Secure Postfix and OpenSSH with Fail2ban and UFW

I am not going deep into “how to install fail2ban”; there are many tutorials around and it all comes down to a simple apt-get install fail2ban.
Let’s get straight to having our SSH and Postfix server protected!

In the fail2ban configuration folder, /etc/fail2ban, you will find several folders and config files. I usually create a new jail.local that does not depend on the main jail.conf.
I like to start from an empty page!

The jail.local contains:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
# 24 hours of ban time is enough... isn't it?
# use a negative value (-1) to permaban!
findtime = 600
maxretry = 3
backend = auto
usedns = warn

#
# ACTIONS
#
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

#
# JAILS
#

# this configuration overwrites the default jail.conf
[ssh]
enabled  = true
banaction = ufw-ssh
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

[postfix]
enabled  = true
banaction = ufw-postfix
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 2

This configuration file contains the definitions of our two services, SSH and Postfix.
The banaction is the action to take when the filter finds a match in the log file given by logpath.

For SSH, we will create a new file inside /etc/fail2ban/action.d, named after the banaction value in jail.local (so ufw-ssh.conf), containing:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

And a modified version for Postfix (ufw-postfix.conf) is below. Note that this action blocks only port 25, so the ssmtp port listed in the jail is not covered by the UFW rule:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any port 25
actionunban = ufw delete deny from <ip> to any port 25

The filters (sshd and postfix) are already set up by the system in /etc/fail2ban/filter.d, so nothing more is needed for them!

Once we restart fail2ban, the new configuration is applied:

service fail2ban restart

I tend to let Nagios monitor the fail2ban status and report everything to me.
On the server where fail2ban is installed, the NRPE configuration contains this command definition:

command[check_log_fail2ban]=/usr/local/nagios/libexec/check_log3.pl -l /var/log/fail2ban.log -p 'Ban' -w 3 -c 5

I am using the plugin check_log3.pl, which I found to be effective for my purpose!

On the Nagios side, the service for this plugin is defined in the host's config file (SERVER.cfg):

define service{
        use                             fail2banlog-service
        host_name                       myserver
        service_description             Fail2ban
        check_command                   check_nrpe_cert!check_log_fail2ban
        }

The service template (fail2banlog-service) uses this configuration:

define service{
        name                            fail2banlog-service
        use                             generic-service
        flap_detection_enabled          0
        retain_status_information       0
        retain_nonstatus_information    0
        is_volatile                     1
        max_check_attempts              1
        check_interval                  4
        retry_interval                  2
        notification_interval           0
        register                        0
        }

This template allows me to NOT keep any memory of the service status (when Nagios restarts or reboots, the service turns gray and then goes back to green once it is checked and no intruders have tried to get in).
All I want Nagios to do is to tell me when I am getting flooded by attempts on both SSH and Postfix, where -w 3 -c 5 means a maximum of 3 attempts for a warning status and 5 for critical.
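As an added example that is not part of the original post and is not check_log3.pl itself, here is a small Nagios-style check in Python that applies the same -w 3 -c 5 idea to the "Ban" lines of fail2ban.log, counted per jail and limited to a time window so Unban and Found lines are ignored. The log lines are constructed, and treating the thresholds as "at least N bans" is my assumption, not a statement about how check_log3.pl counts.

```python
import re
import sys
from datetime import datetime

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

# Matches one fail2ban.log "Ban" line such as:
# 2024-05-01 10:02:13,201 fail2ban.actions [812]: NOTICE [ssh] Ban 203.0.113.9
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)$"
)

def count_bans(lines, since, jails=None):
    """Count Ban events per jail at or after `since`; Found/Unban lines never match."""
    counts = {}
    for line in lines:
        m = BAN_RE.match(line.strip())
        if not m:
            continue
        if datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S") < since:
            continue  # older than the window we are checking
        jail = m.group("jail")
        if jails is None or jail in jails:
            counts[jail] = counts.get(jail, 0) + 1
    return counts

def evaluate(counts, warn=3, crit=5):
    """Apply -w/-c style thresholds (assumed 'at least N') to the total ban count."""
    total = sum(counts.values())
    state = CRITICAL if total >= crit else WARNING if total >= warn else OK
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    detail = ", ".join(f"{j}={n}" for j, n in sorted(counts.items())) or "none"
    perf = " ".join(f"'{j}'={n};{warn};{crit}" for j, n in sorted(counts.items()))
    return state, f"FAIL2BAN {label} - {total} ban(s): {detail} | {perf}"

# Constructed sample log: one ban before the window, one Found, one Unban, three bans
SINCE = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = [
    "2024-05-01 09:58:40,001 fail2ban.actions [812]: NOTICE [ssh] Ban 203.0.113.7",
    "2024-05-01 10:02:11,412 fail2ban.filter  [812]: INFO   [ssh] Found 203.0.113.9",
    "2024-05-01 10:02:13,201 fail2ban.actions [812]: NOTICE [ssh] Ban 203.0.113.9",
    "2024-05-01 10:05:30,015 fail2ban.actions [812]: NOTICE [postfix] Ban 198.51.100.4",
    "2024-05-01 10:06:02,777 fail2ban.actions [812]: NOTICE [ssh] Unban 203.0.113.7",
    "2024-05-01 10:09:45,300 fail2ban.actions [812]: NOTICE [ssh] Ban 203.0.113.10",
]

if __name__ == "__main__":
    # Real use: read /var/log/fail2ban.log and set `since` to now minus the check interval
    state, message = evaluate(count_bans(SAMPLE_LOG, SINCE))
    print(message)  # prints "FAIL2BAN WARNING - 3 ban(s): postfix=1, ssh=2 | ..."
    sys.exit(state)
```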

If you have read my tutorial on installing Nagios 4 with NRPE 2.16, you will know how to set up Nagios within a few minutes ;) Note that the developer has since removed this version of NRPE and I haven’t tested the latest, but I guess it should not be much different.