
How to configure Fail2Ban to block brute-force attacks on dovecot / sendmail / bind / openvpn / ssh / apache

A few days ago, while going through maillog, I noticed a lot of account-scanning login attempts over pop3/imap coming from one particular ip. When I saw it I manually added an iptables rule to block that source ip, but a few days later I saw the same behaviour again from a different ip, so I looked online to see whether someone had already written an automatic blocking tool for this.

- Install Fail2Ban

[[email protected] ~]# yum install fail2ban
:
================================================================================
 Package          Arch           Version                 Repository        Size
================================================================================
Installing:
 fail2ban         noarch         0.8.2-3.el5.rf          rpmforge         125 k

:

- Configure the Fail2Ban main parameter file

vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:

- Configure the Fail2Ban parameter files for dovecot

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*

vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, [email protected]]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200

  • Add the /etc/fail2ban/filter.d/dovecot-pop3imap.conf definition file
  • Add the [dovecot-pop3imap] section to /etc/fail2ban/jail.conf
  • Adjust the notification parameters of the action in [dovecot-pop3imap]: dest (recipient) and sender (sender address)
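The jail settings above only make sense together: a line has to match failregex and not ignoreregex, the failures of one host are counted inside a sliding findtime window, and the host is banned once maxretry failures fall into that window. The following Python example is added here to show that logic at work; it is not code from this page and not fail2ban's own code. It uses the dovecot-pop3imap failregex and ignoreregex exactly as above, a constructed maillog excerpt modelled on the ban case shown later on this page, and assumed jail values (maxretry lowered to 5, an invented ignoreip list, a pinned year for the syslog timestamps). ignoreip is used by the bind jail further down this page; the example also shows that a bare address such as 192.168.11.0 whitelists only that one host, whereas 192.168.11.0/24 whitelists the subnet.

```python
import re
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Added example, not code from this page or from fail2ban: a miniature of the
# jail logic fail2ban applies with the dovecot-pop3imap filter shown above.

# failregex / ignoreregex exactly as in filter.d/dovecot-pop3imap.conf above
FAILREGEX = re.compile(
    r"(?: Authentication failure|Aborted login|Disconnected)"
    r".*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"
)
IGNOREREGEX = re.compile(r"(?: Disconnected: Logged out).*")

# Jail values: findtime as in [dovecot-pop3imap] above; maxretry lowered from 20
# to 5 and the ignoreip list invented so that the short sample below trips them.
# A bare address in ignoreip (e.g. "192.168.11.0") covers that one host only;
# a prefix such as "192.168.11.0/24" is required to whitelist the whole subnet.
MAXRETRY = 5
FINDTIME = 1200                                   # seconds
IGNOREIP = ["127.0.0.1/8", "192.168.11.0/24"]     # assumed values

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed maillog excerpt, modelled on the ban case later on this page.
SAMPLE_MAILLOG = [
    # 198.24.142.139: six aborted logins within four seconds
    "Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9",
    # 192.168.11.5: the same pattern from the LAN, covered by ignoreip
    "Jan 17 08:11:50 hp-mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=::ffff:192.168.11.5, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:51 hp-mail dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=::ffff:192.168.11.5, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:52 hp-mail dovecot: pop3-login: Aborted login: user=<info>, method=PLAIN, rip=::ffff:192.168.11.5, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:53 hp-mail dovecot: pop3-login: Aborted login: user=<sales>, method=PLAIN, rip=::ffff:192.168.11.5, lip=::ffff:220.130.139.9",
    "Jan 17 08:11:54 hp-mail dovecot: pop3-login: Aborted login: user=<backup>, method=PLAIN, rip=::ffff:192.168.11.5, lip=::ffff:220.130.139.9",
    # 203.0.113.7: normal logouts (ignoreregex) plus failures too far apart for findtime
    "Jan 17 08:12:01 hp-mail dovecot: imap-login: Disconnected: Logged out: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
    "Jan 17 08:12:05 hp-mail dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
    "Jan 17 08:12:06 hp-mail dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
    "Jan 17 08:12:07 hp-mail dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
    "Jan 17 08:12:08 hp-mail dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
    "Jan 17 08:12:10 hp-mail dovecot: imap-login: Disconnected: Logged out: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
    "Jan 17 09:00:00 hp-mail dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=220.130.139.9",
]


def parse_time(line, year=2013):
    """Syslog lines carry no year; it is pinned here (fail2ban assumes the current one)."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp in: " + line)
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")


def ignored(host, ignoreip=IGNOREIP):
    """fail2ban's ignoreip check: each entry is a single address or a CIDR network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a hostname would need DNS resolution first
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def failures(lines):
    """Yield (timestamp, host) for every line the filter counts as a failure."""
    for line in lines:
        if IGNOREREGEX.search(line):      # ignoreregex wins over failregex
            continue
        m = FAILREGEX.search(line)
        if m:
            yield parse_time(line), m.group("host")


def failure_counts(lines):
    """Failures per host, regardless of timing (what fail2ban-regex would report)."""
    return dict(Counter(host for _, host in failures(lines)))


def decide_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time of the failure that triggered the ban}."""
    window = defaultdict(list)            # host -> timestamps of recent failures
    banned = {}
    for ts, host in failures(lines):
        if host in banned or ignored(host):
            continue
        recent = [t for t in window[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    print("failures per host:", failure_counts(SAMPLE_MAILLOG))
    for host, when in decide_bans(SAMPLE_MAILLOG).items():
        print("ban %s at %s" % (host, when))
```

With the page's real maxretry of 20 the same sample produces no ban at all, which is exactly why fail2ban-regex alone (it only counts matches) is not enough to predict what a jail will do.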

- Configure the Fail2Ban parameter files for bind

  • Mainly to block the DDoS attack pattern that floods the server with queries for ripe.net / isc.org / 1rip.com
  • named.log shows entries like the following:
    :
    28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    :
    28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    :

vi /etc/named.conf

:
logging {
        channel Named_log {
                file "/var/log/named/named.log" versions unlimited;
                severity info;
                print-severity  yes;
                print-time yes; };
        category default {Named_log; };
        category xfer-out {Named_log; };
        category queries {Named_log; };
:
:
  • Modify the /etc/fail2ban/filter.d/named-refused.conf definition file
    vi /etc/fail2ban/filter.d/named-refused.conf
    
    :
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # Values: TEXT
    #
    #failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
    failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*
    
    # Option:  ignoreregex
    :
  • Enable [named-refused-udp] in /etc/fail2ban/jail.conf
    vi /etc/fail2ban/jail.conf
    
    :
    [named-refused-udp]
    
    enabled  = true
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,53", protocol=udp]
                sendmail-whois[name=Named, [email protected]]
    #logpath  = /var/log/named/security.log
    logpath  = /var/log/named/named.log
    ignoreip = 192.168.11.0
    bantime  = 3600
    :

- Configure the Fail2Ban parameter files for sendmail

  • Configuration to deal with the smtp attacks seen against sendmail
  • /var/log/secure shows messages like the following
    :
    Jun  3 16:31:55 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
    Jun  3 16:32:06 hp-mail saslauthd[3357]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
    Jun  3 16:32:21 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
    Jun  3 16:32:28 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=everstar
    :
  • /var/log/maillog shows messages like the following
    :
    Jun  3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Jun  3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    :
  • Modify the /etc/fail2ban/filter.d/sendmail-smtp.conf definition file
    vi /etc/fail2ban/filter.d/sendmail-smtp.conf
    
    [Definition]
    failregex = \[<HOST>\] .*to MTA
                \[<HOST>\], reject.*\.\.\. Relaying denied
                \[<HOST>\] \(may be forged\)
    ignoreregex =
  • Enable [sendmail-smtp] in /etc/fail2ban/jail.conf
    vi /etc/fail2ban/jail.conf
    
    :
    [sendmail-smtp]
    enabled  = true
    filter   = sendmail-smtp
    action   = iptables-multiport[name=sendmail-smtp, port="smtp", protocol=tcp]
               sendmail-whois[name=sendmail-smtp, [email protected], [email protected]]
    logpath = /var/log/maillog
    maxretry = 5
    findtime = 1200
    bantime  = 12000
    :
  • A preliminary check can be done with the following command; compare its output with what you see in maillog by eye
    fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail-smtp.conf
    
    Running tests
    =============
    
    Use regex file : /etc/fail2ban/filter.d/sendmail-smtp.conf
    Use log file   : /var/log/maillog
    
    
    Results
    =======
    
    Failregex: 1853 total
    |- #) [# of hits] regular expression
    |  1) [1450] \[<HOST>\] .*to MTA
    |  2) [3] \[<HOST>\], reject.*\.\.\. Relaying denied
    |  3) [400] \[<HOST>\] \(may be forged\)
    `-
    
    Ignoreregex: 0 total
    
    Summary
    =======
    
    Addresses found:
    [1]
        92.222.133.43 (Sun Jun 01 05:01:27 2014)
        92.222.133.43 (Sun Jun 01 05:28:26 2014)
        92.222.133.43 (Sun Jun 01 05:47:26 2014)
        92.222.133.43 (Sun Jun 01 06:30:26 2014)
    :
    :
        95.81.228.63 (Tue Jun 03 17:54:08 2014)
        204.44.123.253 (Tue Jun 03 18:02:06 2014)
        222.124.108.103 (Tue Jun 03 18:09:12 2014)
    
    Date template hits:
    163550 hit(s): MONTH Day Hour:Minute:Second
    
    Success, the total number of match is 1853
    
    However, look at the above section 'Running tests' which could contain important
    information.
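To see what fail2ban-regex is doing under the hood, here is an added Python example (not code from this page and not fail2ban's own tool) that emulates it for the sendmail-smtp filter: it parses the [Definition] section including the multi-line failregex continuation, expands the <HOST> tag the way fail2ban 0.8 does, removes the syslog date before matching as fail2ban does, and then reports per-regex hit counts and the addresses found in the same spirit as the output above. The maillog lines are constructed: the first two follow the excerpt above, the "Relaying denied" and "(may be forged)" lines use sendmail's usual wording, and the last line is a normal delivery that must not match.

```python
import re
from collections import defaultdict

# Added example, not code from this page or from fail2ban: a small stand-in for
# "fail2ban-regex LOG FILTER" for filters that use the <HOST> tag.

# fail2ban 0.8's expansion of <HOST>: optional IPv4-mapped prefix, then an IP or hostname
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp; fail2ban removes the date it recognised before matching failregex
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# The sendmail-smtp filter exactly as written above
FILTER_TEXT = r"""[Definition]
failregex = \[<HOST>\] .*to MTA
            \[<HOST>\], reject.*\.\.\. Relaying denied
            \[<HOST>\] \(may be forged\)
ignoreregex =
"""

# Constructed maillog lines (see the lead-in); addresses are documentation ranges
MAILLOG_LINES = [
    "Jun  3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jun  3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jun  3 16:33:02 hp-mail sendmail[1870]: s538X2aa001870: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[198.51.100.23], reject=550 5.7.1 <victim@example.net>... Relaying denied",
    "Jun  3 16:35:40 hp-mail sendmail[1881]: s538ZeXX001881: from=<spam@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.9] (may be forged)",
    "Jun  3 16:36:00 hp-mail sendmail[1890]: s538a0bb001890: from=<alice@example.com>, size=1234, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=smtp.example.com [192.0.2.10]",
]


def parse_filter(text):
    """Return {option: [patterns]} from the [Definition] section of a filter file.

    A line that starts with whitespace continues the previous option; that is how
    fail2ban filters list several failregex entries under one key."""
    opts = {}
    section = None
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith("["):
            section = raw.strip()[1:-1]
            current = None
            continue
        if section != "Definition":
            continue
        if raw[0].isspace() and current is not None:
            opts[current].append(raw.strip())
        else:
            key, _, value = raw.partition("=")
            current = key.strip()
            opts[current] = [value.strip()] if value.strip() else []
    return opts


def compile_list(patterns):
    """Compile filter patterns after substituting the <HOST> tag."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def check_filter(lines, filter_text):
    """Apply the filter to the lines; first matching failregex wins, ignoreregex first."""
    opts = parse_filter(filter_text)
    fail = compile_list(opts.get("failregex", []))
    ignore = compile_list(opts.get("ignoreregex", []))
    hits = [0] * len(fail)
    found = defaultdict(list)            # 1-based regex index -> hosts captured
    missed, ignored = [], 0
    for line in lines:
        body = SYSLOG_TS.sub("", line, count=1)
        if any(r.search(body) for r in ignore):
            ignored += 1
            continue
        for idx, r in enumerate(fail):
            m = r.search(body)
            if m:
                hits[idx] += 1
                found[idx + 1].append(m.group("host"))
                break
        else:
            missed.append(line)
    return {"patterns": opts.get("failregex", []), "hits": hits, "found": dict(found),
            "missed": missed, "ignored": ignored, "lines": len(lines)}


def format_report(r):
    """Render the result roughly like fail2ban-regex's 'Results' and 'Summary'."""
    out = ["Failregex: %d total" % sum(r["hits"]), "|- #) [# of hits] regular expression"]
    for i, (n, pat) in enumerate(zip(r["hits"], r["patterns"]), 1):
        out.append("|  %d) [%d] %s" % (i, n, pat))
    out += ["`-", "Addresses found:"]
    for idx in sorted(r["found"]):
        out.append("[%d]" % idx)
        out.extend("    " + h for h in r["found"][idx])
    out.append("Lines: %d lines, %d ignored, %d matched, %d missed"
               % (r["lines"], r["ignored"], sum(r["hits"]), len(r["missed"])))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(check_filter(MAILLOG_LINES, FILTER_TEXT)))
```

Any line that ends up under "missed" is either legitimate traffic (as the last sample line is) or a failure message the filter does not yet cover; fail2ban-regex's --print-all-missed option exists precisely to review that second case.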

- Configure the Fail2Ban parameter files for openvpn

  • Configuration to deal with the attacks seen against openvpn
  • /etc/openvpn/openvpn.log shows messages like the following
    :
    Tue Jun 10 18:57:41 2014 176.114.32.92:3509 WARNING: Bad encapsulated packet length from peer (36695), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Jun 10 19:00:43 2014 58.60.243.60:26629 WARNING: Bad encapsulated packet length from peer (6598), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    :
  • Modify the /etc/fail2ban/filter.d/openvpn.conf definition file
    vi /etc/fail2ban/filter.d/openvpn.conf
    
    [Definition]
    failregex = <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]
    ignoreregex =
  • Enable [openvpn] in /etc/fail2ban/jail.conf
    vi /etc/fail2ban/jail.conf
    
    :
    [openvpn]
    enabled  = true
    filter   = openvpn
    action   = iptables-multiport[name=openvpn, port="https", protocol=tcp]
               sendmail-whois[name=openvpn, [email protected], [email protected]]
    logpath = /etc/openvpn/openvpn.log
    maxretry = 3
    findtime = 1200
    bantime  = 12000
    :
  • A preliminary check can be done with the following command; compare its output with what you see in openvpn.log by eye
    fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf
    
    Running tests
    =============
    
    Use   failregex file : /etc/fail2ban/filter.d/openvpn.conf
    Use         log file : /etc/openvpn/openvpn.log
    
    
    Results
    =======
    
    Failregex: 11401 total
    |-  #) [# of hits] regular expression
    |   1) [11401] <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [436556] WEEKDAY MONTH Day Hour:Minute:Second Year
    `-
    
    Lines: 436556 lines, 0 ignored, 11401 matched, 425155 missed
    Missed line(s):: too many to print.  Use --print-all-missed to print all 425155 lines

- Configure the Fail2Ban parameter files for sshd

  • Configuration to deal with the attacks seen against sshd
  • /var/log/secure shows messages like the following
    :
    Jun  9 03:35:33 kvm-vpn sshd[1709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbotrace.cmu.ac.th  user=root
    Jun  9 03:35:36 kvm-vpn sshd[1712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=m.jumbomap.cmu.ac.th  user=root
    Jun  9 03:35:39 kvm-vpn sshd[1715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fibermap.cmu.ac.th
    Jun  9 03:35:42 kvm-vpn sshd[1717]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbomap.cmu.ac.th
    Jun  9 03:35:46 kvm-vpn sshd[1719]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=register.jumbo.cmu.ac.th
    Jun  9 08:44:57 kvm-vpn sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net
    Jun  9 08:45:01 kvm-vpn sshd[2312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net
    Jun  9 14:20:40 kvm-vpn sshd[2972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67
    Jun  9 14:20:43 kvm-vpn sshd[2974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67
    Jun  9 14:20:46 kvm-vpn sshd[2976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root
    Jun  9 14:20:48 kvm-vpn sshd[2979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root
    Jun  9 14:20:52 kvm-vpn sshd[2982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root
    Jun  9 14:20:54 kvm-vpn sshd[2985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root
    Jun  9 14:20:57 kvm-vpn sshd[2988]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root
    Jun  9 14:21:01 kvm-vpn sshd[2991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root
    Jun  9 17:04:33 kvm-vpn sshd[3310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=145.24.222.140  user=root
    Jun  9 17:45:38 kvm-vpn sshd[3391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188  user=root
    Jun  9 17:45:49 kvm-vpn sshd[3392]: Disconnecting: Too many authentication failures for root
    Jun  9 17:45:49 kvm-vpn sshd[3391]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188  user=root
    Jun 10 01:05:26 kvm-vpn sshd[4286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.217  user=root
    Jun 10 01:05:39 kvm-vpn sshd[4287]: Disconnecting: Too many authentication failures for root
    :
  • Modify the /etc/fail2ban/filter.d/sshd.conf definition file
    vi /etc/fail2ban/filter.d/sshd.conf
    
    [INCLUDES]
    before = common.conf
    [Definition]
    _daemon = sshd
    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
                ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
                ^%(__prefix_line)sBad protocol version identification .* from <HOST>\s*$
                ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
                ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
                ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
                ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
                ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
    ignoreregex =
  • Enable [ssh-iptables] in /etc/fail2ban/jail.conf
    vi /etc/fail2ban/jail.conf
    
    :
    [ssh-iptables]
    
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=root]
    logpath  = /var/log/secure
    maxretry = 5
    :
  • A preliminary check can be done with the following command; compare its output with what you see in /var/log/secure by eye
    fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
    
    Running tests
    =============
    
    Use regex file : /etc/fail2ban/filter.d/sshd.conf
    Use log file   : /var/log/secure
    
    
    Results
    =======
    
    Failregex: 9 total
    |- #) [# of hits] regular expression
    |  3) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
    |  5) [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
    |  8) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
    |  9) [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
    `-
    
    Ignoreregex: 0 total
    
    Summary
    =======
    
    Addresses found:
    [3]
        10.10.20.89 (Mon Jun 09 18:09:58 2014)
        10.10.20.1 (Wed Jun 11 10:04:53 2014)
    [5]
        10.10.20.1 (Wed Jun 11 10:04:49 2014)
    [8]
        10.10.20.89 (Mon Jun 09 18:09:56 2014)
        10.10.20.1 (Wed Jun 11 10:04:50 2014)
    [9]
        10.10.20.1 (Tue Jun 10 10:17:32 2014)
        10.10.20.1 (Tue Jun 10 10:17:45 2014)
        10.10.20.1 (Tue Jun 10 15:30:07 2014)
        10.10.20.1 (Tue Jun 10 17:27:29 2014)
    
    Date template hits:
    449 hit(s): MONTH Day Hour:Minute:Second
    
    Success, the total number of match is 9
    
    However, look at the above section 'Running tests' which could contain important information.
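The output above shows %(__prefix_line)s from common.conf fully expanded. The added Python example below (not code from this page and not fail2ban's) takes that expanded prefix together with entry 8 of the filter, the pam_unix regex, and runs it over lines from the /var/log/secure excerpt earlier in this section, stripping the syslog date first as fail2ban does. Two things worth knowing become visible: the <HOST> tag captures hostnames (jumbotrace.cmu.ac.th) as readily as IP literals, and fail2ban has to resolve such a name before it can write an iptables rule (the jail's usedns option governs this); and lines like "Disconnecting: Too many authentication failures" and "PAM 5 more authentication failures" are not matched by this regex, so those extra attempts are not counted toward maxretry.

```python
import re
import ipaddress
from collections import Counter

# Added example, not code from this page or from fail2ban: what the sshd
# pam_unix regex (entry 8 above) actually captures from /var/log/secure.

# %(__prefix_line)s from common.conf, expanded exactly as fail2ban-regex printed it above
PREFIX_LINE = (
    r"^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*"
)
# fail2ban's <HOST> expansion: optional IPv4-mapped prefix, then an address OR a hostname
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Entry 8 of the sshd filter above with prefix and <HOST> substituted
PAM_UNIX = re.compile(
    PREFIX_LINE
    + r"(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost="
    + HOST_TAG
    + r"(?:\s+user=.*)?\s*$"
)
# Syslog date; fail2ban removes the date it recognised before matching failregex
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# Lines taken from the /var/log/secure excerpt earlier in this section
SECURE_LOG = [
    "Jun  9 03:35:33 kvm-vpn sshd[1709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbotrace.cmu.ac.th  user=root",
    "Jun  9 03:35:39 kvm-vpn sshd[1715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fibermap.cmu.ac.th",
    "Jun  9 14:20:40 kvm-vpn sshd[2972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67",
    "Jun  9 14:20:46 kvm-vpn sshd[2976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67  user=root",
    "Jun  9 17:04:33 kvm-vpn sshd[3310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=145.24.222.140  user=root",
    "Jun  9 17:45:38 kvm-vpn sshd[3391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188  user=root",
    "Jun  9 17:45:49 kvm-vpn sshd[3392]: Disconnecting: Too many authentication failures for root",
    "Jun  9 17:45:49 kvm-vpn sshd[3391]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188  user=root",
]


def strip_date(line):
    """Drop the syslog timestamp, leaving what failregex is applied to."""
    return SYSLOG_TS.sub("", line, count=1)


def matched_hosts(lines):
    """The <host> capture of every line the pam_unix regex matches, in log order."""
    hosts = []
    for line in lines:
        m = PAM_UNIX.search(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


def split_by_kind(hosts):
    """Separate IP literals (bannable as-is) from names fail2ban must resolve first."""
    ips, names = Counter(), Counter()
    for h in hosts:
        try:
            ipaddress.ip_address(h)
            ips[h] += 1
        except ValueError:
            names[h] += 1
    return dict(ips), dict(names)


def uncounted_failures(lines):
    """Lines that talk about authentication failures but that the regex leaves uncounted."""
    return [l for l in lines
            if "authentication failure" in l and not PAM_UNIX.search(strip_date(l))]


if __name__ == "__main__":
    hosts = matched_hosts(SECURE_LOG)
    ips, names = split_by_kind(hosts)
    print("IP literals:", ips)
    print("hostnames needing DNS:", names)
    for line in uncounted_failures(SECURE_LOG):
        print("not counted:", line)
```

The "PAM 5 more authentication failures" line is the one to watch: a client that keeps guessing inside a single SSH session produces one counted failure plus this summary line, so with maxretry = 5 such a session is not banned by this filter alone.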

- Configure the Fail2Ban parameter files for apache

  • Configuration to deal with the attacks seen against apache
  • /var/log/httpd/error_log shows messages like the following
    :
    [Sat Jun 30 04:09:24 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.8.3
    [Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.1
    [Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.2
    [Tue Nov 29 10:50:12 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/admin
    [Tue Nov 29 10:50:13 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/db
    [Mon Dec 19 01:58:52 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/common
    [Mon Dec 19 01:58:53 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/community
    [Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/pndegmsave.asp
    [Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/gmsave.asp
     :
  • Modify the /etc/fail2ban/filter.d/apache.conf definition file
    vi /etc/fail2ban/filter.d/apache.conf
    
    [Definition]
    _daemon = httpd
    failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl) 
    ignoreregex =
  • Enable [apache] in /etc/fail2ban/jail.conf
    vi /etc/fail2ban/jail.conf
    
    :
    [apache]
    
    enabled  = true
    filter   = apache
    action   = iptables-multiport[name=apache, port="http,https", protocol=tcp]
               sendmail-whois[name=apache, dest=root, [email protected]]
    logpath  = /var/log/httpd/errorlog
    maxretry = 3
    :
  • A preliminary check can be done with the following command; compare its output with what you see in errorlog by eye
    fail2ban-regex /var/log/httpd/errorlog /etc/fail2ban/filter.d/apache.conf
    
    
    

- Start the Fail2Ban service

[[email protected] ~]# service fail2ban start
Starting fail2ban:                                         [  確定  ]

[[email protected] ~]# chkconfig fail2ban on
[[email protected] ~]# chkconfig --list | grep fail2ban
fail2ban        0:關閉  1:關閉  2:開啟  3:開啟  4:開啟  5:開啟  6:關閉

  • If the date on the mail that is sent out turns into 1970-01-01, it is a locale problem with the mail date; the service can be started this way instead
    [[email protected] ~]# LANG=en_US /etc/init.d/fail2ban restart
    

- Check the Fail2Ban service status

[[email protected] ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap

- An actual ban case

  • /var/log/maillog
    :
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    :
  • Check with iptables --list
    Every 2.0s: iptables --list                                                                                                           Thu Jan 17 08:14:56 2013
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination
    DROP       all  --  198.24.142.139       anywhere
    RETURN     all  --  anywhere             anywhere
    
- What to do when the notification mail is dated 1970/1/1 08:00

  • This happens because versions after 0.6.1 use the locale's time format, which makes the mail header Date: come out like this
    :
    Subject: [Fail2Ban] dovecot-pop3imap: banned 60.248.245.177
    Date: �, 24  4� 2014 00:16:12 +0000
    From: Fail2Ban <[email protected]>
    :
  • So prefixing LANG=en_US when starting fail2ban fixes it, e.g.
    LANG=en_US /etc/init.d/fail2ban restart

    Or add export LANG=en_US directly in /etc/init.d/fail2ban

    #!/bin/bash
    #
    # chkconfig: 345 92 08
    # description: Fail2ban daemon
    #              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
    # process name: fail2ban-server
    #
    #
    # Author: Tyler Owen
    #
    
    export LANG=en_US
    
    # Source function library.
    . /etc/init.d/functions
    
    # Check that the config file exists
    :
    :
  • CentOS 6.x does not install the whois utility by default, so the mail that is sent out cannot include the registration information for the IP, e.g.
    :
    Here is more information about 92.59.24.231:
    
    missing whois program
    :
  • This can be fixed by installing jwhois manually
    yum install jwhois

Reference URLs

tech/dovecot_fail2ban.txt · Last modified: 2015/03/05 14:25 by jonathan