[Pkg-exim4-users] My addition for Debian (Wheezy) Fail2ban exim jail conf

Ron Leach ronleach at tesco.net
Tue Mar 1 17:26:25 UTC 2016


List good afternoon,

An Exim4 mail server that I look after started suffering repeated 
incorrect Auth attempts, always from the same IP address and nothing 
to do with our users.  The server runs on Debian oldstable (Wheezy) 
and I looked into fail2ban to see if it could help to block the 
attempts.  Fail2ban uses .conf files per package to protect, and the 
Wheezy fail2ban package comes with a pre-configured exim.conf file, to 
define how fail2ban detects a malicious attack on exim; the file is 
found in /etc/fail2ban/filter.d .  But this pre-configured exim.conf 
does not detect auth rejections (these are logged by Exim4 both in 
/var/log/exim4/mainlog, and in /var/log/exim4/rejectlog).  I added a 
line to detect multiple auth failures, and I was pleased to see that 
fail2ban immediately detected the attacks that were occurring and 
that, since automatically banning that IP address, there have been no 
subsequent repeat attacks showing in the logs.  I thought I'd describe 
the change I made to the standard configuration so that it may help 
others trying to solve similar problems for the first time and, 
because I have one remaining uncertainty, I'd like to end this post 
with a question.

The preconfigured exim.conf in Wheezy's fail2ban contains this stanza 
which defines what fail2ban should treat as an attack:

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$

Exim logs incorrect auth attempts as, for example:

authenticator failed for (<some name>) [iii.jjj.kkk.lll]: 535 Incorrect authentication data  (set_id=<attempted login name>)

Current versions of fail2ban allow multi-line 'failregex' stanzas, and 
the definition in any line of the stanza can be satisfied to count 
towards a trigger for a ban of the offending IP.  So I added a line to 
detect the '535' rejection message in the log.  I don't understand 
regex syntax, and I used an entry from fail2ban's website

http://www.fail2ban.org/wiki/index.php/Exim

while keeping the pre-configured detectors, so that my failregex 
stanza looks like this:

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
            \[<HOST>\]: 535 Incorrect authentication data
            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$


(For anybody else new to the game, wheezy's fail2ban is pre-configured 
to *only* detect SSH attacks and so the exim protection needs to be both
(i) specifically added to fail2ban's jail.conf (because, though there 
is an entry for postfix, there seems to be no pre-configured entry for 
exim), and
(ii) then specifically enabled in jail.conf.)

This seems to have worked.  There are no attacks, any more, from the 
IP address that had been attempting to be authenticated for the 
preceding few days.  But this brings me to my last question.

Though I can see that no attacks have reached exim, and I can see that 
fail2ban has decided to block that specific IP address, is there any 
way that I can check that any attacks were attempted and that, I guess, 
iptables blocked the connection attempt?  I didn't find any log file 
under /var/log that seemed to show any inbound attempts.

Ron
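Editor's added example (not part of Ron's post, nor fail2ban's or exim4's own code): a small Python script that applies the `535` failregex line from the post to a handful of constructed exim mainlog lines, expanding the `<HOST>` tag the way fail2ban 0.8.x (the Wheezy version) does before compiling it, and then models the jail's `maxretry`/`findtime` rule so you can see exactly which log lines count toward a ban and which do not. The sample log lines, IP addresses and the `JailSimulator` class are assumptions made for the example; the `HOST_TAG` expansion is the one fail2ban 0.8 substitutes for `<HOST>`, and the other two stanza lines are omitted because they depend on the `%(pid)s`/`%(host_info)s` substitutions that are not needed to exercise the `535` match.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban 0.8.x replaces the <HOST> tag with this pattern before compiling a
# failregex line; reproduced here so the post's line can be tested standalone.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The line Ron added to /etc/fail2ban/filter.d/exim.conf.
FAILREGEX_535 = r"\[<HOST>\]: 535 Incorrect authentication data"


def compile_failregex(line):
    """Expand <HOST> as fail2ban does and compile the expression."""
    return re.compile(line.replace("<HOST>", HOST_TAG))


RE_535 = compile_failregex(FAILREGEX_535)


def failed_auth_host(logline):
    """Return the client IP from an exim 'authenticator failed' line, else None."""
    m = RE_535.search(logline)
    return m.group("host") if m else None


def line_timestamp(logline):
    """exim mainlog lines start with 'YYYY-MM-DD HH:MM:SS'; return epoch seconds."""
    return datetime.strptime(logline[:19], "%Y-%m-%d %H:%M:%S").timestamp()


class JailSimulator:
    """Minimal model of a fail2ban jail: a host is banned once it produces
    maxretry matching lines inside any findtime-second window (hypothetical
    helper, not fail2ban's own code)."""

    def __init__(self, maxretry=3, findtime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.hits = defaultdict(deque)  # host -> timestamps of recent matches
        self.banned = []                # hosts in the order they were banned

    def feed(self, logline):
        host = failed_auth_host(logline)
        if host is None or host in self.banned:
            return None
        ts = line_timestamp(logline)
        window = self.hits[host]
        window.append(ts)
        # Drop matches that fell out of the findtime window.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned.append(host)
            return host
        return None


# Constructed sample of /var/log/exim4/mainlog: one host hammering AUTH,
# one legitimate user mistyping a password once, and one unrelated
# sender-verify rejection that the 535 line must not match.
SAMPLE_MAINLOG = """\
2016-03-01 10:00:01 PLAIN authenticator failed for (unknown-host) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2016-03-01 10:00:04 PLAIN authenticator failed for (unknown-host) [203.0.113.7]: 535 Incorrect authentication data (set_id=test)
2016-03-01 10:00:30 LOGIN authenticator failed for (laptop) [192.0.2.20]: 535 Incorrect authentication data (set_id=ron)
2016-03-01 10:00:35 H=mail.example.net [198.51.100.9] sender verify fail for <bogus@example.org>: Unrouteable address
2016-03-01 10:00:40 PLAIN authenticator failed for (unknown-host) [203.0.113.7]: 535 Incorrect authentication data (set_id=postmaster)
2016-03-01 10:00:50 PLAIN authenticator failed for (unknown-host) [203.0.113.7]: 535 Incorrect authentication data (set_id=info)
"""


def run_sample(maxretry=3, findtime=600):
    """Feed the sample log through the jail model; return the banned hosts."""
    jail = JailSimulator(maxretry=maxretry, findtime=findtime)
    for line in SAMPLE_MAINLOG.splitlines():
        jail.feed(line)
    return jail.banned


if __name__ == "__main__":
    for line in SAMPLE_MAINLOG.splitlines():
        print(f"{failed_auth_host(line) or '-':>14}  {line[20:80]}")
    print("banned:", run_sample())
```

With the defaults (`maxretry = 3`, `findtime = 600`) only `203.0.113.7` is banned, at its third failure; the single mistyped password from `192.0.2.20` and the sender-verify line leave no ban. On a live Wheezy box the equivalent record of what the jail decided is fail2ban's own log (`/var/log/fail2ban.log`, which records each `Ban`), and the packet counters shown by `iptables -L -n -v` on the `fail2ban-<jailname>` chain show whether the banned address has kept trying to connect since.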


