
Using fail2ban with Kerio Connect mailserver


Fail2ban is a simple tool that reads log files looking for specified patterns and can add iptables rules based upon what it finds. It comes with built-in configuration for ssh, ftp and other common services. You can find other, less common configurations at the project webpage.

I wanted to have fail2ban monitor Kerio log files. This is mostly unnecessary: Kerio Connect has internal configuration settings that can block sites that try to send mail to too many unknown users and so on. However, blocking them outright does lessen the load on the server and may help convince them not to bother with us again.

You won't find a fail2ban configuration for Kerio Connect mailserver. It's not difficult to add this, but you do have to make some adjustments.

Configuration of fail2ban itself is simple enough: you need to add a "jail" stanza to /etc/fail2ban/jail.conf. That will look like this:

[kerio]

enabled = true
filter  = kerio
logpath  = /var/log/mail.log
bantime  = 1200
maxretry = 3
action   = iptables-multiport[name=kerio, port="imap,smtp,imaps,smtps",
           protocol=tcp]

Note that this refers to a "filter". You'll need to create that in the /etc/fail2ban/filter.d directory. It will be named "kerio.conf" and will look something like this:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified for Kerio by A.P. Lawrence
#
# $Revision: 728 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]


# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = SMTP Spam attack detected from <HOST>,
            IP address <HOST> found in DNS blacklist
            Relay attempt from IP address <HOST>
            Attempt to deliver to unknown recipient .*,.*, IP address <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
 

Notice the multiple lines following "failregex =". These are the patterns fail2ban will be looking for in the logfile, and "<HOST>" marks where it will find the IP address. If it sees matching lines "maxretry" times within "findtime" seconds (I reduced that from the default of 600 seconds), it will perform the "action" (blocking that IP with iptables).
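As an added illustration (not part of the original article and not fail2ban's own code), this small Python script applies the four failregex patterns above, with "<HOST>" expanded to the alias quoted in the filter header, to constructed syslog-style lines and then applies the maxretry/findtime rule the way a jail does. The syslog prefix layout, the year (syslog lines carry none) and the "kerio:" program tag are assumptions; the IP addresses are RFC 5737 test values.

```python
import re
from datetime import datetime, timedelta
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"   # fail2ban's <HOST> alias, as quoted above
# The four failregex lines from kerio.conf, with <HOST> expanded.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"SMTP Spam attack detected from <HOST>,",
    r"IP address <HOST> found in DNS blacklist",
    r"Relay attempt from IP address <HOST>",
    r"Attempt to deliver to unknown recipient .*,.*, IP address <HOST>",
)]
# Classic syslog prefix "Jun 17 17:00:45 host tag: message"; note there is no year.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: (?P<msg>.*)$")

def match_line(line, year=2011):
    """Return (timestamp, host) when a failregex hits the message part, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for rx in FAILREGEX:
        hit = rx.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("host")
    return None

def bans(lines, maxretry=3, findtime=600):
    """Jail logic: ban a host once it has maxretry hits within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = {}    # host -> hit times still inside the sliding window
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        times = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = times
        if len(times) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines (RFC 5737 test addresses; the "kerio:" tag is assumed).
SAMPLE_LOG = """\
Jun 17 17:00:45 mailhost kerio: Attempt to deliver to unknown recipient <a@example.com>, from <b@example.net>, IP address 203.0.113.5
Jun 17 17:01:10 mailhost kerio: Relay attempt from IP address 203.0.113.5
Jun 17 17:02:02 mailhost kerio: Message from 198.51.100.7 accepted
Jun 17 17:03:30 mailhost kerio: SMTP Spam attack detected from 203.0.113.5, 3 messages
Jun 17 17:04:00 mailhost kerio: IP address 198.51.100.7 found in DNS blacklist
Jun 17 17:20:00 mailhost kerio: IP address 198.51.100.7 found in DNS blacklist
Jun 17 17:35:00 mailhost kerio: IP address 198.51.100.7 found in DNS blacklist
""".splitlines()
```

With the defaults, bans(SAMPLE_LOG) returns only 203.0.113.5: the second host matches three times, but never three times inside one 600-second window, which is exactly the case a smaller findtime is meant to leave alone.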

Simple enough, right? Yes, but Kerio doesn't log to /var/log/mail.log by default. More importantly, Kerio writes date stamps in a format that fail2ban does not understand, so you can't just point fail2ban at /opt/kerio/mailserver/store/logs/security.log.

However, you can tell Kerio Connect to use syslog instead of (or in addition to) its own log. In the administration browser, select the Security log and right-click in the window where the log lines display. Click on Settings and then on the External Logging tab. As shown here, I asked it to log to localhost.

(Screenshot: setting Kerio to syslog)

Your syslog needs to listen for "remote" clients. This is true even if you are running on the same machine as I am here. On this machine, I had to uncomment these lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

and restart the syslog server.

/etc/init.d/rsyslog restart
 

Then fail2ban starts up (/etc/init.d/fail2ban restart) and adds chains to iptables:

# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-kerio  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 143,25,993,465 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-kerio (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0    
 

After a very short wait, fail2ban started adding to those chains (I'm showing the relevant chain only):

# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target     prot opt source               destination         
DROP       all  --  189.104.140.96       0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
 

Some time later, a different set of IPs is banned (fail2ban removes each rule after "bantime" seconds).

# iptables -n -L fail2ban-kerio
Chain fail2ban-kerio (1 references)
target     prot opt source               destination
DROP       all  --  83.149.46.234        0.0.0.0/0
DROP       all  --  200.85.123.34        0.0.0.0/0
DROP       all  --  189.82.35.144        0.0.0.0/0
DROP       all  --  200.223.61.18        0.0.0.0/0
DROP       all  --  201.51.251.94        0.0.0.0/0
DROP       all  --  118.71.57.99         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

If Kerio did not have the ability to use syslog, we would have had to filter the log file and rewrite it for fail2ban. That's not particularly hard to do - here's a Perl script designed to be used in a "tailf /opt/kerio/mailserver/store/logs/security.log" pipeline:

#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;

# fail2ban's logpath points at this rewritten copy of the Kerio security log
open(my $out, '>', '/var/log/keriosecurity.log')
    or die "cannot open /var/log/keriosecurity.log: $!";
$out->autoflush(1);

while (<>) {
    s/\[//g;                                  # strip the brackets around Kerio's timestamp
    s/\]//g;
    my ($day, $time, @rest) = split /\s+/;
    next unless defined $time;                # skip blank or malformed lines
    my @timestamp = split m{/}, $day;         # 17/Jun/2011 -> (17, Jun, 2011)
    my $replace = "$timestamp[1] $timestamp[0] $time : ";   # "Jun 17 17:00:45 : " as syslog would write it
    print $out "$replace @rest\n";
}

That will take Kerio log files that might look like this:

[17/Jun/2011 17:00:45] Attempt to deliver to unknown recipient , from , IP address 200.90.149.178

and rewrite them in /var/log/keriosecurity.log to look like this:

Jun 17 17:00:45 :  Attempt to deliver to unknown recipient , from , IP address 200.90.149.178

Your fail2ban configuration would set "logpath=/var/log/keriosecurity.log".
