Aug 17, 2020

How To Increase Brute-Force Attack Protection Using Axigen’s Fail2Ban Linux Integration

This article focuses on brute-force attack protection for Linux servers. We have a similar piece on how you can protect your Windows servers against brute-force attacks.

A brute-force attack, also known as brute-force cracking or exhaustive search, is a type of cyber-attack where the intruder tries different passwords and passphrases until they find the right combination. It may be an old attack method, but it is still very popular among attackers thanks to its effectiveness against weak passwords.

Password-guessing techniques can be very fast when used to check all short passwords. But as the password’s length increases, the average amount of time required to crack it also grows exponentially. 

That’s why long passwords with various characters offer good brute-force attack protection. But they’re not enough to keep your emails safe.

On top of Axigen’s in-product access control and flow control mechanisms, in this article we’ll show you how to use the Fail2Ban Linux integration to gain additional protection for your Axigen Mail Server against malicious attacks. 


Brute-force attack protection using the Fail2Ban Linux integration

How Fail2Ban works against brute-force attacks:

Fail2Ban is an intrusion prevention system that offers mail servers brute-force attack protection. It works by monitoring log files and blocking the IP addresses of hosts that make too many login attempts, or perform any other unwanted action within a time frame defined by the administrator.

Optionally, you can also use Fail2Ban to custom-configure a set of procedures for “recidivist” abusers that keep coming back.

By default, the system is set up to unban a blocked host within a specified period to ensure that genuine connections are not “locked out” due to misconfigurations. Usually, an unban time of several minutes is enough to prevent a network connection from being flooded by malicious connections; it also reduces the likelihood of a successful dictionary attack.

Fail2Ban can perform multiple actions whenever an abusive IP address is detected:

  • update Netfilter / iptables or PF firewall rules; 
  • reject an IP address; 
  • send email notifications; 
  • any user-defined action that can be carried out by a Python script.

How to install and configure Fail2ban to integrate with Axigen

Here’s how you can enable the Fail2Ban Linux integration in Axigen for increased brute-force attack protection.

1. Enable the Security Log in Axigen using the CLI commands below

CLI Commands to enable Security Log

<#> config server
<server#> config log
<server-log#> set enableSecurityLog yes
<server-log#> commit
<server#> commit
<#> save config
<#> quit

Then restart the Axigen service:

/etc/init.d/axigen restart

2. Install Fail2Ban using your OS package-management utility 

For CentOS / RedHat

Install the Epel repository

yum install epel-release

Install fail2ban 

yum install fail2ban

For Ubuntu / Debian

Install fail2ban 

sudo apt install fail2ban

3. Create the "axigen.conf" file in the /etc/fail2ban/filter.d folder and add the configuration below

# Fail2Ban filter for axigen
#
# Revision: 2016040601
#
# If you want to protect Axigen from being bruteforced by password
# authentication then configure enableSecurityLog = yes in axigen.cfg
# and reload configuration.
#
# Log file: ${AXIGEN_WORK_DIR}/log/security.txt
# Log example: 2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;82.36.25.70;61707;OP_FAIL;root@q.me;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0;Authentication error; Invalid password
#
#
# Notes:
# * Feature introduced by Axigen version 9.0
# * Axigen 9 default separator was ':'
# * Axigen 10 default separator switched to ';' (due to IPv6 address format)
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = axigen

failregex = ^%(__prefix_line)s.* SECURITY:[A-Z3_\-]+[:;][0-9A-F]+[:;]<HOST>[:;][0-9]+[:;]OP_FAIL[:;].*$

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

4. Edit the /etc/fail2ban/jail.d/jail.local file and add the following lines at the end

/etc/fail2ban/jail.d/jail.local
[axigen]
enabled = true
backend = polling
logpath = /var/opt/axigen/log/security.txt
banaction = iptables-allports
maxretry = 10
findtime = 600
bantime = 600


Create the file /etc/fail2ban/jail.d/jail.local if it doesn’t exist.

If the security log file (security.txt) is not in the default location, change the value of logpath to the correct path.
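To see what the filter from step 3 and the jail thresholds from step 4 actually do to the Axigen security log, here is an added Python example (not code from the page or from the Axigen or Fail2Ban projects). It applies the failregex, with Fail2Ban's <HOST> tag replaced by a named capture group and %(__prefix_line)s replaced by a simplified prefix matching the log format quoted in axigen.conf, to a constructed set of log lines, and then applies the same sliding-window rule as maxretry = 10 within findtime = 600 seconds. The log lines, the IP addresses (documentation ranges), the make_line() helper and the OP_OK token for a successful login are all assumptions made for the example; only OP_FAIL lines count as failures, exactly as in the filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for %(__prefix_line)s: matches "2016-03-08 12:41:29 +0200 02 aximon"
# (assumption: the real common.conf prefix is broader, this is enough for this log format).
PREFIX = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} \d+ \S+"

# The failregex from axigen.conf with <HOST> replaced by a lazy named group that
# accepts IPv4 and IPv6; [:;] keeps both the Axigen 9 ':' and Axigen 10 ';' separators.
FAILREGEX = re.compile(
    PREFIX
    + r".* SECURITY:[A-Z3_\-]+[:;][0-9A-F]+[:;](?P<host>[0-9A-Fa-f.:]+?)"
    + r"[:;][0-9]+[:;]OP_FAIL[:;].*$"
)


def parse_failure(line):
    """Return (timestamp, host) for a failed-login line, or None if the filter does not match."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    # The UTC offset is ignored here (assumption: all lines share one offset).
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host")


def failure_counts(lines):
    """Per-host number of matching lines, i.e. what 'Total failed' in fail2ban-client status counts."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=10, findtime=600):
    """Return {host: time of the failure that triggered the ban} using the jail.local rule:
    a host is banned once it has maxretry failures inside any findtime-second window.
    Lines are assumed to be in chronological order per host; bantime expiry is not modelled."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()          # drop failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def make_line(ts, host, service="PROXY_WEBMAIL", sep=";", result="OP_FAIL"):
    """Build a constructed security-log line in the layout quoted in axigen.conf."""
    return (f"{ts:%Y-%m-%d %H:%M:%S} +0200 02 aximon SECURITY:{service}{sep}0002607C"
            f"{sep}{host}{sep}61707{sep}{result}{sep}user@example.com{sep}Mozilla/5.0"
            f"{sep}Authentication error{sep} Invalid password")


T0 = datetime(2016, 3, 8, 12, 41, 0)
SAMPLE_LOG = (
    # the example line quoted in the axigen.conf header
    ["2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;82.36.25.70;61707;"
     "OP_FAIL;root@q.me;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) "
     "Gecko/20100101 Firefox/45.0;Authentication error; Invalid password"]
    # constructed: ten failures from one host within three minutes -> trips maxretry=10
    + [make_line(T0 + timedelta(seconds=20 * i), "203.0.113.45") for i in range(10)]
    # constructed: ten failures spread over 30 minutes, Axigen 9 ':' separator -> never 10 in 600 s
    + [make_line(T0 + timedelta(seconds=200 * i), "198.51.100.7", service="IMAP", sep=":")
       for i in range(10)]
    # constructed: an IPv6 client with the Axigen 10 ';' separator, only three failures
    + [make_line(T0 + timedelta(seconds=5 * i), "2001:db8::1") for i in range(3)]
    # constructed: a successful login; OP_OK is a hypothetical token and must not match
    + [make_line(T0, "203.0.113.45", result="OP_OK")]
)

if __name__ == "__main__":
    print("failures per host:", failure_counts(SAMPLE_LOG))
    print("banned:", hosts_to_ban(SAMPLE_LOG))
```

On a real server the equivalent check is fail2ban-regex /var/opt/axigen/log/security.txt /etc/fail2ban/filter.d/axigen.conf, which reports how many lines the filter matched and which hosts it extracted; run it before enabling the jail, because a regex that matches zero lines gives no protection and one that is too broad bans legitimate clients.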

5. Add the trusted IP(s) to the ignore list (whitelist)

To avoid locking yourself out as administrator, add your own IP address to the ignore list in the /etc/fail2ban/jail.conf config file:

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 192.168.1.10 192.168.2.0/24

6. Enable and start the fail2ban service 

systemctl enable fail2ban
systemctl start fail2ban

7. Check the list of banned IPs

fail2ban-client status <JAIL_NAME>


Example: 

# fail2ban-client status axigen
Status for the jail: axigen
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 10
|  `- File list: /var/opt/axigen/log/security.txt
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 192.168.4.145

8. Unban an IP address

fail2ban-client set <YOUR_JAIL_NAME> unbanip <IP_ADDRESS>


Example: 

# fail2ban-client set axigen unbanip 192.168.4.145

# fail2ban-client status axigen
Status for the jail: axigen
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 10
|  `- File list: /var/opt/axigen/log/security.txt
`- Actions
   |- Currently banned: 0
   |- Total banned: 1
   `- Banned IP list: