Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had few mail servers with a lot of accounts. I setup rspamd instance in proxy mode. Then I called rspamd on every mail server with postfix milter. Rspamd works beautifully, ratelimiting is very useful too. But I in case of abusive mail sender, I wanted to permanently block IP from which spam originated. You can’t permanently block IPs with rspamd because ratelimit module can’t add IP address to some file.

So Fail2ban came to mind. I setup fail2ban on my rspamd installation and create filter which watches rspamd log and wait for cases when ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, filter puts IP of ratelimited sender to special blacklist file (ip_blacklist_ratelimit.map) which is included in rspamd multimap  definition Рpermanent block. Spamer IP is blocked permanently this way. 

I had few cases when some users password was stolen and spam was sending. Fail2ban and rspamd sucsessfuly banned those IPs. I also created action which will notify administrator when fail2ban blocks IP.

Rspamd ratelimit config:


# limit outgoing authenticated users
user = {
bucket = [
{
burst = 10; # capacity of 5 messages in bucket
rate = "1 / 1min"; # leak 1 messages per minute
},
{
burst = 100; # capacity of 100 messages in bucket
rate = "30 / 60min"; # leak 30 messages per hour
}]
}
}

Rspamd multimap definition for blocking blacklisted IPs:


# block users exceeded ratelimits 5 times
IP_BLACKLIST_RATELIMIT {
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/ip_blacklist_ratelimit.map";
action = "reject";
}

Fail2ban jail configuration:


[rspamd-ratelimit]
enabled = true
action = rspamd-banip
ratelimit-alert[name=Rspamd-ratelimit, dest=terminator@myemail.com]
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
bantime = 3600

Fail2ban filter for rspamd – rspamd-ratelimit.conf:


# Fail2Ban filter for rspamd ratelimit
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: .*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:


#
# Author: Igor Mazej
#
#
[Definition]
actionstart = touch /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionban = printf %%b "\n" >> /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionunban = sed -i "//d" -i.backup /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
[Init]

© 2019 geegkytuts.net
Hosted by Hosterdam


About author