fail2ban no detecta el ataque de fuerza bruta de contraseña SMTP

tag-icon tag-icon debian security postfix fail2ban sasl
fail2ban no detecta el ataque de fuerza bruta de contraseña SMTP

Los spammers están ejecutando ataques de fuerza bruta para adivinar contraseñas en mi servidor (postfix en Debian). Ya adivinaron las contraseñas de dos usuarios y comenzaron a enviar spam usando mi servidor. Se cambiaron las contraseñas y se mitigaron los ataques (por ahora), pero quiero bloquearlos por completo.

Instalé fail2ban, pero por alguna razón no detecta los ataques.

/etc/fail2ban/fail.confcontiene:

[sasl]

enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
#logpath  = /var/log/mail.log
logpath  = /var/log/mail.warn

/etc/fail2ban/filter.d/sasl.confcontiene:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Cuando ejecuto el filtro /var/log/mail.warn, produce resultados:

# fail2ban-regex /var/log/mail.warn '(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$'

Running tests
=============

Use regex line : (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|P...
Use log file   : /var/log/mail.warn


Results
=======

Failregex
|- Regular expressions:
|  [1] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
|
`- Number of matches:
   [1] 15293 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    123.169.7.222 (Sun Feb 25 06:40:18 2018)
    123.169.7.222 (Sun Feb 25 06:40:21 2018)
...
    185.173.176.157 (Fri Mar 02 10:12:46 2018)
    185.173.176.157 (Fri Mar 02 10:13:15 2018)
    185.173.176.157 (Fri Mar 02 10:13:43 2018)
    185.173.176.157 (Fri Mar 02 10:14:11 2018)
    185.173.176.157 (Fri Mar 02 10:14:41 2018)
    185.173.176.157 (Fri Mar 02 10:15:13 2018)
    185.173.176.157 (Fri Mar 02 10:15:42 2018)
    185.173.176.157 (Fri Mar 02 10:16:13 2018)
    185.173.176.157 (Fri Mar 02 10:16:42 2018)
    185.173.176.157 (Fri Mar 02 10:17:10 2018)

Date template hits:
34294 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 15293

However, look at the above section 'Running tests' which could contain important
information.

A pesar de todo eso, /var/log/fail2ban.logno muestra el bloqueo de la dirección IP infractora.

Actualizar

Siguiendo las sugerencias, incrementé el nivel de registro. Esta espectáculos:

2018-03-02 12:47:55,920 fail2ban.filter : DEBUG  Processing line with time:1519986602.0 and ip:185.173.176.157
2018-03-02 12:47:55,920 fail2ban.filter : DEBUG  Ignore line since time 1519986602.0 < 1519987675.92 - 600
2018-03-02 12:47:55,920 fail2ban.filter : DEBUG  Processing line with time:1519986635.0 and ip:185.173.176.157
2018-03-02 12:47:55,920 fail2ban.filter : DEBUG  Ignore line since time 1519986635.0 < 1519987675.92 - 600

El jail.conf tiene:

bantime  = 600
maxretry = 3

Respuesta1

Del Ignore line since time 1519986602.0 < 1519987675.92 - 600registro de registro ylos documentos, supongo que ese 600es el valor de la findtimeopción. Es decir, los intentos de descifrado desde una IP determinada parecen llegar a pasos mayores que findtime, y por lo tanto son ignorados por fail2ban.

1519987675.92-1519986602.0es 1073.92o alrededor de 18 minutos.

Una solución a prueba de balas sería exigir el uso de TLS en la interfaz de Internet y exigir la verificación de que los certificados presentados por los clientes sean emitidos por una CA confiable.

información relacionada