kerio filter for fail2ban
taittinger_hi
Has anyone made a filter configuration to block random attempts on POP3 (and SMTP) for fail2ban?

Fail2ban would be great to block these attempts in the kerio warning log:

[20/Dec/2009 16:35:59] POP3: User user@example doesn't exist. Attempt from IP address XXX.XXX.XX.XX

and

[22/Nov/2009 00:05:01] POP3: Invalid password for user user@example. Attempt from IP address XXX.XXX.XX.XX

Fail2ban works great with the standard filters included in the package, but I can't find a working config for kerio unfortunately ...

Anyone managed to write a working filter config for fail2ban?

Help would be really appreciated!

Thanks,

Tom.
cn64
Hi Tom,

I have...
Still interested in a solution?
Regards
Chris
taittinger_hi
Hi Chris,

I'm still very interested in a working solution for fail2ban + kerio.
We run Kerio 6.7.3 on Ubuntu 8.04 LTS (64-bit).

Thanks for your reply and looking forward to your solution!

Kind Regards,

Tom
cn64
Hi Tom,

Sorry for coming back so late - I was "on the road" over the weekend.
Let's take it step by step then.
I also struggled a couple of days until I finally got the idea of transforming the Kerio logfiles. I managed to do this through the syslog daemon. Please check whether your syslog daemon supports the "resource" file() (to survey log files). If the daemon is not able to read logfiles through the file() resource (you'll get an error message like "permission denied" if the daemon can't handle the file resource), then you've got to update to a newer version, i.e. > 3.0.
I performed the following steps:

cd /var/log
touch kerio_security.log (no need of changing permissions)

I had to install the syslog-ng 3.0 from its sources, because my version did not handle the resource file().
I configured my daemon with the following entries:

cd /opt/syslog-ng/etc
vi (or any other editor of your choice) syslog-ng.conf

add the resource:
source kerio_security {file("/opt/kerio/mailserver/store/logs/security.log"); };

add the filter:
filter f_kerio_sec {level (debug,info,notice,warning,error,crit,alert,emerg); };

add the destination:
destination kerio_sec { file("/var/log/kerio_security.log");};
log { source(kerio_security); filter(f_kerio_sec); destination(kerio_sec); };

Restart the syslog daemon and check if the entries in /var/log/kerio_security.log are similar to the ones in the original logfile

Now configure fail2ban (I'm using banaction = route in fail2ban, because of collisions in my iptables firewall):

jail.conf:

[kerio_security]
enabled = true
filter = kerio_security
action = route
         mail-whois[name=kerio-security, dest=xxx, sender=root]
logpath = /var/log/kerio_security.log
maxretry = 3
bantime = 1200

Filter:
cd /etc/fail2ban/filter.d
touch kerio_security.conf
vi kerio_security.conf

[Definition]
failregex = .* Failed (POP3|IMAP) login from <HOST>.*$
            .* SMTP Spam attack detected from <HOST>.*$

Action:
cd /etc/fail2ban/action.d
touch route.conf

Configure route.conf with the following entries:
[Definition]
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>

Don't forget to add the /var/log/security_log to your logrotate daemon - otherwise you might quickly get a gigantic logfile.

That's it!
Cheers
Chris

[Updated on: Tue, 26 January 2010 13:32]
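As an added illustration (not code from the thread or from Kerio/fail2ban), this Python script performs the same decision a fail2ban jail makes with maxretry = 3: it matches the warning-log lines Tom quoted and the security-log phrasing Chris's failregex expects, counts failures per source IP inside a findtime window, and reports which hosts would be banned. The log lines and IP addresses below are constructed samples (documentation ranges), not real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: Kerio warning-log format (as quoted in the question)
# plus the security-log phrasing the fail2ban filter above matches.
SAMPLE_LOG = """\
[20/Dec/2009 16:35:59] POP3: User user@example.com doesn't exist. Attempt from IP address 192.0.2.10
[20/Dec/2009 16:36:02] POP3: Invalid password for user user@example.com. Attempt from IP address 192.0.2.10
[20/Dec/2009 16:36:05] POP3: Invalid password for user user@example.com. Attempt from IP address 192.0.2.10
[20/Dec/2009 16:40:00] Failed POP3 login from 198.51.100.7
[20/Dec/2009 16:40:01] SMTP Spam attack detected from 198.51.100.7
[20/Dec/2009 17:10:00] POP3: Invalid password for user bob@example.com. Attempt from IP address 203.0.113.5
"""

# Equivalent of fail2ban's failregex list; the named group plays the role of <HOST>.
FAIL_PATTERNS = [
    re.compile(r"POP3: User \S+ doesn't exist\. Attempt from IP address (?P<host>\S+)"),
    re.compile(r"POP3: Invalid password for user \S+\. Attempt from IP address (?P<host>\S+)"),
    re.compile(r"Failed (?:POP3|IMAP) login from (?P<host>\S+)"),
    re.compile(r"SMTP Spam attack detected from (?P<host>\S+)"),
]
TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\]")

def parse_failures(text):
    """Yield (timestamp, host) for every line that matches a failure pattern."""
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group(1), "%d/%b/%Y %H:%M:%S")
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if m:
                yield ts, m.group("host")
                break

def hosts_to_ban(text, maxretry=3, findtime=600):
    """Hosts that reach maxretry failures within a sliding findtime window (seconds),
    mirroring how fail2ban evaluates maxretry/findtime for a jail."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in parse_failures(text):
        hits = [t for t in recent[host] if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Running it reports only 192.0.2.10, the one source with three failures inside the window; the host with two hits stays below the threshold, which is the behaviour to tune via maxretry and findtime before enabling the route action.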

Pavel Dobry (Kerio)
If you're going to use syslog, I strongly recommend NOT using the security log file from the Kerio MailServer as a source.
Configure the security log in KMS to log to syslog instead. It is a much cleaner, easier and more reliable solution.
cn64
Hi Tom,

Did you already check my solution?
Regards
Chris
taittinger_hi
Hello Chris,

Many, many thanks in advance for your clear explanation! I will check the solution asap and will for sure post feedback.

Kind Regards,

Tom