====== Setting up Fail2Ban to block brute-force attacks against dovecot / sendmail / bind / openvpn / ssh / apache ======
A few days ago, while reading maillog, I noticed a flood of POP3/IMAP login attempts from one particular IP, scanning for account names. I blocked that source by adding an iptables rule by hand, but a few days later the same behaviour showed up from a different IP, so I went looking for a tool somebody had already written to do this blocking automatically.
===== - Install Fail2Ban =====
<code>
[root@xen-mail ~]# yum install fail2ban
:
================================================================================
 Package           Arch         Version              Repository      Size
================================================================================
Installing:
 fail2ban          noarch       0.8.2-3.el5.rf       rpmforge       125 k
:
</code>
===== - Edit the Fail2Ban main configuration file =====
<code>
vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:
</code>
===== - Configure Fail2Ban for dovecot =====
<code>
vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
# the named group "host" is what Fail2Ban bans; it strips the ::ffff: IPv4-mapped prefix first
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
# a normal logout also says "Disconnected", so it must be excluded explicitly
ignoreregex = (?: Disconnected: Logged out).*
</code>
<code>
vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=root, sender=tryweb@ichiayi.com]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
</code>
  * Create the /etc/fail2ban/filter.d/dovecot-pop3imap.conf filter definition
  * Add the [dovecot-pop3imap] jail to /etc/fail2ban/jail.conf
  * Adjust the notification parameters of the action in [dovecot-pop3imap]: dest (recipient) and sender (sender address)
===== - Configure Fail2Ban for bind =====
  * The goal is to block the DDoS pattern of mass ANY queries for ripe.net / isc.org / 1rip.com
  * named.log shows entries like the following:
<code>
:
28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
</code>
<code>
vi /etc/named.conf
:
logging {
    channel Named_log {
        file "/var/log/named/named.log" versions unlimited;
        severity info;
        print-severity yes;
        print-time yes;
    };
    category default  { Named_log; };
    category xfer-out { Named_log; };
    category queries  { Named_log; };
:
:
</code>
  * Edit the /etc/fail2ban/filter.d/named-refused.conf filter definition
<code>
vi /etc/fail2ban/filter.d/named-refused.conf
:
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
# match ANY queries for the domains abused in the amplification attack (dots escaped so they are literal)
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe\.net|isc\.org|1rip\.com) IN ANY \+ED*
# Option: ignoreregex
:
</code>
  * Enable [named-refused-udp] in /etc/fail2ban/jail.conf
<code>
vi /etc/fail2ban/jail.conf
:
[named-refused-udp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,53", protocol=udp]
         sendmail-whois[name=Named, dest=tryweb@ichiayi.com]
#logpath = /var/log/named/security.log
logpath = /var/log/named/named.log
# a bare address exempts only that one host; use 192.168.11.0/24 to exempt the whole subnet
ignoreip = 192.168.11.0
bantime = 3600
:
</code>
===== - Configure Fail2Ban for sendmail =====
  * Deals with the SMTP attacks against sendmail that showed up
  * /var/log/secure shows messages like the following
<code>
:
Jun  3 16:31:55 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar
Jun  3 16:32:06 hp-mail saslauthd[3357]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar
Jun  3 16:32:21 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar
Jun  3 16:32:28 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar
:
</code>
  * /var/log/maillog shows messages like the following
<code>
:
Jun  3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
:
</code>
  * Edit the /etc/fail2ban/filter.d/sendmail-smtp.conf filter definition
<code>
vi /etc/fail2ban/filter.d/sendmail-smtp.conf
[Definition]
# <HOST> is Fail2Ban's placeholder for the client address; continuation lines must be indented
failregex = \[<HOST>\] .*to MTA
            \[<HOST>\], reject.*\.\.\. Relaying denied
            \[<HOST>\] \(may be forged\)
ignoreregex =
</code>
  * Enable [sendmail-smtp] in /etc/fail2ban/jail.conf
<code>
vi /etc/fail2ban/jail.conf
:
[sendmail-smtp]
enabled = true
filter = sendmail-smtp
action = iptables-multiport[name=sendmail-smtp, port="smtp", protocol=tcp]
         sendmail-whois[name=sendmail-smtp, dest=tryweb@ichiayi.com, sender=jonathan@everplast.net]
logpath = /var/log/maillog
maxretry = 5
findtime = 1200
bantime = 12000
:
</code>
  * A first check can be done with the following command; compare its result with what you see by eye in maillog
<code>
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail-smtp.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sendmail-smtp.conf
Use log file   : /var/log/maillog

Results
=======

Failregex: 1853 total
|-  #) [# of hits] regular expression
|   1) [1450] \[<HOST>\] .*to MTA
|   2) [3] \[<HOST>\], reject.*\.\.\. Relaying denied
|   3) [400] \[<HOST>\] \(may be forged\)
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    92.222.133.43 (Sun Jun 01 05:01:27 2014)
    92.222.133.43 (Sun Jun 01 05:28:26 2014)
    92.222.133.43 (Sun Jun 01 05:47:26 2014)
    92.222.133.43 (Sun Jun 01 06:30:26 2014)
:
:
    95.81.228.63 (Tue Jun 03 17:54:08 2014)
    204.44.123.253 (Tue Jun 03 18:02:06 2014)
    222.124.108.103 (Tue Jun 03 18:09:12 2014)

Date template hits:
163550 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 1853

However, look at the above section 'Running tests' which could contain important
information.
</code>
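The dovecot, bind and sendmail jails above all depend on the same mechanism: every failregex has to capture the client address through the <HOST> placeholder (or its own "host" group), lines matching ignoreregex are discarded, a host in ignoreip is never counted, and a host gets banned once it accumulates maxretry matches inside findtime. The Python script below is an added example written for this page, not Fail2Ban's own code; it emulates that mechanism with the three filters exactly as defined above, run over constructed log lines modelled on the ones quoted here (the addresses and timestamps are made up), and also shows why "ignoreip = 192.168.11.0" exempts only that single address rather than the whole LAN. The <HOST> expansion is the one Fail2Ban 0.8 uses; the optional %(__line_prefix)s of the stock named-refused filter is left out because it only matches a syslog prefix that named.log lines do not carry.

```python
# Emulation of how a Fail2Ban 0.8 jail evaluates a log (<HOST> expansion, failregex/ignoreregex,
# ignoreip, maxretry within findtime). Added example for this page; not Fail2Ban's own code.
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Fail2Ban substitutes this named group for the <HOST> placeholder in a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Timestamp formats in the logs on this page: syslog (no year) and BIND's named.log.
DATE_FORMATS = [
    (re.compile(r"^(?P<d>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"), "%b %d %H:%M:%S", True),
    (re.compile(r"^(?P<d>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)"), "%d-%b-%Y %H:%M:%S", False),
]

def parse_time(line, default_year=2013):
    """Return the line's timestamp as epoch seconds; year-less syslog lines get default_year."""
    for rx, fmt, no_year in DATE_FORMATS:
        if m := rx.match(line):
            dt = datetime.strptime(m.group("d"), fmt)
            return (dt.replace(year=default_year) if no_year else dt).timestamp()
    raise ValueError("no recognised timestamp: " + line)

def run_jail(lines, failregex, ignoreregex=(), maxretry=3, findtime=600, ignoreip=()):
    """Return {host: ban_time} for each host that reaches maxretry matches inside findtime."""
    fail = [re.compile(p.replace("<HOST>", HOST_RE)) for p in failregex]
    ignore = [re.compile(p) for p in ignoreregex]
    # A bare address in ignoreip parses as a /32: it exempts that one host, not its subnet.
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # host -> match times still inside the findtime window
    banned = {}
    for line in lines:
        if any(rx.search(line) for rx in ignore):
            continue
        for rx in fail:
            if not (m := rx.search(line)):
                continue
            host = m.group("host")
            try:
                if any(ipaddress.ip_address(host) in n for n in nets):
                    break
            except ValueError:
                pass  # a hostname: Fail2Ban would resolve it, this emulation just counts it
            ts = parse_time(line)
            window = recent[host]
            window.append(ts)
            while ts - window[0] > findtime:
                window.popleft()
            if len(window) >= maxretry and host not in banned:
                banned[host] = ts
            break  # like Fail2Ban, the first matching failregex settles the line
    return banned

# The filters as defined on this page (named-refused without its optional %(__line_prefix)s).
DOVECOT_FILTER = dict(
    failregex=[r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"],
    ignoreregex=[r"(?: Disconnected: Logged out).*"],
)
SENDMAIL_FILTER = dict(failregex=[r"\[<HOST>\] .*to MTA",
                                  r"\[<HOST>\], reject.*\.\.\. Relaying denied",
                                  r"\[<HOST>\] \(may be forged\)"])
NAMED_FILTER = dict(failregex=[r"client <HOST>#.+: query: (ripe\.net|isc\.org|1rip\.com) IN ANY \+ED*"])

# Constructed sample logs modelled on the lines quoted on this page (addresses and times made up).
DOVECOT_LOG = [
    f"Jan 17 08:11:{40 + i // 5} hp-mail dovecot: pop3-login: Aborted login: user=<>, "
    "method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9" for i in range(20)
] + [  # a genuine user: one failed login, then a normal logout that ignoreregex discards
    "Jan 17 08:12:01 hp-mail dovecot: pop3-login: Aborted login: user=<alice>, "
    "method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:220.130.139.9",
    "Jan 17 08:12:05 hp-mail dovecot: pop3-login: Disconnected: Logged out: user=<alice>, "
    "rip=::ffff:203.0.113.7, lip=::ffff:220.130.139.9",
]
SENDMAIL_LOG = [
    f"Jun 3 16:31:{6 + 8 * i:02d} hp-mail sendmail[18{57 + i}]: s538V2ge0018{57 + i}: "
    "[114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" for i in range(5)
] + [  # one relay rejection from another host: hit by the second regex, but below maxretry
    "Jun 3 16:40:12 hp-mail sendmail[1900]: s538e1ge001900: ruleset=check_rcpt, "
    "arg1=<bob@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <bob@example.net>... Relaying denied",
]
NAMED_LOG = [
    f"28-Jun-2013 15:40:2{i}.888 info: client 67.220.66.3#4011{i}: view external: "
    "query: 1rip.com IN ANY +E (192.168.11.242)" for i in range(3)
] + [  # the server's own LAN: with ignoreip = 192.168.11.0 these are still counted
    f"28-Jun-2013 15:41:0{i}.100 info: client 192.168.11.242#5300{i}: view external: "
    "query: isc.org IN ANY +E (192.168.11.242)" for i in range(3)
]

def dovecot_bans():
    return sorted(run_jail(DOVECOT_LOG, maxretry=20, findtime=1200, **DOVECOT_FILTER))

def sendmail_bans():
    return sorted(run_jail(SENDMAIL_LOG, maxretry=5, findtime=1200, **SENDMAIL_FILTER))

def named_bans(ignoreip=("192.168.11.0",)):
    return sorted(run_jail(NAMED_LOG, maxretry=3, findtime=600, ignoreip=ignoreip, **NAMED_FILTER))
```

With the jail parameters from this page, dovecot_bans() returns only the scanner 198.24.142.139 (alice's single failure stays under maxretry and her logout is ignored), sendmail_bans() returns 114.97.113.212, and named_bans() returns both 67.220.66.3 and the LAN host 192.168.11.242; passing ("192.168.11.0/24",) as ignoreip drops the LAN host, which is what the bare address in the jail above does not do.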
===== - Configure Fail2Ban for openvpn =====
  * Deals with the attacks on openvpn that showed up
  * /etc/openvpn/openvpn.log shows messages like the following
<code>
:
Tue Jun 10 18:57:41 2014 176.114.32.92:3509 WARNING: Bad encapsulated packet length from peer (36695), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Tue Jun 10 19:00:43 2014 58.60.243.60:26629 WARNING: Bad encapsulated packet length from peer (6598), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
:
</code>
  * Edit the /etc/fail2ban/filter.d/openvpn.conf filter definition
<code>
vi /etc/fail2ban/filter.d/openvpn.conf
[Definition]
# the peer address precedes the source port in OpenVPN's log lines
failregex = <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]
ignoreregex =
</code>
  * Enable [openvpn] in /etc/fail2ban/jail.conf
<code>
vi /etc/fail2ban/jail.conf
:
[openvpn]
enabled = true
filter = openvpn
action = iptables-multiport[name=openvpn, port="https", protocol=tcp]
         sendmail-whois[name=openvpn, dest=tryweb@ichiayi.com, sender=tryweb@ichiayi.com]
logpath = /etc/openvpn/openvpn.log
maxretry = 3
findtime = 1200
bantime = 12000
:
</code>
  * A first check can be done with the following command; compare its result with what you see by eye in openvpn.log
<code>
fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/openvpn.conf
Use log file       : /etc/openvpn/openvpn.log

Results
=======

Failregex: 11401 total
|-  #) [# of hits] regular expression
|   1) [11401] <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [436556] WEEKDAY MONTH Day Hour:Minute:Second Year
`-

Lines: 436556 lines, 0 ignored, 11401 matched, 425155 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 425155 lines
</code>
===== - Configure Fail2Ban for sshd =====
  * Deals with the attacks on sshd that showed up
  * /var/log/secure shows messages like the following
<code>
:
Jun  9 03:35:33 kvm-vpn sshd[1709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbotrace.cmu.ac.th user=root
Jun  9 03:35:36 kvm-vpn sshd[1712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=m.jumbomap.cmu.ac.th user=root
Jun  9 03:35:39 kvm-vpn sshd[1715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fibermap.cmu.ac.th
Jun  9 03:35:42 kvm-vpn sshd[1717]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbomap.cmu.ac.th
Jun  9 03:35:46 kvm-vpn sshd[1719]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=register.jumbo.cmu.ac.th
Jun  9 08:44:57 kvm-vpn sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net
Jun  9 08:45:01 kvm-vpn sshd[2312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net
Jun  9 14:20:40 kvm-vpn sshd[2972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67
Jun  9 14:20:43 kvm-vpn sshd[2974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67
Jun  9 14:20:46 kvm-vpn sshd[2976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun  9 14:20:48 kvm-vpn sshd[2979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun  9 14:20:52 kvm-vpn sshd[2982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun  9 14:20:54 kvm-vpn sshd[2985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun  9 14:20:57 kvm-vpn sshd[2988]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun  9 14:21:01 kvm-vpn sshd[2991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root
Jun  9 17:04:33 kvm-vpn sshd[3310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=145.24.222.140 user=root
Jun  9 17:45:38 kvm-vpn sshd[3391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188 user=root
Jun  9 17:45:49 kvm-vpn sshd[3392]: Disconnecting: Too many authentication failures for root
Jun  9 17:45:49 kvm-vpn sshd[3391]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188 user=root
Jun 10 01:05:26 kvm-vpn sshd[4286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.217 user=root
Jun 10 01:05:39 kvm-vpn sshd[4287]: Disconnecting: Too many authentication failures for root
:
</code>
  * Edit the /etc/fail2ban/filter.d/sshd.conf filter definition
<code>
vi /etc/fail2ban/filter.d/sshd.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd

# every pattern must contain <HOST>, which Fail2Ban replaces with the address-capturing group
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sBad protocol version identification .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
ignoreregex =
</code>
  * Enable [ssh-iptables] in /etc/fail2ban/jail.conf
<code>
vi /etc/fail2ban/jail.conf
:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root]
logpath = /var/log/secure
maxretry = 5
:
</code>
  * A first check can be done with the following command; compare its result with what you see by eye in /var/log/secure
<code>
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/secure

Results
=======

Failregex: 9 total
|-  #) [# of hits] regular expression
|   3) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
|   5) [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|   8) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|   9) [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[3]
    10.10.20.89 (Mon Jun 09 18:09:58 2014)
    10.10.20.1 (Wed Jun 11 10:04:53 2014)
[5]
    10.10.20.1 (Wed Jun 11 10:04:49 2014)
[8]
    10.10.20.89 (Mon Jun 09 18:09:56 2014)
    10.10.20.1 (Wed Jun 11 10:04:50 2014)
[9]
    10.10.20.1 (Tue Jun 10 10:17:32 2014)
    10.10.20.1 (Tue Jun 10 10:17:45 2014)
    10.10.20.1 (Tue Jun 10 15:30:07 2014)
    10.10.20.1 (Tue Jun 10 17:27:29 2014)

Date template hits:
449 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 9

However, look at the above section 'Running tests' which could contain important information.
</code>
===== - Configure Fail2Ban for apache =====
  * Deals with the attacks on apache that showed up
  * /var/log/httpd/error_log shows messages like the following
<code>
:
[Sat Jun 30 04:09:24 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.8.3
[Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.1
[Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.2
[Tue Nov 29 10:50:12 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/admin
[Tue Nov 29 10:50:13 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/db
[Mon Dec 19 01:58:52 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/common
[Mon Dec 19 01:58:53 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/community
[Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/pndegmsave.asp
[Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/gmsave.asp
:
</code>
  * Edit the /etc/fail2ban/filter.d/apache.conf filter definition
<code>
vi /etc/fail2ban/filter.d/apache.conf
[Definition]
_daemon = httpd
# "[client <HOST>]" captures the address; the alternation lists paths that scanners probe for
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
ignoreregex =
</code>
  * Enable [apache] in /etc/fail2ban/jail.conf
<code>
vi /etc/fail2ban/jail.conf
:
[apache]
enabled = true
# the filter name must match the file created above, filter.d/apache.conf
filter = apache
action = iptables-multiport[name=apache, port="http,https", protocol=tcp]
         sendmail-whois[name=apache, dest=root, sender=tryweb@ichiayi.com]
logpath = /var/log/httpd/errorlog
maxretry = 3
:
</code>
  * A first check can be done with the following command; compare its result with what you see by eye in errorlog
<code>
fail2ban-regex /var/log/httpd/errorlog /etc/fail2ban/filter.d/apache.conf
</code>
===== - Start the Fail2Ban service =====
<code>
[root@xen-mail ~]# service fail2ban start
Starting fail2ban:                                         [  確定  ]
[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban        0:關閉  1:關閉  2:開啟  3:開啟  4:開啟  5:開啟  6:關閉
</code>
  * If the date of the notification mails comes out as 1970-01-01, the mail date is being generated in the wrong locale; start the service this way instead
<code>
[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
</code>
===== - Check the Fail2Ban service status =====
<code>
[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap
</code>
===== - A real ban in action =====
  * /var/log/maillog
<code>
:
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:
</code>
  * Check with iptables --list (run here under watch)
<code>
Every 2.0s: iptables --list                                   Thu Jan 17 08:14:56 2013

Chain INPUT (policy ACCEPT)
target                     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
ACCEPT                     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT                     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT                     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT                     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  198.24.142.139       anywhere
RETURN     all  --  anywhere             anywhere
</code>
**What to do when the notification mail is dated 1970/1/1 08:00**
  * Versions after 0.6.1 build the time in the current locale, so the mail's Date: header comes out like this:
<code>
:
Subject: [Fail2Ban] dovecot-pop3imap: banned 60.248.245.177
Date: �, 24 4� 2014 00:16:12 +0000
From: Fail2Ban
:
</code>
  * So prefixing LANG=en_US when starting fail2ban is enough to fix it, e.g.
<code>
LANG=en_US /etc/init.d/fail2ban restart
</code>
Or add export LANG=en_US directly to /etc/init.d/fail2ban:
<code>
#!/bin/bash
#
# chkconfig: 345 92 08
# description: Fail2ban daemon
#              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
# process name: fail2ban-server
#
#
# Author: Tyler Owen
#

export LANG=en_US

# Source function library.
. /etc/init.d/functions

# Check that the config file exists
:
:
</code>
  * CentOS 6.x does not install the whois utility by default, so the notification mail cannot include the registration details of the IP, e.g.
<code>
:
Here is more information about 92.59.24.231:
missing whois program
:
</code>
  * Installing jwhois by hand fixes this
<code>
yum install jwhois
</code>
===== References =====
* [[http://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package|Blocking a DNS DDOS using the fail2ban package]]
* [[http://richardjh.org/blog/blocking-brute-force-attacks-to-dovecot-on-centos/|Blocking brute force attacks to Dovecot on CentOS]]
* http://blog.xuite.net/pippeng/blog/63675336
* http://www.fail2ban.org/wiki/index.php/FAQ_english
* http://forums.freebsd.org/archive/index.php/t-35896.html
* http://www.howtoforge.com/forums/archive/index.php/t-53104.html
* http://www.the-art-of-web.com/system/fail2ban-sendmail/
* http://www.fail2ban.org/wiki/index.php/OpenVPN
* http://www.fail2ban.org/wiki/index.php/Apache
{{tag>郵件 fail2ban dovecot sendmail bind named openvpn sshd apache}}