4

I have a small mail server at home and quite restrictive filtering rules. I use logwatch and can see that 80 to 90% of connections are rejected by my restrictive filtering rules. Most rejections result from rbl_client.

I'm desperately looking for a fail2ban configuration file example showing how to filter IPs spamming my server. I wish the ban would be for a long period (e.g. 1 month).

I also had a SYN flooding attempt on my mail server that I blocked using a firewall rule set by hand. Could fail2ban detect these too?

  • I do not think it is a good idea. I would be surprised if any significant number of those addresses gets reused. Why create more junk iptables rules?
    – Alex P.
    Commented Apr 1, 2013 at 18:03

3 Answers

6

I've just got sick of all the RBL spammers filling my logs, so I've set up my Postfix to ban them.

After doing so, load dropped, because there were a lot of them!

Be aware that you have to implement some way of cleaning the banned list.

I'm planning to restart fail2ban on a weekly basis.

Check out these rules: http://www.fail2ban.org/wiki/index.php/Postfix

Add them in /etc/fail2ban/filter.d/postfix.conf (that's on a Debian system!)

Also good to read this (search for fail2ban): http://workaround.org/ispmail/squeeze/sysadmin-niceties (some of the snippets below are from there).

In short:

  1. In jail.conf set:

    [postfix]
    enabled  = true
    
  2. Good to do if you're using dovecot (from link above): Create /etc/fail2ban/filter.d/dovecot-pop3imap.conf and add to it:

    [Definition]
    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    ignoreregex =
    
  3. Add section in jail.conf or jail.local:

    [dovecot-pop3imap]
    enabled = true
    port = pop3,pop3s,imap,imaps
    filter = dovecot-pop3imap
    logpath = /var/log/mail.log
    
  4. Restart fail2ban and check with iptables -nvL whether the chains for postfix and courier have been added. BEWARE: this is for Debian-based systems. Check the file paths for RH or others.

  • User mentions it's an email server at home. As long as dovecot is behind the router firewall there is no need for fail2ban checking on that. If he is outside of it, it's better to use a VPN. He probably means SMTP connections sending spam.
    – B. Shea
    Commented Jan 18, 2017 at 21:05
  • I would recommend you setup fail2ban to use ipset and then you can have it automatically time them out for you.
    – cybernard
    Commented Jun 25, 2018 at 21:36
6

Just use Postfix directly to filter IPs using blocklists:

See http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions to reject using blocklist(s). Also read about the best place to put it in main.cf.

Here is a sample of some RBL entries (the "#Check Blocklists:" portion) you could add to block blacklisted IPs. I have placed mine under smtpd_recipient_restrictions as it is an "expensive" check (server load and remote RBL lookups). If done earlier (for instance under smtpd_helo_restrictions) you tend to query the given RBL/blocklist site many times for nothing.

/etc/postfix/main.cf:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/blacklist,
    #Check Blocklists:
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dul.dnsbl.sorbs.net,
    #Postgrey:
        #finalize and throw at postgrey if passes above:
        #check_policy_service inet:[::1]:10023,
        permit

If you really want to use Fail2Ban for blocklist processing:

  • Use a Fail2Ban filter like f2b-postfix-rbl (postfix-rbl.conf) to filter the mail log for blocklist/blacklisted IP entries. It would then insert a new entry into iptables and the IP would be blocked for the given ban time. You should state a ban time in the specific jail definition if not happy with the default.

  • Just restarting F2B or the server, as stated in another answer, does not normally clear the bans before the ban time expires. You will need to use fail2ban-client.

  • And most importantly, Postfix + F2B + banning will not help much, as the script/bot/mailer will just move on after the 1st failure and try you again on a different day from a different IP. This is why outright IP banning (using F2B) is usually taking it a bit overboard (more server workload for nothing).

If you insist on fail2ban processing blocklists, make sure you enable it under /etc/fail2ban/jail.local:

    [postfix-rbl]
    enabled  = true
    port     = smtp,465,submission
    filter   = postfix-rbl
    logpath  = /var/log/mail.log

To use the rbl "mode" under newer versions, substitute the filter line with:

    filter    = postfix[mode=rbl]

On earlier versions I had to change mine to detect "554 5.7.1" to pick up Postfix log rejects via the "postfix-rbl" filter. The newer version of the filter seems to scan for this under the newer rbl "mode" versions.

As for SYN flooding, see this.

  • fail2ban and blacklists like spamhaus perform two different functions. One is not better than the other. fail2ban monitors your logs for malicious usage patterns. Blacklists are maintained by a central authority and include spammers by submission. Both are useful tools.
    – 111
    Commented Jan 23, 2021 at 4:26
  • @111 This is about blocklists as mentioned in question - see: "rbl_client" in OP. If you wish to block abuse of server/brute force/botnet IPs and the like, f2b is probably best suited. But, again that wasn't part of the question posted. Why run f2b just for blocklists when Postfix does it?
    – B. Shea
    Commented Jun 27, 2021 at 21:26
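Added example (my own code, not from either answer above and not fail2ban's own implementation): a small stand-in for fail2ban's filter and jail logic that runs the dovecot-pop3imap failregex from the first answer and a regex for Postfix's "554 5.7.1 ... blocked using <rbl>" rejects (the lines the second answer's postfix-rbl jail watches) over constructed /var/log/mail.log lines, then applies maxretry/findtime and the one-month bantime the question asks for. Assumptions: the log lines are made up (RFC 5737 documentation addresses), the Postfix regex is mine rather than the one shipped in fail2ban's postfix.conf, the year is supplied because syslog timestamps carry none, and the ban command mirrors the shape of fail2ban's default iptables-multiport action.

```python
"""Mini fail2ban: run two filters over constructed mail.log lines and decide
which client IPs would be banned under maxretry/findtime/bantime."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from the dovecot-pop3imap answer above.
DOVECOT_FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Own regex (assumption, not fail2ban's shipped postfix.conf) for the
# "554 5.7.1 ... blocked using <rbl>" rejects that reject_rbl_client logs.
POSTFIX_RBL_FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using (?P<rbl>\S+);"
)

FILTERS = {"dovecot-pop3imap": DOVECOT_FAILREGEX, "postfix-rbl": POSTFIX_RBL_FAILREGEX}

# Jail parameters: fail2ban's default maxretry/findtime plus the one-month
# bantime the question asks for (jail.local would say bantime = 2592000).
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(days=30)

# Constructed log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
Apr 01 10:00:01 mail postfix/smtpd[4321]: connect from unknown[203.0.113.45]
Apr 01 10:00:02 mail postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org; from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<example.net>
Apr 01 10:03:10 mail postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using bl.spamcop.net; from=<b@example.net> to=<me@example.org> proto=ESMTP helo=<example.net>
Apr 01 10:05:40 mail postfix/smtpd[4323]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org; from=<c@example.net> to=<me@example.org> proto=ESMTP helo=<example.net>
Apr 01 10:06:00 mail postfix/smtpd[4324]: NOQUEUE: reject: RCPT from unknown[192.0.2.88]: 554 5.7.1 Service unavailable; Client host [192.0.2.88] blocked using zen.spamhaus.org; from=<d@example.com> to=<me@example.org> proto=ESMTP helo=<example.com>
Apr 01 10:07:15 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Apr 01 10:08:02 mail dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): user=<bob>, rip=198.51.100.7, lip=192.0.2.10
Apr 01 10:09:30 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Apr 01 10:10:00 mail postfix/smtpd[4325]: 1A2B3C4D5E: client=mx.example.com[192.0.2.20]
Apr 01 10:11:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.10, TLS
"""

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2013):
    """Syslog timestamps carry no year; one is assumed, as fail2ban infers it."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def scan(lines):
    """Return {(jail, ip): sorted failure timestamps} for every line a filter matches."""
    hits = defaultdict(list)
    for line in lines:
        for jail, rx in FILTERS.items():
            m = rx.search(line)
            if m:
                hits[(jail, m.group("host"))].append(parse_ts(line))
    return {key: sorted(stamps) for key, stamps in hits.items()}


def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Ban an IP once `maxretry` of its failures fall inside one `findtime`
    window (fail2ban's sliding window); returns {(jail, ip): ban expiry}."""
    result = {}
    for key, stamps in scan(lines).items():
        for i, latest in enumerate(stamps):
            in_window = [t for t in stamps[: i + 1] if latest - t <= findtime]
            if len(in_window) >= maxretry:
                result[key] = latest + bantime
                break
    return result


def ban_expiries(lines, **kw):
    """bans() with ISO-8601 expiry strings, convenient for display and tests."""
    return {key: expiry.isoformat() for key, expiry in bans(lines, **kw).items()}


def ban_command(jail, ip):
    """Shape of the rule fail2ban's default iptables-multiport action inserts
    into the per-jail f2b-<jail> chain (assumption: default blocktype)."""
    return f"iptables -I f2b-{jail} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for (jail, ip), expiry in sorted(ban_expiries(SAMPLE_LOG.splitlines()).items()):
        print(f"{jail:16} {ip:15} banned until {expiry}:  {ban_command(jail, ip)}")
```

Run as a script it prints the two would-be bans (203.0.113.45 from three RBL rejects, 198.51.100.7 from three dovecot auth failures) and their expiry a month later; 192.0.2.88, rejected once and gone, is never banned with maxretry = 3, which is the second answer's point about bots that move on after the first failure. Lowering maxretry to 1 bans it, at the cost of an iptables rule per one-off client. To check a real filter against your own log, use fail2ban's own tester, e.g. `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf`.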
0

So the configuration has already been covered, and most of the settings for postfix are built into fail2ban and simply have to be uncommented. You may have to slightly adjust some of the paths.

Here's my addition: modify the config to use ipset.

Here's why:

    # hash:ip is the set type; ipset create refuses to create a set without one
    ipset create f2b-whatever hash:ip counters timeout 43200

Now if it isn't detected again it will time out automatically.

You will have to create a service to save the list before you reboot and restore the list when the system starts up, but I have done it.

ipsets also optionally support comments if you ever wanted that functionality.

Also, having a single iptables rule referencing an ipset is faster CPU-wise.
