{"id":689,"date":"2019-10-24T17:08:29","date_gmt":"2019-10-24T15:08:29","guid":{"rendered":"https:\/\/www.tiraquelibras.com\/blog\/?p=689"},"modified":"2021-02-02T11:03:14","modified_gmt":"2021-02-02T10:03:14","slug":"servidor-de-correo-instalacion-y-configuracion-fail2ban-parte-13-15","status":"publish","type":"post","link":"https:\/\/blog.tiraquelibras.com\/?p=689","title":{"rendered":"Mail server &#8211; Installing and configuring Fail2ban (part 13)"},"content":{"rendered":"<p>This post is part of the series on installing a complete mail server. The full table of contents is <a href=\"https:\/\/blog.tiraquelibras.com\/?p=601\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">here<\/a>.<\/p>\n<hr \/>\n<p>Fail2ban is an intrusion-prevention application written in Python: it scans log files for repeated authentication failures and temporarily bans the offending IP addresses in the firewall, stopping brute-force login attempts. More information on its official website <a href=\"https:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">here<\/a>.<\/p>\n<p>We will use it to protect the logins of Postfix, Dovecot and Rainloop, among others.<\/p>\n<hr \/>\n<h1><span class=\"ez-toc-section\" id=\"Instalacion\"><\/span>Installation<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Install Fail2ban with the command<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">sudo apt-get install fail2ban<\/pre>\n<p>The package installs and starts the service with protection for port 22 (the <em>sshd<\/em> jail) already enabled, as the iptables INPUT chain shows:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Chain INPUT (policy DROP 1 packets, 52 bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n   11   632 f2b-sshd   tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 22\r\n<\/pre>\n<p>Enable it at system startup:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">systemctl enable fail2ban<\/pre>\n<hr \/>\n<h1><span class=\"ez-toc-section\" id=\"Configuracion\"><\/span>Configuration<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>On Debian, the Fail2ban jail definitions live by default in <strong><em>\/etc\/fail2ban\/jail.conf<\/em><\/strong> and <strong><em>\/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/em><\/strong>. <strong>Settings in the second file override the corresponding ones in the first.<\/strong><\/p>\n<p>The following commands show more information:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">less \/etc\/fail2ban\/jail.conf\r\ncat \/etc\/fail2ban\/jail.d\/defaults-debian.conf\r\nfail2ban-client status\r\nfail2ban-client status sshd\r\n<\/pre>\n<p>For example:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@xxx:~# fail2ban-client status\r\nStatus\r\n|- Number of jail:      1\r\n`- Jail list:   sshd\r\n\r\nroot@xxx:~# fail2ban-client status sshd\r\nStatus for the jail: sshd\r\n|- Filter\r\n|  |- Currently failed: 8\r\n|  |- Total failed:     39\r\n|  `- File list:        \/var\/log\/auth.log\r\n`- Actions\r\n   |- Currently banned: 3\r\n   |- Total banned:     3\r\n   `- Banned IP list:   206.189.232.29 159.65.185.225 92.42.47.33<\/pre>\n<p>Now we change the configuration. We edit the file <strong><em>\/etc\/fail2ban\/jail.conf<\/em><\/strong>, but first we make a backup copy of it<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.orig<\/pre>\n<p>and change the settings in the original file (the option that limits the number of failures before a ban is <em>maxretry<\/em>):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[DEFAULT]\r\n\r\n# ban duration in seconds\r\nbantime = 600\r\n...\r\n# failures allowed within findtime before the IP is banned\r\nmaxretry = 5\r\n\r\n[sshd]\r\n\r\nport = ssh\r\nlogpath = %(sshd_log)s\r\nbackend = %(sshd_backend)s\r\n<\/pre>\n<p>Now let us look at the contents of <strong><em>\/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/em><\/strong>, which overrides whatever we set in the previous file:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[sshd]\r\n\r\nenabled = true<\/pre>\n<p>Because the contents of these two files may change in future updates, we create a local configuration file to hold our own rules. <strong>Again, settings in this file override those of the two files above.<\/strong> We create it<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">nano \/etc\/fail2ban\/jail.d\/jail-debian.local<\/pre>\n<p>with the following content, adding the services to protect:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[sshd]\r\nport = 22\r\nmaxretry = 3\r\n\r\n[dovecot]\r\nenabled = true\r\nport = pop3,pop3s,imap,imaps\r\nfilter = dovecot\r\nlogpath = \/var\/log\/dovecot.log\r\nmaxretry = 3\r\n\r\n[postfix]\r\nenabled = true\r\nport = smtp,ssmtp\r\nfilter = postfix\r\nlogpath = \/var\/log\/mail.log\r\nmaxretry = 3\r\n\r\n[apache]\r\nenabled = true\r\nport = http,https\r\nfilter = apache-auth\r\nlogpath = \/var\/log\/apache*\/*error.log\r\nmaxretry = 3\r\n<\/pre>\n<p>But mail clients authenticate to Postfix through SASL, and the default <em>postfix<\/em> filter does not catch those failures, so we add the following lines:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[postfix-sasl]\r\nenabled = true\r\n#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s\r\nport = smtp,ssmtp,submission\r\nfilter = postfix-sasl\r\n# You might consider monitoring \/var\/log\/warn.log instead\r\n# if you are running postfix. See http:\/\/bugs.debian.org\/507990\r\nlogpath = \/var\/log\/mail.log\r\nmaxretry = 3\r\n<\/pre>\n<p>Finally we add some extra content to <strong><em>\/etc\/fail2ban\/jail.d\/jail-debian.local<\/em><\/strong>, listing the IP addresses the system must never ban and the e-mail address that will receive a notification whenever an IP is banned or unbanned:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[DEFAULT]\r\n# never ban localhost or our own management address (X.X.X.X is a placeholder)\r\nignoreip = 127.0.0.1\/8 X.X.X.X\/32\r\ndestemail = email@email.com\r\nsender = Fail2Ban\r\n# ban the IP and send a mail with a whois report\r\naction = %(action_mw)s\r\n<\/pre>\n<p>Restart Fail2ban and the services are protected<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">systemctl restart fail2ban<\/pre>\n<p>If we now list the <strong>iptables<\/strong> firewall rules we can see the chains created by <strong>Fail2ban<\/strong>, with the following command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">iptables -L -n -v<\/pre>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">pkts bytes target     prot opt in     out     source               destination\r\n   21  2285 f2b-apache  tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 80,443\r\n   55  4731 f2b-postfix-sasl  tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 25,465,587\r\n    0     0 f2b-dovecot  tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 110,995,143,993,4190\r\n   52  4551 f2b-postfix  tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 25,465,587\r\n    0     0 f2b-sshd   tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 22\r\n<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Rainloop\"><\/span>Rainloop<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now we protect the Rainloop webmail service we installed earlier.<\/p>\n<p>We edit the Rainloop configuration to enable the log meant for Fail2ban. Edit the file <strong><em>\/var\/www\/html\/email.tiraquelibras.com\/data\/_data_\/_default_\/configs\/application.ini<\/em><\/strong> and set:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">\u2026\r\n#time_offset = \"0\"\r\ntime_offset = \"2\"\r\n\u2026\r\n; Enable auth logging in a separate file (for fail2ban)\r\nauth_logging = On\r\n#auth_logging_filename = \"fail2ban\/auth-{date:Y-m-d}.txt\"\r\nauth_logging_filename = \"fail2ban\/auth.log\"\r\nauth_logging_format = \"{date:Y-m-d H:i:s} Auth failed: ip:{request:ip} user:{imap:login} host:{imap:host} port:{imap:port}\"\r\n<\/pre>\n<p><strong>Rainloop writes its log timestamps in GMT and there is no way to change that. For this reason we must add two hours to GMT in the <em>time_offset<\/em> field and change it at every daylight-saving switch (summer \u2013 winter); otherwise Fail2ban does not recognise the log entries as current and discards them.<\/strong><\/p>\n<p>We create the file <strong><em>\/etc\/fail2ban\/jail.d\/rainloop-auth.conf<\/em><\/strong> with the following content:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[rainloop-auth]\r\nenabled = true\r\nfilter = rainloop-auth\r\nport = http,https\r\n# the auth log enabled above, under the Rainloop data directory\r\nlogpath = \/var\/www\/html\/email.tiraquelibras.com\/data\/_data_\/_default_\/logs\/fail2ban\/auth.log\r\nbantime = 600\r\nmaxretry = 3\r\n<\/pre>\n<p>And the file with the regular expression, <strong><em>\/etc\/fail2ban\/filter.d\/rainloop-auth.conf<\/em><\/strong>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\"># Fail2Ban configuration file\r\n#\r\n# Author: eRVee Moskovic\r\n#\r\n# $Revision$\r\n#\r\n\r\n[Definition]\r\n\r\n# Option: failregex\r\n# Notes.: regex to match the password failures messages in the logfile. The\r\n#          host must be matched by a group named \"host\". The tag \"&lt;HOST&gt;\" can\r\n#          be used for standard IP\/hostname matching.\r\n# Values: TEXT\r\n#\r\n\r\n#failregex = Auth failed: ip=&lt;HOST&gt; user=.* host=.* port=.*\r\nfailregex = Auth failed\\: ip\\:&lt;HOST&gt; user\\:.* host\\:.* port\\:.*$\r\n\r\n#\r\nignoreregex =\r\n<\/pre>\n<p>Reload the configuration with the command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">systemctl reload fail2ban<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Desbloquear_una_IP\"><\/span>Unban an IP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To unban an IP from a Fail2ban jail we use the command<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">sudo fail2ban-client set &lt;nom_filtro&gt; unbanip &lt;IP&gt;<\/pre>\n<p>For example:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">sudo fail2ban-client set postfix-sasl unbanip X.X.X.X<\/pre>\n<hr \/>\n<p>General index <a href=\"https:\/\/blog.tiraquelibras.com\/?p=601\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post is part of the series on installing a complete mail server. The full table of contents is here. Fail2ban is\u2026<\/p>\n","protected":false},"author":1,"featured_media":690,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,22],"tags":[83,84,56],"class_list":["post-689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sistemas","category-ti","tag-antiddos","tag-brute-force","tag-firewall"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=689"}],"version-history":[{"count":0,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/689\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/media\/690"}],"wp:attachment":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}