skip to content

System: fail2ban and sendmail

Following on from the article on fail2ban and iptables this article looks at changing the configuration file so that we can monitor the mail.log file and take action against suspect connections over smtp (port 25).

Again, some of the files/methods described here may be specific to Debian (Sarge).

Changes to fail2ban.conf

To start with we need to create (and enable) a new section in /etc/fail2ban.conf giving instructions on where to find the logfile and what do look for:

[SMTP] enabled = true logfile = /var/log/mail/mail.log

When the daemon starts we need to go through a similar process as for blocking SSH break-in attempts. The fwstart commands create a new chain called fail2ban-mail and add a JUMP command to the INPUT chain. The fwend commands have the effect of removing both the JUMP command and the new chain:

The fwcheck command simply lets fail2ban know how to check whether the fail2ban-mail chain exists.

fwstart = iptables -N fail2ban-mail iptables -A INPUT -p tcp --dport 25 -j fail2ban-mail fwend = iptables -D INPUT -p tcp --dport 25 -j fail2ban-mail iptables -F fail2ban-mail iptables -X fail2ban-mail fwcheck = iptables -L INPUT | grep -q fail2ban-mail

Now to the 'active' components. When a match is found for the failregex expression (see below). The fwban command adds a rule to the fail2ban-mail chain instructing iptables to REJECT all packets from the relevant host. The fwunban command removes this rule. The timeregex and timepattern are the same as for auth.log:

fwban = iptables -A fail2ban-mail -p tcp -s <ip> -j REJECT --reject-with tcp-reset fwunban = iptables -D fail2ban-mail -p tcp -s <ip> -j REJECT --reject-with tcp-reset timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} timepattern = %%b %%d %%H:%%M:%%S

Finally we come to the regular expression. There are a number of mail.log entries that you might want to monitor but it's tricky to cover them all with a single regexp. The regexp presented here:

failregex = [[](?P<host>\S*)[]] (?:did not issue|[(]may be forged[)])

will match lines in the mail log matching either of the following:

... [<host>] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA ... ... [<host>] (may be forged) ...

All you have to do now is stop/start the daemon as described in the previous article.

Changes for fail2ban 0.8

After a long wait, fail2ban now supports the use of multiple regular expressions in a single rule, making all our lives that much easier. There is also a whole new configuration system which I won't go into here as it's already quite well documented.

Here is a sample failregex that you might want to use for the sendmail filter:

failregex = \[<HOST>\] .*to MTA \[<HOST>\] \(may be forged\) \[<HOST>\], reject.*\.\.\. Relaying denied

Note the use of the new <HOST> predefined entity, which matches either a hostname or an IPv4 address.

These regular expressions will match and block any/all of the following:

... lost input channel from [<HOST>] to MTA after data ... ... [<HOST>] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA ... ... [<HOST>] (may be forged) ... ... [<HOST>], reject.*... Relaying denied ...

There are also some helpful command-line tools for testing your regular expressions:

# fail2ban-regex /var/log/mail.log "\[<HOST>\], reject.*\.\.\. Relaying denied"

You can start/stop individual jails while fail2ban is still running:

# fail2ban-client reload sendmail

And you can query most aspects of the configuration:

# fail2ban-client get sendmail failregex The following regular expression are defined: |- [0]: \[(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)\] .*to MTA |- [1]: \[(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)\] \(may be forged\) `- [2]: \[(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)\], reject.*\.\.\. Relaying denied

References

< System

User Comments

Post your comment or question

13 October, 2008

Hello
I have been trying to configure fail2ban to work with my Sendmail. I followed your script but keep getting the following error:
"ERROR no 'host' group in '[<host<]"
I am running Fail2Ban V 8.2 on CentOS 5.
Any help would be greatly appreciated.
Thanks

top