Kopano Fail2ban Filter

Protect Kopano by Fail2ban

0
(0)

Hardening Kopano against attacks with Fail2ban

This howto describes how to install and configure Fail2ban for Kopano Groupware on Ubuntu. Fail2ban provides effective protection against brute-force attacks by filtering out failed attempts of authentication from Syslog and Apache protocol in order to block the host for a certain period of time using a kernel firewall.

Install Fail2ban on Kopano Server

The Fail2ban package will be installed on Ubuntu as root as follows. Fail2ban is developed on Python, which is why the required libraries are reloaded.

$ apt-get update
$ apt-get install fail2ban -y

After installation, Fail2ban runs and is enabled in systemd for autostart.

$ systemctl start fail2ban
$ systemctl enable fail2ban

Create Fail2ban Filter for Kopano

Build Fail2ban filter for Kopano, we create the file kopano-webapp-auth.conf

$ vi /etc/fail2ban/filter.d/kopano-webapp-auth.conf

Insert the content into the filter file with the following lines:

# Fail2Ban kopano-webbapp-auth filter
# /etc/fail2ban/filter.d/kopano-webapp-auth.conf

[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI

ignoreregex =

Enable the Kopano Filter

Activate the Fail2ban filter for Kopano by creating the configuration file jail.local.

$ vi /etc/fail2ban/jail.local

And insert the following content:

[sshd]
port = ssh
logpath = %(sshd_log)s

[kopano-webapp]
enabled = true
port = https
filter = kopano-webapp-auth
logpath = %(apache_error_log)s

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s

Here error.log is read out with the variable %(apache_error_log), /var/log/apache2/error.log

Start Fail2ban with Kopano Filter

Restart Fail2ban to enable the changes.

$ systemctl restart fail2ban

Check Fail2ban Client Status

The status of Fail2ban can be checked as follows.

$ fail2ban-client status
Status
|- Number of jail: 3
'- Jail list: apache-auth, kopano-webapp, sshd
 
root@kopano:~# fail2ban-client status kopano-webapp
Status for the jail: kopano-webapp
| Filters
|  |- Currently failed: 0
|  |- Total failed: 7
|  '- File list: /var/log/apache2/mattermost-error.log /var/log/apache2/error.log
'- Actions
   |- Currently banned: 4
   |- Total banned: 52
   '- Banned IP list: 10.10.10.101 172.17.88.91 172.31.16.3 10.32.57.98

The firewall provides information about the status of the hosts currently blocked by Fail2ban, with an iptables query:

$ iptables -vnL | egrep "f2b-kopano-webapp|apache-auth|sshd"

Fail2ban intrusion prevention software framework

Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

It includes support for both IPv4 and IPv6. Optionally longer bans can be custom-configured for „recidivist“ abusers that keep coming back. Fail2ban is typically set up to unban a blocked host within a certain period, so as to not „lock out“ any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

Wie hilfreich war dieser Beitrag?

Klicke auf die Sterne um zu bewerten!

Durchschnittliche Bewertung 0 / 5. Anzahl Bewertungen: 0

Bisher keine Bewertungen! Sei der Erste, der diesen Beitrag bewertet.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert