tech:dovecot_fail2ban [2014/06/03 17:13] – [- Configuring the Fail2Ban parameters for smtp] jonathan | tech:dovecot_fail2ban [2021/01/16 14:40] (current version) – plugin replaced jonathan |
| ====== Configuring Fail2Ban to block brute-force attacks on dovecot / sendmail / bind / openvpn / ssh / apache ====== |
| A few days ago, while checking maillog, I noticed a flood of pop3/imap login attempts from one particular IP scanning for accounts. I added an iptables rule by hand to block that source IP, but a few days later the same behaviour showed up again from a different IP, so I went looking online for a tool that already automates this kind of blocking. |
| |
| ===== - Installing Fail2Ban ===== |
| <cli> |
| [root@xen-mail ~]# yum install fail2ban |
| : |
| ================================================================================ |
| Package Arch Version Repository Size |
| ================================================================================ |
| Installing: |
| fail2ban noarch 0.8.2-3.el5.rf rpmforge 125 k |
| |
| : |
| </cli> |
| |
| ===== - Configuring the Fail2Ban configuration file ===== |
| <cli> |
| vi /etc/fail2ban/fail2ban.conf |
| : |
| logtarget = /var/log/fail2ban.log |
| : |
| </cli> |
| |
| ===== - Configuring the Fail2Ban parameters for dovecot ===== |
| <cli> |
| vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf |
| </cli> |
| <file> |
| [Definition] |
| failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.* |
| ignoreregex = (?: Disconnected: Logged out).* |
| </file> |
| |
| <cli> |
| vi /etc/fail2ban/jail.conf |
| : |
| : |
| [dovecot-pop3imap] |
| enabled = true |
| filter = dovecot-pop3imap |
| action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] |
| sendmail-whois[name=dovecot-pop3imap, dest=root, [email protected]] |
| logpath = /var/log/maillog |
| maxretry = 20 |
| findtime = 1200 |
| bantime = 1200 |
| </cli> |
| <note> |
| * Add the /etc/fail2ban/filter.d/dovecot-pop3imap.conf filter definition |
| * Add the [dovecot-pop3imap] section to /etc/fail2ban/jail.conf |
| * Adjust the notification parameters of the action in [dovecot-pop3imap]: dest (recipient) and sender (sender address) |
| </note> |
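The [dovecot-pop3imap] jail above works by counting failregex matches per remote host inside a findtime window and banning the host once maxretry failures accumulate, while ignoreregex drops lines that look like failures but are not, and ignoreip exempts trusted sources. The following Python program is an added example (not fail2ban's own code and not from this wiki page) that reproduces that decision logic with the page's dovecot filter and jail values over a constructed maillog excerpt. The ignoreip list 192.168.11.0/24, the log year 2013 and every sample log line are assumptions made for the example.

```python
"""Added example: how a fail2ban jail turns filter matches into bans.

Re-implements (in simplified form, not fail2ban's own code) the evaluation of
failregex / ignoreregex / ignoreip / findtime / maxretry for the page's
dovecot-pop3imap jail.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Filter and jail settings copied from the page's dovecot-pop3imap configuration.
FAILREGEX = (r"(?: Authentication failure|Aborted login|Disconnected)"
             r".*rip=(?:::f{4,6}:)?(?P<host>\S*),.*")
IGNOREREGEX = r"(?: Disconnected: Logged out).*"
MAXRETRY = 20
FINDTIME = 1200  # seconds

# Assumed ignore list for this example. Note that a bare address such as the
# page's "ignoreip = 192.168.11.0" only exempts that single host; to exempt the
# whole subnet the entry has to carry a mask, as here.
IGNOREIP = ["192.168.11.0/24"]

LOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the constructed sample


def parse_time(line):
    """Parse the 'Mon DD HH:MM:SS' syslog prefix of a maillog line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def failures(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Yield (timestamp, host) for lines matching failregex but not ignoreregex."""
    fail, ignore = re.compile(failregex), re.compile(ignoreregex)
    for line in lines:
        m = fail.search(line)
        if m and not ignore.search(line):
            yield parse_time(line), m.group("host")


def is_ignored(host, ignoreip):
    """True if host lies inside any address or network listed in ignoreip."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # host names are not exempted by this simplified check
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return {host: time of ban} using a sliding findtime window per host."""
    recent = defaultdict(deque)
    bans = {}
    for ts, host in failures(lines):
        if host in bans or is_ignored(host, ignoreip):
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


def _line(ts, event, user, rip):
    """Build one constructed dovecot maillog line in the page's format."""
    return (f"{ts} hp-mail dovecot: pop3-login: {event}: user=<{user}>, "
            f"method=PLAIN, rip=::ffff:{rip}, lip=::ffff:220.130.139.9")


def sample_log():
    """Constructed maillog excerpt exercising each rule of the jail."""
    lines = []
    # 22 aborted logins from one host within 22 seconds: crosses maxretry=20.
    for i in range(22):
        lines.append(_line(f"Jan 17 08:11:{10 + i:02d}", "Aborted login", f"user{i}", "198.24.142.139"))
    # A normal logout matches failregex but is excluded by ignoreregex.
    lines.append(_line("Jan 17 08:11:40", "Disconnected: Logged out", "alice", "203.0.113.5"))
    # 22 failures from an ignoreip host: never banned.
    for i in range(22):
        lines.append(_line(f"Jan 17 08:12:{i:02d}", "Aborted login", "bob", "192.168.11.7"))
    # 19 failures in a burst, then one 40 minutes later: window expired, no ban.
    for i in range(19):
        lines.append(_line(f"Jan 17 08:13:{i:02d}", "Authentication failure", "carol", "203.0.113.9"))
    lines.append(_line("Jan 17 08:53:00", "Authentication failure", "carol", "203.0.113.9"))
    return lines


if __name__ == "__main__":
    for host, when in find_bans(sample_log()).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Running it bans only 198.24.142.139, at the 20th failure (08:11:29); the ignoreregex line, the ignoreip host and the host whose burst fell outside findtime produce no ban. Lowering maxretry or raising findtime in the call to find_bans shows how quickly the trade-off between catching slow scans and banning a user who mistypes a password shifts.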
| |
| ===== - Configuring the Fail2Ban parameters for bind ===== |
| <note> |
| * The aim is to block the DDoS technique that floods the server with queries for ripe.net / isc.org / 1rip.com |
| * named.log shows entries like the following:<code> |
| : |
| 28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242) |
| 28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242) |
| 28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242) |
| : |
| 28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242) |
| 28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242) |
| 28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242) |
| : |
| </code> |
| </note> |
| <cli> |
| vi /etc/named.conf |
| </cli><file> |
| : |
| logging { |
| channel Named_log { |
| file "/var/log/named/named.log" versions unlimited; |
| severity info; |
| print-severity yes; |
| print-time yes; }; |
| category default {Named_log; }; |
| category xfer-out {Named_log; }; |
| category queries {Named_log; }; |
| : |
| : |
| </file> |
| |
| * Modify the /etc/fail2ban/filter.d/named-refused.conf filter definition<cli> |
| vi /etc/fail2ban/filter.d/named-refused.conf |
| </cli><file> |
| : |
| # Option: failregex |
| # Notes.: regex to match the password failures messages in the logfile. |
| # Values: TEXT |
| # |
| #failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$ |
| failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED* |
| |
| # Option: ignoreregex |
| : |
| </file> |
| * Enable [named-refused-udp] in /etc/fail2ban/jail.conf <cli> |
| vi /etc/fail2ban/jail.conf |
| </cli><file> |
| : |
| [named-refused-udp] |
| |
| enabled = true |
| filter = named-refused |
| action = iptables-multiport[name=Named, port="domain,53", protocol=udp] |
| sendmail-whois[name=Named, [email protected]] |
| #logpath = /var/log/named/security.log |
| logpath = /var/log/named/named.log |
| ignoreip = 192.168.11.0 |
| bantime = 3600 |
| : |
| </file> |
| |
| ===== - Configuring the Fail2Ban parameters for sendmail ===== |
| <note> |
| * Configuration to deal with the smtp attacks observed against sendmail |
| * /var/log/secure shows messages like the following<file> |
| : |
| Jun 3 16:31:55 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar |
| Jun 3 16:32:06 hp-mail saslauthd[3357]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar |
| Jun 3 16:32:21 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar |
| Jun 3 16:32:28 hp-mail saslauthd[3356]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=everstar |
| : |
| </file> |
| * /var/log/maillog shows messages like the following<file> |
| : |
| Jun 3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA |
| Jun 3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA |
| : |
| </file> |
| </note> |
| |
| * Modify the /etc/fail2ban/filter.d/sendmail-smtp.conf filter definition<cli> |
| vi /etc/fail2ban/filter.d/sendmail-smtp.conf |
| </cli><file> |
| [Definition] |
| failregex = \[<HOST>\] .*to MTA |
| \[<HOST>\], reject.*\.\.\. Relaying denied |
| \[<HOST>\] \(may be forged\) |
| ignoreregex = |
| </file> |
| |
| * Enable [sendmail-smtp] in /etc/fail2ban/jail.conf <cli> |
| vi /etc/fail2ban/jail.conf |
| </cli><file> |
| : |
| [sendmail-smtp] |
| enabled = true |
| filter = sendmail-smtp |
| action = iptables-multiport[name=sendmail-smtp, port="smtp", protocol=tcp] |
| sendmail-whois[name=sendmail-smtp, [email protected], [email protected]] |
| logpath = /var/log/maillog |
| maxretry = 5 |
| findtime = 1200 |
| bantime = 12000 |
| : |
| </file> |
| |
| <note> |
| * You can run a preliminary test with the following command and compare the result with what you see in maillog <cli> |
| fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail-smtp.conf |
| </cli><file> |
| Running tests |
| ============= |
| |
| Use regex file : /etc/fail2ban/filter.d/sendmail-smtp.conf |
| Use log file : /var/log/maillog |
| |
| |
| Results |
| ======= |
| |
| Failregex: 1853 total |
| |- #) [# of hits] regular expression |
| | 1) [1450] \[<HOST>\] .*to MTA |
| | 2) [3] \[<HOST>\], reject.*\.\.\. Relaying denied |
| | 3) [400] \[<HOST>\] \(may be forged\) |
| `- |
| |
| Ignoreregex: 0 total |
| |
| Summary |
| ======= |
| |
| Addresses found: |
| [1] |
| 92.222.133.43 (Sun Jun 01 05:01:27 2014) |
| 92.222.133.43 (Sun Jun 01 05:28:26 2014) |
| 92.222.133.43 (Sun Jun 01 05:47:26 2014) |
| 92.222.133.43 (Sun Jun 01 06:30:26 2014) |
| : |
| : |
| 95.81.228.63 (Tue Jun 03 17:54:08 2014) |
| 204.44.123.253 (Tue Jun 03 18:02:06 2014) |
| 222.124.108.103 (Tue Jun 03 18:09:12 2014) |
| |
| Date template hits: |
| 163550 hit(s): MONTH Day Hour:Minute:Second |
| |
| Success, the total number of match is 1853 |
| |
| However, look at the above section 'Running tests' which could contain important |
| information. |
| </file> |
| </note> |
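As an added example, not the page's or fail2ban's own code, the following Python script re-creates the core of what fail2ban-regex does above: it expands <HOST> in the page's sendmail-smtp failregex lines, tries each expression in order against every log line (the first match wins, as in fail2ban), and reports per-expression hit counts and matched addresses in the same layout as the output shown. The HOST_PATTERN stand-in for fail2ban's <HOST> expansion and the five sample maillog lines are constructed for the example; the two "did not issue" lines reuse the page's own format.

```python
"""Added example: a small fail2ban-regex work-alike for checking a filter."""
import re

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>
# (optional IPv4-mapped prefix, then a host name or address). Assumption for this example.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w.\-]+)"

# failregex lines from the page's sendmail-smtp.conf
SENDMAIL_FAILREGEX = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"\[<HOST>\] \(may be forged\)",
]

# Constructed maillog excerpt in sendmail's log format; addresses are documentation ranges.
SAMPLE_MAILLOG = [
    "Jun  3 16:31:06 hp-mail sendmail[1857]: s538V2ge001857: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jun  3 16:31:14 hp-mail sendmail[1859]: s538VAce001859: [114.97.113.212] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jun  3 16:40:02 hp-mail sendmail[1902]: s538e2AB001902: ruleset=check_rcpt, arg1=<x@example.org>, relay=[198.51.100.20], reject=550 5.7.1 <x@example.org>... Relaying denied",
    "Jun  3 16:45:10 hp-mail sendmail[1950]: s538jA7c001950: from=<spam@example.net>, size=512, class=0, nrcpts=1, proto=SMTP, relay=mail.example.net [203.0.113.77] (may be forged)",
    "Jun  3 16:50:00 hp-mail sendmail[1999]: s538o0XY001999: to=<root>, delay=00:00:01, mailer=local, stat=Sent",
]


def compile_filter(failregex_lines):
    """Expand <HOST> in each failregex line and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in failregex_lines]


def run_tests(lines, failregex_lines, ignoreregex=None):
    """Evaluate a filter over log lines; return hit counts, addresses and totals."""
    regexes = compile_filter(failregex_lines)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hits = [0] * len(regexes)
    addresses = {i + 1: [] for i in range(len(regexes))}  # 1-based like fail2ban-regex
    ignored = missed = 0
    for line in lines:
        if ignore and ignore.search(line):
            ignored += 1
            continue
        for i, regex in enumerate(regexes):
            m = regex.search(line)
            if m:  # first matching failregex wins
                hits[i] += 1
                addresses[i + 1].append((m.group("host"), line[:15]))
                break
        else:
            missed += 1
    return {"hits": hits, "addresses": addresses, "total": sum(hits),
            "ignored": ignored, "missed": missed, "lines": len(lines)}


def format_report(report, failregex_lines):
    """Render the result in the layout fail2ban-regex prints."""
    out = [f"Failregex: {report['total']} total", "|- #) [# of hits] regular expression"]
    for i, (n, pattern) in enumerate(zip(report["hits"], failregex_lines), 1):
        if n:
            out.append(f"|  {i}) [{n}] {pattern}")
    out += ["`-", "", "Addresses found:"]
    for i, found in report["addresses"].items():
        if found:
            out.append(f"[{i}]")
            out += [f"    {host} ({ts})" for host, ts in found]
    out.append(f"Lines: {report['lines']} lines, {report['ignored']} ignored, "
               f"{report['total']} matched, {report['missed']} missed")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(run_tests(SAMPLE_MAILLOG, SENDMAIL_FAILREGEX), SENDMAIL_FAILREGEX))
```

On the sample, expression 1 matches twice, expressions 2 and 3 once each, and the delivery line is reported as missed. A pattern that never scores a hit on a real log, or one whose matched host is a host name rather than the address you expected, is the thing to look for before enabling a jail.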
| |
| ===== - Configuring the Fail2Ban parameters for openvpn ===== |
| <note> |
| * Configuration to deal with the attacks observed against openvpn |
| * /etc/openvpn/openvpn.log shows messages like the following<file> |
| : |
| Tue Jun 10 18:57:41 2014 176.114.32.92:3509 WARNING: Bad encapsulated packet length from peer (36695), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] |
| Tue Jun 10 19:00:43 2014 58.60.243.60:26629 WARNING: Bad encapsulated packet length from peer (6598), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] |
| : |
| </file> |
| </note> |
| |
| * Modify the /etc/fail2ban/filter.d/openvpn.conf filter definition<cli> |
| vi /etc/fail2ban/filter.d/openvpn.conf |
| </cli><file> |
| [Definition] |
| failregex = <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\] |
| ignoreregex = |
| </file> |
| |
| * Enable [openvpn] in /etc/fail2ban/jail.conf <cli> |
| vi /etc/fail2ban/jail.conf |
| </cli><file> |
| : |
| [openvpn] |
| enabled = true |
| filter = openvpn |
| action = iptables-multiport[name=openvpn, port="https", protocol=tcp] |
| sendmail-whois[name=openvpn, [email protected], [email protected]] |
| logpath = /etc/openvpn/openvpn.log |
| maxretry = 3 |
| findtime = 1200 |
| bantime = 12000 |
| : |
| </file> |
| |
| <note> |
| * You can run a preliminary test with the following command and compare the result with what you see in openvpn.log <cli> |
| fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf |
| </cli><file> |
| Running tests |
| ============= |
| |
| Use failregex file : /etc/fail2ban/filter.d/openvpn.conf |
| Use log file : /etc/openvpn/openvpn.log |
| |
| |
| Results |
| ======= |
| |
| Failregex: 11401 total |
| |- #) [# of hits] regular expression |
| | 1) [11401] <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\] |
| `- |
| |
| Ignoreregex: 0 total |
| |
| Date template hits: |
| |- [# of hits] date format |
| | [436556] WEEKDAY MONTH Day Hour:Minute:Second Year |
| `- |
| |
| Lines: 436556 lines, 0 ignored, 11401 matched, 425155 missed |
| Missed line(s):: too many to print. Use --print-all-missed to print all 425155 lines |
| </file> |
| </note> |
| |
| ===== - Configuring the Fail2Ban parameters for sshd ===== |
| <note> |
| * Configuration to deal with the attacks observed against sshd |
| * /var/log/secure shows messages like the following<file> |
| : |
| Jun 9 03:35:33 kvm-vpn sshd[1709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbotrace.cmu.ac.th user=root |
| Jun 9 03:35:36 kvm-vpn sshd[1712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=m.jumbomap.cmu.ac.th user=root |
| Jun 9 03:35:39 kvm-vpn sshd[1715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fibermap.cmu.ac.th |
| Jun 9 03:35:42 kvm-vpn sshd[1717]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumbomap.cmu.ac.th |
| Jun 9 03:35:46 kvm-vpn sshd[1719]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=register.jumbo.cmu.ac.th |
| Jun 9 08:44:57 kvm-vpn sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net |
| Jun 9 08:45:01 kvm-vpn sshd[2312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-98-190-1-101.ks.ks.cox.net |
| Jun 9 14:20:40 kvm-vpn sshd[2972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 |
| Jun 9 14:20:43 kvm-vpn sshd[2974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 |
| Jun 9 14:20:46 kvm-vpn sshd[2976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root |
| Jun 9 14:20:48 kvm-vpn sshd[2979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root |
| Jun 9 14:20:52 kvm-vpn sshd[2982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root |
| Jun 9 14:20:54 kvm-vpn sshd[2985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root |
| Jun 9 14:20:57 kvm-vpn sshd[2988]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root |
| Jun 9 14:21:01 kvm-vpn sshd[2991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.83.131.67 user=root |
| Jun 9 17:04:33 kvm-vpn sshd[3310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=145.24.222.140 user=root |
| Jun 9 17:45:38 kvm-vpn sshd[3391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188 user=root |
| Jun 9 17:45:49 kvm-vpn sshd[3392]: Disconnecting: Too many authentication failures for root |
| Jun 9 17:45:49 kvm-vpn sshd[3391]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.188 user=root |
| Jun 10 01:05:26 kvm-vpn sshd[4286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.217 user=root |
| Jun 10 01:05:39 kvm-vpn sshd[4287]: Disconnecting: Too many authentication failures for root |
| : |
| </file> |
| </note> |
| |
| * Modify the /etc/fail2ban/filter.d/sshd.conf filter definition<cli> |
| vi /etc/fail2ban/filter.d/sshd.conf |
| </cli><file> |
| [INCLUDES] |
| before = common.conf |
| [Definition] |
| _daemon = sshd |
| failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ |
| ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$ |
| ^%(__prefix_line)sBad protocol version identification .* from <HOST>\s*$ |
| ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$ |
| ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ |
| ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ |
| ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$ |
| ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$ |
| ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ |
| ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ |
| ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$ |
| ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ |
| ignoreregex = |
| </file> |
| |
| * Enable [ssh-iptables] in /etc/fail2ban/jail.conf <cli> |
| vi /etc/fail2ban/jail.conf |
| </cli><file> |
| : |
| [ssh-iptables] |
| |
| enabled = true |
| filter = sshd |
| action = iptables[name=SSH, port=ssh, protocol=tcp] |
| sendmail-whois[name=SSH, dest=root] |
| logpath = /var/log/secure |
| maxretry = 5 |
| : |
| </file> |
| |
| <note> |
| * You can run a preliminary test with the following command and compare the result with what you see in /var/log/secure <cli> |
| fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf |
| </cli><file> |
| Running tests |
| ============= |
| |
| Use regex file : /etc/fail2ban/filter.d/sshd.conf |
| Use log file : /var/log/secure |
| |
| |
| Results |
| ======= |
| |
| Failregex: 9 total |
| |- #) [# of hits] regular expression |
| | 3) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$ |
| | 5) [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$ |
| | 8) [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ |
| | 9) [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$ |
| `- |
| |
| Ignoreregex: 0 total |
| |
| Summary |
| ======= |
| |
| Addresses found: |
| [3] |
| 10.10.20.89 (Mon Jun 09 18:09:58 2014) |
| 10.10.20.1 (Wed Jun 11 10:04:53 2014) |
| [5] |
| 10.10.20.1 (Wed Jun 11 10:04:49 2014) |
| [8] |
| 10.10.20.89 (Mon Jun 09 18:09:56 2014) |
| 10.10.20.1 (Wed Jun 11 10:04:50 2014) |
| [9] |
| 10.10.20.1 (Tue Jun 10 10:17:32 2014) |
| 10.10.20.1 (Tue Jun 10 10:17:45 2014) |
| 10.10.20.1 (Tue Jun 10 15:30:07 2014) |
| 10.10.20.1 (Tue Jun 10 17:27:29 2014) |
| |
| Date template hits: |
| 449 hit(s): MONTH Day Hour:Minute:Second |
| |
| Success, the total number of match is 9 |
| |
| However, look at the above section 'Running tests' which could contain important information. |
| </file> |
| </note> |
| |
| ===== - Configuring the Fail2Ban parameters for apache ===== |
| <note> |
| * Configuration to deal with the attacks observed against apache |
| * /var/log/httpd/error_log shows messages like the following<file> |
| : |
| [Sat Jun 30 04:09:24 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.8.3 |
| [Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.1 |
| [Sat Jun 30 04:09:30 2012] [error] [client 118.142.43.102] File does not exist: /data/www/html/phpMyAdmin-2.9.2 |
| [Tue Nov 29 10:50:12 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/admin |
| [Tue Nov 29 10:50:13 2011] [error] [client 188.40.53.213] File does not exist: /data/www/html/db |
| [Mon Dec 19 01:58:52 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/common |
| [Mon Dec 19 01:58:53 2011] [error] [client 217.160.79.6] File does not exist: /data/www/html/community |
| [Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/pndegmsave.asp |
| [Wed Jan 25 15:44:14 2012] [error] [client 218.61.18.253] File does not exist: /data/www/html/gmsave.asp |
| : |
| </file> |
| </note> |
| |
| * Modify the /etc/fail2ban/filter.d/apache.conf filter definition<cli> |
| vi /etc/fail2ban/filter.d/apache.conf |
| </cli><file> |
| [Definition] |
| _daemon = httpd |
| failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl) |
| ignoreregex = |
| </file> |
| |
| * Enable [apache] in /etc/fail2ban/jail.conf <cli> |
| vi /etc/fail2ban/jail.conf |
| </cli><file> |
| : |
| [apache] |
| |
| enabled = true |
| # filter names the file in filter.d without its .conf suffix; it must match apache.conf above |
| filter = apache |
| action = iptables-multiport[name=apache, port="http,https", protocol=tcp] |
| sendmail-whois[name=apache, dest=root, [email protected]] |
| logpath = /var/log/httpd/errorlog |
| maxretry = 3 |
| : |
| </file> |
| |
| <note> |
| * You can run a preliminary test with the following command and compare the result with what you see in errorlog <cli> |
| fail2ban-regex /var/log/httpd/errorlog /etc/fail2ban/filter.d/apache.conf |
| </cli><file> |
| |
| </file> |
| </note> |
| |
| ===== - Starting the Fail2Ban service ===== |
| <cli> |
| [root@xen-mail ~]# service fail2ban start |
| Starting fail2ban: [ 確定 ] |
| |
| [root@xen-mail ~]# chkconfig fail2ban on |
| [root@xen-mail ~]# chkconfig --list | grep fail2ban |
| fail2ban 0:關閉 1:關閉 2:開啟 3:開啟 4:開啟 5:開啟 6:關閉 |
| |
| </cli> |
| |
| <note> |
| * If the notification mails come out dated 1970-01-01, the mail date is being rendered in the wrong locale; start the service this way instead<cli> |
| [root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart |
| </cli> |
| </note> |
| ===== - Checking the Fail2Ban service status ===== |
| <cli> |
| [root@xen-mail ~]# service fail2ban status |
| Fail2ban (pid 19813) is running... |
| Status |
| |- Number of jail: 1 |
| `- Jail list: dovecot-pop3imap |
| |
| </cli> |
| |
| ===== - A real ban example ===== |
| * /var/log/maillog<code> |
| : |
| Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9 |
| : |
| </code> |
| * Check with iptables --list <cli> |
| Every 2.0s: iptables --list Thu Jan 17 08:14:56 2013 |
| |
| Chain INPUT (policy ACCEPT) |
| target prot opt source destination |
| fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps |
| ACCEPT udp -- anywhere anywhere udp dpt:domain |
| ACCEPT tcp -- anywhere anywhere tcp dpt:domain |
| ACCEPT udp -- anywhere anywhere udp dpt:bootps |
| ACCEPT tcp -- anywhere anywhere tcp dpt:bootps |
| |
| Chain FORWARD (policy ACCEPT) |
| target prot opt source destination |
| ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED |
| ACCEPT all -- 192.168.122.0/24 anywhere |
| ACCEPT all -- anywhere anywhere |
| REJECT all -- anywhere anywhere reject-with icmp-port-unreachable |
| REJECT all -- anywhere anywhere reject-with icmp-port-unreachable |
| |
| Chain OUTPUT (policy ACCEPT) |
| target prot opt source destination |
| |
| Chain fail2ban-dovecot-pop3imap (1 references) |
| target prot opt source destination |
| DROP all -- 198.24.142.139 anywhere |
| RETURN all -- anywhere anywhere |
| </cli> |
| |
| |
| <note important> |
| **What to do when the notification mail is dated 1970/1/1 08:00** |
| * Versions after 0.6.1 use the locale's time format, which makes the mail's Date: header come out like this <code> |
| : |
| Subject: [Fail2Ban] dovecot-pop3imap: banned 60.248.245.177 |
| Date: �, 24 4� 2014 00:16:12 +0000 |
| From: Fail2Ban <[email protected]> |
| : |
| </code> |
| * So prefixing the fail2ban command with LANG=en_US fixes it, e.g.<code sh> |
| LANG=en_US /etc/init.d/fail2ban restart |
| </code>or add export LANG=en_US directly to /etc/init.d/fail2ban<file> |
| #!/bin/bash |
| # |
| # chkconfig: 345 92 08 |
| # description: Fail2ban daemon |
| # http://fail2ban.sourceforge.net/wiki/index.php/Main_Page |
| # process name: fail2ban-server |
| # |
| # |
| # Author: Tyler Owen |
| # |
| |
| export LANG=en_US |
| |
| # Source function library. |
| . /etc/init.d/functions |
| |
| # Check that the config file exists |
| : |
| : |
| </file> |
| </note> |
| |
| <note> |
| * CentOS 6.x does not install the whois utility by default, so the notification mail cannot include the IP's registration (whois) information, e.g.<code> |
| : |
| Here is more information about 92.59.24.231: |
| |
| missing whois program |
| : |
| </code> |
| * Fix it by installing jwhois manually<code sh> |
| yum install jwhois |
| </code> |
| </note> |
| |
| ===== References ===== |
| * [[http://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package|Blocking a DNS DDOS using the fail2ban package]] |
| * [[http://richardjh.org/blog/blocking-brute-force-attacks-to-dovecot-on-centos/|Blocking brute force attacks to Dovecot on CentOS]] |
| * http://blog.xuite.net/pippeng/blog/63675336 |
| * http://www.fail2ban.org/wiki/index.php/FAQ_english |
| * http://forums.freebsd.org/archive/index.php/t-35896.html |
| * http://www.howtoforge.com/forums/archive/index.php/t-53104.html |
| * http://www.the-art-of-web.com/system/fail2ban-sendmail/ |
| * http://www.fail2ban.org/wiki/index.php/OpenVPN |
| * http://www.fail2ban.org/wiki/index.php/Apache |
| |
| {{tag>郵件 fail2ban dovecot sendmail bind named openvpn sshd apache}} |