Fail2ban is a simple tool that reads log files looking for specified patterns and can add iptables rules based upon what it finds. It comes with built in configuration for ssh, ftp and other common services. You can find other less common configurations at the project webpage.
I wanted to have fail2ban monitor Kerio log files. This is mostly unnecessary: Kerio Connect has internal configuration settings that can block sites that try to send mail to too many unknown users and so on. However, blocking them outright does lessen the load on the server and may help convince them not to bother with us again.
You won't find a fail2ban configuration for the Kerio Connect mailserver. It's not difficult to add one, but you do have to make some adjustments.
Configuration of fail2ban itself is simple enough: you need to add a "jail" stanza to /etc/fail2ban/jail.conf. That will look like this:
[kerio]
enabled  = true
filter   = kerio
logpath  = /var/log/mail.log
bantime  = 1200
maxretry = 3
action   = iptables-multiport[name=kerio, port="imap,smtp,imaps,smtps", protocol=tcp]
Note that this refers to a "filter". You'll need to create that in the /etc/fail2ban/filter.d directory. It will be named "kerio.conf" and will look something like this:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified for Kerio by A.P. Lawrence
#
# $Revision: 728 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = SMTP Spam attack detected from <HOST>
            IP address <HOST> found in DNS blacklist
            Relay attempt from IP address <HOST>
            Attempt to deliver to unknown recipient .*,.*, IP address <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Notice the multiple lines following "failregex =". These are the patterns fail2ban will look for in the log file, and "<HOST>" marks where it will find the IP address. If it sees matching lines "maxretry" times within "findtime" seconds (I reduced that from the default of 600 seconds), it performs the "action" (blocking that IP with iptables).
Simple enough, right? Yes, but Kerio doesn't log to /var/log/mail.log by default. More importantly, Kerio writes date stamps in a format that fail2ban does not understand, so you can't just point fail2ban at /opt/kerio/mailserver/store/logs/security.log.
However, you can tell Kerio Connect to use syslog instead of (or in addition to) its own log. In the administration browser, select the Security log and right-click in the window where the log lines display. Click on Settings and then on the External Logging tab. As shown here, I asked it to log to localhost.
Your syslog needs to listen for "remote" clients. This is true even if you are running on the same machine as I am here. On this machine, I had to uncomment these lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
and restart the syslog server.
/etc/init.d/rsyslog restart
Then fail2ban starts up (/etc/init.d/fail2ban restart) and adds chains to iptables:
# iptables -n -L
Chain INPUT (policy ACCEPT)
target          prot opt source               destination
fail2ban-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
fail2ban-kerio  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 143,25,993,465

Chain FORWARD (policy ACCEPT)
target          prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target          prot opt source               destination

Chain fail2ban-kerio (1 references)
target          prot opt source               destination
RETURN          all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target          prot opt source               destination
RETURN          all  --  0.0.0.0/0            0.0.0.0/0
After a very short wait, fail2ban started adding to those chains (I'm showing the relevant chain only):
# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target          prot opt source               destination
DROP            all  --  189.104.140.96       0.0.0.0/0
RETURN          all  --  0.0.0.0/0            0.0.0.0/0
Some time later, a different set of IPs is banned (fail2ban removes the rule after "bantime" seconds).
# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target          prot opt source               destination
DROP            all  --  83.149.46.234        0.0.0.0/0
DROP            all  --  200.85.123.34        0.0.0.0/0
DROP            all  --  189.82.35.144        0.0.0.0/0
DROP            all  --  200.223.61.18        0.0.0.0/0
DROP            all  --  201.51.251.94        0.0.0.0/0
DROP            all  --  118.71.57.99         0.0.0.0/0
RETURN          all  --  0.0.0.0/0            0.0.0.0/0
If Kerio did not have the ability to use syslog, we would have had to filter the log file and rewrite it for fail2ban. That's not particularly hard to do - here's a Perl script designed to be used in a "tailf /opt/kerio/mailserver/store/logs/security.log" pipeline:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;

# Read Kerio security.log lines on stdin (e.g. from tailf), rewrite the
# "[17/Jun/2011 17:00:45]" stamp into the "Jun 17 17:00:45" form that
# fail2ban understands, and write the result to /var/log/keriosecurity.log.
open(my $out, '>', '/var/log/keriosecurity.log')
    or die "cannot open /var/log/keriosecurity.log: $!";
$out->autoflush(1);

while (<>) {
    s/\[//g;    # strip the brackets around the date stamp
    s/\]//g;
    my ($day, $time, @rest) = split /\s+/;
    # $day is "17/Jun/2011"; reorder it to "Jun 17"
    my @timestamp = split m{/}, $day;
    my $replace = "$timestamp[1] $timestamp[0] $time : ";
    print $out "$replace @rest\n";
}
That will take Kerio log files that might look like this:
[17/Jun/2011 17:00:45] Attempt to deliver to unknown recipient <advertise@aplawrence.com>, from <bekytnabvnvyx@aapug.org>, IP address 200.90.149.178
and rewrite them in /var/log/keriosecurity.log to look like this:
Jun 17 17:00:45 : Attempt to deliver to unknown recipient <advertise@aplawrence.com>, from <bekytnabvnvyx@aapug.org>, IP address 200.90.149.178
Your fail2ban configuration would set "logpath=/var/log/keriosecurity.log".
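To see the two pieces above working together without touching a live server, here is an added Python example (not part of the original article or of fail2ban) that rewrites Kerio's date stamp the way the Perl script does, applies the four failregex patterns from the kerio.conf filter (with "<HOST>" expanded to the group the filter file documents as its alias), and replays the "maxretry within findtime" rule that decides when a host gets banned. The log lines are constructed for the example and use documentation addresses; fail2ban's own matching is more elaborate (it strips the date prefix and anchors the pattern), so this is an approximation of its logic, not a copy of it.

```python
import re
from datetime import datetime

# The four failregex lines from the kerio.conf filter, with fail2ban's <HOST>
# tag expanded to the group the filter file documents as an alias for it.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    r"SMTP Spam attack detected from <HOST>",
    r"IP address <HOST> found in DNS blacklist",
    r"Relay attempt from IP address <HOST>",
    r"Attempt to deliver to unknown recipient .*,.*, IP address <HOST>",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Kerio's native stamp, e.g. "[17/Jun/2011 17:00:45] message"
KERIO_STAMP = re.compile(r"^\[(\d{2})/(\w{3})/(\d{4}) (\d{2}:\d{2}:\d{2})\] (.*)$")


def rewrite_line(line):
    """Return (datetime, syslog-style line) as the Perl script would emit it,
    or None for a line that does not start with a Kerio stamp."""
    m = KERIO_STAMP.match(line.rstrip("\n"))
    if not m:
        return None
    day, mon, year, clock, rest = m.groups()
    ts = datetime.strptime(f"{day}/{mon}/{year} {clock}", "%d/%b/%Y %H:%M:%S")
    return ts, f"{mon} {day} {clock} : {rest}"


def match_host(message):
    """Return the host captured by the first failregex that matches, else None."""
    for pat in PATTERNS:
        m = pat.search(message)
        if m:
            return m.group("host")
    return None


def bans(lines, maxretry=3, findtime=600):
    """Replay log lines in order; a host is banned once it accumulates
    maxretry matching lines within a sliding window of findtime seconds."""
    hits = {}      # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        parsed = rewrite_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        host = match_host(msg)
        if host is None or host in banned:
            continue
        window = [t for t in hits.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample lines in Kerio's native security.log format (not real traffic).
SAMPLE_LOG = """\
[17/Jun/2011 17:00:45] Attempt to deliver to unknown recipient <a@example.com>, from <x@example.org>, IP address 198.51.100.7
[17/Jun/2011 17:01:10] Attempt to deliver to unknown recipient <b@example.com>, from <y@example.org>, IP address 198.51.100.7
[17/Jun/2011 17:02:30] Relay attempt from IP address 203.0.113.9
[17/Jun/2011 17:03:05] Attempt to deliver to unknown recipient <c@example.com>, from <z@example.org>, IP address 198.51.100.7
[17/Jun/2011 17:20:00] IP address 203.0.113.9 found in DNS blacklist
[17/Jun/2011 17:25:00] SMTP Spam attack detected from 203.0.113.9
[17/Jun/2011 17:26:00] Server started
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        parsed = rewrite_line(line)
        if parsed:
            print(parsed[1])
    print("banned with findtime=600: ", bans(SAMPLE_LOG))
    print("banned with findtime=1800:", bans(SAMPLE_LOG, findtime=1800))
```

With the jail's maxretry of 3 and the default findtime of 600 seconds, only 198.51.100.7 is banned: 203.0.113.9 matches three times, but its first hit falls outside the 600-second window by the time the third arrives. Raising findtime to 1800 bans it too, which is the trade-off the article's "I reduced that" remark refers to.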
More Articles by Anthony Lawrence © 2014-01-05 Anthony Lawrence
Fri Jun 24 18:31:07 2011: 9587 BruceGarlock
I think you read my todo list! I had fail2ban on it for this week, although I never got to it, so this article is perfect timing!
Thank You,
Bruce
Thu Jul 14 15:38:25 2011: 9616 Pat
Perfect.
It's surprising how much load this removed from kerio.
Thank you for tackling this for us!
Sun Jan 5 12:47:44 2014: 12394 danielblack
Can you include some sample log lines that need to be matched here in fail2ban please (link) - just edit the file and then save (or email them to me).
0.9 version of fail2ban has support for custom date formats so we'd like to have a filter for kerio included in the next release.
Thanks,
Daniel
fail2ban developer
Sun Jan 5 13:16:31 2014: 12395 TonyLawrence
I'll send you some today.
Sun Jan 5 13:18:26 2014: 12396 TonyLawrence
I'll also ask Kerio if they can add anything.
Using fail2ban with Kerio Connect mailserver Copyright © June 2011 Tony Lawrence