Howto - Block SMTP Auth Failure with Fortigate and Fail2ban
I thought I would share this with the members of this forum in case it comes in handy for others. I created a new filter for fail2ban as well as a new action and scripts to automatically add and remove users trying to exploit users' SMTP logins. This is how I went about it.
On the Fortigate I created an Address Group called "SMTP_Blacklist". I then created a firewall policy from the internet to the FortiMail with the source of SMTP_Blacklist and the action of Deny.
I also added an admin user for the fail2ban script to log in as and restricted it to logging in from the server's address only. The example I use in the scripts below is called fail2ban. Change this to the admin that you create on your own Fortigate.
I am assuming that you will already have fail2ban installed and configured. You will also require 'expect' installed on the system.
I created a new directory /etc/fail2ban/scripts and placed the two files below in it.
** Make sure you change the IP address 1.2.3.4 and the password fail2banpasswd in these two files to your own Fortigate's address and admin password. The scripts have to be executable, because fail2ban calls them directly from actionban/actionunban, and since the password is stored in them in plaintext they should be readable by root only (fail2ban runs as root, so nothing else needs access). **
/etc/fail2ban/scripts/fortigate-add.sh
--- start ---
#!/usr/bin/expect -f
# Called by fail2ban as: fortigate-add.sh <ip>
# Logs in to the Fortigate over SSH, creates a /32 address object for the
# banned host and appends it to the SMTP_Blacklist address group.

set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

set ipaddress [lindex $argv 0]
set timeout -1
log_user 0

spawn ssh fail2ban@1.2.3.4
match_max 100000
expect -exact "fail2ban@1.2.3.4's password: "
send "fail2banpasswd\r"

# The "$ " prompt is what a non-super_admin account gets on the Fortigate CLI.
# A super_admin account prompts with "# " instead, and these expects would then
# wait forever (timeout is disabled above).
expect "\$ "
send -- "config firewall address\r"
expect "(address) \$ "
send -- "edit \"BL_SMTP_$ipaddress\"\r"
expect "\$ "
send -- "set type ipmask\r"
expect "\$ "
send -- "set subnet $ipaddress/32\r"
expect "\$ "
send -- "end\r"
expect "\$ "

# Add the new object to the group that the Deny policy uses as its source.
send -- "config firewall addrgrp\r"
expect "\$ "
send -- "edit SMTP_Blacklist\r"
expect "\$ "
send -- "append member BL_SMTP_$ipaddress\r"
expect "\$ "
send -- "end\r"
expect "\$ "
send -- "exit\r"
expect eof
--- end ---
/etc/fail2ban/scripts/fortigate-del.sh
--- start ---
#!/usr/bin/expect -f
# Called by fail2ban as: fortigate-del.sh <ip>
# Reverses fortigate-add.sh: removes the host from the SMTP_Blacklist group,
# then deletes its address object. The order matters, because the Fortigate
# refuses to delete an address that is still referenced by a group.

set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

set ipaddress [lindex $argv 0]
set timeout -1
log_user 0

spawn ssh fail2ban@1.2.3.4
match_max 100000
expect -exact "fail2ban@1.2.3.4's password: "
send "fail2banpasswd\r"
expect "\$ "

# Take the member out of the group first.
send -- "config firewall addrgrp\r"
expect "\$ "
send -- "edit SMTP_Blacklist\r"
expect "\$ "
send -- "unselect member BL_SMTP_$ipaddress\r"
expect "\$ "
send -- "end\r"
expect "\$ "

# Now the address object is unreferenced and can be deleted.
send -- "config firewall address\r"
expect "\$ "
send -- "delete \"BL_SMTP_$ipaddress\"\r"
expect "\$ "
send -- "end\r"
expect "\$ "
send -- "exit\r"
expect eof
--- end ---
Place the following file in the filters directory /etc/fail2ban/filter.d/fortimail-auth.conf
---start---
# Fail2Ban filter for Fortimail authentication failures
#
# 27/June/2016
# Author: Shane Chrisp

[Definition]

# FortiMail logs the connecting client as client_name="host[ip]" (the host
# part may be empty) and tags failed logins with classifier="SMTP Auth Failure".
# <HOST> is expanded by fail2ban into its address pattern.
failregex = .*client_name=".*\[<HOST>\].*classifier="SMTP Auth Failure"

ignoreregex =
---end---
Then place this file in the actions dir
/etc/fail2ban/action.d/fortigate.conf
---start---
# Fail2Ban configuration file
#
# Author: Shane Chrisp

[Definition]

# Nothing to set up or tear down on the Fortigate itself; the address group
# and Deny policy already exist, so only ban/unban do any work.
actionstart =
actionstop =
actioncheck =
actionban = /etc/fail2ban/scripts/fortigate-add.sh <ip>
actionunban = /etc/fail2ban/scripts/fortigate-del.sh <ip>
---end---
Lastly you need to add something to your fail2ban config.
I have this at the end of my /etc/fail2ban/jail.local file. It bans a host once it reaches 6 SMTP auth failures within an hour and keeps the ban for an hour. You can adjust these values to suit your own requirements.
[fortimail-auth]
enabled  = true
filter   = fortimail-auth
action   = fortigate
logpath  = /var/log/mail.log
bantime  = 3600
findtime = 3600
maxretry = 6
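To sanity-check the filter and the jail thresholds above without pointing fail2ban at a live log, here is an added Python example; it is not part of the original post and not fail2ban's own code. It expands <HOST> with an IPv4-only stand-in, which is an assumption (fail2ban's real substitution also matches IPv6 addresses and host names), runs the failregex over log lines constructed in FortiMail's key=value style (invented values, not captured from a device), and then replays the maxretry/findtime rule from the jail to show which hosts the fortigate action would actually be called for.

```python
"""Offline check of the fortimail-auth failregex and of the maxretry/findtime
decision, run against constructed FortiMail-style log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban replaces <HOST> with its own pattern covering IPv4, IPv6 and host
# names; this IPv4-only stand-in is an assumption made so the check runs offline.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from fortimail-auth.conf with <HOST> expanded.
FAILREGEX = re.compile(
    r'.*client_name=".*\[' + HOST + r'\].*classifier="SMTP Auth Failure"'
)

# Constructed sample lines (values invented, not real device output).
# 203.0.113.10 fails 6 times inside a minute, 198.51.100.7 fails twice,
# 192.0.2.44 fails 6 times but spaced 50 minutes apart.
SAMPLE_LOG = """\
date=2016-06-27 time=09:00:00 type=event subtype=smtp client_name="[192.0.2.44]" classifier="SMTP Auth Failure"
date=2016-06-27 time=09:50:00 type=event subtype=smtp client_name="[192.0.2.44]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:00:01 type=event subtype=smtp client_name="[203.0.113.10]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:00:09 type=event subtype=smtp client_name="[203.0.113.10]" classifier="Not Spam"
date=2016-06-27 time=10:00:14 type=event subtype=smtp client_name="[203.0.113.10]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:00:27 type=event subtype=smtp client_name="[203.0.113.10]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:00:40 type=event subtype=smtp client_name="[203.0.113.10]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:00:53 type=event subtype=smtp client_name="[203.0.113.10]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:01:06 type=event subtype=smtp client_name="[203.0.113.10]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:02:00 type=event subtype=smtp client_name="mail.example.net[198.51.100.7]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:02:30 type=event subtype=smtp client_name="mail.example.net[198.51.100.7]" classifier="SMTP Auth Failure"
date=2016-06-27 time=10:40:00 type=event subtype=smtp client_name="[192.0.2.44]" classifier="SMTP Auth Failure"
date=2016-06-27 time=11:30:00 type=event subtype=smtp client_name="[192.0.2.44]" classifier="SMTP Auth Failure"
date=2016-06-27 time=12:20:00 type=event subtype=smtp client_name="[192.0.2.44]" classifier="SMTP Auth Failure"
date=2016-06-27 time=13:10:00 type=event subtype=smtp client_name="[192.0.2.44]" classifier="SMTP Auth Failure"
"""

EPOCH = datetime(1970, 1, 1)


def parse_failures(lines):
    """Return (seconds since epoch, ip) for every line the failregex matches."""
    events = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        stamp = re.search(r"date=(\S+) time=(\S+)", line)
        when = datetime.strptime(" ".join(stamp.groups()), "%Y-%m-%d %H:%M:%S")
        events.append(((when - EPOCH).total_seconds(), m.group("host")))
    return events


def hosts_to_ban(events, maxretry=6, findtime=3600):
    """Reproduce fail2ban's rule with the jail's defaults: a host is banned as
    soon as it has maxretry failures inside a findtime-second window."""
    recent = defaultdict(deque)
    banned = set()
    for ts, host in sorted(events):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG.splitlines())
    print(f"{len(found)} auth failures matched")
    for ip in sorted(hosts_to_ban(found)):
        print(f"would run fortigate-add.sh {ip}")
```

With the jail's values only 203.0.113.10 is banned: 198.51.100.7 never reaches maxretry, and 192.0.2.44 does reach six failures but never six within one findtime window, which is what keeps a slow, patient guesser under the radar unless findtime is raised. Against a real log, fail2ban's own `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/fortimail-auth.conf` does the regex half of this check with the real <HOST> substitution.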
Now you should be able to restart fail2ban and rest a little easier knowing that your mail users' passwords won't be so easily cracked.
cwispy
