Protect your IBM Lotus Domino Server against brute force attacks on non-HTTP ports
01/30/2009 10:30 AM
I am sure you are familiar with Internet Password Lockout, which was added in version 8. It's a nice feature everybody likes to use when a Domino Server is reachable from the whole Internet. Unfortunately this feature works for HTTP and HTTPS only. If you use authenticated SMTP, for example to allow some mobile users to relay e-mail, there is no protection at all....
On a Domino Server I was seeing lots of break-in attempts:
01/23/2009 19:50:37 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:38 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:39 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:40 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140
01/23/2009 19:50:41 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140

As the operating system is Linux, the weapon of choice was fail2ban, a Python based script that adds IPs for a given time to the iptables firewall rules to lock out the attacker.

To get fail2ban working with Domino I had to patch the file datedetector.py, as the date format used by Domino was not detected automatically. Add the following lines to the list of date templates:
# Domino format [01/23/2006 09:22:55]
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
# raw string, so that \d reaches the regex engine unchanged
template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
# strptime pattern matching the regex above
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)

In the directory /etc/fail2ban/filter.d create a file domino-smtp.conf:
# Fail2Ban configuration file
#
# Author: Christian A. Brandlehner
#
# $Revision: 001 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Sample log entry
# 01/23/2009 19:54:51 SMTP Server: Authentication failed for user bd ; connecting host 125.120.107.140
#
failregex = .* SMTP Server: Authentication failed for user .* connecting host <HOST>


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

To activate the jail, edit /etc/fail2ban/jail.conf and add these lines:
[domino-smtp]
# Note: make sure you have console logging enabled. If not, enter "start consolelog" on the Domino console.
enabled = true
port = smtp,465
protocol = tcp
filter = domino-smtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

Start fail2ban and monitor /var/log/fail2ban.log for messages that look like:
2009-01-30 09:56:14,216 fail2ban.actions: WARNING [domino-smtp] Ban 90.152.223.221

This still needs some tuning to set how long an IP will be blocked, how many retries are allowed before blocking, etc.
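To see what the date template and the failregex above do together, and what the retry and time-window tuning changes, here is a small added Python script (not part of the original post and not fail2ban code) that applies the same two patterns to a constructed console.log excerpt and reports which hosts would be banned for a given maxretry and findtime, the two jail settings that govern that tuning. The sample log lines, the user names, the address 192.0.2.7 and the Router line are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domino console.log timestamp, the same pattern the datedetector.py patch registers
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
DATE_FMT = "%m/%d/%Y %H:%M:%S"
# failregex from domino-smtp.conf, with <HOST> expanded to fail2ban's alias
FAIL_RE = re.compile(r".* SMTP Server: Authentication failed for user .* connecting host "
                     r"(?:::f{4,6}:)?(?P<host>\S+)")

def parse_failure(line):
    """Return (timestamp, host) for an authentication failure line, else None."""
    m_date = DATE_RE.match(line)
    m_fail = FAIL_RE.search(line)
    if not (m_date and m_fail):
        return None
    return datetime.strptime(m_date.group(1), DATE_FMT), m_fail.group("host")

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside one findtime-second window,
    the condition under which fail2ban logs 'Ban <ip>' for the jail."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, host = parsed
            failures[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in failures.items():
        times.sort()
        # sliding window: failure i and failure i+maxretry-1 must both lie within findtime
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)

# Constructed sample console.log excerpt (not copied from a real server)
SAMPLE_LOG = [
    "01/23/2009 19:50:37 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140",
    "01/23/2009 19:50:38 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140",
    "01/23/2009 19:50:39 SMTP Server: Authentication failed for user abc ; connecting host 125.120.107.140",
    "01/23/2009 19:52:10 SMTP Server: Authentication failed for user jdoe ; connecting host 192.0.2.7",
    "01/23/2009 19:52:15 Router: Message 00A1B2C3 delivered to jdoe/Acme",
    "01/23/2009 20:45:00 SMTP Server: Authentication failed for user jdoe ; connecting host 192.0.2.7",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['125.120.107.140']
```

With the defaults only the rapid-fire host is banned; a user who mistypes a password twice an hour apart is not, unless findtime is widened and maxretry lowered.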