Configuring Fail2Ban to block brute-force attacks on dovecot / sendmail / bind / openvpn / ssh / apache
A few days ago I was looking through maillog and found a pile of POP3/IMAP login attempts from one particular IP, scanning for account names. I added an iptables rule by hand to block that source IP, but a few days later the same behaviour showed up from a different IP, so I went online to see whether someone had already written a tool that blocks this automatically.
- Install Fail2Ban
[root@xen-mail ~]# yum install fail2ban
:
================================================================================
 Package          Arch        Version               Repository        Size
================================================================================
Installing:
 fail2ban         noarch      0.8.2-3.el5.rf        rpmforge         125 k
:
- Set up the Fail2Ban main parameter file
vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:
- Set up the Fail2Ban filter and jail for dovecot
vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*
vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, [email protected]]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200
- Add the /etc/fail2ban/filter.d/dovecot-pop3imap.conf definition file
- Add the [dovecot-pop3imap] section to /etc/fail2ban/jail.conf
- Adjust the notification parameters of the action in [dovecot-pop3imap]: dest (recipient) and sender (sender address)
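To make the maxretry / findtime / bantime settings above concrete, here is an added example (not code from the original post or from the Fail2Ban project) that models how a jail reaches a ban decision. It uses the dovecot-pop3imap failregex and ignoreregex and the jail values exactly as given above, replays constructed maillog lines through them, and reports which addresses would be banned; the same loop applies to the sendmail, openvpn, sshd and apache jails later in this post. The helper names, the assumed year (syslog omits it) and the sample lines are mine, not the post's.

```python
"""Model of how a Fail2Ban jail reaches a ban decision (added example)."""
import re
from datetime import datetime, timedelta

# failregex / ignoreregex as in filter.d/dovecot-pop3imap.conf.  (?P<host>...)
# is the named group Fail2Ban expands <HOST> into; the optional ::ffff: prefix
# strips IPv4-mapped IPv6 notation from the rip= field.
FAILREGEX = re.compile(
    r"(?: Authentication failure|Aborted login|Disconnected)"
    r".*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"
)
IGNOREREGEX = re.compile(r"(?: Disconnected: Logged out).*")

# Jail parameters from the [dovecot-pop3imap] section (seconds).
MAXRETRY = 20
FINDTIME = 1200
BANTIME = 1200

# syslog timestamps carry no year; assume one so they can be compared.
YEAR = 2013


def parse_failure(line):
    """Return (timestamp, host) if the line counts as a failure, else None."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def run_jail(lines):
    """Replay log lines in order; return {host: time the ban was issued}."""
    recent = {}   # host -> failure timestamps still inside findtime
    bans = {}     # host -> when the ban was issued
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        # Failures from a host whose ban has not yet expired change nothing.
        if host in bans and ts - bans[host] < timedelta(seconds=BANTIME):
            continue
        window = [t for t in recent.get(host, [])
                  if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY:   # maxretry failures inside findtime
            bans[host] = ts
            recent[host] = []
    return bans


def maillog_line(ts, user, rip, event="Aborted login"):
    """Build a constructed dovecot pop3-login line in the post's format."""
    return (f"{ts:%b %d %H:%M:%S} hp-mail dovecot: pop3-login: {event}: "
            f"user=<{user}>, method=PLAIN, rip=::ffff:{rip}, lip=::ffff:220.130.139.9")


# Constructed sample log (not a real capture).
T0 = datetime(YEAR, 1, 17, 8, 11, 40)
SAMPLE_LINES = []
# 20 username-guessing failures from one address within 40 seconds.
for i in range(MAXRETRY):
    SAMPLE_LINES.append(maillog_line(T0 + timedelta(seconds=2 * i), f"guess{i}", "198.24.142.139"))
# A normal logout: failregex matches "Disconnected" but ignoreregex drops it.
SAMPLE_LINES.append(maillog_line(T0, "alice", "10.10.20.89", "Disconnected: Logged out"))
# 25 failures from a slow source, one every 15 minutes: never 20 inside findtime.
for i in range(25):
    SAMPLE_LINES.append(maillog_line(T0 + timedelta(minutes=15 * i), "bob", "10.10.20.1"))

if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_LINES).items():
        print(f"ban {host} at {when:%Y-%m-%d %H:%M:%S} for {BANTIME}s")
```

Only 198.24.142.139 is banned: its twentieth failure lands 38 seconds after the first, well inside findtime. The slow source never accumulates more than two failures in any 1200-second window, which is why findtime matters as much as maxretry when tuning a jail.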
- Set up the Fail2Ban filter and jail for bind
- Mainly to block the DDoS technique of flooding the server with queries for ripe.net / isc.org / 1rip.com
- named.log shows entries like the following:
:
28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
vi /etc/named.conf
:
logging {
    channel Named_log {
        file "/var/log/named/named.log" versions unlimited;
        severity info;
        print-severity yes;
        print-time yes;
    };
    category default  { Named_log; };
    category xfer-out { Named_log; };
    category queries  { Named_log; };
:
:
- Modify the /etc/fail2ban/filter.d/named-refused.conf definition file
vi /etc/fail2ban/filter.d/named-refused.conf
:
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*

# Option:  ignoreregex
:
- Enable [named-refused-udp] in /etc/fail2ban/jail.conf
vi /etc/fail2ban/jail.conf
:
[named-refused-udp]
enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,53", protocol=udp]
           sendmail-whois[name=Named, [email protected]]
#logpath = /var/log/named/security.log
logpath  = /var/log/named/named.log
# a bare address exempts only that single host; give the LAN as a CIDR range
ignoreip = 192.168.11.0/24
bantime  = 3600
:
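As an added example (not code from the post or from Fail2Ban), the snippet below runs the named-refused failregex from this section over constructed named.log lines and applies an ignoreip value the way a jail does, which shows why a bare address such as 192.168.11.0 exempts only that one host while 192.168.11.0/24 exempts the whole LAN. The expansion of <HOST> is the one Fail2Ban 0.8 uses; the LINE_PREFIX pattern is a simplified stand-in of mine for %(__line_prefix)s, and the helper names and sample lines are mine as well.

```python
"""Apply the named-refused failregex and an ignoreip list (added example)."""
import ipaddress
import re

# What Fail2Ban 0.8 substitutes for <HOST>: an optional IPv4-mapped prefix
# followed by the captured address.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Simplified stand-in (assumption) for %(__line_prefix)s in named-refused.conf:
# skips the "date time severity:" tokens BIND prints before "client".
LINE_PREFIX = r"^(?:\S+ )*?"
# failregex as written in the post, with the two macros expanded.
FAILREGEX = re.compile(
    LINE_PREFIX + r"client " + HOST
    + r"#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*"
)


def parse_ignoreip(spec):
    """Turn the jail's ignoreip value into networks.  A bare address becomes
    a /32 (or /128), so only that single host is exempt."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def is_ignored(host, networks):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def offending_clients(lines, ignoreip):
    """Count matching ANY queries per client, skipping ignoreip hosts."""
    networks = parse_ignoreip(ignoreip)
    counts = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if m is None:
            continue
        host = m.group("host")
        if is_ignored(host, networks):
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


def named_line(client, port, name, qtype="ANY"):
    """Constructed named.log line in the format the post shows."""
    return (f"28-Jun-2013 15:40:23.888 info: client {client}#{port}: "
            f"view external: query: {name} IN {qtype} +E (192.168.11.242)")


# Constructed sample (not a real capture).
SAMPLE_LINES = [
    named_line("67.220.66.3", 40117, "1rip.com"),
    named_line("67.220.66.3", 16440, "1rip.com"),
    named_line("72.10.160.148", 45103, "isc.org"),
    named_line("192.168.11.50", 5353, "ripe.net"),       # internal host on the LAN
    named_line("67.220.66.3", 22971, "1rip.com", "A"),   # ordinary A query: no match
    named_line("203.0.113.9", 1024, "example.com"),      # ANY, but not a listed name
]

if __name__ == "__main__":
    print("ignoreip = 192.168.11.0    :", offending_clients(SAMPLE_LINES, "192.168.11.0"))
    print("ignoreip = 192.168.11.0/24 :", offending_clients(SAMPLE_LINES, "192.168.11.0/24"))
```

With the bare address the internal host 192.168.11.50 is still counted; with the /24 it is exempt, and only the two external clients remain.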
- Set up the Fail2Ban filter and jail for sendmail
- Resolves the smtp attacks being seen against sendmail
- /var/log/secure shows messages like the following
:
Jun 3 16:31:55 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
Jun 3 16:32:06 hp-mail saslauthd[3357]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
Jun 3 16:32:21 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
Jun 3 16:32:28 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
:
- /var/log/maillog shows messages like the following
:
Jun 3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
:
- Modify the /etc/fail2ban/filter.d/sendmail-smtp.conf definition file
vi /etc/fail2ban/filter.d/sendmail-smtp.conf
[Definition]
failregex = \[<HOST>\] .*to MTA
            \[<HOST>\], reject.*\.\.\. Relaying denied
            \[<HOST>\] \(may be forged\)
ignoreregex =
- Enable [sendmail-smtp] in /etc/fail2ban/jail.conf
vi /etc/fail2ban/jail.conf
:
[sendmail-smtp]
enabled  = true
filter   = sendmail-smtp
action   = iptables-multiport[name=sendmail-smtp, port="smtp", protocol=tcp]
           sendmail-whois[name=sendmail-smtp, [email protected], [email protected]]
logpath  = /var/log/maillog
maxretry = 5
findtime = 1200
bantime  = 12000
:
- You can run a preliminary test with the following command and compare its result with what you see by eye in maillog
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail-smtp.conf
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sendmail-smtp.conf
Use log file   : /var/log/maillog

Results
=======

Failregex: 1853 total
|-  #) [# of hits] regular expression
|   1) [1450] \[<HOST>\] .*to MTA
|   2) [3] \[<HOST>\], reject.*\.\.\. Relaying denied
|   3) [400] \[<HOST>\] \(may be forged\)
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    92.222.133.43 (Sun Jun 01 05:01:27 2014)
    92.222.133.43 (Sun Jun 01 05:28:26 2014)
    92.222.133.43 (Sun Jun 01 05:47:26 2014)
    92.222.133.43 (Sun Jun 01 06:30:26 2014)
    :
    :
    95.81.228.63 (Tue Jun 03 17:54:08 2014)
    204.44.123.253 (Tue Jun 03 18:02:06 2014)
    222.124.108.103 (Tue Jun 03 18:09:12 2014)

Date template hits:
163550 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 1853

However, look at the above section 'Running tests' which could contain important
information.
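The per-regex hit counts are the useful part of that report: a line of failregex that never fires, or one that matches far more than expected, shows up there before the jail is enabled. As an added example (not code from the post or from Fail2Ban), here is a small stand-in for that check. It expands <HOST> the way Fail2Ban does, applies each of the three sendmail-smtp failregex lines above to constructed maillog lines, and reports hits per regex, the addresses found and the lines nothing matched; the helper names and sample lines are mine.

```python
"""Stand-in for the fail2ban-regex report over a multi-line failregex (added example)."""
import re

# What Fail2Ban substitutes for <HOST>.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex lines from filter.d/sendmail-smtp.conf, one entry each.
FAILREGEX_LINES = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"\[<HOST>\] \(may be forged\)",
]


def compile_filter(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def regex_report(lines, patterns):
    """Return (hits per regex, {host: count}, lines no regex matched)."""
    regexes = compile_filter(patterns)
    hits = [0] * len(regexes)
    hosts = {}
    missed = []
    for line in lines:
        for i, rx in enumerate(regexes):
            m = rx.search(line)
            if m:
                hits[i] += 1
                hosts[m.group("host")] = hosts.get(m.group("host"), 0) + 1
                break   # a line is credited to the first regex that matches it
        else:
            missed.append(line)
    return hits, hosts, missed


# Constructed maillog lines (not a real capture).
SAMPLE_LINES = [
    "Jun  3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jun  3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jun  3 16:40:02 hp-mail sendmail[1901]: s538e2Ab001901: ruleset=check_rcpt, arg1=<x@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <x@example.net>... Relaying denied",
    "Jun  3 16:45:10 hp-mail sendmail[1933]: s538jAcd001933: spamhost.example [198.51.100.4] (may be forged)",
    "Jun  3 16:50:00 hp-mail sendmail[1950]: s538o0Ef001950: from=<alice@example.org>, size=512, class=0, nrcpts=1, relay=[10.10.20.89]",
]

if __name__ == "__main__":
    hits, hosts, missed = regex_report(SAMPLE_LINES, FAILREGEX_LINES)
    for i, (n, pattern) in enumerate(zip(hits, FAILREGEX_LINES), 1):
        print(f"{i}) [{n}] {pattern}")
    print("Addresses found:", hosts)
    print("Missed lines:", len(missed))
```

The last sample line is an ordinary delivery record and is reported as missed, which is exactly what you want to see: a filter that matched it would be banning legitimate senders.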
- Set up the Fail2Ban filter and jail for openvpn
- Resolves the attacks being seen against openvpn
- /etc/openvpn/openvpn.log shows messages like the following
:
Tue Jun 10 18:57:41 2014 176.114.32.92:3509 WARNING: Bad encapsulated packet length from peer (36695), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Tue Jun 10 19:00:43 2014 58.60.243.60:26629 WARNING: Bad encapsulated packet length from peer (6598), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
:
- Modify the /etc/fail2ban/filter.d/openvpn.conf definition file
vi /etc/fail2ban/filter.d/openvpn.conf
[Definition]
failregex = <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]
ignoreregex =
- Enable [openvpn] in /etc/fail2ban/jail.conf
vi /etc/fail2ban/jail.conf
:
[openvpn]
enabled  = true
filter   = openvpn
action   = iptables-multiport[name=openvpn, port="https", protocol=tcp]
           sendmail-whois[name=openvpn, [email protected], [email protected]]
logpath  = /etc/openvpn/openvpn.log
maxretry = 3
findtime = 1200
bantime  = 12000
:
- You can run a preliminary test with the following command and compare its result with what you see by eye in openvpn.log
fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf
Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/openvpn.conf
Use log file       : /etc/openvpn/openvpn.log

Results
=======

Failregex: 11401 total
|-  #) [# of hits] regular expression
|   1) [11401] <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [436556] WEEKDAY MONTH Day Hour:Minute:Second Year
`-

Lines: 436556 lines, 0 ignored, 11401 matched, 425155 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 425155 lines
- Set up the Fail2Ban filter and jail for sshd
- Resolves the attacks being seen against sshd
- /var/log/secure shows messages like the following
:
Jun 9 03:35:33 kvm-vpn sshd[1709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbotrace.cmu.ac.th user=root
Jun 9 03:35:36 kvm-vpn sshd[1712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=m.jumbomap.cmu.ac.th user=root
Jun 9 03:35:39 kvm-vpn sshd[1715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fibermap.cmu.ac.th
Jun 9 03:35:42 kvm-vpn sshd[1717]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbomap.cmu.ac.th
Jun 9 03:35:46 kvm-vpn sshd[1719]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=register.jumbo.cmu.ac.th
Jun 9 08:44:57 kvm-vpn sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net
Jun 9 08:45:01 kvm-vpn sshd[2312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net
Jun 9 14:20:40 kvm-vpn sshd[2972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67
Jun 9 14:20:43 kvm-vpn sshd[2974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67
Jun 9 14:20:46 kvm-vpn sshd[2976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun 9 14:20:48 kvm-vpn sshd[2979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun 9 14:20:52 kvm-vpn sshd[2982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun 9 14:20:54 kvm-vpn sshd[2985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun 9 14:20:57 kvm-vpn sshd[2988]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun 9 14:21:01 kvm-vpn sshd[2991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun 9 17:04:33 kvm-vpn sshd[3310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=145.24.222.140 user=root
Jun 9 17:45:38 kvm-vpn sshd[3391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188 user=root
Jun 9 17:45:49 kvm-vpn sshd[3392]: Disconnecting: Too many authentication failures for root
Jun 9 17:45:49 kvm-vpn sshd[3391]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188 user=root
Jun 10 01:05:26 kvm-vpn sshd[4286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.217 user=root
Jun 10 01:05:39 kvm-vpn sshd[4287]: Disconnecting: Too many authentication failures for root
:
- Modify the /etc/fail2ban/filter.d/sshd.conf definition file
vi /etc/fail2ban/filter.d/sshd.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sBad protocol version identification .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

ignoreregex =
- Enable [ssh-iptables] in /etc/fail2ban/jail.conf
vi /etc/fail2ban/jail.conf
:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root]
logpath  = /var/log/secure
maxretry = 5
:
- You can run a preliminary test with the following command and compare its result with what you see by eye in /var/log/secure
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/secure

Results
=======

Failregex: 9 total
|-  #) [# of hits] regular expression
|   3) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
|   5) [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|   8) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|   9) [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[3]
    10.10.20.89 (Mon Jun 09 18:09:58 2014)
    10.10.20.1 (Wed Jun 11 10:04:53 2014)
[5]
    10.10.20.1 (Wed Jun 11 10:04:49 2014)
[8]
    10.10.20.89 (Mon Jun 09 18:09:56 2014)
    10.10.20.1 (Wed Jun 11 10:04:50 2014)
[9]
    10.10.20.1 (Tue Jun 10 10:17:32 2014)
    10.10.20.1 (Tue Jun 10 10:17:45 2014)
    10.10.20.1 (Tue Jun 10 15:30:07 2014)
    10.10.20.1 (Tue Jun 10 17:27:29 2014)

Date template hits:
449 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 9

However, look at the above section 'Running tests' which could contain important
information.
- Set up the Fail2Ban filter and jail for apache
- Resolves the attacks being seen against apache
- /var/log/httpd/error_log shows messages like the following
:
[Sat Jun 30 04:09:24 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.8.3
[Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.1
[Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.2
[Tue Nov 29 10:50:12 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/admin
[Tue Nov 29 10:50:13 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/db
[Mon Dec 19 01:58:52 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/common
[Mon Dec 19 01:58:53 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/community
[Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/pndegmsave.asp
[Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/gmsave.asp
:
- Modify the /etc/fail2ban/filter.d/apache.conf definition file
vi /etc/fail2ban/filter.d/apache.conf
[Definition]
_daemon = httpd
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
ignoreregex =
- Enable [apache] in /etc/fail2ban/jail.conf
vi /etc/fail2ban/jail.conf
:
[apache]
enabled  = true
# the filter name must match the definition file, filter.d/apache.conf
filter   = apache
action   = iptables-multiport[name=apache, port="http,https", protocol=tcp]
           sendmail-whois[name=apache, dest=root, [email protected]]
logpath  = /var/log/httpd/error_log
maxretry = 3
:
- You can run a preliminary test with the following command and compare its result with what you see by eye in error_log
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache.conf
- Start the Fail2Ban service
[root@xen-mail ~]# service fail2ban start
Starting fail2ban:                                         [  確定  ]
[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban        0:關閉  1:關閉  2:開啟  3:開啟  4:開啟  5:開啟  6:關閉
- If the date on the outgoing mail turns into 1970-01-01, it is a locale problem with the mail date; start the service this way instead
[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
- Check the Fail2Ban service status
[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap
- An actual ban case
- /var/log/maillog
:
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:
- Check with iptables --list
Every 2.0s: iptables --list                                     Thu Jan 17 08:14:56 2013

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  198.24.142.139       anywhere
RETURN     all  --  anywhere             anywhere
How to handle notification mail dated 1970/1/1 08:00
- This happens because versions after 0.6.1 use the locale's time format, which makes the mail's Date: header come out like this
:
Subject: [Fail2Ban] dovecot-pop3imap: banned 60.248.245.177
Date: �, 24 4� 2014 00:16:12 +0000
From: Fail2Ban <[email protected]>
:
- So prefixing the fail2ban command with LANG=en_US solves it, e.g.
LANG=en_US /etc/init.d/fail2ban restart
Or add export LANG=en_US directly to /etc/init.d/fail2ban
#!/bin/bash
#
# chkconfig: 345 92 08
# description: Fail2ban daemon
#              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
# process name: fail2ban-server
#
#
# Author: Tyler Owen
#

export LANG=en_US

# Source function library.
. /etc/init.d/functions

# Check that the config file exists
:
:
- Because CentOS 6.x does not install the whois tool by default, the mail that is sent cannot include the IP's registration information, e.g.
:
Here is more information about 92.59.24.231:
missing whois program
:
- This can be fixed by installing jwhois manually
yum install jwhois