mb-guardian Service¶
Security monitoring and intrusion detection daemon providing real-time threat detection.
Overview¶
mb-guardian monitors system security and detects threats:
- Brute force detection - Failed login monitoring
- Rate limiting - Excessive request detection
- Anomaly detection - Unusual patterns
- Threat response - Automatic blocking
- Security alerts - Real-time notifications
- Fail2ban integration - IP blocking
Protects against authentication attacks and abuse.
Key Functions¶
Authentication Monitoring¶
Tracks:
- Failed login attempts
- Password reset abuse
- 2FA bypass attempts
- Session hijacking patterns
- API key abuse

Actions:
- Account locking (after N failures)
- IP blocking (fail2ban)
- Alert administrators
- Log security events
Rate Limiting¶
Monitors:
- Login attempts per IP
- Email submission rate
- API request rate
- Password reset requests

Limits:
- 5 failed logins / 5 minutes → Lock account
- 10 failed logins / hour → Block IP
- 100 emails / hour per user
- 1000 API requests / hour
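The two login limits above are independent sliding windows: one keyed on the target account (any source IP), one keyed on the source IP (any account). The following is an added example, not mb-guardian's own code, that replays failed-login events through both windows using the documented thresholds; the `security.log` line format is constructed for the example (the real layout is not documented on this page), and the timestamps follow the alert example further down, so the IP block lands at 14:28:56 exactly as that alert shows.

```python
"""Sliding-window brute-force detection with mb-guardian's documented
thresholds: 5 failed logins in 5 minutes locks the account, 10 failed logins
from one IP in an hour blocks the IP. Added example, not mb-guardian's own
code; the security.log line format below is constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as documented (guardian.max_failed_logins=5 with a 5-minute
# lockout window, guardian.ip_ban_threshold=10 per hour).
ACCOUNT_LIMIT, ACCOUNT_WINDOW = 5, timedelta(minutes=5)
IP_LIMIT, IP_WINDOW = 10, timedelta(hours=1)

# Constructed sample log (format assumed, not the real security.log layout).
SAMPLE_LOG = """\
2025-01-13 14:23:45 failed_login ip=198.51.100.25 user=admin@example.com
2025-01-13 14:24:12 failed_login ip=198.51.100.25 user=admin@example.com
2025-01-13 14:24:38 failed_login ip=198.51.100.25 user=admin@example.com
2025-01-13 14:25:01 failed_login ip=198.51.100.25 user=admin@example.com
2025-01-13 14:25:30 failed_login ip=198.51.100.25 user=admin@example.com
2025-01-13 14:26:02 failed_login ip=198.51.100.25 user=alice@example.com
2025-01-13 14:26:40 failed_login ip=198.51.100.25 user=bob@example.com
2025-01-13 14:27:15 failed_login ip=198.51.100.25 user=carol@example.com
2025-01-13 14:27:50 failed_login ip=198.51.100.25 user=dave@example.com
2025-01-13 14:28:56 failed_login ip=198.51.100.25 user=erin@example.com
2025-01-13 15:10:00 failed_login ip=203.0.113.50 user=alice@example.com
2025-01-13 15:40:00 failed_login ip=203.0.113.50 user=alice@example.com
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) failed_login ip=(\S+) user=(\S+)$"
)


def parse_line(line):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


class SlidingWindow:
    """Count events per key inside a trailing time window."""

    def __init__(self, limit, span):
        self.limit = limit
        self.span = span
        self.events = defaultdict(deque)

    def record(self, key, ts):
        """Add an event and report whether the key has reached the limit."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.span:  # expire events older than the window
            q.popleft()
        return len(q) >= self.limit


def detect(log_text):
    """Replay log lines in order; return (locked accounts, blocked IPs, actions)."""
    per_account = SlidingWindow(ACCOUNT_LIMIT, ACCOUNT_WINDOW)
    per_ip = SlidingWindow(IP_LIMIT, IP_WINDOW)
    locked, blocked, actions = set(), set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        # The account lock counts failures against the user from any source,
        # so anyone who knows a username can lock it out (see Troubleshooting).
        if user not in locked and per_account.record(user, ts):
            locked.add(user)
            actions.append((str(ts), "lock_account", user))
        # The IP block counts failures from the IP against any account, so
        # spraying one password across many users still trips it.
        if ip not in blocked and per_ip.record(ip, ts):
            blocked.add(ip)
            actions.append((str(ts), "block_ip", ip))
    return locked, blocked, actions


if __name__ == "__main__":
    for ts, action, target in detect(SAMPLE_LOG)[2]:
        print(ts, action, target)
```

Running it locks `admin@example.com` at the fifth failure (14:25:30) and blocks 198.51.100.25 only once the attacker has moved on to other usernames and reached ten failures (14:28:56); the two later failures from 203.0.113.50 trip neither window. The order of the two actions is the practical point: a spray attack that rotates usernames never reaches the per-account limit, so the per-IP limit is what stops it.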
Anomaly Detection¶
Patterns detected:
- Login from new location
- Login at unusual time
- Sudden spike in activity
- Privilege escalation attempts
- Mass email sending
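"New location" and "unusual time" only mean something relative to a per-user baseline. The following is an added example, not mb-guardian's own code, showing one way to build that baseline from past successful logins and score a new login against it. The history records are constructed, and the two heuristics (collapse source addresses to their /24, treat a login hour within two hours of a previously seen hour as normal) are assumptions chosen for illustration, not settings of `guardian.anomaly_sensitivity`.

```python
"""Baseline-and-deviation checks for two of the anomaly patterns above:
login from a new location and login at an unusual time. Added example, not
mb-guardian's own code; the history and the /24 and +-2 hour heuristics are
assumptions for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed successful-login history: (timestamp, user, source IP).
HISTORY = [
    ("2025-01-06 08:55:00", "alice@example.com", "203.0.113.50"),
    ("2025-01-07 09:10:00", "alice@example.com", "203.0.113.51"),
    ("2025-01-08 08:40:00", "alice@example.com", "203.0.113.50"),
    ("2025-01-09 17:30:00", "alice@example.com", "203.0.113.52"),
    ("2025-01-10 09:05:00", "alice@example.com", "203.0.113.50"),
]

HOUR_SLACK = 2  # hours either side of a seen login hour that still count as normal


def network_of(ip):
    """Collapse an IPv4 address to its /24 so DHCP churn inside one office is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hour_of(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour


def build_baseline(history):
    """Per user: the source networks and the hours of day seen in past logins."""
    nets, hours = defaultdict(set), defaultdict(set)
    for ts, user, ip in history:
        nets[user].add(network_of(ip))
        hours[user].add(hour_of(ts))
    return nets, hours


def hour_distance(a, b):
    """Circular distance on a 24-hour clock (23:00 and 01:00 are two hours apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(baseline, ts, user, ip):
    """Return the anomaly flags for one login; an empty list means nothing unusual."""
    nets, hours = baseline
    if user not in nets:
        # No history yet: cannot judge, so say so rather than silently passing.
        return ["no_baseline"]
    flags = []
    if network_of(ip) not in nets[user]:
        flags.append("new_location")
    h = hour_of(ts)
    if all(hour_distance(h, seen) > HOUR_SLACK for seen in hours[user]):
        flags.append("unusual_time")
    return flags


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for login in [
        ("2025-01-13 09:00:00", "alice@example.com", "203.0.113.60"),
        ("2025-01-13 03:15:00", "alice@example.com", "198.51.100.25"),
    ]:
        print(login, score_login(base, *login))
```

A 09:00 login from another address in the office /24 scores clean, while a 03:15 login from 198.51.100.25 raises both flags; a user with no history gets `no_baseline`, which is the case to route to "increase monitoring" rather than to an alert. The slack value is the sensitivity knob: widening it trades missed anomalies for fewer false positives, which is the same trade `guardian.anomaly_sensitivity` makes.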
Configuration¶
Service file: /etc/systemd/system/mb-guardian.service

```ini
[Unit]
Description=Mailborder Security Guardian
After=network.target mb-rpcd.service
Requires=mb-rpcd.service

[Service]
Type=forking
User=mailborder
Group=mailborder
ExecStart=/usr/libexec/mailborder/php_enc/mb-guardian start
ExecStop=/usr/libexec/mailborder/php_enc/mb-guardian stop
PIDFile=/var/run/mailborder/mb-guardian.pid
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```

The unit defines no `ExecReload=`, so `systemctl reload mb-guardian` is rejected by systemd; configuration changes made with `mb-config` take effect on `systemctl restart mb-guardian`.
Security Settings¶
Failed login thresholds:

```bash
sudo mb-config set guardian.max_failed_logins 5
sudo mb-config set guardian.lockout_duration 300   # 5 minutes
sudo mb-config set guardian.ip_ban_threshold 10
sudo mb-config set guardian.ip_ban_duration 3600   # 1 hour
```

Rate limits:

```bash
sudo mb-config set guardian.email_rate_limit 100   # per hour
sudo mb-config set guardian.api_rate_limit 1000    # per hour
sudo mb-config set guardian.login_rate_limit 10    # per hour
```

Anomaly detection:

```bash
sudo mb-config set guardian.anomaly_detection true
sudo mb-config set guardian.alert_on_anomaly true
sudo mb-config set guardian.alert_email security@example.com
```
Operations¶
Start/stop:
Real-time monitoring:
Manual Actions¶
Block IP manually:
Unblock IP:
List blocked IPs:
Unlock user account:
Monitoring¶
Security Dashboard¶
View security status:
Example output:
```text
Security Status
===============
Threat Level: LOW

Last 24 Hours:
  Failed logins:      234
  Accounts locked:    5
  IPs blocked:        12
  Anomalies detected: 3

Currently Blocked:
  IPs:      45
  Accounts: 5

Active Threats:
  None detected
```
Security Events¶
Recent security events:
Filter by type:
```bash
sudo mb-guardian-events --type failed_login
sudo mb-guardian-events --type account_locked
sudo mb-guardian-events --type ip_blocked
sudo mb-guardian-events --type anomaly
```
Date range:
Alerts¶
Configure alerts:
```bash
# Email on security events
sudo mb-config set guardian.alert_email security@example.com

# Alert thresholds
sudo mb-config set guardian.alert_failed_logins 50   # per hour
sudo mb-config set guardian.alert_blocked_ips 10     # per hour
```
Alert example:
```text
Subject: Mailborder Security Alert

Event: Brute Force Attack Detected
IP: 198.51.100.25
Target: admin@example.com
Failed Attempts: 15 in 5 minutes
Action: IP blocked for 1 hour

Recent Activity:
2025-01-13 14:23:45 Failed login admin@example.com
2025-01-13 14:24:12 Failed login admin@example.com
2025-01-13 14:24:38 Failed login admin@example.com
...
2025-01-13 14:28:56 IP blocked 198.51.100.25
```
Integration¶
Fail2ban¶
Guardian triggers fail2ban actions by writing events to the security log that the `mailborder` jail watches:

/etc/fail2ban/jail.local:

```ini
[mailborder]
enabled = true
port = http,https,smtp
filter = mailborder
logpath = /var/log/mailborder/security.log
maxretry = 5
bantime = 3600
findtime = 300
```

Two things to check when wiring this up. First, the jail has its own thresholds: with `maxretry = 5` and `findtime = 300` it bans an IP after 5 matching lines in 5 minutes, independently of `guardian.ip_ban_threshold` (10 per hour), and whichever trips first decides when the IP is actually blocked; keep the two in step or the documented limits will not be the effective ones. Second, fail2ban only acts on lines that the `mailborder` filter's `failregex` recognises, so after changing the log format or `guardian.log_level` confirm the filter still matches with `fail2ban-regex /var/log/mailborder/security.log mailborder`.
Manual fail2ban check:
Security Logging¶
Logs written to:
- /var/log/mailborder/security.log - All security events
- /var/log/mailborder/auth.log - Authentication attempts
- /var/log/audit/audit.log - System audit trail (if auditd enabled)
Syslog integration:
Threat Response¶
Automatic Actions¶
On brute force detection:
1. Lock target account after N failures
2. Block source IP via fail2ban
3. Send alert to security team
4. Log to audit trail

On rate limit exceeded:
1. Temporarily block requests
2. Alert administrators
3. Log violation

On anomaly detected:
1. Increase monitoring
2. Alert security team
3. Optional: Force re-authentication
Manual Response¶
Investigate incident:
```bash
# View attacker's attempts
sudo mb-audit-log --ip 198.51.100.25

# Check if ongoing
sudo mb-guardian-status | grep 198.51.100.25

# Block permanently if malicious
sudo mb-blacklist add 198.51.100.25
```
Best Practices¶
Security Configuration¶
- Enable all protections
- Conservative thresholds:
    - Start strict, relax if needed
    - Better a false positive than a compromise
- Alert promptly:
    - Real-time security notifications
    - Escalation procedures
Monitoring¶
- Review security logs daily
- Investigate anomalies immediately
- Track trends (increasing attacks?)
- Update response procedures
Incident Response¶
- Document all incidents
- Preserve logs
- Review and improve defenses
- Share threat intelligence
Troubleshooting¶
Too Many Lockouts¶
Legitimate users getting locked:

```bash
# Increase threshold
sudo mb-config set guardian.max_failed_logins 10

# Reduce lockout duration
sudo mb-config set guardian.lockout_duration 180   # 3 minutes
```

Raising these weakens brute-force protection for every account, so first check where the failures come from with `mb-guardian-events --type failed_login`: repeated lockouts of one user from one known address usually mean a misconfigured client or a stale saved password, and fixing that source is preferable to loosening the global threshold. Keep in mind that account lockout is itself a denial-of-service vector: anyone who knows a username can lock it out by submitting failed logins, and the IP block only limits that per source address.
Missing Attacks¶
Attacks not detected:
```bash
# Check guardian is running
sudo systemctl status mb-guardian

# Enable debug logging (restart, not reload: the unit defines no ExecReload=)
sudo mb-config set guardian.log_level debug
sudo systemctl restart mb-guardian

# Review detection thresholds
sudo mb-config show guardian
```
False Positives¶
Legitimate activity flagged:
```bash
# Whitelist IP
sudo mb-guardian-whitelist 203.0.113.50 --reason "Office IP"

# Adjust anomaly sensitivity
sudo mb-config set guardian.anomaly_sensitivity medium   # or low
```
See Also¶
- Authentication - Auth configuration
- Security Hardening - Security best practices
- Audit Logs - Log reference