Howto - Block SMTP Auth Failure with Fortigate and Fail2ban

Author
crispy
Bronze Member
  • Total Posts : 25
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/11/05 04:34:04
  • Location: Australia
  • Status: offline
2016/06/27 04:02:08 (permalink)
0

I thought I would share this with the members of this forum in case it comes in handy for others. I created a new filter for fail2ban as well as a new action and scripts to automatically add and remove users trying to exploit users' SMTP logins. This is how I went about it.
 
On the fortigate I created an Address Group called "SMTP_Blacklist". I then created a firewall policy from the internet to the Fortimail with the source of SMTP_Blacklist and the action of Deny.
 
I also added an admin user for the fail2ban script to log in as and restricted it to logging in from the server's address only. The example I use in the scripts below is called fail2ban. Change this to the admin that you create on your own Fortigate.
 
I am assuming that you will already have fail2ban installed and configured. You will also require 'expect' installed on the system.
 
I created a new directory /etc/fail2ban/scripts and placed the below 2 files in it.
 
** Make sure you change the IP address 1.2.3.4 in these 2 files to your own Fortigate's IP address. **
 
/etc/fail2ban/scripts/fortigate-add.sh
--- start ---
#!/usr/bin/expect -f

set force_conservative 0  ;# set to 1 to force conservative mode even if
              ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

# IP address to block, passed in by fail2ban's actionban as <ip>
set ipaddress [lindex $argv 0]
set timeout -1
log_user 0
# change 1.2.3.4 to your Fortigate and fail2ban/fail2banpasswd to the admin you created;
# the password sits in clear text here, so keep this file readable by root only
spawn ssh fail2ban@1.2.3.4
match_max 100000
expect -exact "fail2ban@1.2.3.4's password: "
send "fail2banpasswd\r"
expect  "\$ "
send -- "config firewall address\r"
expect "(address) \$ "
send -- "edit \"BL_SMTP_$ipaddress\"\r"
expect "\$ "
send -- "set type ipmask\r"
expect "\$ "
send -- "set subnet $ipaddress/32\r"
expect "\$ "
send -- "end\r"
expect "\$ "
send -- "config firewall addrgrp\r"
expect "\$ "
send -- "edit SMTP_Blacklist\r"
expect "\$ "
send -- "append member BL_SMTP_$ipaddress\r"
expect "\$ "
send -- "end\r"
expect "\$ "
send -- "exit\r"
expect eof
--- end ---
 
 
/etc/fail2ban/scripts/fortigate-del.sh
--- start ---
#!/usr/bin/expect -f

set force_conservative 0  ;# set to 1 to force conservative mode even if
              ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

# IP address to unblock, passed in by fail2ban's actionunban as <ip>
set ipaddress [lindex $argv 0]
set timeout -1
log_user 0
# change 1.2.3.4 to your Fortigate and fail2ban/fail2banpasswd to the admin you created;
# the password sits in clear text here, so keep this file readable by root only
spawn ssh fail2ban@1.2.3.4
match_max 100000
expect -exact "fail2ban@1.2.3.4's password: "
send "fail2banpasswd\r"
expect  "\$ "
send -- "config firewall addrgrp\r"
expect "\$ "
send -- "edit SMTP_Blacklist\r"
expect "\$ "
send -- "unselect member BL_SMTP_$ipaddress\r"
expect "\$ "
send -- "end\r"
expect "\$ "
send -- "config firewall address\r"
expect "\$ "
send -- "delete \"BL_SMTP_$ipaddress\"\r"
expect "\$ "
send -- "end\r"
expect "\$ "
send -- "exit\r"
expect eof
--- end ---
 
place the following file in the filters directory /etc/fail2ban/filter.d/fortimail-auth.conf
---start---
# Fail2Ban filter for Fortimail authentication failures
#
# 27/June/2016
# Author: Shane Chrisp

[Definition]

failregex = . client_name=".*\[<HOST>\].* classifier=\"SMTP Auth Failure\"

ignoreregex =
---end---
 
and finally place this file in the actions dir
/etc/fail2ban/action.d/fortigate.conf
---start---
# Fail2Ban configuration file
#
# Author: Shane Chrisp

[Definition]

actionstart =

actionstop =

actioncheck =

actionban = /etc/fail2ban/scripts/fortigate-add.sh <ip>

actionunban = /etc/fail2ban/scripts/fortigate-del.sh <ip>
---end---
 
Lastly you need to add something to your fail2ban config.
I have this at the end of my /etc/fail2ban/jail.local file. This will find SMTP auth attempts with more than 6 failures in the last hour and will block them for an hour. You can adjust these values to suit your own requirements.
 
[fortimail-auth]
enabled  = true
filter   = fortimail-auth
action   = fortigate
logpath  = /var/log/mail.log
bantime  = 3600
findtime = 3600
maxretry = 6


 
Now you should be able to restart fail2ban and rest a little easier knowing that your mail users' passwords won't be so easily cracked.
 
cwispy
#1
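As an added check that is not part of crispy's post: this Python script expands `<HOST>` the way fail2ban does, runs the fortimail-auth failregex (written as `\[<HOST>\]`) over constructed FortiMail-style log lines, and applies the jail.local findtime/maxretry rule to see which hosts would be handed to fortigate-add.sh. The log lines, their field layout, the device id and the timings are all constructed, not real FortiMail output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's own expansion of the <HOST> placeholder (0.9 series)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# failregex from fortimail-auth.conf with <HOST> expanded (written as \[<HOST>\], no trailing "*")
FAILREGEX = re.compile(r'. client_name=".*\[' + HOST_RE + r'\].* classifier="SMTP Auth Failure"')
TS_RE = re.compile(r"date=(\S+) time=(\S+)")

def make_line(ts, client_ip, classifier):
    """Constructed FortiMail-style history line; field layout is assumed, not real output."""
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} device_id=FE-EXAMPLE type=statistics '
            f'client_name="unknown[{client_ip}]" classifier="{classifier}"')

def constructed_log():
    """Sample mail.log content: one brute forcer, one stray failure, one slow attacker."""
    base = datetime(2016, 6, 27, 4, 2, 0)
    lines = [make_line(base + timedelta(seconds=s), "203.0.113.5", "SMTP Auth Failure")
             for s in range(1, 8)]  # 7 failures in 7 seconds
    lines.append(make_line(base + timedelta(seconds=9), "203.0.113.5", "Not Spam"))  # must not match
    lines.append(make_line(base, "203.0.113.9", "SMTP Auth Failure"))  # a single failure
    lines += [make_line(base + timedelta(minutes=m), "198.51.100.7", "SMTP Auth Failure")
              for m in range(0, 180, 30)]  # 6 failures spread over 2.5 hours
    return "\n".join(lines)

def parse_failures(log_text):
    """(timestamp, host) for every line the filter's failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            d, t = TS_RE.search(line).groups()
            hits.append((datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"), m.group("host")))
    return hits

def hosts_to_ban(failures, findtime=3600, maxretry=6):
    """jail.local rule: ban a host once maxretry of its failures fall inside one findtime window."""
    by_host = defaultdict(list)
    for ts, host in failures:
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= timedelta(seconds=findtime):
                banned.add(host)  # fail2ban would now run fortigate-add.sh <host>
                break
    return banned
```

With the jail's defaults only 203.0.113.5 is banned; 198.51.100.7 spreads its six failures over more than an hour and slips under findtime, which is the knob to widen if that pattern shows up in your logs.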
emnoc
Expert Member
  • Total Posts : 5397
  • Scores: 355
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Howto - Block SMTP Auth Failure with Fortigate and Fail2ban 2016/06/27 06:59:53 (permalink)
0
A simpler approach is to use an IPS signature for SMTP. You can block and quarantine src_ipaddress.
 
http://socpuppet.blogspot.com/2014/07/example-fo-smpauth-protection-fortigate.html
 
Ken
 

PCNSE 
NSE 
StrongSwan  
#2
crispy
Re: Howto - Block SMTP Auth Failure with Fortigate and Fail2ban 2016/06/27 07:13:56 (permalink)
0
The only problem with the IPS approach is when dealing with SMTP Auth via SMTPS. This solution works without having to do any deep packet inspection etc. Really this type of protection should be built into the Fortimail appliances though. I'm sure that many of you agree.
#3
emnoc
Re: Howto - Block SMTP Auth Failure with Fortigate and Fail2ban 2016/06/27 07:19:09 (permalink)
0
So for SMTPS you just need to pull off the encryption and the same IPS rule can be used, but yes, I agree FML should have this built in.

PCNSE 
NSE 
StrongSwan  
#4
Carl Windsor_FTNT
Fortinet
  • Total Posts : 249
  • Scores: 42
  • Reward points: 0
  • Joined: 2012/05/02 03:09:16
  • Location: United Kingdom
  • Status: offline
Re: Howto - Block SMTP Auth Failure with Fortigate and Fail2ban 2016/06/27 09:23:49 (permalink)
5 (1)
crispy wrote:
    Really this type of protection should be built into the Fortimail appliances though

 
I am not sure if you noticed the new addition in 5.3, SMTP authentication failure tracking.  To configure:
 
config system security authserver
      set status [enable, disable, monitor-only]
end
 
It uses a variety of adaptive factors, similar to our sender reputation feature to detect and block brute forcing (not just consecutive failures) and temporarily locks out (tarpitting) the user.
 
 

Dr. Carl Windsor
Field Chief Technology Officer
Fortinet
#5