @rest\n";
}

That will take Kerio log files that might look like this:

[17/Jun/2011 17:00:45] Attempt to deliver to unknown recipient <advertise@aplawrence.com>, from <bekytnabvnvyx@aapug.org>, IP address 200.90.149.178

and rewrite them in /var/log/keriosecurity.log to look like this:

Jun 17 17:00:45 :  Attempt to deliver to unknown recipient <advertise@aplawrence.com>, from <bekytnabvnvyx@aapug.org>, IP address 200.90.149.178

Your fail2ban configuration would set "logpath=/var/log/keriosecurity.log".


Kerio®, and related trademarks, names and logos are the property of Kerio Technologies, Inc. and are registered and/or used in the U.S. and other countries. Used under license from Kerio Technologies, Inc.


2 comments

Fri Jun 24 18:31:07 2011: 9587   BruceGarlock
I think you read my todo list! I had fail2ban on it for this week, although I never got to it, so this article is perfect timing!

Thank You,

Bruce







Thu Jul 14 15:38:25 2011: 9616   Pat
Perfect.

It's surprising how much load this removed from kerio.

Thank you for tackling this for us!
