Fail2Ban

MailCleaner Support
Added almost 3 years ago

Note : How to activate fail2ban is described below in this document.

Fail2ban principle in MailCleaner

Let's pick the exim jail to illustrate the general principle:

An IP will be blocked in that jail if it caused 10 errors in /var/mailcleaner/log/exim_stage1/rejectlog over the last 3600 seconds (that is, the last hour). It will then be banned for 86400 seconds (that is, 24 hours).
If you have activated the fail2ban blacklists, an IP that has been jailed 3 times (max_count) will then be blacklisted.

You can easily find those parameters in the fail2ban_jail MySQL table:

$ mc_mysql -m mc_config

mysql> select * from fail2ban_jail;
+----+---------+------------+----------+----------+---------+------------+-------------------+-----------+--------------------------------------------+-----------+-----------+--------------+
| id | enabled | name       | maxretry | findtime | bantime | port       | filter            | banaction | logpath                                    | max_count | send_mail | send_mail_bl |
+----+---------+------------+----------+----------+---------+------------+-------------------+-----------+--------------------------------------------+-----------+-----------+--------------+
|  1 |       1 | mc-webauth |       10 |     3600 |   86400 | 80,443     | mc-webauth-filter | mc-custom | /var/mailcleaner/log/apache/mc_auth.log    |         3 |         0 |            0 |
|  2 |       1 | mc-ssh     |        3 |     3600 |   86400 | 22         | sshd              | mc-custom | /var/log/auth.log                          |         3 |         0 |            0 |
|  3 |       1 | mc-exim    |       10 |     3600 |   86400 | 25,465,587 | mc-exim-filter    | mc-custom | /var/mailcleaner/log/exim_stage1/rejectlog |         3 |         0 |            0 |
+----+---------+------------+----------+----------+---------+------------+-------------------+-----------+--------------------------------------------+-----------+-----------+--------------+
3 rows in set (0.00 sec)
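The following is an added illustration, not MailCleaner's or fail2ban's own code: a small model of the jail rule above using the mc-exim values from the table (maxretry 10, findtime 3600, bantime 86400, max_count 3), replayed over constructed rejectlog timestamps so you can see where the sliding window, the ban and the blacklist escalation kick in. That the blacklist triggers on the ban that would follow max_count earlier bans is our reading of the text, not a verified detail of the implementation.

```python
from collections import defaultdict, deque

# Constructed example, not MailCleaner's or fail2ban's own code. It models the
# jail rule with the mc-exim defaults: MAXRETRY failures within FINDTIME seconds
# -> ban for BANTIME seconds; once an IP has been banned MAX_COUNT times, the next
# ban moves it to the permanent <jail>-bl blacklist (trigger point is an assumption).
MAXRETRY, FINDTIME, BANTIME, MAX_COUNT = 10, 3600, 86400, 3


class Jail:
    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME, max_count=MAX_COUNT):
        self.maxretry, self.findtime = maxretry, findtime
        self.bantime, self.max_count = bantime, max_count
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.ban_until = {}                 # ip -> epoch second at which the ban expires
        self.ban_count = defaultdict(int)   # ip -> bans handed out so far
        self.blacklist = set()              # ips moved to the permanent <jail>-bl jail

    def is_banned(self, ip, now):
        return ip in self.blacklist or self.ban_until.get(ip, 0) > now

    def failure(self, ip, ts):
        """Feed one rejectlog hit; return None, 'ban' or 'blacklist'."""
        if self.is_banned(ip, ts):
            return None  # a banned host cannot reach the service, nothing to count
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop hits older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        window.clear()
        if self.max_count and self.ban_count[ip] >= self.max_count:
            self.blacklist.add(ip)
            return "blacklist"
        self.ban_count[ip] += 1
        self.ban_until[ip] = ts + self.bantime
        return "ban"


def replay(events):
    """Replay (ts, ip) events in time order; return [(ts, ip, action)] for each ban."""
    jail, out = Jail(), []
    for ts, ip in sorted(events):
        action = jail.failure(ip, ts)
        if action:
            out.append((ts, ip, action))
    return out


# Constructed events: 198.51.100.7 sends 10 rejects a minute apart, four times, more
# than a day apart; 203.0.113.5 sends 9 quick rejects and a 10th over an hour later.
BURSTS = [(start + 60 * i, "198.51.100.7") for start in (0, 100000, 200000, 300000) for i in range(10)]
SLOW = [(60 * i, "203.0.113.5") for i in range(9)] + [(4000, "203.0.113.5")]
```

Running `replay(BURSTS + SLOW)` shows three bans for the bursting host followed by a blacklist entry, while the slow host is never banned because its tenth hit falls outside the one-hour window.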

Fail2ban Activation

IMPORTANT WARNING : Please note that the commands and paths may vary depending on your system. In case of problem or doubt, please open a ticket and we will assist you.
Note : Replication of Fail2ban bans/unbans between nodes takes effect every 5 minutes.

If the fail2ban.py command is not found use the complete path to interact with Fail2Ban:

/var/mailcleaner/.pyenv/versions/3.7.7/bin/fail2ban.py

Usage

  • List currently banned IPs on a specific server:

    fail2ban-client status <jail>

  • Show all IPs currently banned by Fail2ban on all servers:

    echo 'SELECT * FROM fail2ban_ips WHERE active=true' |mc_mysql -s mc_config -t

  • Unban an IP in MailCleaner:

    fail2ban.py unban -i <ip> -j <jail> --f2b-call

Configuration

Note : By default all jails are disabled.
Note : All commands must be run on every node of the cluster.

  • Enable a jail:

    fail2ban.py jail enable -j <jail>

  • Enable all jails:

    fail2ban.py general enable

  • Disable all jails:

    fail2ban.py general disable

  • Change the value of findtime, bantime or maxretry:

    fail2ban.py jail change -j <jail> --option <option> -v <value>

Permanent Blacklist

The blacklist in MailCleaner's Fail2ban integration is a specific jail that is dynamically created for every jail.

After the specified number of bans (by default: 3), an IP that would be banned again is instead moved to this permanent jail (<jail>-bl).

  • Disable blacklist for a specific jail:

    fail2ban.py blacklist disable -j <jail>

  • Disable blacklist for all jails:

    fail2ban.py general disable-bl

  • Enable blacklist for all jails:

    fail2ban.py general enable-bl -v <value>
    <value> = maximum number of bans before blacklisting [default: 3]

  • Manually blacklist an IP

    fail2ban.py blacklist add -j <jail> -i <ip>

  • Unban an IP that is currently blacklisted:

    fail2ban.py blacklist remove -j <jail> -i <ip>

Whitelist

If certain IPs must never be banned by a specific jail, you can whitelist them using the following commands.

Add an IP to the whitelist:

fail2ban.py whitelist add -j <jail> -i <ip>

Remove a whitelisted IP (this command needs to be run on all servers):

fail2ban.py whitelist remove -j <jail> -i <ip>

Advanced User

Note : The following section is intended only for users who are familiar with Fail2Ban and is therefore not supported.

Create custom jail

In order to create a custom jail in MailCleaner,
you need to add an entry to the database on the master server:

echo "INSERT INTO fail2ban_jail (enabled, name, maxretry, findtime, bantime, port, filter, banaction, logpath, max_count) VALUES (<enabled>, '<name>', <maxretry>, <findtime> , <bantime>, '<port>', '<filter>', '<banaction>', '<logpath>', <max_count>);" |mc_mysql -m mc_config

Value                              Type
enabled                            TinyINT (0 or 1)
name, filter, banaction, logpath   STRING
port                               STRING (delimiter ',')
maxretry, findtime, bantime        INT
max_count                          INT (disabled = 0)

Note : Use mc-custom as the banaction to fully integrate your jail in MailCleaner.
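As an added example (not MailCleaner's own tooling), the helper below builds the INSERT statement for a custom jail while enforcing the column types from the table above, so a bad value is rejected before the statement is echoed into mc_mysql. The jail name, filter and log path in EXAMPLE_JAIL are placeholders we made up for the demonstration.

```python
import re

# Added example, not MailCleaner's tooling: build the INSERT for a custom
# fail2ban_jail row while enforcing the column types listed above, so a bad
# value (a stray quote in a path, a non-numeric findtime) is rejected before
# the statement is echoed into mc_mysql.
INT_COLS = ("maxretry", "findtime", "bantime", "max_count")
STR_COLS = ("name", "filter", "banaction", "logpath", "port")
COLUMNS = ("enabled", "name", "maxretry", "findtime", "bantime",
           "port", "filter", "banaction", "logpath", "max_count")
PORT_RE = re.compile(r"^\d{1,5}(,\d{1,5})*$")  # ',' is the port delimiter


def sql_str(value: str) -> str:
    """Quote a MySQL string literal, escaping backslashes and single quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def custom_jail_insert(jail: dict) -> str:
    """Return the INSERT statement for one custom jail, or raise ValueError."""
    missing = [c for c in COLUMNS if c not in jail]
    if missing:
        raise ValueError(f"missing columns: {', '.join(missing)}")
    if isinstance(jail["enabled"], bool) or jail["enabled"] not in (0, 1):
        raise ValueError("enabled is TinyINT: use 0 or 1")
    for col in INT_COLS:  # bool is an int subclass, so exclude it explicitly
        if isinstance(jail[col], bool) or not isinstance(jail[col], int) or jail[col] < 0:
            raise ValueError(f"{col} must be a non-negative INT")
    for col in STR_COLS:
        if not isinstance(jail[col], str) or not jail[col]:
            raise ValueError(f"{col} must be a non-empty STRING")
    if not PORT_RE.match(jail["port"]):
        raise ValueError("port must be comma-separated numeric ports, e.g. '25,465,587'")
    values = [sql_str(jail[c]) if c in STR_COLS else str(jail[c]) for c in COLUMNS]
    return f"INSERT INTO fail2ban_jail ({', '.join(COLUMNS)}) VALUES ({', '.join(values)});"


# Constructed jail definition: name, filter and logpath are placeholders, not real MailCleaner jails.
EXAMPLE_JAIL = {
    "enabled": 1, "name": "my-custom", "maxretry": 5, "findtime": 600,
    "bantime": 3600, "port": "993", "filter": "my-custom-filter",
    "banaction": "mc-custom", "logpath": "/var/log/example.log", "max_count": 3,
}
```

The returned string can be piped into `mc_mysql -m mc_config` exactly like the manual command above.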

Start / Restart Fail2Ban

/usr/mailcleaner/etc/init.d/fail2ban start|stop|restart

Please be aware that any restart of Fail2Ban purges the Fail2Ban jails, meaning that it starts with empty jails each time.
This does not apply to the blacklist jails.