The universal use of e-mail means that malicious actors have a plethora of systems and services to direct their attacks at, both at the server level and on the client side.
E-mail was originally designed as an open protocol and to a large extent it still is: a significant portion of messages is still transferred in plain text. Improvements have been made, but a lot remains to be done. An environment like this is a playground for the attacker; the system can be compromised at various levels and with countless methods.
Here we use Fail2Ban to protect the e-mail infrastructure, from its most basic elements, the servers (physical or virtual), to the software services that perform the actual message exchange. Fail2Ban cannot protect against every kind of attack (spam, for example, is outside its scope), but it should be viewed as one of the basic elements of a multi-layered security system.
Fail2ban is an intrusion detection and prevention system.
"Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper."
"Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator." (Wikipedia)
Fail2Ban works by monitoring the messages recorded in log files, usually located under /var/log on Linux-like systems, and using them to detect brute-force attempts and other anomalies that threaten the security or operation of the system. The detection rules, called filters, are regular expressions that the administrator can define; the standard package already ships filters for many common services. A jail ties a filter to a log file, to thresholds (maxretry failures within findtime seconds) and to one or more actions. When a host trips the threshold, the jail's action fires; the default actions invoke the local firewall (iptables, nftables or firewalld) to reject traffic from the offending address for bantime seconds, after which the address is unbanned.
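To make the filter / jail / action split concrete, here is an added example; it is not code from the original article nor from the Fail2Ban project. It re-implements the pipeline in a few dozen lines of Python and runs it over constructed sshd, Postfix and Dovecot log lines (RFC 5737 test addresses), so it executes offline. The failregex patterns, the `<ip>` action templates and the thresholds are assumptions chosen for illustration; Fail2Ban's shipped filters and action files are more elaborate, and here the firewall commands are only returned, never executed.

```python
# Added example, not code from the original article nor from the Fail2Ban
# project: a small re-implementation of the filter / jail / action pipeline.
# The failregex patterns are simplified stand-ins for Fail2Ban's shipped filters.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2Ban filters mark the client address with <HOST>; the real tool expands it
# to a fuller IPv4/IPv6/hostname pattern.  Simplified here (assumption).
HOST_TAG = r"(?P<host>\S+)"
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

def compile_failregex(failregex):
    """Turn a Fail2Ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def parse_syslog_ts(line, year=2024):
    """Classic syslog lines carry no year; assume one so timestamps compare."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

class Jail:
    """One jail = a filter (failregex) + thresholds + ban/unban actions."""

    def __init__(self, name, failregex, maxretry=5,
                 findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
        self.name = name
        self.regex = compile_failregex(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        # Hypothetical action templates; a real jail uses an action file such
        # as iptables-multiport.conf and substitutes <ip> the same way.
        self.actionban = "iptables -I INPUT -s <ip> -j REJECT"
        self.actionunban = "iptables -D INPUT -s <ip> -j REJECT"
        self.failures = defaultdict(deque)  # host -> failure times within findtime
        self.banned = {}                    # host -> time the ban expires

    def feed(self, ts, line):
        """Process one log line; return the action commands it triggers."""
        cmds = []
        m = self.regex.search(line)
        if not m:
            return cmds
        host = m.group("host")
        # Real Fail2Ban unbans on a timer; this example checks expiry lazily,
        # when the host shows up again (simplification).
        if host in self.banned:
            if ts < self.banned[host]:
                return cmds                 # still banned, nothing to do
            del self.banned[host]
            cmds.append(self.actionunban.replace("<ip>", host))
        window = self.failures[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            window.clear()
            cmds.append(self.actionban.replace("<ip>", host))
        return cmds

def make_jails():
    """Jails for the three daemons an e-mail server typically exposes."""
    return {
        "sshd": Jail("sshd", r"sshd\[\d+\]: Failed password for (invalid user )?\S+"
                     r" from <HOST> port \d+", maxretry=3),
        "postfix-sasl": Jail("postfix-sasl", r"postfix/smtpd\[\d+\]: warning: "
                             r"\S+\[<HOST>\]: SASL \w+ authentication failed", maxretry=3),
        "dovecot": Jail("dovecot", r"dovecot: (imap|pop3)-login: Disconnected "
                        r"\(auth failed.*rip=<HOST>,", maxretry=3),
    }

def run_jails(log_text, jails):
    """Feed every log line to every jail, in order; collect the fired actions."""
    actions = []
    for line in filter(None, log_text.splitlines()):
        ts = parse_syslog_ts(line)
        for jail in jails.values():
            actions.extend(jail.feed(ts, line))
    return actions

# Constructed sample log using RFC 5737 test addresses, not captured from a host.
SAMPLE_LOG = """\
Mar 10 12:00:01 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 10 12:00:02 mail sshd[1202]: Failed password for root from 198.51.100.77 port 51000 ssh2
Mar 10 12:00:03 mail sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar 10 12:00:04 mail sshd[1204]: Failed password for root from 198.51.100.77 port 51001 ssh2
Mar 10 12:00:05 mail sshd[1205]: Failed password for root from 203.0.113.7 port 40138 ssh2
Mar 10 12:00:06 mail sshd[1207]: Accepted publickey for alice from 198.51.100.9 port 52110 ssh2
Mar 10 12:00:07 mail postfix/smtpd[1300]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:09 mail postfix/smtpd[1300]: warning: unknown[192.0.2.55]: SASL PLAIN authentication failed: authentication failure
Mar 10 12:00:10 mail postfix/smtpd[1300]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.99, lip=10.0.0.5, TLS
Mar 10 12:30:02 mail sshd[1401]: Failed password for root from 198.51.100.77 port 51002 ssh2
Mar 10 12:30:03 mail sshd[1402]: Failed password for root from 203.0.113.7 port 40200 ssh2
Mar 10 13:05:00 mail sshd[1501]: Failed password for root from 203.0.113.7 port 40300 ssh2
"""

if __name__ == "__main__":
    for cmd in run_jails(SAMPLE_LOG, make_jails()):
        print(cmd)
```

Reading the run: 203.0.113.7 fails three times within findtime and is banned; 198.51.100.77 also fails three times but spread over 30 minutes, so the sliding findtime window never holds maxretry entries and it is not banned; 192.0.2.55 trips the Postfix SASL jail; the single Dovecot failure from 192.0.2.99 stays below the threshold; and the 13:05 attempt by 203.0.113.7 arrives after bantime, so the ban is lifted before the failure is counted afresh. Tuning maxretry, findtime and bantime per jail is exactly the knob an administrator turns in jail.local.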
Most e-mail related servers (SMTP, IMAP, POP3, webmail) sit directly on the Internet or, in large enterprise installations, outside the protected network perimeter in a demilitarized zone (DMZ). They are therefore exposed to all sorts of malicious activity, from brute-force attacks to denial of service.
All services on the e-mail server that are reachable from the Internet must be protected. The e-mail related ones are:
| Service or server | Common TCP ports |
|---|---|
| SMTP | 25, 465, 587 |
| IMAP | 143, 993 |
| POP3 | 110, 995 |
| WebMail | 80, 443 |
In addition to these services, the e-mail system may use other services to support its operation. Here is a possible list:
Usually all these supporting services communicate over TCP ports as well. Since they should only be reachable by the e-mail system itself, best practice is to block them entirely from outside access; how this is done depends on the network infrastructure involved.
One of the first and most important tasks in securing the e-mail system is to protect the server itself. Securing the server (physical or virtual) should be part of the security strategy for the whole infrastructure. If the e-mail system is hosted with a VPS provider, many protections can be enabled (or are already in place) at the provider's network level. In any case, security must be multi-level. Here we use Fail2Ban at the server level to protect the e-mail server; if the e-mail infrastructure spans multiple servers, the same approach applies to all of them.
sshd (the SSH daemon) is one of the most targeted services. Most attacks against it are brute-force attempts by automated scripts or bots.
Copyright @ 2024 cymail.eu ltd.