Blocking brute force attacks to Dovecot on CentOS

Posted in March 2012 by under sysadmin

Email accounts are often protected by weak passwords, and yet those same accounts receive password reminders, personal details, email from family and friends and so on.

It is also becoming more common for people to leave their email online in "the cloud" rather than download it all with an email client. This combination makes a tempting target for attackers: if they can access your email, they gain a great deal of useful information.

Aside from the privacy risk, brute force attacks against your server fill up the log files, waste server resources and in some cases cause service disruption.

There are many ways to stop this problem escalating; one of the simplest is to use Fail2Ban.

Installing Fail2Ban on CentOS

To install Fail2Ban using yum you will need to add a repository, as Fail2Ban is not included in CentOS by default. ATrpms and RPMforge are both suitable.

Then as root, run:

yum install fail2ban

Fail2Ban is not yet running. You can check this using:

service fail2ban status

Configuring Fail2Ban

First, tidy up the defaults. Edit /etc/fail2ban/fail2ban.conf and change the "dest" and "sender" email addresses to the addresses you want the notification emails sent to and from, or comment out the sendmail line if you do not wish to receive email notifications.

Next, enable or disable the other services that come with Fail2Ban (sshd, proftpd, exim and so on) as you need them.

I save my logs to /var/log/fail2ban.log. If you want to do this, set the value of logtarget in /etc/fail2ban/fail2ban.conf:

logtarget = /var/log/fail2ban.log

Configuring Fail2Ban for Dovecot

Now we need to create a new filter configuration for Dovecot, as this service is not configured out of the box.

vim /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Add the following lines. Note that each failregex must contain the <HOST> tag, which Fail2Ban replaces with the pattern that captures the remote address to ban:

[Definition]
failregex = dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user
            dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]
            dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]
            dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars
            dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]
ignoreregex =

Now open the existing /etc/fail2ban/jail.conf and add the following lines at the bottom:

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200

Change the values of dest and sender in the sendmail-whois line to your own addresses.

Then start Fail2Ban using:

service fail2ban start

and make sure it is started at boot time:

chkconfig --level 235 fail2ban on

You should get an email stating "The jail dovecot-pop3imap has been started successfully."

Running

service fail2ban status

should show:

Status
    |- Number of jail:    1
    `- Jail list:        dovecot-pop3imap

You can see the attacks being blocked in /var/log/messages or /var/log/fail2ban.log, depending on the value of logtarget in /etc/fail2ban/fail2ban.conf.
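Before relying on the filter, it is worth checking that the regexes actually match what lands in /var/log/maillog. The following Python script is an added example (not from the original post and not part of Fail2Ban) that dry-runs the filter and jail above: it substitutes <HOST> in each failregex the way Fail2Ban does, then applies the maxretry and findtime thresholds to a handful of constructed log lines to show which address the jail would ban. The IPv4-only <HOST> pattern and the sample log lines are assumptions made for the test.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex lines from filter.d/dovecot-pop3imap.conf as given in the post.
FAILREGEX = [
    r"dovecot: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
    r"dovecot: (pop3|imap)-login: Aborted login \(.*\): .*, \[<HOST>\]",
    r"dovecot: (pop3|imap)-login: Disconnected \(auth failed, .*\): .*, \[<HOST>\]",
    r"dovecot: auth\(default\): passdb\(.*,<HOST>\)\: Attempted login with password having illegal chars",
    r"dovecot: (pop3|imap)-login: Aborted login: .*, \[<HOST>\]",
]

# Fail2Ban replaces <HOST> with a named group; an IPv4-only version (assumption) is enough here.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed maillog excerpt (not real traffic): 203.0.113.5 fails 20 times in
# 20 seconds, while 198.51.100.7 mistypes a username once and then logs in.
SAMPLE_LOG = [
    "Mar 10 12:00:%02d mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): "
    "user=<alice>, method=PLAIN, [203.0.113.5]" % s for s in range(20)
] + [
    "Mar 10 12:00:30 mail dovecot: auth-worker(default): sql(bob,198.51.100.7): unknown user",
    "Mar 10 12:00:31 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7",
]


def match_host(line):
    """Return the remote address if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=20, findtime=1200):
    """Replay the jail's counting rule: a host is banned once it has maxretry
    matching failures inside a findtime-second window. Returns hosts in ban order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        host = match_host(line)
        if host is None or host in banned:
            continue
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp prefix
        recent[host] = [t for t in recent[host] if stamp - t <= window] + [stamp]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", hosts_to_ban(SAMPLE_LOG))                   # ['203.0.113.5']
    print("with findtime=10:", hosts_to_ban(SAMPLE_LOG, findtime=10))  # []
```

Feed it real lines from your own maillog to confirm the filter matches your Dovecot version's log format; if match_host returns None for a genuine failure, the regexes need adjusting before the jail will ever ban anything.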

Links

http://www.fail2ban.org/wiki/index.php/Talk:Dovecot

http://wiki.dovecot.org/HowTo/Fail2Ban