Koozali.org: home of the SME Server

highly recommended: improve security with fail2ban contrib

Offline hanscees

  • *
  • 267
  • +0/-0
    • nl.linkedin.com/in/hanscees/
highly recommended: improve security with fail2ban contrib
« on: September 07, 2014, 12:30:35 PM »
Fail2ban is an excellent security improvement to sme-server and, for that matter, for any (Linux) server on the internet.
It adds a layer of security to the normal firewall and therefore improves the defence-in-depth strategy.
It adds functionality both to host based intrusion detection (detect password attacks and scan attacks, log them and email them) and to intrusion prevention (block IPs that are attacking).

This sounds simple and is simple, but is incredibly important. Notice also that fail2ban is a functional addition to firewall rules (usually iptables) that block or limit ip-addresses, in that fail2ban can additionally detect bruteforce password attacks on ssh, imap and so on.

Fail2ban is written in python, daemonized and easily extendable (as the contrib on sme has extended it for qpsmtpd: good job!)

Read general info about fail2ban here:
manual http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
sme-contrib http://wiki.contribs.org/Fail2ban

Howto's
http://www.the-art-of-web.com/system/fail2ban/
http://www.the-art-of-web.com/system/fail2ban-howto/
http://www.fail2ban.org/wiki/index.php/HOWTOs

The contrib above describes how you can install it on sme8 or sme9

tips & tricks
does it run? /etc/init.d/fail2ban status
restart (after config change): fail2ban-client reload
Or: /etc/init.d/fail2ban stop && /etc/init.d/fail2ban start
sme-style:  signal-event fail2ban-conf

What hackers / scans have we caught?
fail2ban-client status
fail2ban-client status imap
fail2ban-client status qpsmtpd

Sme-style:
zgrep -h "Ban " /var/log/fail2ban/daemon.log*
zgrep -h "Ban " /var/log/fail2ban/daemon.log* | awk '{print $NF}' | sort | uniq -c
 
watch iptables: iptables -vnL --line-numbers



Adjust templates (very optional).
The sme-contrib does not use direct iptables rules, but uses the intermediate signal-event system. I find this unnecessary and a potential source of error (don't fix what is not broken), so I adjusted the source templates back to the original fail2ban code for iptables actions:

Where are the SME-style (contribs) fail2ban templates?
ls /etc/e-smith/templates/etc/fail2ban/jail.conf/

Make adjusted templates
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
cd /etc/e-smith/templates/etc/fail2ban/jail.conf/
cp ./30* /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
cp ./90* /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/
ls /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/

Adjust templates so that original code is restored when it comes to iptables and the /etc/fail2ban/jail.conf looks like this:


################################### sme jail file NEW
[DEFAULT]
ignoreip = 127.0.0.0/8 .....
bantime  = 1800
findtime  = 900
maxretry = 3
usedns = yes
backend = auto

[ssh]
enabled  = true
filter   = sshd
logpath  = /var/log/sshd/current
action   = iptables[name=SSH, port=ssh, protocol=tcp]

[ssh-ddos]
enabled  = true
filter   = sshd-ddos
logpath  = /var/log/sshd/current
action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]

[imap]
enabled  = true
filter   = dovecot
logpath  = /var/log/dovecot/current
action  = iptables-multiport[name=dovecot, port="143,993", protocol=tcp]

[qpsmtpd]
enabled  = true
filter   = qpsmtpd
logpath  = /var/log/*qpsmtpd/current
maxretry = 9
action  = iptables-multiport[name=Qpsmtpd, port="25,465", protocol=tcp]

[http-overflows]
enabled  = true
filter   = apache-overflows
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-overflows,port="80,443"]

[http-noscript]
enabled  = true
filter   = apache-noscript
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-noscripts,port="80,443"]

[http-scan]
enabled  = true
filter   = apache-scan
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-scan,port="80,443"]

[http-auth]
enabled  = true
filter   = apache-auth
logpath  = /var/log/httpd/error_log
action = iptables-multiport[name=apache-auth,port="80,443"]

[pam-generic]
enabled  = true
filter   = pam-generic
logpath  = /var/log/secure
maxretry = 6
action  = iptables-allports[name=pam,protocol=all]

[ftp]
enabled  = true
filter   = proftpd
logpath  = /var/log/secure
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban/daemon.log
bantime  = 604800
findtime = 86400
maxretry = 5
backend  = polling
action   = iptables-allports[name=recidive,protocol=all]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

################################################################

« Last Edit: September 07, 2014, 05:03:15 PM by hanscees »
nl.linkedin.com/in/hanscees/
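As an added example (not from the post above and not part of the SME contrib), the following Python script does what the zgrep/awk/sort/uniq one-liner from the tips & tricks does on fail2ban's daemon.log, and goes one step further: it reads maxretry/findtime/bantime for a jail from a jail.conf excerpt in the layout shown above (with [DEFAULT] fallback, as fail2ban resolves it) and reports which banned addresses would cross the recidive jail's threshold and receive its week-long ban. The log line format is assumed from fail2ban 0.8 (`fail2ban.actions: WARNING [jail] Ban <ip>`); the sample log lines and the jail.conf excerpt are constructed, and every address is from a documentation range.

```python
"""Summarise fail2ban bans and predict recidive escalation.

Added example, not the SME contrib's code. Log format assumed from fail2ban 0.8;
sample log and jail.conf excerpt are constructed for this example."""
import configparser
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed daemon.log lines (format assumed from fail2ban 0.8; documentation IPs).
SAMPLE_LOG = """\
2014-09-07 10:01:12,345 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-09-07 10:31:15,001 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2014-09-07 11:02:40,120 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-09-07 12:10:03,009 fail2ban.actions: WARNING [qpsmtpd] Ban 203.0.113.9
2014-09-07 13:15:59,777 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-09-07 15:45:00,000 fail2ban.actions: WARNING [imap] Ban 198.51.100.7
2014-09-07 18:20:21,404 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-09-08 09:00:00,000 fail2ban.actions: WARNING [qpsmtpd] Ban 203.0.113.9
"""

# Constructed excerpt in the layout of the jail.conf shown in the post.
# [DEFAULT] values apply to every jail unless the jail overrides them.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime  = 1800
findtime  = 900
maxretry = 3

[ssh]
enabled  = true
filter   = sshd

[recidive]
enabled  = true
bantime  = 604800
findtime = 86400
maxretry = 5
"""

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions: "
    r"WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_bans(log_text):
    """Extract (timestamp, jail, ip) for each 'Ban' line; 'Unban' lines are skipped."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans.append((datetime.strptime(m.group("ts"), TS_FMT),
                         m.group("jail"), m.group("ip")))
    return bans


def bans_per_ip(bans):
    """Same result as: zgrep -h "Ban " daemon.log* | awk '{print $NF}' | sort | uniq -c"""
    return Counter(ip for _, _, ip in bans)


def bans_per_jail(bans):
    """Per-jail view, comparable to fail2ban-client status <jail> for each jail."""
    return Counter(jail for _, jail, _ in bans)


def jail_settings(conf_text, jail):
    """(maxretry, findtime, bantime) for a jail, falling back to [DEFAULT] like fail2ban."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[jail]
    return int(sec["maxretry"]), int(sec["findtime"]), int(sec["bantime"])


def recidive_candidates(bans, maxretry, findtime):
    """Addresses banned at least `maxretry` times (any jail) inside some `findtime`-second
    window: the ones recidive would put under its long ban. Returns
    {ip: timestamp string of the ban that crossed the threshold}."""
    times = defaultdict(list)
    for ts, _, ip in bans:
        times[ip].append(ts)
    hits = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until the span fits in findtime seconds
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                hits[ip] = ts.strftime(TS_FMT)
                break
    return hits


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    for ip, n in bans_per_ip(bans).most_common():
        print(f"{n:4d} {ip}")
    maxretry, findtime, bantime = jail_settings(SAMPLE_JAIL_CONF, "recidive")
    for ip, when in recidive_candidates(bans, maxretry, findtime).items():
        print(f"recidive would ban {ip} for {bantime}s from {when}")
```

On a real box, feed it the concatenated output of `zcat /var/log/fail2ban/daemon.log*` plus the current log instead of SAMPLE_LOG; the recidive prediction is only a model of the jail's threshold (the real recidive filter also excludes bans issued by recidive itself), so compare it with `fail2ban-client status recidive` rather than treating it as authoritative.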

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #1 on: September 07, 2014, 01:10:02 PM »
Following...
http://wiki.contribs.org/Fail2ban

SME8.1 shows this after the YUM install command...
Code:
Transaction Check Error:
  file /etc/fail2ban/filter.d/sogo-auth.conf conflicts between attempted installs of fail2ban-0.8.14-1.el5.noarch and smeserver-fail2ban-0.1.5-1.el5.fws.noarch

PostEdit: Daniel fixed issue :: installer now installs (SME8.1)
« Last Edit: September 08, 2014, 01:33:14 PM by piran »

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #2 on: September 07, 2014, 02:22:59 PM »
Looking elsewhere for whatever I found...
http://forums.contribs.org/index.php/topic,50918.msg258036.html#msg258036
...could that be the cause here on my SME8.1 box?
I have no specific use for SOGO groupware.

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #3 on: September 07, 2014, 04:20:25 PM »
Google found me...
http://bugs.contribs.org/attachment.cgi?bugid=8341&action=viewall
...which seems to point to a x64 solution.
Perhaps the associated x32 one was not implemented or could not be done?
The SME8.1 version of this contrib cannot be installed?

PostEdit: Daniel fixed issue :: installer now installs (SME8.1)
« Last Edit: September 08, 2014, 01:34:03 PM by piran »

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: highly recommended: improve security with fail2ban contrib
« Reply #4 on: September 07, 2014, 05:17:41 PM »
Thanks hanscees, you should add this information to the wiki page.
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #5 on: September 07, 2014, 05:27:31 PM »
My bugzilla login is working :: have 're-opened' that x64 bug report/solution.
but my wiki login does not work so I cannot amend the wiki or warn others.
Now fixed :: updated my records for the wiki:-)
Wiki drove me to try to install and I now know it fails... the wiki should warn others.
« Last Edit: September 07, 2014, 05:52:24 PM by piran »

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: highly recommended: improve security with fail2ban contrib
« Reply #6 on: September 07, 2014, 05:40:38 PM »
IMHO the wiki is not there for warnings; you ought to wait for the answer of the dev (Daniel), either in BZ or in the forum.
The wiki is used to give advice and guidance on the command line.

follow this tutorial to get a wiki edit account http://wiki.contribs.org/Help:Contents#How_to_get_a_wiki_account.3F
« Last Edit: September 07, 2014, 05:57:14 PM by stephdl »
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #7 on: September 07, 2014, 05:53:23 PM »
Already done.
Will wait a short while for a dev response.
If not will update the wiki.

Offline hanscees

  • *
  • 267
  • +0/-0
    • nl.linkedin.com/in/hanscees/
Re: highly recommended: improve security with fail2ban contrib
« Reply #8 on: September 07, 2014, 06:17:22 PM »
Quote
Thanks hanscees, you should add this information to the wiki page.

thanks, I will after a while.

I haven't figured out how to add whitelist ip-addresses though, or a whole subnet. The howto states how to unban, but that is not the same as whitelisting, I think?
nl.linkedin.com/in/hanscees/

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #9 on: September 07, 2014, 06:30:31 PM »
I don't have anything working yet (as you know) but
whitelisting (no blocking ever) is done with ignoreIP
whereas fwunban removes the DROP chain from the
iptables chain.

Offline hanscees

  • *
  • 267
  • +0/-0
    • nl.linkedin.com/in/hanscees/
Re: highly recommended: improve security with fail2ban contrib
« Reply #10 on: September 07, 2014, 06:51:22 PM »
Quote
I don't have anything working yet (as you know) but
whitelisting (no blocking ever) is done with ignoreIP
whereas fwunban removes the DROP chain from the
iptables chain.

but the howto says it can be done with the sme db command. I do not understand how exactly:


#############
DB command
there is no panel yet you can manage the contrib by the db configuration, it is quite simple
# config show fail2ban
fail2ban=service
   Mail=enabled
   status=enabled
Available options are below:
IgnoreIP: a comma separated list of IP or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and networks allowed to access the server-manager are already automatically whitelisted
nl.linkedin.com/in/hanscees/

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #11 on: September 07, 2014, 07:01:37 PM »
I've never seen or heard of this fail2ban before now
and the installer does not work so I cannot play but
as a sheer guess...
fail2ban-client set qpsmtpd ignoreip w.x.y.z

PostEdit: in response to janet's later post
« Last Edit: September 07, 2014, 08:34:35 PM by piran »

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: highly recommended: improve security with fail2ban contrib
« Reply #12 on: September 07, 2014, 07:22:17 PM »
Code:
{

use esmith::NetworksDB;
use Net::IPv4Addr;

my $n = esmith::NetworksDB->open_ro() ||
  die "Couldn't open networks DB\n";

my @ip = ("127.0.0.0/8", $LocalIP);

# Add hosts which can access the server-manager to the whitelist
foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
    push @ip, "$ip/$bits";
}

unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
  foreach my $net ($n->networks){
    my $key = $net->key;
    my $mask = $net->prop('Mask');
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$key/$mask");
    push @ip, "$ip/$bits";
  }
}

# Add a local whitelist
foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
    my $addr = $_;
    $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
    push @ip, "$ip/$bits";
}

$OUT .= "ignoreip = " . join(" ", @ip);

}

here the perl code to ignore certain IP

You said that :

Quote
but the howto says it can be done with the sme db command. I do not understand how exactly:
simply do it

config setprop fail2ban IgnoreIP 87.95.86.15,12.45.69.78,12.13.25.00/24
 signal-event fail2ban-conf
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!
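To see what the `config setprop fail2ban IgnoreIP ...` value turns into, here is an added Python version of the whitelist logic (example code written for this page, not the contrib's Perl template, which is what actually runs on SME). It builds the ignoreip line from the same inputs the template uses (loopback, LocalIP, the httpd-admin ValidFrom list, the networks db unless FilterLocalNetworks is enabled, and the fail2ban IgnoreIP property) and adds a check the template does not have: whether a given address falls inside the resulting whitelist, so the value can be verified before running signal-event fail2ban-conf. It uses the ipaddress module in place of Net::IPv4Addr, so host bits are cleared (198.51.100.33/24 becomes 198.51.100.0/24) and empty list items are skipped; both are choices made here, and all db values in the sample are constructed.

```python
"""Build fail2ban's ignoreip line the way the SME template does, then check it.

Added example, not the contrib's own code; mirrors the Perl template's logic with
the ipaddress module. Sample db values below are constructed."""
import ipaddress
import re


def _split(value):
    """Split a db-style list on ',' or ';' (as the template does) and drop empty items."""
    return [v.strip() for v in re.split(r"[,;]", value or "") if v.strip()]


def _cidr(entry):
    """Normalise one entry: a bare host gets /32 (as the template does); host bits are
    cleared, a choice made here rather than in the template."""
    if "/" not in entry:
        entry += "/32"
    return ipaddress.ip_network(entry, strict=False)


def build_ignoreip(local_ip, valid_from="", local_networks=(), ignore_ip="",
                   filter_local_networks="disabled"):
    """Return the 'ignoreip = ...' line.

    local_ip         -> the template's $LocalIP
    valid_from       -> httpd-admin ValidFrom (hosts allowed to reach server-manager)
    local_networks   -> (network, mask) pairs from the networks db
    ignore_ip        -> the fail2ban IgnoreIP property set with config setprop
    filter_local_networks -> the fail2ban FilterLocalNetworks property
    """
    nets = [_cidr("127.0.0.0/8"), _cidr(local_ip)]
    nets += [_cidr(item) for item in _split(valid_from)]
    if filter_local_networks != "enabled":
        # local networks are whitelisted unless FilterLocalNetworks=enabled
        nets += [ipaddress.ip_network(f"{net}/{mask}", strict=False)
                 for net, mask in local_networks]
    nets += [_cidr(item) for item in _split(ignore_ip)]
    return "ignoreip = " + " ".join(str(n) for n in nets)


def is_ignored(addr, ignoreip_line):
    """True if addr is inside any network listed on the generated ignoreip line."""
    nets = [ipaddress.ip_network(tok, strict=False)
            for tok in ignoreip_line.split()[2:]]  # skip 'ignoreip' and '='
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    # Constructed values in the shape of the db entries discussed in the thread.
    line = build_ignoreip(
        local_ip="192.0.2.10",
        valid_from="198.51.100.5;198.51.100.0/28",
        local_networks=[("192.0.2.0", "255.255.255.0")],
        ignore_ip="203.0.113.15,203.0.113.99,198.51.100.33/24",
    )
    print(line)
    for probe in ("192.0.2.77", "198.51.100.200", "203.0.113.16"):
        print(probe, "whitelisted" if is_ignored(probe, line) else "not whitelisted")
```

The useful check is the negative one: an address you expect fail2ban to keep banning must not come back as whitelisted, since an over-broad IgnoreIP silently disables every jail for that range.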

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #13 on: September 07, 2014, 08:23:34 PM »
>> simply do it
Looking forward to it:-) Letting the SME automatically block
hostiles ...instead of me having to do it manually. Just need
to get past the YUM installer bug (using SME8.1 x32) as I'm
not ready to move the site into SME9 just yet.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #14 on: September 07, 2014, 08:31:40 PM »
piran

Quote
I've never seen or heard of this fail2ban before now.....but
as a sheer guess...
fail2ban-client set qpsmtpd ignoreip w.x.y.z

Please do not put sheer guesswork answers here, I'm sure it will confuse others who are even less knowledgeable.
The db command syntax is quite simple & to understand it you do not need to know about a specific contrib, please read
http://wiki.contribs.org/Db_command_tutorial

The same syntax style will apply to any use of the db command, just replace the db name & other variables & so on.

Edit: I should add that db commands only apply where the template code supports them.
You cannot just randomly create a new db entry (as I have seen some people do) without first creating the template code.
Where someone else has already created the appropriate template code, then published db commands should work as expected.
Note in the above posts that stephdl quoted the appropriate code to show that a certain db command would be functional.
« Last Edit: September 07, 2014, 08:43:01 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #15 on: September 07, 2014, 08:35:43 PM »
>>Please do not put sheer guesswork answers here
It was only one and labelled as such... now crossed out.
Now all I have to do is wait for an installer that installs
and I can then put fail2ban to work.

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: highly recommended: improve security with fail2ban contrib
« Reply #16 on: September 07, 2014, 08:45:20 PM »
Indeed piran, you gave a command to interface directly with fail2ban. But Daniel has developed some DB commands for managing fail2ban in the standard sme way.
The first benefit is, for example, that if you back up the sme in order to restore it on a new server, you will have all settings (not the contrib) in your next sme.
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #17 on: September 07, 2014, 08:49:50 PM »
>>you will have all settings (not the contrib) in your next sme.
Most useful, thank you, as I have still to surmount the hurdle into v9.

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: highly recommended: improve security with fail2ban contrib
« Reply #18 on: September 07, 2014, 08:53:48 PM »
Your bug is set to confirmed; I also have the same behaviour.

It seems that the package provided by epel has the same rule as the package of Daniel... please be patient, we are all volunteers :)
« Last Edit: September 07, 2014, 08:56:51 PM by stephdl »
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #19 on: September 07, 2014, 09:07:00 PM »
To All

Note that sme9 now blocks ssh logins after 3 incorrect attempts in 15 minutes, or as configured by a db entry.
See
http://wiki.contribs.org/AutoBlock

Great care should be taken by contrib developers to ensure that contrib functionality does not interfere with default sme server functionality.
Manipulating firewall rules should be done the "sme server way" to avoid weakening the very good & strong security of sme server.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline hanscees

  • *
  • 267
  • +0/-0
    • nl.linkedin.com/in/hanscees/
Re: highly recommended: improve security with fail2ban contrib
« Reply #20 on: September 07, 2014, 09:40:47 PM »
Quote
To All

Note that sme9 now blocks ssh logins after 3 incorrect attempts in 15 minutes, or as configured by a db entry.
See
http://wiki.contribs.org/AutoBlock

Great care should be taken by contrib developers to ensure that contrib functionality does not interfere with default sme server functionality.
Manipulating firewall rules should be done the "sme server way" to avoid weakening the very good & strong security of sme server.

Autoblock is a great feature and sme server is a secure distribution, no doubt about it. The sme-server way for configuring with db entries is solid and good.

Having said this, fail2ban is an extended security feature that even improves on security. You should absolutely not take this as doubting the security of sme. It is just an added feature that has arisen somewhere in the open source community.

As for using the db feature for on-the-fly blocking of ip-addresses by fail2ban, this seems like no improvement to me. It makes something that works very well, and is very light, heavy and complex and needlessly difficult to maintain in my opinion. A server under heavy load with a severe portscan should not have to run a bunch of perl scripts to ban an ip address.

The iptables rules of fail2ban insert themselves at the beginning of the iptables input chain and work fine and fast without interfering with any sme iptables rules. No need to worry as far as I can see.


nl.linkedin.com/in/hanscees/

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: highly recommended: improve security with fail2ban contrib
« Reply #21 on: September 07, 2014, 09:45:04 PM »
FYI
autoblock is disabled in sme8, but enabled by default in sme9. Thus Janet is right; take time to disable it if you use fail2ban (as is my case).

You can enable it easily

# config setprop sshd AutoBlock
AutoBlock       AutoBlockTime   AutoBlockTries 
# config setprop sshd AutoBlock enabled      #or disabled
# signal-event remoteaccess-update
# config show sshd
sshd=service
    AutoBlock=enabled
    AutoBlockTime=900
    AutoBlockTries=4
    LoginGraceTime=600
    MaxAuthTries=2
    PasswordAuthentication=yes
    PermitRootLogin=yes
    Protocol=2
    TCPPort=22
    UsePAM=yes
    access=public
    status=enabled
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #22 on: September 08, 2014, 01:30:20 PM »
Thank you Daniel :: fail2ban now installed in my SME8.1 box.

Offline piran

  • ****
  • 502
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #23 on: September 08, 2014, 02:22:28 PM »
I tried stopping then starting fail2ban after which there is an error:
Code:
Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''Is there one or more of the given CONF files deficient or malformed?

PostEdit: Perhaps I should've set up templating first :: stopping/starting no longer shows this error.
« Last Edit: September 08, 2014, 02:49:33 PM by piran »

Offline smeghead

  • *
  • 557
  • +0/-0
Re: highly recommended: improve security with fail2ban contrib
« Reply #24 on: March 13, 2017, 04:25:39 PM »
Has anyone changed the MaxRetry setting?

I just dropped it to 2 from the default of 3 & the value seems to have taken effect BUT the email notice I get of each ban still shows 9 attempts against qpsmtpd instead of 6 (the value should be MaxRetry * 3).

Where would I look in the contrib to find this setting used in sending the email?  All the values in the conf files I look at all look correct.  If I'm not missing anything obvious then I'll post a bug.

My jail.conf file shows a value of 2, the same as the config db:

[root@104 ~]# config show fail2ban
fail2ban=service
    BanTime=43200
    FindTime=43200
    Mail=enabled
    MaxRetry=2
    status=enabled
..................