Just finished manually updating fail2ban from version 0.8.6 to 0.8.10 on one of my servers; it's working like a charm, but here are a few things I bumped into.
Here's the Linux version I'm using: Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze3) (email@example.com) (gcc version 4.3.5 (Debian 4.3.5-4))
1. There is no uninstall script. Having a script for that or an option like python setup.py uninstall would be quite welcome. Or just giving the information on what to delete in the README.md file would be enough.
2. I'm missing the Debian init.d script; it should be added to the main branch on GitHub. Right now it's the only thing I'm missing. Where can I find one?
3. By default, the jail.conf file uses the action sendmail-whois; however, sendmail-whois-lines is much more useful, and having that one by default would be better for everyone. You do need the logpath variable in the action parameters and the logpath (again) in the jail configuration, like this:
sendmail-whois-lines[name=dovecot, firstname.lastname@example.org, email@example.com, logpath=/var/log/dovecot.log]
logpath = /var/log/dovecot.log
It is redundant; having just one logpath would be better if possible.
4. Missing a regex in filter/postfix.conf
I added:
reject: VRFY from (.*)\[<HOST>\]: 550 (.*): Recipient address rejected: User unknown in local recipient table
Example line:
Aug 10 10:55:38 name postfix/smtpd: NOQUEUE: reject: VRFY from 1-2-3-3.isp..company.net[18.104.22.168]: 550 5.1.1 <username>: Recipient address rejected: User unknown in local recipient table; to=<username> proto=SMTP
You can brute-force Postfix to find valid email usernames. Generating this line is quite easy: just telnet yourserver 25 and then type VRFY username.
5. Missing a regex in filter/named-refused.conf
I added:
%(__line_prefix)sclient <HOST>#\S+: zone transfer .* denied
Example line:
11-Aug-2013 03:36:11.372 error: client 22.214.171.124#52115: zone transfer 'domain.com/AXFR/IN' denied
You can generate this line with the Perl script fierce.pl, which is used to brute-force a domain name server to reveal its A, CNAME and MX records.
6. The regex in filter/apache-nohome.conf doesn't work, so I had to modify it from:
failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
to:
failregex = \[client <HOST>\] File does not exist:
7. The regex in filter/apache-noauth.conf doesn't work, so I had to modify it from:
failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
to:
failregex = \[client <HOST>\] user .* authentication failure
            \[client <HOST>\] user .* not found
            \[client <HOST>\] user .* password mismatch
8. The regex in filter/dovecot.conf works just fine when there's a line like this:
2013-08-11 03:59:39 imap-login: Info: Disconnected (auth failed, 6 attempts): user=<admin>, method=PLAIN, rip=126.96.36.199, lip=188.8.131.52, TLS
However, to print this line, the attacker needs to disconnect; if he doesn't, he can just continue brute-forcing passwords thousands of times. The default configuration of Dovecot is pretty smart though: it gives you a delay of about 5 seconds between each password try and raises it up to a max of 15 seconds after a few tries (I'm making up the seconds, but you get the idea), so you can hardly do a brute-force attack that way. At one try every 15 seconds you only have 5,760 guesses per day. But still, it's possible.
So I added this regex to prevent it:
^%(__prefix_line)s.*pam\(.*,<HOST>\): .*Authentication failure
This is an example line:
2013-08-11 03:56:40 auth-worker(default): Info: pam(username,184.108.40.206): pam_authenticate() failed: Authentication failure (password mismatch?)
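The following is an added example, not fail2ban code and not part of the report above. It is a small Python harness that mimics how fail2ban 0.8 applies a failregex (cut the timestamp out of the line, expand <HOST> to a named group, search the remainder) and runs the regexes from items 4 to 8 over the sample log lines. The `%(__prefix_line)s` / `%(__line_prefix)s` stand-in and the date patterns are simplified assumptions, not the real definitions from common.conf, and the two Apache error lines are constructed for this example since the report gives none. One caveat it also checks: the brackets in `[client <HOST>]` must be written `\[client <HOST>\]`, because an unescaped `[...]` is a regex character class and the expanded pattern does not even compile.

```python
import re

# Added example (not fail2ban code and not from the original report): a small
# harness that mimics how fail2ban 0.8 applies a failregex to a log line, so
# the regexes from the report can be checked against the sample lines.
# PREFIX and DATE_PATTERNS are simplified stand-ins (assumption) for the real
# definitions in fail2ban's common.conf and date detector.

# fail2ban 0.8 expands <HOST> to this named group.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Stand-in for %(__prefix_line)s / %(__line_prefix)s: any run of
# space-separated tokens (program name, pid, log level, ...).
PREFIX = r"(?:\S+ )*?"

# fail2ban 0.8 cuts the matched timestamp out of the line before searching
# the failregex; these cover the three date shapes in the sample lines.
DATE_PATTERNS = [
    re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "),          # Aug 10 10:55:38
    re.compile(r"^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+ "),  # 11-Aug-2013 03:36:11.372
    re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "),       # 2013-08-11 03:59:39
]


def strip_date(line):
    """Remove a leading timestamp the way fail2ban's date detector does."""
    for pat in DATE_PATTERNS:
        m = pat.match(line)
        if m:
            return line[m.end():]
    return line


def expand(failregex):
    """Replace the fail2ban placeholders with plain Python regex syntax."""
    return (failregex.replace("%(__prefix_line)s", PREFIX)
                     .replace("%(__line_prefix)s", PREFIX)
                     .replace("<HOST>", HOST))


def compiles(failregex):
    """True if the expanded failregex is a valid regex (fail2ban rejects it otherwise)."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        return False


def match_host(failregexes, line):
    """Return the <HOST> captured by the first matching failregex, or None."""
    body = strip_date(line)
    for fr in failregexes:
        m = re.compile(expand(fr)).search(body)
        if m:
            return m.group("host")
    return None


# Regexes from the report. The Apache brackets are escaped: an unescaped
# [client ...] is a character class, not a literal, and does not compile.
POSTFIX_VRFY = [r"reject: VRFY from (.*)\[<HOST>\]: 550 (.*): Recipient address rejected: User unknown in local recipient table"]
NAMED_AXFR = [r"%(__line_prefix)sclient <HOST>#\S+: zone transfer .* denied"]
APACHE_NOHOME = [r"\[client <HOST>\] File does not exist:"]
APACHE_NOAUTH = [r"\[client <HOST>\] user .* authentication failure",
                 r"\[client <HOST>\] user .* not found",
                 r"\[client <HOST>\] user .* password mismatch"]
DOVECOT_PAM = [r"^%(__prefix_line)s.*pam\(.*,<HOST>\): .*Authentication failure"]

# Sample lines: the Postfix, named and Dovecot lines are the report's own
# examples; the two Apache error lines are constructed for this example.
POSTFIX_LINE = "Aug 10 10:55:38 name postfix/smtpd: NOQUEUE: reject: VRFY from 1-2-3-3.isp..company.net[18.104.22.168]: 550 5.1.1 <username>: Recipient address rejected: User unknown in local recipient table; to=<username> proto=SMTP"
NAMED_LINE = "11-Aug-2013 03:36:11.372 error: client 22.214.171.124#52115: zone transfer 'domain.com/AXFR/IN' denied"
DOVECOT_PAM_LINE = "2013-08-11 03:56:40 auth-worker(default): Info: pam(username,184.108.40.206): pam_authenticate() failed: Authentication failure (password mismatch?)"
DOVECOT_DISCONNECT_LINE = "2013-08-11 03:59:39 imap-login: Info: Disconnected (auth failed, 6 attempts): user=<admin>, method=PLAIN, rip=126.96.36.199, lip=188.8.131.52, TLS"
APACHE_NOHOME_LINE = "[Sun Aug 11 03:50:01 2013] [error] [client 192.0.2.10] File does not exist: /var/www/~admin"
APACHE_NOAUTH_LINE = "[Sun Aug 11 03:50:07 2013] [error] [client 192.0.2.11] user admin not found: /private/"

if __name__ == "__main__":
    cases = [("postfix VRFY", POSTFIX_VRFY, POSTFIX_LINE),
             ("named AXFR", NAMED_AXFR, NAMED_LINE),
             ("apache-nohome", APACHE_NOHOME, APACHE_NOHOME_LINE),
             ("apache-noauth", APACHE_NOAUTH, APACHE_NOAUTH_LINE),
             ("dovecot pam", DOVECOT_PAM, DOVECOT_PAM_LINE),
             ("dovecot pam vs disconnect", DOVECOT_PAM, DOVECOT_DISCONNECT_LINE)]
    for name, regs, line in cases:
        print(f"{name:26} -> {match_host(regs, line)}")
    print("unescaped [client <HOST>] compiles:",
          compiles("[client <HOST>] File does not exist:"))
```

Running the script prints the banned host for each sample line, `None` for the Dovecot disconnect line (which the pam regex is not meant to match), and `False` for the unescaped Apache pattern. On a real install, fail2ban-regex against the actual log file is still the authoritative check, since the real `__prefix_line` and date handling are more involved than the stand-ins here.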