[Pkg-exim4-users] My addition for Debian (Wheezy) Fail2ban exim jail conf
Ron Leach
2016-03-01 17:26:25 UTC
List good afternoon,

An Exim4 mail server that I look after started suffering repeated
incorrect Auth attempts, always from the same IP address and nothing
to do with our users. The server runs on Debian oldstable (Wheezy)
and I looked into fail2ban to see if it could help to block the
attempts. Fail2ban uses .conf files per package to protect, and the
Wheezy fail2ban package comes with a pre-configured exim.conf file, to
define how fail2ban detects a malicious attack on exim; the file is
found in /etc/fail2ban/filter.d. But this pre-configured exim.conf
does not detect auth rejections (these are logged by Exim4 both in
/var/log/exim4/mainlog, and in /var/log/exim4/rejectlog). I added a
line to detect multiple auth failures, and I was pleased to see that
fail2ban immediately detected the attacks that were occurring and
that, since automatically banning that IP address, there have been no
subsequent repeat attacks showing in the logs. I thought I'd describe
the change I made to the standard configuration so that it may help
others trying to solve similar problems for the first time and,
because I have one remaining uncertainty, I'd like to end this post
with a question.

The preconfigured exim.conf in Wheezy's fail2ban contains this stanza
which defines what fail2ban should treat as an attack:

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$

Exim logs incorrect auth attempts as, for example:

authenticator failed for (<some name>) [iii.jjj.kkk.lll]: 535 Incorrect authentication data (set_id=<attempted login name>)

Current versions of fail2ban allow multi-line 'failregex' stanzas, and
the definition in any line of the stanza can be satisfied to count
towards a trigger for a ban of the offending IP. So I added a line to
detect the '535' rejection message in the log. I don't understand
regex syntax, and I used an entry from fail2ban's website

http://www.fail2ban.org/wiki/index.php/Exim

while keeping the pre-configured detectors, so that my failregex
stanza looks like this:

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
            \[<HOST>\]: 535 Incorrect authentication data
            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
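To see what the added '535' line actually matches, here is a small Python check (an added example, not part of the poster's configuration or of fail2ban itself) that expands the <HOST> tag the way fail2ban 0.8.x does, runs the regex over a few constructed mainlog lines, and counts failures per source address; the IP addresses and login names in the sample are made up.

```python
import re
from collections import Counter

# fail2ban 0.8.x (the version in Wheezy) substitutes this named group for the
# <HOST> tag before compiling a failregex; reproduced here so the posted
# stanza can be exercised without fail2ban installed.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The line the post adds to /etc/fail2ban/filter.d/exim.conf.
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"

# Constructed sample of Exim mainlog output: three failed AUTHs from one
# address, one successful delivery, and one failed AUTH from another address.
SAMPLE_MAINLOG = """\
2016-03-01 14:02:11 login authenticator failed for (User) [203.0.113.45]: 535 Incorrect authentication data (set_id=admin)
2016-03-01 14:02:14 login authenticator failed for (User) [203.0.113.45]: 535 Incorrect authentication data (set_id=info)
2016-03-01 14:02:19 login authenticator failed for (User) [203.0.113.45]: 535 Incorrect authentication data (set_id=test)
2016-03-01 14:03:02 1abc12-000123-AB <= ron@example.org H=mail.example.org [198.51.100.7] P=esmtpsa A=login:ron S=812
2016-03-01 14:05:40 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=ron)
"""

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def failures_per_host(log_text, failregex=FAILREGEX):
    """Count log lines matching the failregex, keyed by the captured host."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(log_text, maxretry=3, failregex=FAILREGEX):
    """Hosts reaching fail2ban's default maxretry of 3 (findtime window not modelled)."""
    counts = failures_per_host(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print(failures_per_host(SAMPLE_MAINLOG))
    print(hosts_to_ban(SAMPLE_MAINLOG))
```

Against the real log, fail2ban's own tool does the same check: `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf` reports how many lines each failregex matched.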


(For anybody else new to the game, wheezy's fail2ban is pre-configured
to *only* detect SSH attacks and so the exim protection needs to be both
(i) specifically added to fail2ban's jail.conf (because, though there
is an entry for postfix, there seems to be no pre-configured entry for
exim), and
(ii) then specifically enabled in jail.conf.)

This seems to have worked. There are no attacks any more from the
IP address that had been attempting to authenticate for the
preceding few days. But this brings me to my last question.

Though I can see that no attacks have reached exim, and I can see that
fail2ban has decided to block that specific IP address, is there any
way that I can check that any attacks were attempted and that, I guess,
iptables blocked the connection attempt? I didn't find any log file
under /var/log that seemed to show any inbound attempts.

Ron
