From 5852bac43a98d6b41124605212525aa1225a0230 Mon Sep 17 00:00:00 2001
From: anoma
Date: Mon, 6 Jul 2015 08:27:04 +0100
Subject: [PATCH 1/3] Revert to defaults FAIL2BAN findtime and maxretry
The reverts the remaining FAIL2BAN settings to default: findtime 600 and maxretry 3. As jail settings override default settings this was hardly being used anyway so it is better to explicitly set it per jail as and when required.
---
 conf/fail2ban/jail.local | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local
index 48a30fa9..a338e07b 100644
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@@ -1,11 +1,5 @@
 # Fail2Ban configuration file for Mail-in-a-Box
-[DEFAULT]
-
-# This should ban dumb brute-force attacks, not oblivious users.
-findtime = 30
-maxretry = 20
-
 # JAILS
 [ssh-ddos]
From 8de060ab4579bd97046317b8a2c720eb76677a2a Mon Sep 17 00:00:00 2001
From: anoma
Date: Mon, 6 Jul 2015 08:34:26 +0100
Subject: [PATCH 2/3] Ultra safe dovecot findtime and maxretry settings
Explicitly set the existing extremely safe timings and counts for the dovecot jail rather than change the global [DEFAULT] and inherit it for this one jail. These settings are far too safe so a future PR will increase security here.
---
 conf/fail2ban/jail.local | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local
index a338e07b..9ecb2095 100644
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@@ -11,3 +11,5 @@ enabled = true
 [dovecot]
 enabled = true
 filter = dovecotimap
+findtime = 30
+maxretry = 20
From bb3ccdca6cfa549fc0128725e867865f7e7f2a8e Mon Sep 17 00:00:00 2001
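Review bot: The added `findtime = 30` and `maxretry = 20` under [dovecot] carry no comment, and the explanatory line that accompanied these same values in the [DEFAULT] block removed by the first patch of this series ("This should ban dumb brute-force attacks, not oblivious users.") was not carried over. The commit message itself calls the values far too safe and promises a follow-up, so the units and the intent belong in the file rather than only in git history, otherwise the next reader will take "20 failures in 30 seconds" as a tuned threshold. Add above `findtime = 30` the line `# seconds; 20 failures within 30 s before a ban - deliberately lenient, to be tightened`, which fail2ban's jail.local reader accepts as a full-line `#` comment in the same style as the file header. The [dovecot] section starts inside this hunk; per the third patch in the series it ends at `maxretry = 20`.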
From: anoma
Date: Mon, 6 Jul 2015 08:53:14 +0100
Subject: [PATCH 3/3] Activate FAIL2BAN recidive jail
Recidive can be thought of as FAIL2BAN checking itself. This setup will monitor the FAIL2BAN log and if 10 bans are seen within one day activate a week long ban and email the mail in a box admin that it has been applied . These bans survive FAIL2BAN service restarts so are much stronger which obviously means we need to be careful with them. Our current settings are relatively safe and definitely not easy to trigger by mistake e.g to activate a recidive IP jail by failed SSH logins a user would have to fail logging into SSH 6 times in 10 minutes, get banned, wait for the ban to expire and then repeat this process 9 further times within a single day. The default maxretry of 5 is much saner but that can be applied once users are happy with this jail. I have been running a stronger version of this for months and it does a very good job of ejecting persistent abusers.
---
 conf/fail2ban/jail.local | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local
index 9ecb2095..f995f55a 100644
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@@ -13,3 +13,7 @@ enabled = true
 filter = dovecotimap
 findtime = 30
 maxretry = 20
+
+[recidive]
+enabled = true
+maxretry = 10
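Review bot: The new `[recidive]` block pins only `maxretry = 10`; the one-day window, week-long ban, fail2ban log path and admin e-mail action that the commit message relies on are not set in this hunk, so they must be inherited from the packaged jail.conf `[recidive]` defaults - exactly the kind of inheritance the first patch in this series removes the global [DEFAULT] block to avoid. Because a recidive ban is long-lived and survives restarts (per the commit message), a package upgrade that changes those defaults would silently change how long an address stays locked out. Pin the values this jail is documented to have, `findtime = 86400` (1 day) and `bantime = 604800` (1 week), under a comment such as `# 10 bans within 1 day => 1 week ban; logpath and action come from the packaged jail.conf [recidive]`. The e-mail notification presumably also depends on a `destemail` being configured somewhere, which is not visible in this series and is worth confirming.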