fail2ban
- Category: Computer-related
- Last Updated: Wednesday, 24 December 2014 10:53
- Published: Tuesday, 16 December 2014 11:53
- Written by sam
I have been using fail2ban for a long time, but only to block ssh.
This morning I found the postfix log scrolling non-stop with messages like these:
```
Dec 16 09:10:31 cacti postfix/smtpd[3973]: lost connection after AUTH from 79.108.193.88.dyn.user.ono.com[79.108.193.88]
Dec 16 09:10:31 cacti postfix/smtpd[3973]: disconnect from 79.108.193.88.dyn.user.ono.com[79.108.193.88]
Dec 16 09:10:31 cacti postfix/smtpd[3973]: connect from 79.108.193.88.dyn.user.ono.com[79.108.193.88]
Dec 16 09:10:32 cacti postfix/smtpd[3973]: warning: 79.108.193.88.dyn.user.ono.com[79.108.193.88]: SASL LOGIN authentication failed: authentication failure
```
So this time I am adding a "postfix" filter to the setup.
Environment for this write-up: CentOS, Postfix, Dovecot.
Install it first:
```
yum install fail2ban
```
Then edit fail2ban.conf (under /etc/fail2ban):
```
vi fail2ban.conf
```
and give logtarget its own file (by default the log goes into messages):
```
logtarget = /var/log/fail2banSam.log
```
Create the following three files in this directory so the jails can use them:
```
/etc/fail2ban/filter.d
```
```
[root@cacti filter.d]# cat dovecot-pop3imapsam.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
```
```
[root@cacti filter.d]# cat dovecot-mailsam.conf
[Definition]
# to test set up use this
# /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*
```
```
[root@cacti filter.d]# cat dovecot-securesam.conf
[Definition]
# to test set up use this
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
failregex = (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =
```
All of the above (the strings being matched) can be adjusted to taste.
The goal is to filter the records in /var/log/maillog,
so change the paths to wherever your own logs are written.
Next edit jail.conf:
```
[root@cacti fail2ban]# vi jail.conf
[root@cacti fail2ban]# pwd
/etc/fail2ban
```
Change dest to your own address (the other files will of course need adjusting as well before mail can actually go out):
```
# dest= below is a placeholder: put your own recipient address there
# This jail is Dovecot Pop3
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imapsam
action   = iptables-multiport[name=dovecot-pop3imap, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot, dest=you@example.com]
logpath  = /var/log/maillog
maxretry = 10
bantime  = 1200
findtime = 1200

[dovecot-secure]
enabled  = true
filter   = dovecot-securesam
action   = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-secure, dest=you@example.com]
logpath  = /var/log/secure
maxretry = 10
findtime = 600
bantime  = 7200

[dovecot-mail]
enabled  = true
filter   = dovecot-mailsam
action   = iptables-multiport[name=dovecot-mail, port="smtp,pop3,imap", protocol=tcp]
           sendmail-whois[name=Dovecot-Mail, dest=you@example.com]
logpath  = /var/log/maillog
maxretry = 10
findtime = 600
# Ban time is in seconds. 60 * 60 = 3600 seconds = 1hr. * 2 = 7200 seconds
bantime  = 7200
```
Also change the sender/reply address (the addresses below are placeholders):
```
[root@cacti action.d]# pwd
/etc/fail2ban/action.d
[root@cacti action.d]# cat sendmail-common.conf
# Fail2Ban configuration file
#
# Common settings for sendmail actions
#
# Users can override the defaults in sendmail-common.local

[INCLUDES]
after = sendmail-common.local

[Init]
# Recipient mail address
#
dest = you@example.com
# Sender mail address
#
sender = fail2ban@example.com
# Sender display name
#
sendername = Fail2Ban
```
Start it:
```
service fail2ban start
```
Enable it at boot:
```
chkconfig fail2ban on
```
Check the running status; you can see the three jails:
```
[root@cacti fail2ban]# fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:           dovecot-pop3imap, dovecot-mail, dovecot-secure
```
For the details of one jail, use:
```
[root@cacti fail2ban]# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
```
If everything works, you will receive mail like the following when the service starts.
#20141224 update: set the IPs that are not counted (whitelist)
```
[root@cacti fail2ban]# cat jail.conf |grep ignoreip
ignoreip = 127.0.0.1/8 192.168.1.16
```
Just edit that line.
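To check what these jails will actually do before restarting the service, here is an added example (my own code, not part of the original post or of fail2ban) that runs the three failregex/ignoreregex patterns from the filter files, the ignoreip whitelist, and the maxretry/findtime logic of jail.conf over constructed log lines. The sample addresses, user names and PAM line are made up for the test; it also shows that the postfix smtpd SASL line quoted at the top matches none of the three filters, since it carries no rip= or rhost= field.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime
# failregex / ignoreregex copied from the three filter files above; fail2ban hands them to
# Python's re module, so they can be exercised here without fail2ban-regex.
FILTERS = {
    "dovecot-pop3imapsam": (r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*", None),
    "dovecot-mailsam": (r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*", r"(?: Disconnected: Logged out).*"),
    "dovecot-securesam": (r"(?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)", None),
}
# ignoreip from the jail.conf grep at the end of the post (127.0.0.1/8 needs strict=False).
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.1.16")]
# Constructed sample lines (not real traffic): ten failures from one address inside a minute
# (one with dovecot's ::ffff: prefix), a stray failure, a normal logout, one from the whitelisted
# LAN host, the postfix SASL line quoted at the top, and one PAM line as seen in /var/log/secure.
SAMPLE_MAILLOG = [
    f"Dec 16 09:10:{i:02d} cacti dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    f"user=<bob>, method=PLAIN, rip={'::ffff:' if i == 5 else ''}198.51.100.7, lip=192.0.2.10"
    for i in range(10)
] + [
    "Dec 16 09:11:02 cacti dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10",
    "Dec 16 09:11:10 cacti dovecot: imap-login: Disconnected: Logged out: user=<carol>, method=PLAIN, rip=203.0.113.44, lip=192.0.2.10",
    "Dec 16 09:11:20 cacti dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<sam>, method=PLAIN, rip=192.168.1.16, lip=192.0.2.10",
    "Dec 16 09:10:32 cacti postfix/smtpd[3973]: warning: 79.108.193.88.dyn.user.ono.com[79.108.193.88]: SASL LOGIN authentication failed: authentication failure",
]
SAMPLE_SECURE = ["Dec 16 09:12:00 cacti dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7"]
def extract_host(filter_name, line):
    """Address a line charges a failure to, or None if unmatched, ignored or whitelisted."""
    failregex, ignoreregex = FILTERS[filter_name]
    if ignoreregex and re.search(ignoreregex, line):
        return None
    m = re.search(failregex, line)
    # rip=/rhost= always carry an address in these logs, so ip_address() will not raise here
    if not m or any(ipaddress.ip_address(m.group("host")) in net for net in IGNOREIP):
        return None
    return m.group("host")
def hosts_to_ban(filter_name, lines, maxretry=10, findtime=600):
    """Addresses with at least maxretry matches inside some findtime-second window."""
    stamps = defaultdict(list)
    for line in lines:
        host = extract_host(filter_name, line)
        if host:  # syslog timestamps carry no year; 2014 assumed for the sample
            stamps[host].append(datetime.strptime("2014 " + line[:15], "%Y %b %d %H:%M:%S"))
    banned = set()
    for host, ts in stamps.items():
        ts.sort()
        if any((ts[i + maxretry - 1] - ts[i]).total_seconds() <= findtime for i in range(len(ts) - maxretry + 1)):
            banned.add(host)
    return banned
```

Note how the same ten failures ban 198.51.100.7 under dovecot-mailsam but not under dovecot-pop3imapsam: the latter does not strip the ::ffff: prefix, so the mapped form is counted as a separate host.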