
List:       fail2ban-users
Subject:    [Fail2ban-users] Jail and filter for sslyze scans
From:       "Ken Johnson" <kjohnson () eclypse ! org>
Date:       2015-04-29 21:34:30
Message-ID: 802FEB111501430F8B3AF5588707FB0B () LENOVO9D1B1498


Scanning for a research project by sba-research.org had negative impact on
our server recently, twice.  From our point of view, it looked like a
Denial-of-Service attack.  One of their senior researchers told me they use
a tool called sslyze.  While I have added their IP address
(scan.sba-research.org) to the drop list on the server and on our edge
router, that will not stop others using the same tool, nor sba-research if
they perform IP renumbering.  Hence, this jail and filter, which might be
useful if you use uw-imap.  Obviously you could adapt this for other
POP/IMAP servers.

As always, your mileage may differ.  Read and consider carefully all label
instructions.

Regards,

Ken

########################################
Jail
########################################
##
## modified from uw-imap jail
## implemented after sslyze scans from sba-research.org
## caused problems for us.  Note the largish maxretry
## and short findtime -- sba-research sent 100's of
## connection attempts in 10 seconds.
##


[sslyze]

enabled   = true
port      = pop3,pop3s,imap,imaps
filter    = sslyze
banaction = iptables-multiport[name=UW-IMAP, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath   = /var/log/mail.log
maxretry  = 20
findtime  = 10
bantime   = 36000

#########################################
Filter
#########################################
## Lifted from https://github.com/fail2ban/fail2ban/issues/18,
## Modified to protect against 'research' with sslyze.
## Tested by KLJ with fail2ban-regex against local log files
## fail2ban-regex sslyze.log sslyze.conf
##
# Fail2Ban configuration file
#
# Props: Amir Caspi
#
# $Revision: 1 $

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = /etc/fail2ban/filter.d/common.conf

[Definition]

_daemon = (?:ipop3d|imapd)

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

failregex = ^%(__prefix_line)sAutologout user=\?\?\? host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sLogout user=\?\?\? host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sMissing command before authentication host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sNull command before authentication host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)s(imaps|pop3s) SSL service init from <HOST>\s*$
            ^%(__prefix_line)sUnable to accept SSL connection, host=.*\[<HOST>\]\s*$
            ^%(__prefix_line)sUnexpected client disconnect, while reading line user=\?\?\? host=.*\[<HOST>\]\s*$


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users