I wrote before about excellent tool BFD that allows to block brute force password guessing attempts on different network services.
I prefer it to Fail2ban because of portability (bash script) system resource consumption (bash script!) and extendаbility (true “unix way” modularity).
I also wrote before a brief instruction on how to extend BFD with your own rule to fight with apache/Wordpress DOS attack.
In this post I will show you how to write custom rules to block SMTP password guessing brute force attempts and SSSHD
All BFD predefined rules are stored in separate files in
/usr/local/bfd/rules. By the script name you can figure out which service it protects. Each file is the shell script wхich is pretty easy to read and modify for your need.
The problem – attempts to guess user passwords via SMTP Auth are registered by sendmail and SASL authd. Saslauthd reports failed password guess attempt but doesn’t report the offending IP in
/var/log/messages on CentOS:
|
1 |
saslauthd[1989]: do_auth : auth failure: [user=movie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] |
simply because it’s used by sendmail indirectly. The sendmail on the other hand reports the IP but does not report the authentication attempt in /var/log/maillog :
|
1 |
sendmail[21332]: uBCKg8uW021332: [91.200.12.101] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA |
What we will do – we will modify existing sendmail rule script to process these log entries as failed SMTP authentication attempts.
Existing sendmail rule file:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# failed logins from a single address before ban # uncomment to override conf.bfd trig value TRIG="3" # file must exist for rule to be active REQ="/etc/init.d/sendmail" if [ -f "$REQ" ]; then LP="/var/log/maillog" TLOG_TF="sendmail" # Max logs to process at one time for this rule MLOG=1500 ## SENDMAIL ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iv "IP name lookup" | grep -iE "sendmail|check_rcpt|relaying denied" | sed -e 's/::ffff://' | awk '{print$10}' | tr -d '[],' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tail -n $MLOG | sort -n` fi |
The most interesting part is the last part of ARG_VAL line between first | and ` at the end. This part is used to extract offending IP addresses from the configured log file. It’s easy to verify using following command:
|
1 |
tail -500 /var/log/maillog | grep -iv "IP name lookup" | grep -iE "sendmail|check_rcpt|relaying denied" | sed -e 's/::ffff://' | awk '{print$10}' | tr -d '[],' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' |
After running this command you should be able to see the list of IP addresses of brute force attempts to connect to sendmail. Using minimal modification it is possible to match SMTP authentication brute force attempts log lines with something like this:
|
1 |
tail /var/log/maillog | grep -iv "IP name lookup" | grep -iE "did not issue MAIL" | sed -e 's/::ffff://' | awk '{print$8}' | tr -d '[],' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tail -n $MLOG | sort -n |
To use this line I will create separate rule script with the name sasl
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# failed logins from a single address before ban # this here attempt to block specifically SMTP auth brute force attacks # uncomment to override conf.bfd trig value TRIG="2" # file must exist for rule to be active REQ="/etc/init.d/saslauthd" if [ -f "$REQ" ]; then LP="/var/log/maillog" TLOG_TF="sendmail" # Max logs to process at one time for this rule MLOG=1500 ## SENDMAIL ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iv "IP name lookup" | grep -iE "did not issue MAIL" | sed -e 's/::ffff://' | awk '{print$8}' | tr -d '[],' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tail -n $MLOG | sort -n` fi |
Another one custom rule file will be for SSHD brute force attempts that will match following lines from /var/log/secure :
|
1 |
Dec 13 02:08:27 ns369 sshd[22678]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.45.72.234 user=admin |
The idea is the same – customizing ARG_VAL sting matching part until it will be able to filter out list of offenders IPs.
Here is the result rule file sshd2:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# failed logins from a single address before ban # uncomment to override conf.bfd trig value TRIG="2" # file must exist for rule to be active REQ="/usr/sbin/sshd" if [ -f "$REQ" ]; then LP="$AUTH_LOG_PATH" TLOG_TF="sshd" TMP="/usr/local/bfd/tmp" ## SSHD ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | grep -i 'authentication failure' | sed 's/^.*rhost=\(.*\) user=.*$/\1/'| grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'| sort -n` fi |
Save custome rule scripts in separate files in /usr/local/bfd/rules directory. When running from command line bfd -s you will see if your new custom rules caught any offending IPs.
0 Comments.