Installing a mailserver on Debian 8/9 – Part 10: Security: counter brute-force attacks with Fail2ban

How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.

~ the howto that actually works ~

Part 1: Introduction
Part 2: Preparations: Apache, Let’s Encrypt, MySQL and phpMyAdmin
Part 3: MTA: Postfix
Part 4: IMAP server: Dovecot
Part 5: Web interface: Roundcube
Part 6: Spam filtering: SpamAssassin
Part 7: Antivirus: ClamAV and ClamSMTP
Part 8: Quota and other Roundcube settings
Part 9: Using mail with a remote IMAP client (e.g. Thunderbird)
Part 10: Counter brute-force attacks with Fail2ban
Part 11: Sources, config files, colouring and comments

On this page

Installation
Block random address spammers
Users entering a wrong username/password combination x times



Installation

Fail2ban reads logfiles and acts based on their entries. For example, it can recognize when someone has entered a wrong password six times in two minutes and lock them out for half an hour.

[code]
# aptitude install fail2ban
[/code]

Have Fail2ban start automatically at boot:
[code]
# systemctl enable fail2ban.service
[/code]

Copy the configuration file to a local override file (Fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades):
[code]
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[/code]

In /etc/fail2ban/jail.local set the following values:
[code]
backend = polling
[/code]

(Alternatively set it to auto, but that made Fail2ban complain about pyinotify not being installed. That’s not a problem: Fail2ban just tries all options, but I don’t like complaints in my logfiles.)

[code]
mta = sendmail
destemail = your@email.here
[/code]

Set the action. The presets defined in jail.conf are:
action_ = just ban
action_mw = ban and mail
action_mwl = ban and mail with a whois report and the relevant log lines
I suggest action_mwl but change it to your needs.

[code]
action = %(action_mwl)s
[/code]

Start Fail2ban:

[code]
# fail2ban-client start
[/code]

If it was already running:

[code]
# service fail2ban restart
[/code]

You should receive a mail notification at your specified e-mail address that Fail2ban has started.

Block random address spammers

Some spammers/phishers send mail to common e-mail addresses (john@; admin@) in the hope that these addresses exist. If a sender sends mail to a bunch of non-existent addresses at the same time, you may as well stop accepting mail from that sender.

In /etc/fail2ban/filter.d/postfix.conf add these lines under failregex:
[code]
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
[/code]

(Source: http://www.fail2ban.org/wiki/index.php/Postfix)

In /etc/fail2ban/jail.local under [postfix] set
[code]
enabled = true
[/code]

Users entering a wrong username/password combination x times

This can indicate a brute-force attack. It’s up to you to decide whether you want to use it. Personally I like to use it, but set the limit higher than the default by adding
[code]
maxretry = 10
[/code]
to the jail definition in /etc/fail2ban/jail.local.

For Roundcube:
In /etc/fail2ban/jail.local under [roundcube-auth] set
[code]
enabled = true
[/code]

Also set
[code]
logpath = /var/log/roundcube/errors
[/code]

In /etc/fail2ban/filter.d/roundcube-auth.conf set:
[code]
failregex = IMAP Error: (FAILED login|Login failed) for .*? from <HOST>
[/code]

Likely someone will come up with a better regex to identify login failures, but for me this works.
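Before enabling a jail it is worth checking that its failregex actually matches your log lines and that maxretry/findtime produce the bans you expect. The script below is an added example, not code from this howto or from Fail2ban itself: it expands the `<HOST>` tag roughly the way Fail2ban does (the exact expansion used here is an assumption), runs the Postfix failregex lines and the Roundcube failregex from this page over a few constructed log lines, and applies the jail's maxretry/findtime rule to show which hosts would be banned. All log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an approximation of Fail2ban's <HOST> expansion (IPv4, IPv6 or hostname).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from this page, verbatim.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]
ROUNDCUBE_FAILREGEX = [
    r"IMAP Error: (FAILED login|Login failed) for .*? from <HOST>",
]


def compile_failregex(patterns):
    """Turn Fail2ban-style failregex lines into Python regexes with a 'host' group."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def offending_hosts(log, compiled, maxretry, findtime):
    """log is an iterable of (datetime, line). Returns the set of hosts that produced
    at least `maxretry` matching lines inside some window of `findtime` seconds,
    which is the condition under which Fail2ban bans a host."""
    per_host = defaultdict(list)
    for ts, line in log:
        for rx in compiled:
            m = rx.search(line)
            if m:
                per_host[m.group("host")].append(ts)
                break  # one hit per line, like Fail2ban
    banned = set()
    window = timedelta(seconds=findtime)
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


# Constructed sample logs (timestamps are offsets from T0, in seconds).
T0 = datetime(2017, 12, 1, 12, 0, 0)
POSTFIX_LOG = [(T0 + timedelta(seconds=s), line) for s, line in [
    (0, "mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
        "550 5.1.1 <john@example.com>: Recipient address rejected: User unknown"),
    (2, "mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
        "550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown"),
    (5, "mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
        "550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown"),
    (9, "mail postfix/smtpd[1235]: 4F2C0: client=mx.example.org[198.51.100.20]"),
    (12, "mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.20]: "
         "450 4.7.1 <bob@example.com>: Recipient address rejected: Greylisted"),
]]
ROUNDCUBE_LOG = (
    # ten failed logins from one address, 30 seconds apart
    [(T0 + timedelta(seconds=30 * i),
      "<s3ss10n> IMAP Error: Login failed for john@example.com from 198.51.100.7. "
      "AUTHENTICATE PLAIN: Authentication failed. in rcube_imap.php on line 184")
     for i in range(10)]
    # three failed logins from another address
    + [(T0 + timedelta(seconds=5 * i),
        "<0th3r> IMAP Error: Login failed for alice@example.com from 192.0.2.9. "
        "AUTHENTICATE PLAIN: Authentication failed. in rcube_imap.php on line 184")
       for i in range(3)]
)


def run_checks():
    """Evaluate both sample logs with this page's jail settings; returns a dict of results."""
    postfix = compile_failregex(POSTFIX_FAILREGEX)
    roundcube = compile_failregex(ROUNDCUBE_FAILREGEX)
    return {
        "postfix maxretry=3 findtime=600": offending_hosts(POSTFIX_LOG, postfix, 3, 600),
        "roundcube maxretry=10 findtime=600": offending_hosts(ROUNDCUBE_LOG, roundcube, 10, 600),
        "roundcube maxretry=10 findtime=60": offending_hosts(ROUNDCUBE_LOG, roundcube, 10, 60),
        "roundcube maxretry=3 findtime=600": offending_hosts(ROUNDCUBE_LOG, roundcube, 3, 600),
    }


if __name__ == "__main__":
    for setting, hosts in run_checks().items():
        print(f"{setting}: {sorted(hosts) or 'nobody banned'}")
```

The third Roundcube case shows why findtime matters as much as maxretry: ten failures spread over four and a half minutes never fall inside a 60-second window, so nothing is banned. On the real server the equivalent check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf` (and the same for the Roundcube filter against /var/log/roundcube/errors), which reports how many lines each regex matched.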

For other IMAP clients (logins handled by Dovecot):

In /etc/fail2ban/jail.local under [dovecot] set
[code]
enabled = true
[/code]

Afterwards reload Fail2ban so the changed jails take effect:
[code]
# service fail2ban reload
[/code]

To manually unban a client from a jail (here the roundcube-auth jail):
[code]
# fail2ban-client set roundcube-auth unbanip 192.168.1.2
[/code]

To manually check the status (banned IPs, number of failures) of the Fail2ban jails configured above:
[code]
# fail2ban-client status roundcube-auth
# fail2ban-client status dovecot
# fail2ban-client status postfix
[/code]
