Profile Details

Toggle Sidebar
Recent updates
  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Nick Howitt wrote:

    The forum has made a mess of you post. I've managed to get it a bit better looking.

    I can see you only have POPS and IMAPS open, so no POP or IMAP. What I don't understand is that POPS does not seem to be listening either. Perhaps I have the command wrong. Does:show any more information?

    if it just shows 993 and 995 then your log reports are probably due to POPS and IMAPS transactions being reported by logwatch as POP/IMAP, but you'll need to check your logs to prove it. If it is the case, then you probably can't do much about it other than reduce the maxretry parameter.

    Cool. Thanks again.
    Here goes. (I hope it formats OK)

  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Thanks for continuing to help, Nick.

    Nick Howitt wrote:
    What do you get from:
    tcp 0 0* LISTEN 11938/imapd
    unix 2 [ ACC ] STREAM LISTENING 506564249 17264/cyrus-master /var/lib/imap/socket/lmtp[/code]
    [quote]Nick Howitt wrote:
    What do you get from:

  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Nick Howitt wrote:

    Check your mail log to see if your authentication failures are really imaps and pops. I think you are using logwatch for your report. It may group imap and imaps together and so on. If the ports aren't open you should not be getting failures on those ports. Again, similar to SMTP, you can reduce the maxretry in in the f2b configlet.

    Nick, thanks again for the suggestion and help.
    I'm still trying to figure out why I get so many imap and pop pam authentication errors.
    I checked the maillog and I don't see any imap or pop. Everything is imaps and pop3s.
    The sasl login authentication error is reduced to about 53 now.
    And lines like this are being blocked.

    I've been researching to see if I can get pam to show more detailed debug messages but stuck at the moment.

  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Nick Howitt wrote:

    Disabling authentication is done through the SMTP webconfig > User Policies > SMTP Authentication.

    The warning in post you linked to does not realise you are using STARTTLS on 587 and if you read just below the warning, he turns on STARTTLS on port 465 to get round that very issue noted in the warning.

    Thank you Nick. I have disabled SMTP authentication. Honestly, I'm really nervous about this but I'm willing to give it a try. I guess my mental problem with this is that I worry that if there is no authentication, then it's open and hackers can get in.
    It appears that I spoke to soon on the pam-unix authentication reduction. While I have 75 IP addresses in the fb2-cyrus-imap BAN list now, I still had 696 imap authentication failures and 49 pop failures. Those ports are closed so I don't understand how someone could be attempting to authenticate against it. I thought that if the port is closed, there is nothing there for anyone to authenticate against and the server wouldn't even acknowledge anything since the port is blocked.
    Is there something else that I should be looking at to reduce these authentication attempts?

  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Nick Howitt wrote:

    You've cut the WARNING message, but you can get them up to about 3 minutes after a found. This is because the attacker may make a number of almost concurrent connections - you have 2 in your log snippet 0.6s apart. f2b runs periodically (every 2 seconds?) so it is possible for the ban to become active on the first message while the second transaction is in progress. As long as you see no more warnings after a couple of minutes or so from a ban, you should be OK for a ClearOS jail as the ban time is normally 86400s (8h). The normal default is something like 300s.

    Today the log looks much different. It's a thing of beauty! INFO: Found then NOTICE: Ban
    Beautiful! I'm sure my logwatch tomorrow morning will look much better again.

    Nick Howitt wrote:I have not said close port 25. You need that to receive e-mails from the outside. I said turn off SMTP authentication in the SMTP server. That parameter only acts on port 25. If no one should be authenticating there, there is no point in exposing yourself to user/pass cracking on port 25.

    I will need to research this. Is this authentication in the webconfig or something that is set in the postfix.conf? I didn't see anything in webconfig. What I've started to read about it and it looks like there is a bunch to learn on setting up postfix.conf, and I need to be very careful or I'll undo what progress I've made. ;)
    From Postfix: disable authentication through port 25 Hmm. Lots to learn.

    Thanks for all your help Nick!

  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Thanks Nick.

    Nick Howitt wrote:

    Remember that Attack Detector uses f2b so I would not enable things in Attack Detector (which uses configlets in /etc/fail2ban/jail.d and in jail.local at the same time) If you disable one, I am not sure which takes precedence. From the Attack Detector Doc, you can check your f2b blocks with:Are you seeing any for f2b-postfix-sasl matching any of your BAN messages or WARNING already banned messages in the f2b log? From you pam snippet, I'd also possibly expect some for f2b-cyrus-imap as well.

    I think I have both running but for the moment it is working so I don't want to mess with it. I'll have to check the logs from the past day to see if I have bans for already banned IPs.

    That's cool code. This is what I get.

    Nick Howitt wrote:When you see a BAN message in the f2b log, check for errors around it and make sure it appears in the relevant f2b jail.

    No errors at the moment.

    Nick Howitt wrote:
    Attacks where the user hops IP's are hard to protect from. I do have a custom jail which bans subnets if the user is sending e-mails from an IP address without a PTR record as these are generally hacked ADSL accounts, but it is not necessarily something you want to do.

