Mitigating brute force attacks against Qmail

Mitigating brute force attacks

Brute force authentication attacks are a common security threat for operators of just about any service. For operators of mail servers, the compromise of just a single email account can result in large volumes of spam being sent through their servers, and in a mail server with a previously good reputation being added to email routing blacklists and server reputation watchlists.

Finding effective but useable security controls can be difficult, but two of the most effective controls for mitigating brute force attacks are:

  • A sensible and enforced password policy for user and service accounts, which reduces the likelihood of brute force attacks being successful within a set timeframe; and
  • Implementing some form of (re)active firewall control to block attackers.

Fail2ban

This article covers the latter, using the Fail2ban (http://www.fail2ban.org/) utility, which works in conjunction with the system firewall (iptables).

Install fail2ban as appropriate for your system. (On CentOS, type yum install fail2ban.)

Once installed, using your favourite text editor, create 3 new files as follows:

/etc/fail2ban/jail.local:

[qmail-smtp-auth]
enabled  = true
filter   = qmail-smtp-auth
action   = iptables[name=QMAIL-SMTP, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
# bantime and findtime are in seconds: 86400 = 24 hours, 3600 = 1 hour
bantime  = 86400
findtime = 3600

[qmail-submission-auth]
enabled  = true
filter   = qmail-submission-auth
action   = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
# Same thresholds as above, applied to the submission port
bantime  = 86400
findtime = 3600

/etc/fail2ban/filter.d/qmail-smtp-auth.conf:

[Definition]
failregex   = vchkpw-smtp: vpopmail user not found .*:<HOST>
ignoreregex =

/etc/fail2ban/filter.d/qmail-submission-auth.conf:

[Definition]
failregex   = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =

 

Once done, restart the fail2ban service (service fail2ban restart for CentOS users) and you should now be up and running.

In short, based on this configuration the fail2ban service will watch the /var/log/maillog file for failed authentication events from vpopmail on the qmail SMTP and submission services. If an attacker makes 3 incorrect guesses within an hour, fail2ban blocks their IP address for 24 hours by adding a DROP rule to specially created iptables chains.
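To check what these settings actually count before relying on them, the following added example (not part of the original article and not Fail2ban's own code) replays the qmail-smtp-auth failregex with the maxretry and findtime values above over constructed maillog lines. The `<HOST>` stand-in is a simplified IPv4-only assumption, and the "password fail" line format is an assumption about what vchkpw logs for a wrong password on an existing account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values from the jail.local entries on this page.
MAXRETRY, FINDTIME = 3, 3600

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption:
# the real expansion also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = "vchkpw-smtp: vpopmail user not found .*:<HOST>"

# Constructed maillog lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 13 10:00:01 mail vpopmail[2101]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.7
Mar 13 10:00:09 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found info@example.com:203.0.113.7
Mar 13 10:05:40 mail vpopmail[2110]: vchkpw-smtp: password fail alice@example.com:198.51.100.23
Mar 13 10:05:44 mail vpopmail[2111]: vchkpw-smtp: password fail alice@example.com:198.51.100.23
Mar 13 10:05:49 mail vpopmail[2112]: vchkpw-smtp: password fail alice@example.com:198.51.100.23
Mar 13 10:20:30 mail vpopmail[2140]: vchkpw-smtp: vpopmail user not found test@example.com:203.0.113.7
Mar 13 10:30:00 mail vpopmail[2150]: vchkpw-smtp: vpopmail user not found sales@example.com:192.0.2.50
Mar 13 12:30:00 mail vpopmail[2190]: vchkpw-smtp: vpopmail user not found sales@example.com:192.0.2.50
Mar 13 14:30:00 mail vpopmail[2230]: vchkpw-smtp: vpopmail user not found sales@example.com:192.0.2.50
"""

def would_ban(log_text, failregex=FAILREGEX, year=2024):
    """Return {ip: time of the failure that reaches maxretry within findtime}."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in log_text.splitlines():
        match = pattern.search(line)
        if not match:
            continue              # line is invisible to this filter
        # Syslog timestamps carry no year, so one is supplied (constructed).
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ip = match.group("host")
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()      # drop failures older than findtime
        if len(window) >= MAXRETRY and ip not in banned:
            banned[ip] = when
    return banned

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%b %d %H:%M:%S}")
```

On the sample, only 203.0.113.7 reaches the threshold: the "password fail" lines never match this failregex, and failures spaced further apart than findtime are never counted together. On a live system, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/qmail-smtp-auth.conf` runs the real filter against the real log.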

Another excellent and far more detailed guide can be found on the QmailToaster wiki (http://wiki.qmailtoaster.com/index.php/Fail2Ban).
