Brute force (fail2ban style) protection


  • Brute force (fail2ban style) protection

    Any chance there will be added a feature for brute force authentication attack protection, ala fail2ban style? thanks.

  • #2
    *** UPDATE ***
    This workaround should be used only for Axigen versions lower than 9.
    If you are using a newer one please enable the built-in security log and check the integration details provided at post #8
    ***


    We are evaluating this feature request and most probably one of the next releases will provide the requested information.

    Till then please use the following workaround:

    A1. Create the following bash script (for example name it axilog.sh under /opt/axigen/bin)
    Code:
    #!/bin/bash
    
    # $1 - log file to be used
    
    LOG_AXI="/var/opt/axigen/log/everything.txt"
    
    if [ -z "$1" ]
    then
      LOG_SEC=/var/opt/axigen/log/secure.txt
    else
      LOG_SEC="$1"
    fi
    
    # follow the main log; read -r keeps backslashes in the log line intact
    tail --retry --follow=name "$LOG_AXI" | while read -r l
    do
      timestamp=$(date '+%d-%m-%Y %T')
      case "$l" in
        *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
          # the 6th field is the session id, e.g. IMAP:000000CC:
          sid=$(echo "$l" | awk '{print $6}')
          if [ -n "$sid" ]
          then
            # the first line of that session ends with the client [ip:port]
            con_ip=$(grep -m 1 -F -- "$sid" "$LOG_AXI" | awk '{print $NF}' | sed 's/\[//g;s/:.*$//g')
            if [ -n "$con_ip" ]
            then
              echo "$timestamp $l from $con_ip" >> "$LOG_SEC"
            fi
          fi
          ;;
      esac
    done
    A2. Configure the script to auto-run (for example through /etc/inittab)

    Notes:
    • If Axigen is logging to a place other than the default location you should adapt the $LOG_AXI variable
    • Do not forget to configure a 'log rotate' rule for the secure.txt file
    Test if everything is working OK by starting the log script and checking the output written into the secure.txt file. For example, when an invalid password is used on IMAP you should see something like:

    28-07-2014 14:35:42 07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user 'user1@localdomain': Invalid password from 192.168.1.101
    B1. Add the following Fail2ban filter (for example create a new file named axigen.cfg under /etc/fail2ban/filter.d)
    Code:
    # Fail2Ban configuration file
    
    [Definition]
    failregex = from <HOST>
    B2. Configure this new filter in Fail2ban to scan the new log file

    If you encounter any problems please report here and we'll try to provide some help.
    Last edited by indreias; 06-02-2016, 06:40 AM.

    • #3
      We tested the script and it works like a charm! Thank you very much!

      • #4
        Thank you for the feedback.

        Could you share how much CPU the log parser (in our example axilog.sh) is 'eating' on your system?

        • #5
          We have several servers ... I would like to tell you. Do you have any reliable method for measuring the CPU consumption?

          • #6
            Sure - you have to identify the process id of the log parser (in our example axilog.sh) and use top to display information only for that specific pid.

            For example, on a production front end node where near 500 log lines per second are generated we see something like:

            Code:
            top -p $(ps -ef | grep axilog.sh | grep -v "grep\|00:00:00" | awk '{print $2}')
              PID USER      VIRT  SHR S %CPU %MEM P SWAP   TIME CODE DATA nFLT nDRT WCHAN     Flags    COMMAND
              954 root      103m  708 R 23.0  0.0 3    0   0:28  848  288    0    0 pipe_wait ..4.2.4. axilog.sh

            • #7
              Any hint for a similar solution for Windows servers would be greatly appreciated.
              This is a dearly missed feature at the moment.

              Thanks

              • #8
                For anybody interested in Axigen fail2ban protection, below you'll find the filter file (axigen.conf) to be installed in the Fail2ban filter.d directory:
                Code:
                # Fail2Ban filter for axigen
                #
                # Revision: 2016040601
                #
                # If you want to protect Axigen from being bruteforced by password
                # authentication then configure enableSecurityLog = yes in axigen.cfg
                # and reload configuration.
                #
                # Log file: ${AXIGEN_WORK_DIR}/log/security.txt
                # Log example: 2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;82.36.25.70;61707;OP_FAIL;root@q.me;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0;Authentication error; Invalid password
                #
                #
                # Notes:
                #   * Feature introduced by Axigen version 9.0
                #   * Axigen 9  default separator was ':'
                #   * Axigen 10 default separator switched to ';' (due to IPv6 address format)
                #
                
                [INCLUDES]
                
                # Read common prefixes. If any customizations available -- read them from
                # common.local
                before = common.conf
                
                [Definition]
                
                _daemon = axigen
                
                failregex = ^%(__prefix_line)s.* SECURITY:[A-Z_\-]+[:;][0-9A-F]+[:;]<HOST>[:;][0-9]+[:;]OP_FAIL[:;].*$
                
                ignoreregex =
                
                [Init]
                
                # "maxlines" is number of log lines to buffer for multi-line regex searches
                maxlines = 10

                The filter could be configured through jail.local like below:
                Code:
                [axigen]
                enabled = true
                backend = polling
                logpath = /var/opt/axigen/log/security.txt
                banaction = iptables-allports
                maxretry  = 10
                findtime  = 600
                bantime   = 600
                HTH,
                Ioan
                Last edited by indreias; 04-03-2017, 01:08 PM.

                • #9
                  For CSF+LFD (ConfigServer Security and Firewall + Login Failure Daemon) you could add the following section to the regex.custom.pm file
                  Code:
                  #
                  # CSF/LFD filter for Axigen
                  #
                  # Revision: 2016040601
                  #
                  # If you want to protect Axigen from being bruteforced by password
                  # authentication then configure enableSecurityLog = yes in axigen.cfg
                  # and reload configuration.
                  #
                  # Log file: in csf.conf, set CUSTOM9_LOG to ${AXIGEN_WORK_DIR}/log/security.txt
                  # Log example: 2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;82.36.25.70;61707;OP_FAIL;root@q.me;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0;Authentication error; Invalid password
                  #
                  # Notes:
                  #   * Feature introduced by Axigen version 9.0
                  #   * Axigen 9  default separator was ':'
                  #   * Axigen 10 default separator switched to ';' (due to IPv6 address format)
                  #
                      if (($globlogs{CUSTOM9_LOG}{$lgfile}) and ($line =~ / SECURITY[:;]([A-Z_\-]+)[:;][0-9A-F]+[:;](\S+)[:;][0-9]+[:;]OP_FAIL[:;](\S+)[:;]/)) {
                          $axiSRV = $1; $axiIP = $2; $axiACC = $3;
                          # strip the IPv4-mapped IPv6 prefix so checkip() sees a plain IPv4 address
                          $axiIP =~ s/^::ffff://;
                          # 'ne' is the string comparison; '!=' is numeric in Perl and would treat any service name as 0
                          if (checkip(\$axiIP) and ($axiSRV ne "")) {return ("Failed Axigen-$axiSRV login '$axiACC' from",$axiIP,"AXImatch","5","25,80,110,143,443,465,587,993,995","3600")} else {return}
                      }
                  Last edited by indreias; 04-06-2016, 07:43 AM.

                  • #10
                    FYI, at least on OpenSuSE platforms, for Fail2Ban, the axigen.conf file goes in /etc/fail2ban/filter.d folder. There is no directory called conf.d

                    • #11
                      Hello Marc,

                      Thank you for your note - I have updated the post with the correct filter location.

                      Best regards,
                      Ioan