    As my users only ever use STARTTLS for sending e-mails when on the road I have no reason to accept any authentication on port 25 so I turn it off. I then reduce maxretry to 1 in /etc/fail2ban/jail.d/clearos-postfix-sasl.conf.

    I have the same thing and everyone has certificates so without that people can't get in as far as I understand. I thought I needed port 25 for incoming mails from the internet??

    Nick Howitt wrote:For cyrus-imap which methods do you use to pick up e-mails? POP, POPS, IMAP or IMAPS? Close the firewall for any you don't use and also disable them in the webconfig. Other than that it is hard to defend against. In theory I always set up users (my family) while they are connected to the LAN, so I also set maxretry to 1 in /etc/fail2ban/jail.d/clearos-cyrus-imap.conf as authentication should never fail when on the road. I also set bantime to 432000 and findtime to 86400. It is a bit aggressive. I also whitelist my LAN in Attack Detector (check the docs) so, if I make a mess of setting up a PC on the LAN, it does not immediately block me.

    We only have POPS and IMAPS enabled. The only ports open are 465, 587, 993, 995.
    I have already whitelisted my LAN :-) I've made the changes to the maxretry to 1. We'll see how it goes in the next 24 hours.

  • Nuke
    Nuke replied to a discussion, Fail2ban - pam unix

    Nick Howitt wrote:

    You can't block pam_unix messages as they don't have IP addresses, iirc. Check for the equivalent messages in /var/log/maillog. Also have a look in /var/log/fail2ban.log to see if these are being detected.
    Do you have the cyrus-imap filter enabled in the Attack Detector.

    Thanks so far, Nick.
    I have found many of the authorization issue in the "messages" log. I can roughly correlate to the time in the "fail2ban.log" and "maillog".

    Yes, the jail [cyrus-imap] is enabled in the Attack Detector. I think it is actually in my jail.local also.

    It looks like it's being found but multiple attempts are made each time. Not every login attempt is logged in fail2ban. And I see the buggers are flipping between IP addresses x.x.x.29, x.x.x.228, x.x.x.227 etc. etc. They are doing 4 attempts with each user name. Do I need something in the fail2ban regex that searches for instances within the /24 network address??

    I have added the countryblock for Estonia 3-4 days ago. This is where this is located. They still appear to be able to get through to one or more of the ports.

    I've tried to tune my jail.local with 2 failed attempts within 60 min then ban.

    Here is an example from the logs:

    I've had some difficulties googling for how to setup and tune jails. the fail2ban developer wiki is interesting but doesn't have many examples so it's a challenge to figure out what I might need or do. Is there a resource that you can recommend?

  • Nuke
    Nuke started a new discussion, Fail2ban - pam unix

    Fail2ban - pam unix

    I finally had some time to start back on this over the holidays.
    I'm a bit lost and would appreciate some guidance.
    In the daily logs (logwatch), I'm getting many authentication failures under the heading "pam_unix". I thought I had fail2ban set up to catch all the authentication failures but it looks like I'm missing something.

    Some background.
    I have fail2ban finally working. I have jails [postfix-sasl], [postfix-auth] (thanks Nick), [cyrus-imap], [openvpn].
    I am running postfix and have following mail ports open: 25, 465, 587, 993, 995. imap or pop unsecure are not open.
    The only other ports open are the Clear 1875, NTP, OpenVPN, 80 & 443 for the webserver/apache.

    Can you give me some suggestions as to what I should be looking at to figure out what jail I am missing to catch and start to block these connection attempts?


  • Thanks so much Nick.

    I used the iptables command on the CLI and it worked. I can ping and access the WAP from the wired network. Thank you!

    Now I have to figure out the Custom Firewall addition. I suspect this have to be added to the /etc/clearos/firewall.d/custom? Or can it be added to the GUI?

  • Nick Howitt wrote:

    As the AP is a router, see if it has an option to allow access to it or management of it from the internet and enable it. Otherwise it could be firewalled just to allow access from its LAN. If it is really important, you may be able to add a custom firewall rule something like:
    Try it from the command line first, changing "$IPTABLES" to "iptables".

    Hi Nick,
    I haven't been able to find an option in the AP to allow management from the internet. It appears to be an option only available when it is in Router mode.

    I'm learning more about the IPTABLES as I move forward in trying to figure out both your suggested command an also figuring out why the only F2B jail that seems to work is the cyrus-imap.

    Your suggested IPTABLE command has me a bit stumped. I am assuming this is to create a route from LAN to the WIFI Access Point (WAP) and fake the WAP to think it is being accessed via the WIFI segment?

    Are the _WAP_IP and _ClearOS_WiFi_segment_LAN_IP the same? I presume that "_WAP_IP" is "wireless access point"( If not, is the "_ClearOS_WiFi_segment_LAN_IP" the ethernet card/gateway ( that connects to the WAP?