- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Howto - Block SMTP Auth Failure with Fortigate and...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Howto - Block SMTP Auth Failure with Fortigate and Fail2ban
I thought I would share this with the members of this forum in case it comes in handy for others. I created a new filter for fail2ban as well as a new action and scripts to automatically add and remove users trying to exploit users smtp logins. This is how I went about it.
On the fortigate I created an Address Group called "SMTP_Blacklist". I then created a firewall policy from the internet to the Fortimail with the source of SMTP_Blacklist and the action of Deny.
I also added an admin user for the fail2ban script to login as and restricted it to login from the servers address only. The example I use in the scripts below is called fail2ban. Change this to admin that you create in your own fortigate.
I am assuming that you will already have fail2ban installed and configured. You will also require 'expect' installed on the system.
I created a new directory /etc/fail2ban/scripts and placed the below 2 files in it.
** Make sure you change the IP address 1.2.3.4 in these 2 files to your own fortigates IP address. **
/etc/fail2ban/scripts/fortigate-add.sh
--- start ---
#!/usr/bin/expect -f set force_conservative 0 ;# set to 1 to force conservative mode even if ;# script wasn't run conservatively originally if {$force_conservative} { set send_slow {1 .1} proc send {ignore arg} { sleep .1 exp_send -s -- $arg } } set ipaddress [lindex $argv 0] set timeout -1 log_user 0 spawn ssh fail2ban@1.2.3.4 match_max 100000 expect -exact "fail2ban@1.2.3.4's password: " send "fail2banpasswd\r" expect "\$ " send -- "config firewall address\r" expect "(address) \$ " send -- "edit \"BL_SMTP_$ipaddress\"\r" expect "\$ " send -- "set type ipmask\r" expect "\$ " send -- "set subnet $ipaddress/32\r" expect "\$ " send -- "end\r" expect "\$ " send -- "config firewall addrgrp\r" expect "\$ " send -- "edit SMTP_Blacklist\r" expect "\$ " send -- "append member BL_SMTP_$ipaddress\r" expect "\$ " send -- "end\r" expect "\$ " send -- "exit\r" expect eof --- end ---
/etc/fail2ban/scripts/fortigate-add.sh
--- Start ---
#!/usr/bin/expect -f set force_conservative 0 ;# set to 1 to force conservative mode even if ;# script wasn't run conservatively originally if {$force_conservative} { set send_slow {1 .1} proc send {ignore arg} { sleep .1 exp_send -s -- $arg } } set ipaddress [lindex $argv 0] set timeout -1 log_user 0 spawn ssh fail2ban@1.2.3.4 match_max 100000 expect -exact "fail2ban@1.2.3.4's password: " send "fail2banpasswd\r" expect "\$ " send -- "config firewall addrgrp\r" expect "\$ " send -- "edit SMTP_Blacklist\r" expect "\$ " send -- "unselect member BL_SMTP_$ipaddress\r" expect "\$ " send -- "end\r" expect "\$ " send -- "config firewall address\r" expect "\$ " send -- "delete \"BL_SMTP_$ipaddress\"\r" expect "\$ " send -- "end\r" expect "\$ " send -- "exit\r" expect eof --- end ---
place the following file in the filters directory /etc/fail2ban/filter.d/fortimail-auth.conf
---start---
# Fail2Ban filter for Fortimail authentication failures # # 27/June/2016 # Author: Shane Chrisp [Definition] failregex = . client_name=".*\[<HOST>*\].* classifier=\"SMTP Auth Failure\" ignoreregex = ---end---
and finally place this file in the actions dir
/etc/fail2ban/action.d/fortigate.conf
---start---
# Fail2Ban configuration file # # Author: Shane Chrisp [Definition] actionstart = actionstop =
actioncheck = actionban = /etc/fail2ban/scripts/fortigate-add.sh <ip> actionunban = /etc/fail2ban/scripts/fortigate-del.sh <ip>
---end---
Lastly you need to add something to your fail2ban config.
I have this at the end of my /etc/fail2ban/jail.local file. This will find smtp auth attempts of more than 6 failures in the last hour and will block them for an hour. You can adjust these values to suit your own requirements.
[fortimail-auth] enabled = true filter = fortimail-auth action = fortigate logpath = /var/log/mail.log bantime = 3600 findtime = 3600 maxretry = 6
Now you should be able to restart fail2ban and rest a little more easy that your mail users passwords wont be so easily cracked.
cwispy
http://www.2000cn.com.au
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simpler approach is to use a IPS signature for SMTP. You can block and quarantine src_ipaddress.
http://socpuppet.blogspot.com/2014/07/example-fo-smpauth-protection-fortigate.html
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only problem with the IPS approach is when dealing with SMTP Auth via SMTPS. This solution works without having to do any deep packet inspection etc. Really this type of protection should be built into the Fortimail appliances though. Im sure that many of you agree.
http://www.2000cn.com.au
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So for SMTPs you just need to pull off the encryption and the same IPS rule can be used but yes I agree FML should have the built in.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
crispy wrote:
Really this type of protection should be built into the Fortimail appliances though
I am not sure if you noticed the new addition in 5.3, SMTP authentication failure tracking. To configure:
config system security authserver
set status [enable, disable, monitor-only]
end
It uses a variety of adaptive factors, similar to our sender reputation feature to detect and block brute forcing (not just consecutive failures) and temporarily locks out (tarpitting) the user.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Related Posts
Labels
-
FortiGate
6,750 -
FortiClient
1,342 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
IPsec
85 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
Interface
14 -
Logging
14 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.