Debian exim/dovecot email server with Saltstack – Security

A couple of basic security utilities: fail2ban and logcheck.

srv/salt/fail2ban.sls

Fail2ban scans the SSHD log files looking for failed login attempts. After a few attempts from one IP address it adds a firewall rule to block that IP address from further connections. Given that any SSHD exposed to the Internet will receive a continuous stream of connection attempts within seconds of going online, protection of this kind is very necessary.

Fail2ban is very simple to set up – just install it!

# Installs fail2ban to protect the SSH connection
fail2ban:
  pkg:
    - installed
  service.running:
    - enable: True

srv/salt/logcheck.sls

Logcheck scans log files and looks for lines it doesn’t recognise. The lines it doesn’t recognise it sends via email to me. To avoid being swamped by emails with lots of irrelevant log lines it is important to configure logcheck with custom rules. If you are getting lots of irrelevant log emails you won’t read them and will fail to see signs of an attack. In particular it is important to get emails when anyone manages to log in.

# Installs and configures the logcheck package
# https://debian-handbook.info/browse/stable/sect.supervision.html#sect.logcheck
# Logcheck sends unusual log files to the sysadmin via email
logcheck:
  pkg.installed:
    - name: logcheck

# Our file containing log lines to ignore
/etc/logcheck/ignore.d.server/local-mb:
  file.managed:
    - source: 'salt://logcheck/local-mb'
    - user: root
    - group: logcheck
    - mode: '0644' # -rw-r--r--

srv/salt/logcheck/local-mb

This file contains the log lines that I want to ignore. I’m not going to publish all my rules here; I strongly recommend you develop your own for the rules you find on your system. The logcheck-test utility makes this easy, as long as you like regular expressions!

This is an example rule:

^\w{3} [ :[:digit:]]{11} info sshd\[[[:digit:]]+\]: Received disconnect from [[:digit:].]+ port [[:digit:]]+:[[:digit:]]+:[[:space:][:alnum:]]* *\[preauth] *$

^\w{3} [ :[:digit:]]{11} matches the date section of the log line.

info sshd[[[:digit:]]+]: matches info sshd[345]:

We’ve then got the main bit of the log line. It is a good idea to keep the regular expressions as specific as possible.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.