MailCleaner Brute Force Prevention

If you are running a MailCleaner Anti Spam Gateway in your organization, then chances are good that at least once someone has tried to brute force a SASL login to your server. Below we will configure Fail2ban to prevent a SASL brute force attack by blocking the offending IP address after a set number of invalid login attempts. For the purpose of this article, we will be using MailCleaner 2018.02 based on Debian 8, although this method also works on MailCleaner 2017.08. First you will need to install the Fail2ban software and create your base configuration as shown below.

Next, you will need to edit your newly created files to reflect the configuration below. Note that we will not be editing Fail2ban's default configuration: our mc-default.local below overrides the default settings, and the remaining configuration files build our mc-exim jail, filter and action. For specific documentation on each setting, please open and review /etc/fail2ban/jail.conf.

mc-default.local

Note: In the mc-default.local above we are setting the action to enable email notification of banned IPs. If you would prefer not to receive emails on ban actions, remove the action statement above. Also note that after setting this action, you will receive an email every time the fail2ban service is started or stopped. To disable this behavior please refer to: Disable Fail2ban Service Emails.

mc-exim.local

mc-exim-filter.local

mc-exim-action.local
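The contents of mc-exim-filter.local and mc-exim.local are not reproduced on this page, so the following is an added Python illustration (not the article's or MailCleaner's own code) of what that filter/jail pair does together. The failregex is modelled on the "authenticator failed ... 535 Incorrect authentication data" line Exim writes to its main log on a failed SMTP AUTH, which is an assumption about the log format MailCleaner's Exim produces; the maxretry/findtime values and the sample log lines are constructed for the example, and the IPs are documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Exim main-log line for a failed SMTP AUTH. Fail2ban replaces <HOST>
# with its own IP pattern; here a named IPv4 group keeps the script stand-alone.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\S+ authenticator failed for (?:\S+ )?\(\S+\) "
    r"\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: 535 Incorrect authentication data"
)

# Thresholds chosen for this example (assumptions; the article's jail values are not shown).
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)

# Constructed sample log: one client fails three times in a few seconds, another
# fails three times spread over half an hour, and one line is a successful delivery.
SAMPLE_LOG = """\
2018-03-06 19:50:01 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=admin)
2018-03-06 19:50:05 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=admin)
2018-03-06 19:50:09 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=info)
2018-03-06 19:51:00 1eteR4-0003Ix-8Z <= user@example.com H=(client) [198.51.100.7] P=esmtpsa A=login:user S=1234
2018-03-06 19:52:00 plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=user)
2018-03-06 20:10:00 plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=user)
2018-03-06 20:20:30 plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=user)
""".splitlines()


def parse_failures(lines):
    """Yield (timestamp, host) for every line the failregex matches (the filter's job)."""
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return the hosts that reach maxretry failures inside a sliding findtime window.

    This is the per-jail rule fail2ban applies before it calls the ban action:
    only failures newer than (now - findtime) count toward maxretry.
    """
    recent = defaultdict(deque)
    banned = set()
    for ts, host in parse_failures(lines):
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    # Only 203.0.113.10 crosses the threshold; 198.51.100.7's failures are too spread out.
    print(sorted(hosts_to_ban(SAMPLE_LOG)))
```

The slow client in the sample never triggers a ban with these values, which is the trade-off findtime expresses: lengthening it catches low-and-slow guessing at the cost of more state and a higher chance of banning a user who mistypes a password a few times a day. On the gateway itself, the equivalent check of the real filter against real data is `fail2ban-regex <path-to-exim-mainlog> /etc/fail2ban/filter.d/mc-exim-filter.local`, with the log path filled in for your installation.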

Once your configuration files are modified as required, restart the fail2ban service and check the log at /var/log/fail2ban.log to ensure your newly created configuration is working, as seen below. Assuming everything is in place and your fail2ban configuration is working, the last thing we need to do is edit the fail2ban startup script located at /etc/init.d/fail2ban and the MailCleaner firewall script located at /usr/share/mailcleaner/etc/init.d/firewall, as seen below.

fail2ban

firewall

Figure: MailCleaner Fail2Ban Configuration


8 thoughts on "MailCleaner Brute Force Prevention"

  1. Hi again.
    I've applied your newest revision, but I'd suggest you change your titles and include the path for better visibility:
    DEFAULT.CONF -> /etc/fail2ban/jail.d/mc-default.local
    MC-EXIM.CONF -> /etc/fail2ban/jail.d/mc-exim.local
    MC-EXIM-SASL.CONF -> /etc/fail2ban/filter.d/mc-exim-filter.local
    IPTABLES-MC-EXIM-SASL.CONF -> /etc/fail2ban/action.d/mc-exim-action.local

    Now I receive this warning:
    root@mailcleaner:/etc/fail2ban/jail.d# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (running) since Tue 2018-03-13 13:40:25 EDT; 5min ago
    Process: 3825 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 3833 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/fail2ban.service
    └─3845 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

    Mar 13 13:40:25 mailcleaner fail2ban[3833]: WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
    Mar 13 13:40:25 mailcleaner fail2ban[3833]: WARNING 'actionunban' not defined in 'Definition'. Using default one: ''
    Mar 13 13:40:25 mailcleaner systemd[1]: Started LSB: Start/stop fail2ban.

    Any ideas?

    1. I probably should have waited to write the article until I had a 100% working solution :). Anyhow, thanks for the suggestions I appreciate the feedback very much. Feel free to name the files anything you wish. This method is now 100% complete and tested.

  2. You are right, it must be a typo. I did cut and paste at first, but now I have downloaded your files and replaced mine: it works OK.

    Maybe you should add something to your article:
    If you changed the SSH port of your server, you should edit /etc/fail2ban/jail.conf to replace in the [SSH] section:
    port = ssh
    for
    port = 12345
    and of course replace 12345 with the port number of your SSH server.

    Another suggestion: how to adapt Fail2Ban to also protect the GUI for the /admin/ portal and the client area? Any suggestion?

    Thanks a lot for your article, I wasn't able to resolve this by myself.

  3. Hi. Thanks for this article, but I receive this error:
    root@mailcleaner:~# service fail2ban status
    ● fail2ban.service - LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (exited) since Tue 2018-03-06 19:57:07 EST; 6s ago
    Process: 7014 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 7022 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

    Mar 06 19:57:07 mailcleaner systemd[1]: Starting LSB: Start/stop fail2ban...
    Mar 06 19:57:07 mailcleaner fail2ban[7022]: ERROR Error in action definition iptables-mc-exim-sasl[name=sasl]
    Mar 06 19:57:07 mailcleaner fail2ban[7022]: ERROR Errors in jail 'mc-exim'. Skipping...
    Mar 06 19:57:07 mailcleaner systemd[1]: Started LSB: Start/stop fail2ban.
    root@mailcleaner:~# tail /var/log/fail2ban.log
    2018-03-06 19:28:59,524 fail2ban.jail [3885]: INFO Jail 'ssh' uses pyinotify
    2018-03-06 19:28:59,627 fail2ban.jail [3885]: INFO Initiated 'pyinotify' backend
    2018-03-06 19:28:59,644 fail2ban.filter [3885]: INFO Added logfile = /var/log/auth.log
    2018-03-06 19:28:59,645 fail2ban.filter [3885]: INFO Set maxRetry = 6
    2018-03-06 19:28:59,646 fail2ban.filter [3885]: INFO Set findtime = 600
    2018-03-06 19:28:59,646 fail2ban.actions[3885]: INFO Set banTime = 600
    2018-03-06 19:28:59,678 fail2ban.jail [3885]: INFO Jail 'ssh' started
    2018-03-06 19:54:35,243 fail2ban.server [3885]: INFO Stopping all jails
    2018-03-06 19:54:35,306 fail2ban.jail [3885]: INFO Jail 'ssh' stopped
    2018-03-06 19:54:35,306 fail2ban.server [3885]: INFO Exiting Fail2ban

    1. Did you use the entire file set provided as a companion download with the article or did you copy & paste?

      1. Hi,
        I found this article and it is great, but I'm unable to find the files for download. Could you please send me a link? Thanks.
