Hardening Kopano against attacks with Fail2ban
This howto describes how to install and configure Fail2ban for Kopano Groupware on Ubuntu. Fail2ban provides effective protection against brute-force attacks by filtering out failed attempts of authentication from Syslog and Apache protocol in order to block the host for a certain period of time using a kernel firewall.
Install Fail2ban on Kopano Server
The Fail2ban package will be installed on Ubuntu as root as follows. Fail2ban is developed on Python, which is why the required libraries are reloaded.
$ apt-get update $ apt-get install fail2ban -y
After installation, Fail2ban runs and is enabled in systemd for autostart.
$ systemctl start fail2ban $ systemctl enable fail2ban
Create Fail2ban Filter for Kopano
Build Fail2ban filter for Kopano, we create the file kopano-webapp-auth.conf
$ vi /etc/fail2ban/filter.d/kopano-webapp-auth.conf
Insert the content into the filter file with the following lines:
# Fail2Ban kopano-webbapp-auth filter # /etc/fail2ban/filter.d/kopano-webapp-auth.conf [INCLUDES] before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI ignoreregex =
Enable the Kopano Filter
Activate the Fail2ban filter for Kopano by creating the configuration file jail.local.
$ vi /etc/fail2ban/jail.local
And insert the following content:
[sshd] port = ssh logpath = %(sshd_log)s [kopano-webapp] enabled = true port = https filter = kopano-webapp-auth logpath = %(apache_error_log)s [apache-auth] enabled = true port = http,https logpath = %(apache_error_log)s
Here error.log is read out with the variable %(apache_error_log), /var/log/apache2/error.log
Start Fail2ban with Kopano Filter
Restart Fail2ban to enable the changes.
$ systemctl restart fail2ban
Check Fail2ban Client Status
The status of Fail2ban can be checked as follows.
$ fail2ban-client status Status |- Number of jail: 3 '- Jail list: apache-auth, kopano-webapp, sshd root@kopano:~# fail2ban-client status kopano-webapp Status for the jail: kopano-webapp | Filters | |- Currently failed: 0 | |- Total failed: 7 | '- File list: /var/log/apache2/mattermost-error.log /var/log/apache2/error.log '- Actions |- Currently banned: 4 |- Total banned: 52 '- Banned IP list: 10.10.10.101 172.17.88.91 172.31.16.3 10.32.57.98
The firewall provides information about the status of the hosts currently blocked by Fail2ban, with an iptables query:
$ iptables -vnL | egrep "f2b-kopano-webapp|apache-auth|sshd"
Fail2ban intrusion prevention software framework
Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.
Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.
It includes support for both IPv4 and IPv6. Optionally longer bans can be custom-configured for “recidivist” abusers that keep coming back. Fail2ban is typically set up to unban a blocked host within a certain period, so as to not “lock out” any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.