{"id":774,"date":"2011-08-18T16:46:40","date_gmt":"2011-08-18T14:46:40","guid":{"rendered":"http:\/\/robert.kolatzek.org\/wblog\/?p=774"},"modified":"2011-08-18T16:46:40","modified_gmt":"2011-08-18T14:46:40","slug":"mehr-server-schutz-durch-fail2ban","status":"publish","type":"post","link":"https:\/\/blog.kolatzek.org\/wblog\/774\/mehr-server-schutz-durch-fail2ban","title":{"rendered":"More server protection with fail2ban"},
"content":{"rendered":"<p>For some time now I have been haunted by logcheck mails with lines like this one:<\/p>\n<pre style=\"overflow: auto\">Jul 25 21:59:06 hostname saslauthd[3115]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=<\/pre>\n<p>or this one:<\/p>\n<pre style=\"overflow: auto\">Jul 25 21:34:16 hostname postfix\/smtpd[13745]: warning: SASL authentication failure: All-whitespace username.\n<\/pre>\n<p>While the second one points to a very specific combination of a Postfix configuration problem and certain SMTP clients, the first one means that someone is trying to use my server as a spam bot with wrong login credentials.<!--more--><\/p>\n<p>Although DoS\/brute-force attacks on SSH are locked out by other means such as denyhosts, the SMTP login is still a way to test login credentials for validity. Root is not allowed to log in via SMTP&#8230; but the other users are. Once someone has the credentials, they can of course try to log in via SSH and compromise the system as a local user (exploits in binaries and the like). Failing that, the server can still be abused as a bot in a spam server network or as a virus distribution point under SERVER\/~user\/virus.exe, and in this way serve as a stepping stone to other servers.<\/p>\n<p>To stop this kind of brute force as well, one should use the log monitoring program &#8220;<a href=\"http:\/\/www.fail2ban.org\">fail2ban<\/a>&#8221;. It monitors the log files specified in the \/etc\/fail2ban\/jail.conf file and applies the corresponding regex filters from \/etc\/fail2ban\/filter.d\/ to them. For Postfix, in the case at hand, it should look as follows:<\/p>\n<p>The filter (\/etc\/fail2ban\/filter.d\/postfix.conf)<\/p>\n<pre style=\"overflow: auto\">\n[Definition]\n# &lt;HOST&gt; is the placeholder that fail2ban replaces with its IP address pattern;\n# the address captured there is the one that gets banned.\n# Continuation lines of failregex must be indented, otherwise they are parsed as new keys.\nfailregex = reject: RCPT from (.*)\\[&lt;HOST&gt;\\]: 550 5\\.1\\.1\n            reject: RCPT from (.*)\\[&lt;HOST&gt;\\]: 450 4\\.7\\.1\n            reject: RCPT from (.*)\\[&lt;HOST&gt;\\]: 554 5\\.7\\.1\n            warning: unknown\\[&lt;HOST&gt;\\]: SASL LOGIN authentication failed: authentication failure\nignoreregex =\n<\/pre>\n<p>The configuration (\/etc\/fail2ban\/jail.conf) should be adjusted accordingly. These values make sense to me:<\/p>\n<pre style=\"overflow: auto\">\n[postfix]\nenabled  = true\nport     = smtp,ssmtp\nfilter   = postfix\nlogpath  = \/var\/log\/mail.log\nbantime  = 6000\nmaxretry = 5\n<\/pre>\n","protected":false},
"excerpt":{"rendered":"<p>For some time now I have been haunted by logcheck mails with lines like this one: Jul 25 21:59:06 hostname saslauthd[3115]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= or this one: Jul 25 21:34:16 hostname postfix\/smtpd[13745]: warning: SASL authentication failure: All-whitespace username. While the second one points to a very specific combination of a Postfix configuration problem and certain SMTP clients, the first one means that [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[8],"tags":[20,65,66,85,96,99,106],"class_list":["post-774","post","type-post","status-publish","format-standard","hentry","category-software","tag-bruteforce","tag-linux","tag-linux-vserver","tag-postfix","tag-server","tag-smtp","tag-ssh","entry"]}