Fail2ban integration questions

Fail2ban integration questions

Phil Stracchino
This is semi-hypothetical ...

I often see spews of failed connect attempts logged by postscreen:

Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from
[70.39.115.203]:54708 to [10.24.32.15]:25
Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
[70.39.115.203]:54708 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
[70.39.115.203]:54708
Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from
[70.39.115.203]:54865 to [10.24.32.15]:25
Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
[70.39.115.203]:54865 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
[70.39.115.203]:54865

and so on.  It would be nice to be able to automatically block these IPs
temporarily, and that's what fail2ban does.  However, I think fail2ban
makes the assumption that the firewall in use is iptables and that it's
running on the same host.  My firewall is in front of all the internal
servers, and runs shorewall as a front-end to iptables.

Has anyone set up fail2ban to trigger from postscreen rejections and
apply blocks to a firewall on a separate host?  And if so, any tips to
share?



--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Fail2ban integration questions

Noel Jones-2
On 9/12/2017 10:19 AM, Phil Stracchino wrote:

> This is semi-hypothetical ...
>
> I often see spews of failed connect attempts logged by postscreen:
>
> Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from
> [70.39.115.203]:54708 to [10.24.32.15]:25
> Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
> from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
> [70.39.115.203]:54708 in tests after SMTP handshake
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
> [70.39.115.203]:54708
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from
> [70.39.115.203]:54865 to [10.24.32.15]:25
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
> from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
> [70.39.115.203]:54865 in tests after SMTP handshake
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
> [70.39.115.203]:54865
>
> and so on.  It would be nice to be able to automatically block these IPs
> temporarily, and that's what fail2ban does.  However, I think fail2ban
> makes the assumption that the firewall in use is iptables and that it's
> running on the same host.  My firewall is in front of all the internal
> servers, and runs shorewall as a front-end to iptables.
>
> Has anyone set up fail2ban to trigger from postscreen rejections and
> apply blocks to a firewall on a separate host?  And if so, any tips to
> share?
>
>
>


Tip #1: Ignore these.  The log entries are annoying, but other than
logs this causes pretty close to zero impact on your system.

Tip #2: If you just can't make yourself look away, remember that
fail2ban can run any script when it triggers. Can you script updates
to the external firewall?  Put that in fail2ban as the action.
(although remote control of firewall settings sounds like a
generally bad idea unless implemented very carefully)

Tip #3: It will probably be easier to activate the firewall on your
mail server and block connections locally rather than controlling an
external firewall.

Tip #4: Just ignore the log entries.  The same IP probably goes away
fairly soon, so blocking the IP probably doesn't do much good.



  -- Noel Jones

Re: Fail2ban integration questions

Phil Stracchino
On 09/12/17 12:32, Noel Jones wrote:
> Tip #1: Ignore these.  The log entries are annoying, but other than
> logs this causes pretty close to zero impact on your system.

> Tip #4: Just ignore the log entries.  The same IP probably goes away
> fairly soon, so blocking the IP probably doesn't do much good.

Yeah, I know the mail system impact is minimal ...   it's just that if I
see something banging on SMTP and getting refused, I kinda don't want it
banging on anything else either.

If fail2ban can run any script then yeah, I should be able to pretty
easily have it connect to the firewall and send a 'shorewall drop
1.2.3.4'.  I haven't ever installed fail2ban yet, which is why I was
asking if anyone had any tips to share.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958
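An added example (not code from the thread) of the matching logic that Noel's tip #2 and Phil's 'shorewall drop' idea imply, in Python: a failregex-style pattern for the PREGREET and HANGUP lines above, a maxretry/findtime window like a fail2ban jail's, and the Shorewall command an action script would send. The sample log lines are constructed from the entries quoted in the thread (re-joined into single syslog lines, plus one extra client in the 192.0.2.0/24 documentation range), and the year 2017 is assumed from the thread's dates.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex-style pattern for the PREGREET and HANGUP lines quoted in the thread;
# a real fail2ban filter would write <HOST> where the "ip" group is here.
POSTSCREEN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?:PREGREET \d+ after [\d.]+ from|HANGUP after [\d.]+ from) "
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+"
)

# Constructed sample: the thread's entries as single lines, plus one client (192.0.2.10) with a lone PREGREET.
SAMPLE_LOG = [
    "Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54708 to [10.24.32.15]:25",
    "Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54708: EHLO ylmf-pc\\r\\n",
    "Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54708 in tests after SMTP handshake",
    "Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54865 to [10.24.32.15]:25",
    "Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54865: EHLO ylmf-pc\\r\\n",
    "Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54865 in tests after SMTP handshake",
    "Sep 12 11:13:11 minbar postfix/postscreen[9238]: CONNECT from [192.0.2.10]:40001 to [10.24.32.15]:25",
    "Sep 12 11:13:12 minbar postfix/postscreen[9238]: PREGREET 14 after 0.5 from [192.0.2.10]:40001: EHLO test\\r\\n",
]

def parse_ts(ts, year=2017):
    """Syslog stamps carry no year; 2017 is assumed from the thread's dates."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=3, findtime=600):
    """IPs with at least maxretry matches inside some findtime-second window:
    the condition under which a fail2ban jail would fire its ban action."""
    hits = defaultdict(list)
    for line in lines:
        m = POSTSCREEN_RE.match(line)
        if m:
            hits[m["ip"]].append(parse_ts(m["ts"]))
    banned = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned

def ban_command(ip):
    """Command an action script would send to the Shorewall host (composed here, not run)."""
    return f"shorewall drop {ip}"
```

Composing the command rather than running it keeps the question of how it reaches the firewall host, the part Noel flags as needing care, separate from the matching logic.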

Re: Fail2ban integration questions

Marat Khalili
On 12/09/17 18:19, Phil Stracchino wrote:

> Has anyone set up fail2ban to trigger from postscreen rejections and apply blocks to a firewall on a separate host? And if so, any tips to share?

Solved a simpler task: separate host (a container, actually) but still iptables. Cloned iptables-multiport.conf and iptables-common.conf for this. Particularly problematic was the fact that the hosts can be rebooted separately, and fail2ban tries to stop all filters on its own exit and start them again on its own restart. Instead, you probably want the rules to persist on the non-fail2ban host when either host is rebooted. I don't have a good solution for this; I made it kinda work with a series of kludges (a good solution would probably require changing the fail2ban source).

If your firewall is capable of running fail2ban, I'd consider sending postscreen logs to it instead.

--

With Best Regards,
Marat Khalili


Re: Fail2ban integration questions

Phil Stracchino
On 09/12/17 14:19, Marat Khalili wrote:
> If your firewall is capable of running fail2ban, I'd consider sending postscreen logs to it instead.

Hmm.  That's an option I hadn't considered.

The firewall is an embedded device (Ubiquiti EdgeRouter POE/5), so I
don't have a gigantic amount of RAM or storage to play with, and I've
already added Shorewall and a couple of supporting tools.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958