Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
crispy
New Contributor

Howto - Block SMTP Auth Failure with Fortigate and Fail2ban

I thought I would share this with the members of this forum in case it comes in handy for others. I created a new filter for fail2ban as well as a new action and scripts to automatically add and remove users trying to exploit users smtp logins. This is how I went about it.

 

On the fortigate I created an Address Group called "SMTP_Blacklist". I then created a firewall policy from the internet to the Fortimail with the source of SMTP_Blacklist and the action of Deny.

 

I also added an admin user for the fail2ban script to login as and restricted it to login from the servers address only. The example I use in the scripts below is called fail2ban. Change this to admin that you create in your own fortigate.

 

I am assuming that you will already have fail2ban installed and configured. You will also require 'expect' installed on the system.

 

I created a new directory /etc/fail2ban/scripts and placed the below 2 files in it.

 

** Make sure you change the IP address 1.2.3.4 in these 2 files to your own fortigates IP address. **

 

/etc/fail2ban/scripts/fortigate-add.sh

--- start ---

#!/usr/bin/expect -f set force_conservative 0  ;# set to 1 to force conservative mode even if               ;# script wasn't run conservatively originally if {$force_conservative} {     set send_slow {1 .1}     proc send {ignore arg} {         sleep .1         exp_send -s -- $arg     } } set ipaddress [lindex $argv 0] set timeout -1 log_user 0 spawn ssh fail2ban@1.2.3.4 match_max 100000 expect -exact "fail2ban@1.2.3.4's password: " send "fail2banpasswd\r" expect  "\$ " send -- "config firewall address\r" expect "(address) \$ " send -- "edit \"BL_SMTP_$ipaddress\"\r" expect "\$ " send -- "set type ipmask\r" expect "\$ " send -- "set subnet $ipaddress/32\r" expect "\$ " send -- "end\r" expect "\$ " send -- "config firewall addrgrp\r" expect "\$ " send -- "edit SMTP_Blacklist\r" expect "\$ " send -- "append member BL_SMTP_$ipaddress\r" expect "\$ " send -- "end\r" expect "\$ " send -- "exit\r" expect eof --- end ---

 

 

/etc/fail2ban/scripts/fortigate-add.sh

--- Start ---

#!/usr/bin/expect -f set force_conservative 0  ;# set to 1 to force conservative mode even if               ;# script wasn't run conservatively originally if {$force_conservative} {     set send_slow {1 .1}     proc send {ignore arg} {         sleep .1         exp_send -s -- $arg     } } set ipaddress [lindex $argv 0] set timeout -1 log_user 0 spawn ssh fail2ban@1.2.3.4 match_max 100000 expect -exact "fail2ban@1.2.3.4's password: " send "fail2banpasswd\r" expect  "\$ " send -- "config firewall addrgrp\r" expect "\$ " send -- "edit SMTP_Blacklist\r" expect "\$ " send -- "unselect member BL_SMTP_$ipaddress\r" expect "\$ " send -- "end\r" expect "\$ " send -- "config firewall address\r" expect "\$ " send -- "delete \"BL_SMTP_$ipaddress\"\r" expect "\$ " send -- "end\r" expect "\$ " send -- "exit\r" expect eof --- end ---

 

place the following file in the filters directory /etc/fail2ban/filter.d/fortimail-auth.conf

---start---

# Fail2Ban filter for Fortimail authentication failures # # 27/June/2016 # Author: Shane Chrisp [Definition] failregex = . client_name=".*\[<HOST>*\].* classifier=\"SMTP Auth Failure\" ignoreregex = ---end---

 

and finally place this file in the actions dir

/etc/fail2ban/action.d/fortigate.conf

---start---

# Fail2Ban configuration file # # Author: Shane Chrisp [Definition] actionstart = actionstop =

actioncheck = actionban = /etc/fail2ban/scripts/fortigate-add.sh <ip> actionunban = /etc/fail2ban/scripts/fortigate-del.sh <ip>

---end---

 

Lastly you need to add something to your fail2ban config.

I have this at the end of my /etc/fail2ban/jail.local file. This will find smtp auth attempts of more than 6 failures in the last hour and will block them for an hour. You can adjust these values to suit your own requirements.

 

[fortimail-auth] enabled  = true filter   = fortimail-auth action   = fortigate logpath  = /var/log/mail.log bantime  = 3600 findtime = 3600 maxretry = 6

 

Now you should be able to restart fail2ban and rest a little more easy that your mail users passwords wont be so easily cracked.

 

cwispy

http://www.2000cn.com.au
4 REPLIES 4
emnoc
Esteemed Contributor III

A simpler approach is to use a IPS signature for SMTP. You can block and quarantine src_ipaddress.

 

http://socpuppet.blogspot.com/2014/07/example-fo-smpauth-protection-fortigate.html

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
crispy
New Contributor

The only problem with the IPS approach is when dealing with SMTP Auth via SMTPS. This solution works without having to do any deep packet inspection etc. Really this type of protection should be built into the Fortimail appliances though. Im sure that many of you agree.

http://www.2000cn.com.au
emnoc
Esteemed Contributor III

So for SMTPs you just need to pull off the encryption and the same  IPS rule can be used but yes I agree FML should have the built in.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Carl_Windsor_FTNT

crispy wrote:
Really this type of protection should be built into the Fortimail appliances though

 

I am not sure if you noticed the new addition in 5.3, SMTP authentication failure tracking.  To configure:

 

config system security authserver

      set status [enable, disable, monitor-only]

end

 

It uses a variety of adaptive factors, similar to our sender reputation feature to detect and block brute forcing (not just consecutive failures) and temporarily locks out (tarpitting) the user.

 

 

Dr. Carl Windsor Field Chief Technology Officer Fortinet

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors