[Repost] Setting up brute-force blocking for dovecot / bind

tony
Posts: 585
Joined: 2012-02-26, 07:04


http://www.ichiayi.com/wiki/tech/dovecot_fail2ban

A few days ago, while going through maillog, I noticed a pile of pop3/imap login attempts from one particular IP scanning for accounts. When I saw it I manually added an iptables rule to block that source IP, but a few days later the same behaviour showed up from a different IP, so I went looking online for an existing tool that automates this kind of blocking.
- Install Fail2Ban

[root@xen-mail ~]# yum install fail2ban
:
================================================================================
 Package            Arch        Version                 Repository        Size
================================================================================
Installing:
 fail2ban           noarch      0.8.2-3.el5.rf          rpmforge         125 k

:

- Configure the main Fail2Ban configuration file

vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:

- Configure Fail2Ban for dovecot (filter and jail)

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
# Count every login-process line that reports an authentication failure, an aborted
# login or a disconnect, and take the remote address from rip=; the optional ::ffff:
# group strips the IPv4-mapped IPv6 form seen in the log (the group must be closed
# with ":)" or the regex does not compile).
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
# Clean logouts are never counted.
ignoreregex = (?: Disconnected: Logged out).*

vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=root, sender=[email protected]]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200

Add the /etc/fail2ban/filter.d/dovecot-pop3imap.conf definition file.
Add the [dovecot-pop3imap] section to /etc/fail2ban/jail.conf.
Adjust the notification parameters in the action of [dovecot-pop3imap]: dest (recipient) and sender (sender address). The sendmail-whois line is a continuation of action and must stay indented, otherwise the INI parser rejects it.
Note that the failregex counts every login-process "Disconnected" line that carries a rip=, not only authentication failures, so a client the server drops for inactivity also collects a strike for its address; the ignoreregex excludes only clean logouts. With maxretry = 20 inside findtime = 1200 seconds this will not ban a real user, but keep it in mind before lowering maxretry. Before enabling the jail, test the filter against the real log with fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf, which reports how many lines matched and which hosts they resolved to.

- Configure Fail2Ban for bind

The aim is to block the DDoS pattern of mass ANY queries for ripe.net / isc.org / 1rip.com, zones whose very large responses make them favourites for DNS amplification. In this kind of attack the client address in the log is normally spoofed to the victim's, so the address fail2ban bans is the reflection target rather than the attacker: the ban stops this server from amplifying traffic towards that victim, but the underlying problem is answering recursive queries for arbitrary external clients, which is better fixed with allow-recursion / allow-query restrictions in named.conf.
named.log shows entries like the following:

:
28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:

vi /etc/named.conf

:
logging {
    channel Named_log {
        file "/var/log/named/named.log" versions unlimited;
        severity info;
        print-severity yes;
        print-time yes;
    };
    category default { Named_log; };
    category xfer-out { Named_log; };
    category queries { Named_log; };
:
:

The queries category only produces these lines while query logging is switched on (querylog yes; in the options block, or rndc querylog at runtime); without it the filter below has nothing to match.

Modify the /etc/fail2ban/filter.d/named-refused.conf definition file (the stock filter matches "denied" queries; its failregex is replaced so that it matches the ANY queries shown above):

:
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
# Match ANY queries for the three amplification domains. The dots are escaped so that
# the names match literally, and +E may be followed by D (the DNSSEC OK flag).
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe\.net|isc\.org|1rip\.com) IN ANY \+ED?

# Option: ignoreregex
:

Enable [named-refused-udp] in /etc/fail2ban/jail.conf. Two details to get right: the sendmail-whois line is a continuation of action and must be indented, and ignoreip needs a network mask to cover the whole local network, because a bare 192.168.11.0 matches only that single address (the server itself is 192.168.11.242). Since this jail sets neither maxretry nor findtime, the [DEFAULT] values apply (3 matches within 600 seconds in fail2ban 0.8), so three matching ANY queries from one address are enough to ban it for 3600 seconds.

:
[named-refused-udp]

enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,53", protocol=udp]
         sendmail-whois[name=Named, dest=[email protected]]
#logpath = /var/log/named/security.log
logpath = /var/log/named/named.log
ignoreip = 192.168.11.0/24
bantime = 3600
:

- Start the Fail2Ban service

[root@xen-mail ~]# service fail2ban start
Starting fail2ban: [ OK ]

[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban 0:off 1:off 2:on 3:on 4:on 5:on 6:off

If the date on the notification mails comes out as 1970-01-01, the cause is the locale used when the mail date is generated; start the service this way instead:

[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart

- Check the Fail2Ban service status

[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail: 1
`- Jail list: dovecot-pop3imap

This output lists only the dovecot jail; once [named-refused-udp] is enabled as well, the jail count is 2. For a single jail, fail2ban-client status dovecot-pop3imap shows its counters and the addresses currently banned.

- A real ban case

/var/log/maillog

:
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:

Check with iptables --list (the output below comes from watch, which refreshes it every 2 seconds):

Every 2.0s: iptables --list Thu Jan 17 08:14:56 2013

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
DROP all -- 198.24.142.139 anywhere
RETURN all -- anywhere anywhere

References

Blocking a DNS DDOS using the fail2ban package
Blocking brute force attacks to Dovecot on CentOS
http://blog.xuite.net/pippeng/blog/63675336
http://www.fail2ban.org/wiki/index.php/FAQ_english
http://forums.freebsd.org/archive/index ... 35896.html
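To see what the two filters above really catch before trusting them on a live server, here is an added example in Python (my code, not part of the original post and not fail2ban's own code). It re-implements the matching and counting a jail does: the <HOST> expansion fail2ban 0.8 uses, the per-host findtime/maxretry window and the ignoreip check, with the page's dovecot and named regexes as given (the dovecot group closed with ":)", the named dots escaped). Assumptions: the year 2013 for the year-less syslog timestamps; %(__line_prefix)s dropped because plain named.log lines carry no syslog prefix; maxretry = 3 and findtime = 600 for the named jail (fail2ban 0.8's [DEFAULT] values, since the jail sets neither); and the sample log lines are the post's excerpts plus a few constructed lines, marked as such in the code.

```python
"""Offline check of the two fail2ban filters on this page. Added example, not code
from the original post or from fail2ban: it re-implements just enough of a jail
(failregex, ignoreregex, findtime, maxretry, ignoreip) to run the page's regexes."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"  # fail2ban 0.8's expansion of <HOST>
# Timestamps fail2ban strips before matching: syslog (maillog) and named.log style.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
NAMED_TS = re.compile(r"^(?P<ts>\d\d-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d\.\d+) ")

def split_timestamp(line):
    """Return (datetime, rest of line); syslog carries no year, so 2013 is assumed."""
    m = SYSLOG_TS.match(line)
    if m:
        return datetime.strptime("2013 " + m.group("ts"), "%Y %b %d %H:%M:%S"), line[m.end():]
    m = NAMED_TS.match(line)
    if m:
        return datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"), line[m.end():]
    return None, line

class Jail:
    # failregex + ignoreregex + a per-host sliding window, as configured in jail.conf
    def __init__(self, failregex, maxretry, findtime, ignoreregex=None, ignoreip=()):
        self.fail = re.compile(failregex.replace("<HOST>", HOST_RE))
        self.ignore = re.compile(ignoreregex) if ignoreregex else None
        self.maxretry, self.findtime = maxretry, findtime
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignoreip]
        self.hits = defaultdict(list)  # host -> timestamps of failures inside findtime
        self.banned = []

    def offending_host(self, body):
        # Host captured by failregex, or None; a line matching ignoreregex never counts.
        if self.ignore and self.ignore.search(body):
            return None
        m = self.fail.search(body)
        return m.group("host") if m else None

    def feed(self, line):
        # Process one log line; return the host if this line triggers a ban.
        ts, body = split_timestamp(line)
        host = self.offending_host(body)
        if ts is None or host is None:
            return None
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # failregex captured something that is not an address
            return None
        if any(ip in net for net in self.ignore_nets):
            return None
        recent = [t for t in self.hits[host] if (ts - t).total_seconds() <= self.findtime]
        recent.append(ts)
        self.hits[host] = recent
        if len(recent) >= self.maxretry and host not in self.banned:
            self.banned.append(host)
            return host
        return None

# The page's dovecot filter (with its unbalanced group closed) and its jail settings.
DOVECOT = dict(
    failregex=r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*",
    ignoreregex=r"(?: Disconnected: Logged out).*", maxretry=20, findtime=1200)
# The page's named filter with dots escaped; %(__line_prefix)s (optional syslog prefix)
# is dropped. maxretry/findtime are fail2ban 0.8's [DEFAULT] values (jail sets neither).
NAMED = dict(
    failregex=r"client <HOST>#.+: query: (ripe\.net|isc\.org|1rip\.com) IN ANY \+ED?",
    maxretry=3, findtime=600, ignoreip=("192.168.11.0/24",))

# 20 guesses from one IP within 6 s, modelled on the maillog excerpt in the post, then two
# constructed lines: an idle client (counted although no password failed) and a clean logout.
USERS = "mysqlp nancy natalie morgan mysql natalia music moses nada morris".split()
DOVECOT_LINES = [
    f"Jan 17 08:11:{40 + 2 * (i // 5)} hp-mail dovecot: pop3-login: Aborted login: "
    f"user=<{u}>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9"
    for i, u in enumerate(USERS * 2)
] + [
    "Jan 17 08:12:00 hp-mail dovecot: imap-login: Disconnected (no auth attempts): rip=::ffff:192.0.2.10, lip=::ffff:220.130.139.9",
    "Jan 17 08:12:05 hp-mail dovecot: imap-login: Disconnected: Logged out: rip=::ffff:192.0.2.11, lip=::ffff:220.130.139.9",
]
NAMED_LINES = [  # three lines from the post's named.log excerpt ...
    "28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)",
    "28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)",
    "28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)",
] + [  # ... then constructed queries from an internal host that ignoreip must exempt
    f"28-Jun-2013 15:41:00.00{i} info: client 192.168.11.5#535{i}: view internal: query: isc.org IN ANY +E (192.168.11.242)"
    for i in range(3)
]

def run_demo():
    """Feed both sample logs through their jails and report what each would ban."""
    dovecot, named = Jail(**DOVECOT), Jail(**NAMED)
    for jail, lines in ((dovecot, DOVECOT_LINES), (named, NAMED_LINES)):
        for line in lines:
            jail.feed(line)
    return {"dovecot_banned": dovecot.banned,
            "dovecot_counted": {h: len(t) for h, t in dovecot.hits.items()},
            "named_banned": named.banned}
```

run_demo() reports that 198.24.142.139 is banned on its 20th failure, that the idle client 192.0.2.10 already has one strike although it never sent a password (the broad "Disconnected" match), that the clean logout is ignored, and that 67.220.66.3 is banned on its third ANY query while 192.168.11.5 is exempt. Replace the ignoreip entry with the bare 192.168.11.0 and the internal host is banned as well, which is why the network mask matters.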