MailCleaner Brute Force Prevention

If you are running a MailCleaner Anti Spam Gateway in your organization, then chances are good that at least once someone has tried to brute force a SASL login on your server. Below we will configure Fail2ban to stop a SASL brute-force attack by banning the offending IP address after a set number of invalid login attempts. For the purpose of this article we will be using MailCleaner 2018.02 based on Debian 8, although this method also works on MailCleaner 2017.08. First you will need to install the Fail2ban software and create your base configuration as shown below.

Next, edit your newly created files to reflect the configuration below. Note that we will not be editing Fail2ban's default configuration: our mc-default.local overrides the default settings, and the remaining files build the mc-exim jail, its filter and its action. For documentation on each setting, open and review /etc/fail2ban/jail.conf.

mc-default.local

Note: in mc-default.local above we set the action to enable email notification of banned IPs. If you would prefer not to receive emails on ban actions, remove the action statement. Also note that after setting this action you will receive an email every time the fail2ban service is started or stopped; to disable this behavior please refer to: Disable Fail2ban Service Emails.

mc-exim.local

mc-exim-filter.local

mc-exim-action.local

Once your configuration files are modified as required, restart the fail2ban service and check /var/log/fail2ban.log to ensure the new jail started without errors (fail2ban-client status mc-exim will also show whether the jail is running and which IPs it currently bans). Assuming everything is in place and the jail is working, the last thing we need to do is edit the fail2ban startup script located at /etc/init.d/fail2ban as seen below.

fail2ban

MailCleaner Fail2Ban Configuration (companion download)
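As an added example, and not code from the article, its download, MailCleaner or Fail2ban, the following Python script emulates what the mc-exim jail does once the files above are in place: it expands the <HOST> placeholder the way fail2ban does, runs the filter's failregex over Exim stage-1 mainlog lines, and applies maxretry within findtime to decide who gets banned. It also reproduces the "No 'host' group" rejection fail2ban raises when <HOST> is lost from the failregex. The failregex is reconstructed from the fail2ban error messages quoted in the comments below, the HOST expansion is the one fail2ban 0.9 uses, and the log lines are constructed to look like Exim's "authenticator failed" entries; none of these are taken from the article's download.

```python
"""Emulate the mc-exim jail offline: apply a fail2ban-style failregex to Exim
stage-1 mainlog lines and the maxretry/findtime/bantime rules to decide bans.
Added example; the log lines below are constructed, not from a real server."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's own expansion of <HOST> (0.9.x): optional IPv4-mapped IPv6 prefix,
# then the address captured as the named group 'host' that fail2ban bans.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Exim's default log prefix: "YYYY-MM-DD HH:MM:SS " followed by the message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# Failregex as reconstructed from the fail2ban errors quoted in the comments
# (assumption: the article's filter file is not reproduced on this page).
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"


class RegexException(ValueError):
    """Same complaint fail2ban logs when <HOST> was lost in a copy/paste."""


def compile_failregex(failregex):
    """Expand <HOST> like fail2ban; refuse a regex that cannot yield an IP."""
    if "<HOST>" not in failregex:
        raise RegexException("No 'host' group in '%s'" % failregex)
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failregex_is_valid(failregex):
    try:
        compile_failregex(failregex)
        return True
    except RegexException:
        return False


def failures(lines, failregex=FAILREGEX):
    """Yield (timestamp, host) for each log line the filter would count."""
    pattern = compile_failregex(failregex)
    for line in lines:
        m = LINE_RE.match(line)
        hit = m and pattern.search(m.group("msg"))
        if hit:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), hit.group("host")


def simulate_jail(lines, failregex=FAILREGEX, maxretry=3, findtime=600, bantime=3600):
    """Return (time, host, 'ban' | 'already banned') events, like fail2ban.actions."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure timestamps inside the window
    expires = {}                  # host -> when its current ban lapses
    events = []
    for when, host in failures(lines, failregex):
        q = recent[host]
        q.append(when)
        while when - q[0] > window:   # slide the findtime window forward
            q.popleft()
        if len(q) < maxretry:
            continue
        q.clear()                     # fail2ban drops the counter once it tickets the IP
        if host in expires and when < expires[host]:
            events.append((when, host, "already banned"))
        else:
            expires[host] = when + timedelta(seconds=bantime)
            events.append((when, host, "ban"))
    return events


# Constructed sample: one password-guessing client, one legitimate delivery line,
# and one user who mistypes a password twice, 15 minutes apart.
SAMPLE_LOG = """\
2018-07-26 02:30:01 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=sales)
2018-07-26 02:30:14 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=info)
2018-07-26 02:30:29 1fimXv-0003Qk-7X <= bob@example.org H=mail.example.org [198.51.100.7] P=esmtps S=2048
2018-07-26 02:30:41 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2018-07-26 02:31:00 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=root)
2018-07-26 02:31:02 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=root)
2018-07-26 02:31:05 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=root)
2018-07-26 02:35:10 plain authenticator failed for (x) [::ffff:198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2018-07-26 02:50:00 plain authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
"""

if __name__ == "__main__":
    for when, host, what in simulate_jail(SAMPLE_LOG.splitlines()):
        print(when, "[mc-exim]", host, what)
```

With the defaults above the guessing client is banned on its third failure inside the ten-minute window, the repeated failures that follow are reported as "already banned" (the same message the comments show once the chain is gone), and the two mistyped passwords fifteen minutes apart never reach maxretry. Removing <HOST> from FAILREGEX, which is what happened when the filter was copied from the page, makes compile_failregex fail the same way fail2ban's "addfailregex" command did.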


37 thoughts on "MailCleaner Brute Force Prevention"

  1. I set up a new MailCleaner and installed fail2ban. The only issue is that when fail2ban sends emails out reporting a restart or an IP being blocked, the email is sent from fail2ban@192.168.x.x, which is the actual MailCleaner box IP address, instead of fail2ban@domain.co.uk. For the life of me, I can't find where to change the settings.

    I have my mc-default.local

    [DEFAULT]
    ignoreip = 127.0.0.1/8
    destemail = support@domain.com
    sendername = Mailcleaner
    sender = fail2ban@domain1.co.uk
    action = %(action_mw)s

    Any help would be welcome

    Rajbps

      1. Figured it out, had a privacy extension that was blocking it, thanks.

        Would it still be necessary to edit cron to restart fail2ban at 2:35 every day, or has that been fixed?

        Something like this:

        # fail2ban restart after mc4update restart
        35 2 * * * /etc/init.d/fail2ban restart

        1. We typically disable the updater crontab task and just run the script manually from time to time. So in our case we just added the fail2ban stop and start to the updater4mc.sh script.

  2. Hi, after the update script updater4mc.sh, which runs at 2:30,
    iptables stops blocking IP addresses from fail2ban.

    In the log after 2:30 it starts showing this:
    2018-07-26 02:38:31,245 fail2ban.actions[2882]: INFO [mc-exim] 70.90.59.237 already banned
    2018-07-26 02:38:32,246 fail2ban.actions[2882]: INFO [mc-exim] 70.90.59.237 already banned
    2018-07-26 02:38:33,247 fail2ban.actions[2882]: INFO [mc-exim] 70.90.59.237 already banned

    Restarting the fail2ban service helps resolve this.
    After restarting fail2ban the log shows this:

    2018-07-26 07:40:55,461 fail2ban.actions.action[2882]: ERROR iptables -D INPUT -j fail2ban-mc-exim
    iptables -F fail2ban-mc-exim

    Can we add these rules into the DB for the MC firewall, the same as the rules for SSH?
    https://support.mailcleaner.net/boards/3/topics/37-customizing-the-mailcleaner-firewall

    I have changed the file /etc/init.d/fail2ban following the guide.
    iptables -X fail2ban-mc-exim returned 100

  3. Hi, I got this error:
    2018-07-23 14:00:55,221 fail2ban.filter [11048]: ERROR No 'host' group in '\[\]: 535 Incorrect authentication data'
    2018-07-23 14:00:55,221 fail2ban.comm [11048]: WARNING Command ['set', 'mc-exim', 'addfailregex', '\\[\\]: 535 Incorrect authentication data'] has failed. Received RegexException("No 'host' group in '\\[\\]: 535 Incorrect authentication data'",)

    when I copy all the files and restart the fail2ban service.

        1. Updated article and download. Please update your mc-exim-filter.local to reflect the code in the article.

          1. Thank you very much, now it's working.

            You deleted the change to the MailCleaner firewall. Is it no longer necessary to change the firewall script?

          2. Hi, after the MailCleaner update script updater4mc.sh runs, adding IP addresses to the FW stops working.
            After the first restart of the fail2ban service I got this error:

            2018-07-24 08:20:55,894 fail2ban.actions.action[91082]: ERROR iptables -D INPUT -j fail2ban-mc-exim
            iptables -F fail2ban-mc-exim
            iptables -X fail2ban-mc-exim returned 100

            After the second restart of the fail2ban service there is no error.

            I tried running updater4mc.sh now and got the same result.

  4. Hi.

    I think something got messed up with the configuration/system:
    while fail2ban does not report any ban, iptables reports several...

    I believe that the daily fail2ban restart is causing problems..

    root@mailcleaner:/etc# fail2ban-client status mc-exim
    Status for the jail: mc-exim
    |- filter
    | |- File list: /var/mailcleaner/log/exim_stage1/mainlog
    | |- Currently failed: 2
    | `- Total failed: 2
    `- action
    |- Currently banned: 0
    | `- IP list:
    `- Total banned: 0
    root@mailcleaner:/etc# iptables -L fail2ban-mc-exim -n | grep DROP | wc -l
    23

    Any Ideas?

    Cheers.

    1. It seems as if the updater4mc.sh script breaks Fail2Ban on its nightly service restart. I have modified mine to also restart fail2ban.

      1. It seems that is not a valid option; I've done that and the script restores itself, so I created a secondary script that is run instead of that one. This new script restarts the firewall after running the original one. I will change my script to stop the firewall before and start it after...
        Cheers.

          1. Hello.

            I understood what was happening and the reason for the difference between the iptables banned IP list and fail2ban's.

            These configuration files are designed to make permanent bans and store the list in ip.blocklist.sasl, so when the bantime is over fail2ban does nothing.

            I don't know if I want permanent bans... (I will think about it for a while.) I wouldn't like to get permanently blocked from sending emails to a specific server just because, in some unlucky moment, my server was hacked and the hacker used it for a brute force attack... I would like to be able to send emails to that server again in the future without needing to contact the destination server administrator.

            Maybe I change the configurations…

            Cheers.

  5. Hi.
    I was able to implement this solution after the setback of my previous message, but I noticed that something breaks the firewall rules.
    Generally after 2 am I start getting messages like this in the fail2ban log:

    2018-05-26 02:39:22,781 fail2ban.actions[12601]: INFO [mc-exim] 181.214.206.195 already banned
    2018-05-26 02:41:24,943 fail2ban.actions[12601]: INFO [mc-exim] 181.214.206.101 already banned

    and when I check the firewall rules I see that the fail2ban rules are missing.

    I do a “/usr/mailcleaner/etc/init.d/firewall restart” and it gets back on track.

    It seems that the firewall is reset, but not with the above init script...

    Cheers.
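The mismatch described in the two comments above (fail2ban reporting one set of bans while iptables holds another, or the fail2ban-mc-exim chain vanishing after the nightly firewall reset) is easy to check for on the box. The following Python script is an added example and not part of the article, its download, or MailCleaner: it parses captured output of fail2ban-client status mc-exim and of iptables -S for the INPUT chain and the jail chain, and reports the differences in both directions. The captured outputs are constructed; the chain name fail2ban-mc-exim comes from the log lines quoted above, and the shape of the INPUT jump rule is an assumption about the article's action file.

```python
"""Reconcile fail2ban's idea of the mc-exim ban list with what iptables drops.
Added example; the captured outputs below are constructed, not from a real box."""
import re
import subprocess

CHAIN = "fail2ban-mc-exim"   # chain name seen in the fail2ban log lines above


def banned_by_fail2ban(status_output):
    """IPs listed under 'IP list:' in 'fail2ban-client status <jail>' output."""
    m = re.search(r"IP list:\s*(.*)", status_output)
    return set(m.group(1).split()) if m else set()


def dropped_by_iptables(chain_output, chain=CHAIN):
    """(chain exists?, IPs with a DROP rule) from 'iptables -S <chain>' output.
    An empty listing (the command fails) means the chain is gone, which is what
    a firewall reset leaves behind."""
    lines = [l.strip() for l in chain_output.splitlines()]
    exists = ("-N " + chain) in lines
    rule = re.compile(r"^-A %s -s (\S+) -j DROP$" % re.escape(chain))
    ips = set()
    for line in lines:
        m = rule.match(line)
        if m:
            ips.add(re.sub(r"/32$", "", m.group(1)))   # -S prints hosts as a.b.c.d/32
    return exists, ips


def input_jumps_to(input_output, chain=CHAIN):
    """True if some INPUT rule still jumps into the jail chain ('iptables -S INPUT')."""
    jump = re.compile(r"^-A INPUT .*-j %s$" % re.escape(chain))
    return any(jump.match(l.strip()) for l in input_output.splitlines())


def reconcile(status_output, input_output, chain_output, chain=CHAIN):
    """Compare fail2ban's ban list with the kernel's; both directions matter."""
    f2b = banned_by_fail2ban(status_output)
    exists, ipt = dropped_by_iptables(chain_output, chain)
    return {
        "chain_exists": exists,
        "input_jumps_to_chain": input_jumps_to(input_output, chain),
        "banned_but_not_dropped": sorted(f2b - ipt),   # fail2ban thinks so, kernel does not
        "dropped_but_not_banned": sorted(ipt - f2b),   # e.g. entries from a permanent blocklist
    }


def _run(*argv):
    """Capture a command's stdout; '' when it fails (e.g. the chain is missing)."""
    try:
        return subprocess.check_output(argv, stderr=subprocess.DEVNULL).decode()
    except (subprocess.CalledProcessError, OSError):
        return ""


def live_check(jail="mc-exim", chain=CHAIN):
    """Run the reconciliation against the real box (needs root)."""
    return reconcile(_run("fail2ban-client", "status", jail),
                     _run("iptables", "-S", "INPUT"),
                     _run("iptables", "-S", chain), chain)


# Constructed captures: a healthy box, and the same box after the firewall reset.
STATUS_SAMPLE = """\
Status for the jail: mc-exim
|- filter
|  |- File list:  /var/mailcleaner/log/exim_stage1/mainlog
|  |- Currently failed:  2
|  `- Total failed:  9
`- action
   |- Currently banned:  2
   |  `- IP list:  203.0.113.5 198.51.100.23
   `- Total banned:  2
"""
INPUT_SAMPLE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j fail2ban-mc-exim
"""
CHAIN_SAMPLE = """\
-N fail2ban-mc-exim
-A fail2ban-mc-exim -s 203.0.113.5/32 -j DROP
-A fail2ban-mc-exim -s 192.0.2.77/32 -j DROP
-A fail2ban-mc-exim -j RETURN
"""
INPUT_AFTER_RESET = "-P INPUT DROP\n-A INPUT -i lo -j ACCEPT\n"
CHAIN_AFTER_RESET = ""   # 'iptables -S fail2ban-mc-exim' fails: no such chain

if __name__ == "__main__":
    print("healthy:", reconcile(STATUS_SAMPLE, INPUT_SAMPLE, CHAIN_SAMPLE))
    print("after reset:", reconcile(STATUS_SAMPLE, INPUT_AFTER_RESET, CHAIN_AFTER_RESET))
```

Run live_check() as root after 02:30; a report with chain_exists false and every fail2ban ban listed under banned_but_not_dropped is the firewall-reset case, and restarting fail2ban (which the comments above converge on) is what recreates the chain. Fail2ban can only notice the missing chain on its own if the action defines actioncheck, which a later comment shows is undefined in this configuration: it runs that check before each ban and unban and re-runs actionstart when the check fails, but it does not by itself re-issue the bans it already recorded, so the reconciliation above is still worth running after the nightly update.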

  6. Notes:
    /usr/share/mailcleaner/etc/init.d/firewall seems to be /usr/mailcleaner/etc/init.d/firewall

    2018-05-23 21:45:39,379 fail2ban.filter [14701]: ERROR No 'host' group in '\[\]: 535 Incorrect authentication data'
    2018-05-23 21:45:39,379 fail2ban.comm [14701]: WARNING Command ['set', 'mc-exim', 'addfailregex', '\\[\\]: 535 Incorrect authentication data'] has failed. Received RegexException("No 'host' group in '\\[\\]: 535 Incorrect authentication data'",)

    The seems to be missing in the filter.

    The file /etc/init.d/fail2ban should be entirely replaced by the code shown or only the heading?

    Cheers.

    1. Just replace lines 3 and 4 of /etc/init.d/fail2ban with the lines from the article above. Also, note that the files can be downloaded at the bottom of the article.

    2. Corrected the second issue using the files; the expression is missing in the page but seems to be correct in the downloaded files.

  7. Hi again.
    I've applied your newest revision, but I can suggest that you change your titles and include the path for better visibility:
    DEFAULT.CONF –> /etc/fail2ban/jail.d/mc-default.local
    MC-EXIM.CONF –> /etc/fail2ban/jail.d/mc-exim.local
    MC-EXIM-SASL.CONF –> /etc/fail2ban/filter.d/mc-exim-filter.local
    IPTABLES-MC-EXIM-SASL.CONF –> /etc/fail2ban/action.d/mc-exim-action.local

    Now I receive this warning :
    root@mailcleaner:/etc/fail2ban/jail.d# service fail2ban status
    ● fail2ban.service – LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (running) since Tue 2018-03-13 13:40:25 EDT; 5min ago
    Process: 3825 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 3833 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/fail2ban.service
    └─3845 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

    Mar 13 13:40:25 mailcleaner fail2ban[3833]: WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
    Mar 13 13:40:25 mailcleaner fail2ban[3833]: WARNING 'actionunban' not defined in 'Definition'. Using default one: ''
    Mar 13 13:40:25 mailcleaner systemd[1]: Started LSB: Start/stop fail2ban.

    Any ideas ?

    1. I probably should have waited to write the article until I had a 100% working solution :). Anyhow, thanks for the suggestions I appreciate the feedback very much. Feel free to name the files anything you wish. This method is now 100% complete and tested.

  8. You are right, it must be a typo. I did cut and paste at first, but now, with a download of your files replacing mine, it works OK.

    Maybe you should add something to your article:
    If you changed the SSH port of your server, you should edit /etc/fail2ban/jail.conf to replace in the [SSH] section:
    port = ssh
    for
    port = 12345
    and of course replace 12345 with the port number of your SSH server.

    Another suggestion: how to adapt Fail2Ban to also protect the GUI for the /admin/ portal and the client area? Any suggestion?

    Thanks a lot for your article, I wasn’t able to resolve by myself.

  9. Hi. Thanks for this article, but I receive this error:
    root@mailcleaner:~# service fail2ban status
    ● fail2ban.service – LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (exited) since Tue 2018-03-06 19:57:07 EST; 6s ago
    Process: 7014 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 7022 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

    Mar 06 19:57:07 mailcleaner systemd[1]: Starting LSB: Start/stop fail2ban…
    Mar 06 19:57:07 mailcleaner fail2ban[7022]: ERROR Error in action definition iptables-mc-exim-sasl[name=sasl]
    Mar 06 19:57:07 mailcleaner fail2ban[7022]: ERROR Errors in jail ‘mc-exim’. Skipping…
    Mar 06 19:57:07 mailcleaner systemd[1]: Started LSB: Start/stop fail2ban.
    root@mailcleaner:~# tail /var/log/fail2ban.log
    2018-03-06 19:28:59,524 fail2ban.jail [3885]: INFO Jail ‘ssh’ uses pyinotify
    2018-03-06 19:28:59,627 fail2ban.jail [3885]: INFO Initiated ‘pyinotify’ backend
    2018-03-06 19:28:59,644 fail2ban.filter [3885]: INFO Added logfile = /var/log/auth.log
    2018-03-06 19:28:59,645 fail2ban.filter [3885]: INFO Set maxRetry = 6
    2018-03-06 19:28:59,646 fail2ban.filter [3885]: INFO Set findtime = 600
    2018-03-06 19:28:59,646 fail2ban.actions[3885]: INFO Set banTime = 600
    2018-03-06 19:28:59,678 fail2ban.jail [3885]: INFO Jail ‘ssh’ started
    2018-03-06 19:54:35,243 fail2ban.server [3885]: INFO Stopping all jails
    2018-03-06 19:54:35,306 fail2ban.jail [3885]: INFO Jail ‘ssh’ stopped
    2018-03-06 19:54:35,306 fail2ban.server [3885]: INFO Exiting Fail2ban

    1. Did you use the entire file set provided as a companion download with the article or did you copy & paste?

      1. Hi,
        I found this article and it is great but I’m unable to find files for download, can you please send me a link. Thanks
