Koozali.org: home of the SME Server

highly recommended: improve security with fail2ban contrib

Offline hanscees

highly recommended: improve security with fail2ban contrib
« on: September 07, 2014, 12:30:35 PM »
Fail2ban is an excellent security improvement to sme-server and, for that matter, for any (Linux) server on the internet.
It adds a layer of security to the normal firewall and therefore improves the defence-in-depth strategy.
It adds functionality both for host-based intrusion detection (detect password attacks and scan attacks, log them and email them) and for intrusion prevention (block IPs that are attacking).

This sounds simple and is simple, but is incredibly important. Notice also that fail2ban is a functional addition to firewall rules (usually iptables) that block or limit IP addresses, in that fail2ban can additionally detect brute-force password attacks on ssh, imap and so on.

Fail2ban is written in python, daemonized and easily extendable (as the contrib on sme has extended it for qpsmtpd: good job!)

Read general info about fail2ban here:
manual http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
sme-contrib http://wiki.contribs.org/Fail2ban

Howto's
http://www.the-art-of-web.com/system/fail2ban/
http://www.the-art-of-web.com/system/fail2ban-howto/
http://www.fail2ban.org/wiki/index.php/HOWTOs

The contrib above describes how you can install it on sme8 or sme9

tips & tricks
does it run? /etc/init.d/fail2ban status
restart (after config change): fail2ban-client reload
Or: /etc/init.d/fail2ban stop && /etc/init.d/fail2ban start
sme-style:  signal-event fail2ban-conf

What hackers / scans have we caught?
fail2ban-client status
fail2ban-client status imap
fail2ban-client status qpsmtpd

Sme-style:
zgrep -h "Ban " /var/log/fail2ban/daemon.log*
zgrep -h "Ban " /var/log/fail2ban/daemon.log* | awk '{print $NF}' | sort | uniq -c
 
watch iptables: iptables -vnL --line-numbers



Adjust templates (very optional).
The sme-contrib does not use direct iptables rules, but uses the intermediate signal-event system. I find this unnecessary and a potential source of error (don't fix what is not broken), so I adjusted the source templates back to the original fail2ban code for iptables actions:

Where are the SME-style (contribs) fail2ban templates?
ls /etc/e-smith/templates/etc/fail2ban/jail.conf/

Make adjusted templates
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
cd /etc/e-smith/templates/etc/fail2ban/jail.conf/
cp ./30* /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
cp ./90* /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
ls /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/

Adjust the templates so that the original code is restored when it comes to iptables, and /etc/fail2ban/jail.conf looks like this:


################################### sme jail file NEW
[DEFAULT]
ignoreip = 127.0.0.0/8 .....
bantime  = 1800
findtime  = 900
maxretry = 3
usedns = yes
backend = auto

[ssh]
enabled  = true
filter   = sshd
logpath  = /var/log/sshd/current
action   = iptables[name=SSH, port=ssh, protocol=tcp]

[ssh-ddos]
enabled  = true
filter   = sshd-ddos
logpath  = /var/log/sshd/current
action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]

[imap]
enabled  = true
filter   = dovecot
logpath  = /var/log/dovecot/current
action  = iptables-multiport[name=dovecot, port="143,993", protocol=tcp]

[qpsmtpd]
enabled  = true
filter   = qpsmtpd
logpath  = /var/log/*qpsmtpd/current
maxretry = 9
action  = iptables-multiport[name=Qpsmtpd, port="25,465", protocol=tcp]

[http-overflows]
enabled  = true
filter   = apache-overflows
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-overflows,port="80,443"]

[http-noscript]
enabled  = true
filter   = apache-noscript
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-noscripts,port="80,443"]

[http-scan]
enabled  = true
filter   = apache-scan
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-scan,port="80,443"]

[http-auth]
enabled  = true
filter   = apache-auth
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-auth,port="80,443"]

[pam-generic]
enabled  = true
filter   = pam-generic
logpath  = /var/log/secure
maxretry = 6
action  = iptables-allports[name=pam,protocol=all]

[ftp]
enabled  = true
filter   = proftpd
logpath  = /var/log/secure
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban/daemon.log
bantime  = 604800
findtime = 86400
maxretry = 5
backend  = polling
# sendmail-whois-lines greps the banned IP out of logpath; on SME that log is
# /var/log/fail2ban/daemon.log (see the logpath above), not /var/log/fail2ban.log
action   = iptables-allports[name=recidive,protocol=all]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban/daemon.log]

################################################################

« Last Edit: September 07, 2014, 05:03:15 PM by hanscees »
nl.linkedin.com/in/hanscees/
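As an added example (not code from the original post, nor from fail2ban or the SME contrib), here is a small Python model of what the [DEFAULT] values in the jail file above mean in practice: a jail counts failregex hits per host inside a sliding findtime window, bans the host for bantime once maxretry hits fall inside that window, and the [recidive] jail applies exactly the same logic to fail2ban's own "Ban" log lines to hand out the week-long ban. The sshd log lines, the hosts (documentation ranges), the two regexes (simplified from the 0.8 sshd and recidive filters) and the Jail class are all constructed for this example; the real daemon reads the logpath files, parses log timestamps and calls the iptables actions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified form of the 0.8 sshd failregex (the real one also anchors on the
# syslog prefix); the <host> group stands in for fail2ban's <HOST> placeholder.
SSHD_FAILREGEX = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
# The stock recidive filter matches fail2ban's own "[jail] Ban <HOST>" lines.
RECIDIVE_FAILREGEX = re.compile(r"\] Ban (?P<host>\d{1,3}(?:\.\d{1,3}){3})$")


class Jail:
    """Count failregex hits per host inside a sliding findtime window and ban
    the host for bantime once maxretry hits fall inside that window."""

    def __init__(self, name, failregex, findtime, maxretry, bantime):
        self.name = name
        self.failregex = failregex
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # host -> timestamps of recent hits
        self.banned = {}                    # host -> time the ban expires
        self.log = []                       # (time, line) the action layer writes

    def _log(self, now, verb, host):
        line = "%s fail2ban.actions: WARNING [%s] %s %s" % (
            now.isoformat(), self.name, verb, host)
        self.log.append((now, line))

    def feed(self, now, line):
        """Feed one timestamped log line; return the host if it triggers a ban."""
        for host in [h for h, until in self.banned.items() if until <= now]:
            del self.banned[host]           # bantime elapsed: unban
            self._log(now, "Unban", host)
        m = self.failregex.search(line)
        if not m:
            return None
        host = m.group("host")
        if host in self.banned:
            return None                     # already blocked, nothing to count
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                # drop hits older than findtime
        if len(window) < self.maxretry:
            return None
        window.clear()
        self.banned[host] = now + self.bantime
        self._log(now, "Ban", host)
        return host


def run_demo():
    """Run constructed sshd lines (not from a real server) through an ssh jail
    with the thread's [DEFAULT] values, then replay that jail's log into recidive."""
    ssh = Jail("ssh", SSHD_FAILREGEX, findtime=900, maxretry=3, bantime=1800)
    recidive = Jail("recidive", RECIDIVE_FAILREGEX,
                    findtime=86400, maxretry=5, bantime=604800)
    t0 = datetime(2014, 9, 7, 12, 0, 0)
    events = []
    # 203.0.113.5 fires three failures in ten seconds, once an hour: each burst
    # arrives after the previous 1800 s ban expired, so every burst gets banned.
    for hour in range(5):
        for i in range(3):
            events.append((t0 + timedelta(hours=hour, seconds=5 * i),
                           "sshd: Failed password for invalid user admin "
                           "from 203.0.113.5 port 40%02d ssh2" % i))
    # 198.51.100.7 fails once every 20 minutes: never three hits inside 900 s.
    for i in range(4):
        events.append((t0 + timedelta(minutes=20 * i),
                       "sshd: Failed password for root from 198.51.100.7 port 5000 ssh2"))
    # A successful login must not count as a failure.
    events.append((t0 + timedelta(seconds=1),
                   "sshd: Accepted publickey for hans from 192.0.2.10 port 6000 ssh2"))
    events.sort(key=lambda e: e[0])
    ssh_bans = [(ts, ssh.feed(ts, line)) for ts, line in events]
    ssh_bans = [(ts, host) for ts, host in ssh_bans if host]
    # recidive watches fail2ban's own log (daemon.log on SME), so replay it.
    recidive_bans = [(ts, recidive.feed(ts, line)) for ts, line in ssh.log]
    recidive_bans = [(ts, host) for ts, host in recidive_bans if host]
    return {"ssh_bans": ssh_bans, "recidive_bans": recidive_bans,
            "recidive_until": dict(recidive.banned)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two things the model makes visible that the config alone does not: a host that spreads its attempts wider than findtime is never banned (which is why maxretry should not be set too generously on a service like qpsmtpd), and the short first-stage ban is what feeds recidive, so lowering bantime to "be gentle" actually gets persistent attackers the long ban sooner.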

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #1 on: September 07, 2014, 01:10:02 PM »
Following...
http://wiki.contribs.org/Fail2ban

SME8.1 shows this after the YUM install command...
Transaction Check Error:
  file /etc/fail2ban/filter.d/sogo-auth.conf conflicts between attempted installs of fail2ban-0.8.14-1.el5.noarch and smeserver-fail2ban-0.1.5-1.el5.fws.noarch

PostEdit: Daniel fixed issue :: installer now installs (SME8.1)
« Last Edit: September 08, 2014, 01:33:14 PM by piran »

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #2 on: September 07, 2014, 02:22:59 PM »
Looking elsewhere for whatever I found...
http://forums.contribs.org/index.php/topic,50918.msg258036.html#msg258036
...could that be the cause here on my SME8.1 box?
I have no specific use for SOGO groupware.

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #3 on: September 07, 2014, 04:20:25 PM »
Google found me...
http://bugs.contribs.org/attachment.cgi?bugid=8341&action=viewall
...which seems to point to a x64 solution.
Perhaps the associated x32 one was not implemented or could not be done?
The SME8.1 version of this contrib cannot be installed?

PostEdit: Daniel fixed issue :: installer now installs (SME8.1)
« Last Edit: September 08, 2014, 01:34:03 PM by piran »

Offline stephdl

Re: highly recommended: improve security with fail2ban contrib
« Reply #4 on: September 07, 2014, 05:17:41 PM »
Thanks hanscees, you should add this information to the wiki page
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #5 on: September 07, 2014, 05:27:31 PM »
My bugzilla login is working :: have 're-opened' that x64 bug report/solution.
but my wiki login does not work so I cannot amend the wiki or warn others.
Now fixed :: updated my records for the wiki:-)
Wiki drove me to try to install and I now know it fails... the wiki should warn others.
« Last Edit: September 07, 2014, 05:52:24 PM by piran »

Offline stephdl

Re: highly recommended: improve security with fail2ban contrib
« Reply #6 on: September 07, 2014, 05:40:38 PM »
IMHO the wiki is not here to leave warnings. You ought to wait for the answer of the dev (Daniel), either in BZ or in the forum.
The wiki is used to give advice and guidance on the command line.

follow this tutorial to get a wiki edit account http://wiki.contribs.org/Help:Contents#How_to_get_a_wiki_account.3F
« Last Edit: September 07, 2014, 05:57:14 PM by stephdl »

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #7 on: September 07, 2014, 05:53:23 PM »
Already done.
Will wait a short while for a dev response.
If not will update the wiki.

Offline hanscees

Re: highly recommended: improve security with fail2ban contrib
« Reply #8 on: September 07, 2014, 06:17:22 PM »
Quote
Thanks hanscees, you should add this information to the wiki page

thanks, I will after a while.

I haven't figured out how to add whitelist IP addresses though, or a whole subnet. The howto states how to unban, but that is not the same as whitelisting I think?

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #9 on: September 07, 2014, 06:30:31 PM »
I don't have anything working yet (as you know) but
whitelisting (no blocking ever) is done with ignoreIP
whereas fwunban removes the DROP chain from the
iptables chain.

Offline hanscees

Re: highly recommended: improve security with fail2ban contrib
« Reply #10 on: September 07, 2014, 06:51:22 PM »
Quote
I don't have anything working yet (as you know) but
whitelisting (no blocking ever) is done with ignoreIP
whereas fwunban removes the DROP chain from the
iptables chain.

but the howto says it can be done with the sme db command. I do not understand how exactly:


#############
DB command
There is no panel yet; you can manage the contrib by the db configuration, it is quite simple
# config show fail2ban
fail2ban=service
   Mail=enabled
   status=enabled
Available options are below:
IgnoreIP: a comma separated list of IPs or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and networks allowed to access the server-manager are already automatically whitelisted

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #11 on: September 07, 2014, 07:01:37 PM »
I've never seen or heard of this fail2ban before now
and the installer does not work so I cannot play but
as a sheer guess...
fail2ban-client set qpsmtpd ignoreip w.x.y.z

PostEdit: in response to janet's later post
« Last Edit: September 07, 2014, 08:34:35 PM by piran »

Offline stephdl

Re: highly recommended: improve security with fail2ban contrib
« Reply #12 on: September 07, 2014, 07:22:17 PM »
{

use esmith::NetworksDB;
use Net::IPv4Addr;

my $n = esmith::NetworksDB->open_ro() ||
  die "Couldn't open networks DB\n";

my @ip = ("127.0.0.0/8", $LocalIP);

# Add hosts which can access the server-manager to the whitelist
foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
    push @ip, "$ip/$bits";
}

unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
  foreach my $net ($n->networks){
    my $key = $net->key;
    my $mask = $net->prop('Mask');
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$key/$mask");
    push @ip, "$ip/$bits";
  }
}

# Add a local whitelist
foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
    my $addr = $_;
    $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
    push @ip, "$ip/$bits";
}

$OUT .= "ignoreip = " . join(" ", @ip);

}

Here is the Perl code to ignore certain IPs

You said that:

Quote
but the howto says it can be done with the sme db command. I do not understand how exactly:
simply do it

config setprop fail2ban IgnoreIP 87.95.86.15,12.45.69.78,12.13.25.00/24
 signal-event fail2ban-conf
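The whitelist assembly in the Perl template above, as an added example in Python (not the contrib's template and not fail2ban code) that you can run to see what a given IgnoreIP value expands to and whether a particular client would be exempt. The function names, the sample server IP, the networks db entries and the client addresses (documentation ranges) are all constructed for this example. One deliberate difference from the template: the server's own address is emitted as /32 rather than bare, which fail2ban reads the same way.

```python
import ipaddress


def parse_list(value):
    """Split a db value on ',' or ';' the way the template's /[,;]/ does,
    append /32 to bare addresses, and return ip_network objects.
    A malformed entry raises ValueError instead of being dropped: silently
    losing a whitelist entry is exactly how an admin gets locked out."""
    nets = []
    for item in (value or "").replace(";", ",").split(","):
        item = item.strip()
        if not item:
            continue
        if "/" not in item:
            item += "/32"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def build_ignoreip(local_ip, networks, valid_from="", ignore_ip="",
                   filter_local_networks="disabled"):
    """Assemble the ignoreip line in the template's order: loopback, the
    server's own address ($LocalIP), the server-manager ValidFrom hosts, the
    networks db (skipped when FilterLocalNetworks=enabled), then IgnoreIP.
    `networks` is a list of (network, dotted_mask) pairs like the networks db."""
    nets = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network(local_ip)]
    nets += parse_list(valid_from)
    if filter_local_networks != "enabled":
        for net, mask in networks:
            # "$key/$mask" as in the template; Python accepts dotted masks
            nets.append(ipaddress.ip_network("%s/%s" % (net, mask), strict=False))
    nets += parse_list(ignore_ip)
    return "ignoreip = " + " ".join(str(n) for n in nets)


def is_ignored(ignoreip_line, host):
    """True if fail2ban would never ban `host` given an 'ignoreip = ...' line
    (bare addresses in a hand-written line are accepted as well)."""
    addr = ipaddress.ip_address(host)
    entries = ignoreip_line.split("=", 1)[1].split()
    return any(addr in net for net in parse_list(",".join(entries)))


def demo():
    """Constructed values (not a real server): a /24 LAN, two ValidFrom entries
    and an IgnoreIP prop mixing bare hosts, both separators and a /24."""
    return build_ignoreip(
        local_ip="192.168.1.1",
        networks=[("192.168.1.0", "255.255.255.0")],
        valid_from="203.0.113.10,203.0.113.0/28",
        ignore_ip="87.95.86.15,12.45.69.78;12.13.25.0/24",
    )


if __name__ == "__main__":
    line = demo()
    print(line)
    for host in ("12.13.25.200", "192.168.1.77", "203.0.113.50"):
        print(host, "ignored" if is_ignored(line, host) else "bannable")
```

Before enabling a jail for a service you administer through (ssh, server-manager on 443), run is_ignored() against the address you connect from; a bare host in IgnoreIP only covers that one address, and a /24 covers the whole block. Whitelisting through the db prop plus signal-event fail2ban-conf survives a regenerate of jail.conf, whereas anything set at runtime through fail2ban-client is gone after the next reload.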

Offline piran

Re: highly recommended: improve security with fail2ban contrib
« Reply #13 on: September 07, 2014, 08:23:34 PM »
>> simply do it
Looking forward to it:-) Letting the SME automatically block
hostiles ...instead of me having to do it manually. Just need
to get past the YUM installer bug (using SME8.1 x32) as I'm
not ready to move the site into SME9 just yet.

Offline janet

Re: highly recommended: improve security with fail2ban contrib
« Reply #14 on: September 07, 2014, 08:31:40 PM »
piran

Quote
I've never seen or heard of this fail2ban before now.....but
as a sheer guess...
fail2ban-client set qpsmtpd ignoreip w.x.y.z

Please do not put sheer guesswork answers here, I'm sure it will confuse others who are even less knowledgeable.
The db command syntax is quite simple & to understand it you do not need to know about a specific contrib, please read
http://wiki.contribs.org/Db_command_tutorial

The same syntax style will apply to any use of the db command, just replace the db name & other variables & so on.

Edit: I should add that db commands only apply where the template code supports them.
You cannot just randomly create a new db entry (as I have seen some people do) without first creating the template code.
Where someone else has already created the appropriate template code, then published db commands should work as expected.
Note in the above posts that stephdl quoted the appropriate code to show that a certain db command would be functional.
« Last Edit: September 07, 2014, 08:43:01 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.