Using fail2ban to block hackers
With the plethora of hackers out there, it is imperative that sites use many different methods to thwart hackers. There are tons of methods that hackers use to try and gain access to your website. Most all of these revolve around compromising your site to one degree or another. Most are automated attacks using software like metasploit or other similar types of unattend hacking methods. Some of their objectives are: (in no order of significance)
- pass mail unrestricted
- install a rootkit to gain unrestricted access to your system
- add hidden backlinks to your site
- add botnet software to use your site as a zombie in other attacks
One of the first steps is to find a vulnerability. This can be through obsolete software, plugins, modules or CMS vulnerabilities. These are all items that need to be addressed. Obviously this topic is way t0o large to cover to any degree of thoroughness, so I want this article to focus on the first-line defense for any system: gaining access via weak passwords to smtp/pop accounts. Future articles we will delve into other mechanisms and prevention.
Most hackers try and find a method of hacking into accounts via un-obstructed and well known ports like mail and ftp to conduct brute force attacks. (your website logins should also have a way to throttle invalid login attempts, but again outside the focus of this article) If these ports (mail,ftp,etc) are left wide open a dedicated hacker given enough time and resources will get in even with the best of passwords. The best defense against brute force attacks is to have a method that will block the offenders IP address at the system level for a given timeframe.
One of my favorite tools for this is fail2ban. (See their homepage: http://www.fail2ban.org/wiki/index.php/Main_Page)
Out of the box it works pretty well, but depending on your OS, might need tweaking. And I can not emphasize this enough: “TEST IT, TEST IT, TEST IT“. I have found that on various releases of CentOS, Ubuntu, postfix, smtp, etc that the messages that are recorded in the logs differ. And that can cause you to have a false sense of security as fail2ban uses regular expressions to parse the logs looking for specific authentication failures. And as we all know, regex (regular expressions) are unforgiving in their syntax.
Basic explanation on how fail2ban works
Fail2ban runs as a daemon on your system constantly parsing various log files and passing them through various regex filters. The basic configuration will allow a handful of failures before tripping the action statement within the “findtime” that will insert iptables block rules to block the offender. The bantime of the offender is very short, usually 5 to 15 minutes. The rationale is that the added delay will cause many hackers to abandon the brute force attack. Personally I like a lengthier bantime and a lengthier findtime. Any hacker worth his salt know that fail2ban has a default of 3 tries every 5 minutes. So they will send 1 request every 2 minutes to get around this especially if they are doing a dictionary attack.
Password brute forcing
This is probably a good time to discuss password length vs brute force time. I hear so many people say that their password is short or all characters and no numerics or symbols. To give you an idea on how fast this can be hacked, take a look at this tool brute force calculator. A five character password, using generic SHA-1 only using alpha characters can be cracked in 2 seconds! Check out the following table.
|password length||Encryption||character set||Time|
|5||SHA-1||lower case alpha||2 seconds|
|5||SHA-1||mixalpha||1 min 14 seconds|
|5||SHA-1||mixalpha numeric||2 min 59 seconds|
|5||SHA-1||mixalpha numeric symbols||8 min 16 seconds|
As you can see from the preceding table, a short password can be cracked very quickly.
In the next table, simply increasing the password length to 10 characters has drastic results in the number of permutations and therefore much much longer to crack. But don’t let those big numbers give you a false sense of security and let yourself be lulled into ONLY using a strong password policy. It is best to stop those attackers before they have thousands of opportunities to get lucky.
|password length||Encryption||character set||Time|
|10||SHA-1||lowere case alpha||328 days 8 hours|
|10||SHA-1||mix alpha||902 years 193 days|
|10||SHA-1||mix alpha numeric||5223 years 235 days|
|10||SHA-1||mix alpha numeric sybols||39,891 years 277 days|
As I was mentioning, fail2ban uses a config file called “jail.local”. (debian & ubuntu – /etc/fail2ban/jail.local) It is broken up by the various types of service like ftp, smtp, etc. And each of those sections has the following rules:
- enabled – turns that section on or off
- port – type of ports (ftp, smtp, pop, imap, etc)
- filter – the selector of which filter to apply from filter.d directory
- action – the selector on what ports to block from action.d directory
- logpath – the log file to scan
- findtime – how long bad logins will be remembered
- bantime – how long a ban should be
- maxretry – how many failures before a ban.
One tactic that hackers use is that they will try to hit all the various email ports in an effort to not trip any sensors that they are hacking. This can be the following ports:25, 465, 587, 110, 995, 143, 993
An example would be if some IP address is trying to get in on SMTP and has multiple failures, to block all SMTP, SSMTP, IMAP, Pop3, etc.
Here is an example rule:
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
action = iptables-multiport[name=smtp, port="25,465,587,110,995,143,993", protocol=tcp]
logpath = /var/log/mail.log
bantime = 600
findtime = 600
Again I would suggest that you up the bantime and the findtime to a much larger value.