Fail2Ban: regex for SMTP relay

If you set up an SMTP relay on your server, bots may try to brute-force their way in so as to turn your machine into a spam machine.

In my logs I can easily see that 118.167.128.72 is hard at work (while being clever enough not to exceed the max connection rate):

Feb 12 05:22:20 ubuntuserv postfix/smtpd[20950]: lost connection after RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:22:20 ubuntuserv postfix/smtpd[20950]: disconnect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:25:40 ubuntuserv postfix/anvil[20952]: statistics: max connection rate 1/60s for (smtp:118.167.128.72) at Feb 12 05:22:19
Feb 12 05:25:40 ubuntuserv postfix/anvil[20952]: statistics: max connection count 1 for (smtp:118.167.128.72) at Feb 12 05:22:19
Feb 12 05:25:40 ubuntuserv postfix/anvil[20952]: statistics: max cache size 1 at Feb 12 05:22:19
Feb 12 05:31:20 ubuntuserv postfix/smtpd[22890]: connect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:31:21 ubuntuserv postfix/smtpd[22890]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
Feb 12 05:31:22 ubuntuserv postfix/smtpd[22890]: lost connection after RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:31:22 ubuntuserv postfix/smtpd[22890]: disconnect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:34:42 ubuntuserv postfix/anvil[22892]: statistics: max connection rate 1/60s for (smtp:118.167.128.72) at Feb 12 05:31:20
Feb 12 05:34:42 ubuntuserv postfix/anvil[22892]: statistics: max connection count 1 for (smtp:118.167.128.72) at Feb 12 05:31:20
Feb 12 05:34:42 ubuntuserv postfix/anvil[22892]: statistics: max cache size 1 at Feb 12 05:31:20
Feb 12 05:40:38 ubuntuserv postfix/smtpd[24764]: connect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:40:39 ubuntuserv postfix/smtpd[24764]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>

To protect against brute-force attacks, the classic answer is Fail2Ban; all that is missing is the right regular expression:

NOQUEUE\: reject\: RCPT from .*\[<HOST>\]: .*: Relay access denied;

which we add to /etc/fail2ban/filter.d/couriersmtp.conf, which then becomes:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = error,relay=<HOST>,.*550 User unknown
            NOQUEUE\: reject\: RCPT from .*\[<HOST>\]: .*: Relay access denied;
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and don't forget to enable the filter in /etc/fail2ban/jail.conf by setting enabled to true in the couriersmtp section:

[couriersmtp]
enabled  = true
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
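As an added example (not code from the original post), the following Python emulates what Fail2Ban does with the filter and jail above: it expands the <HOST> alias quoted in the filter header, runs the failregex over a few constructed lines taken from the log excerpt, and applies a maxretry/findtime ban decision. The jail parameters (maxretry 3, findtime 600 s) and the year used for the syslog timestamps are assumptions, not values from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three lines taken from the Postfix excerpt above, two
# "Relay access denied" rejects about nine minutes apart plus one non-matching line.
SAMPLE_LOG = """\
Feb 12 05:31:21 ubuntuserv postfix/smtpd[22890]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
Feb 12 05:31:22 ubuntuserv postfix/smtpd[22890]: lost connection after RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:40:39 ubuntuserv postfix/smtpd[24764]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
"""

# The failregex exactly as added to couriersmtp.conf above.
FAILREGEX = r"NOQUEUE\: reject\: RCPT from .*\[<HOST>\]: .*: Relay access denied;"

# Expansion of the <HOST> alias quoted in the filter's header comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex(failregex):
    """Substitute the <HOST> tag the way fail2ban does before compiling a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))

def parse_timestamp(line, year=2000):
    """Syslog timestamps carry no year; assume one (arbitrary) so lines can be ordered."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)

def failures_per_host(log, failregex=FAILREGEX):
    """Return {host: sorted failure timestamps} for every line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = {}
    for line in log.splitlines():
        m = rx.search(line)
        if m:
            hits.setdefault(m.group("host"), []).append(parse_timestamp(line))
    return {host: sorted(times) for host, times in hits.items()}

def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Jail decision (assumed defaults): ban a host that accumulates maxretry
    failures inside any window of findtime seconds."""
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in hits.items():
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned
```

With maxretry 3 the host in the excerpt is never banned on these two lines, and with findtime 300 s even maxretry 2 misses it; a bot that paces itself nine minutes apart is only caught when the jail's findtime is wide enough to cover several of its attempts.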