chun 2014-4-22 18:12
[Repost] Setting up brute-force blocking for dovecot / bind
http://www.ichiayi.com/wiki/tech/dovecot_fail2ban<br><div class="level1"><p>A few days ago, while going through the maillog, I noticed a pile of pop3/imap login attempts from one particular IP scanning through account names. I manually added an iptables rule to block that source IP, but a few days later the same behaviour showed up again from a different IP, so I went looking online for a ready-made tool that automates this kind of blocking.</p></div><h2 class="sectionedit2" id="安裝_fail2ban">- Install Fail2Ban</h2><div class="level2"><pre class="xtermrtf">[root@xen-mail ~]# yum install fail2ban
:
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
fail2ban noarch 0.8.2-3.el5.rf rpmforge 125 k
:
</pre></div><h2 class="sectionedit3" id="設定_fail2ban_參數檔案">- Configure the Fail2Ban parameter file</h2><div class="level2"><pre class="xtermrtf">vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:
</pre></div><h2 class="sectionedit4" id="設定_fail2ban_對_dovecot_的參數檔案">- Configure the Fail2Ban parameter files for dovecot</h2><div class="level2"><pre class="xtermrtf">vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</pre><pre class="file">[Definition]
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*</pre><pre class="xtermrtf">vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=root, sender=tryweb@ichiayi.com]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
</pre><div class="noteclassic"><ul><li class="level1"><div class="li">Add the definition file /etc/fail2ban/filter.d/dovecot-pop3imap.conf</div></li><li class="level1"><div class="li">Add the [dovecot-pop3imap] section to /etc/fail2ban/jail.conf</div></li><li class="level1"><div class="li">Adjust the notification parameters of the action in [dovecot-pop3imap]: dest (recipient) and sender (sender address)</div></li></ul></div></div><h2 class="sectionedit5" id="設定_fail2ban_對_bind_的參數檔案">- Configure the Fail2Ban parameter files for bind</h2><div class="level2"><div class="noteclassic"><ul><li class="level1"><div class="li">The goal is mainly to block the DDoS pattern of flooding the server with ANY queries for ripe.net / isc.org / 1rip.com</div></li><li class="level1"><div class="li">named.log shows entries like the following:<pre class="code">:
28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:</pre></div></li></ul></div><pre class="xtermrtf">vi /etc/named.conf
</pre><pre class="file">:
logging {
    channel Named_log {
        file "/var/log/named/named.log" versions unlimited;
        severity info;
        print-severity yes;
        print-time yes;
    };
    category default { Named_log; };
    category xfer-out { Named_log; };
    category queries { Named_log; };
:
:</pre><ul><li class="level1"><div class="li">Edit the definition file /etc/fail2ban/filter.d/named-refused.conf<pre class="file">:
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*
# Option: ignoreregex
:</pre></div></li><li class="level1"><div class="li">Enable [named-refused-udp] in /etc/fail2ban/jail.conf <pre class="file">:
[named-refused-udp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,53", protocol=udp]
         sendmail-whois[name=Named, dest=tryweb@ichiayi.com]
#logpath = /var/log/named/security.log
logpath = /var/log/named/named.log
ignoreip = 192.168.11.0
bantime = 3600
:</pre></div></li></ul></div><h2 class="sectionedit6" id="開始啟動_fail2ban_服務">- Start the Fail2Ban service</h2><div class="level2"><pre class="xtermrtf">[root@xen-mail ~]# service fail2ban start
Starting fail2ban: [ 確定 ]
[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban 0:關閉 1:關閉 2:開啟 3:開啟 4:開啟 5:開啟 6:關閉
</pre><div class="noteclassic"><ul><li class="level1"><div class="li">If the date on the notification mails comes out as 1970-01-01, the locale is breaking the mail date; start the service this way instead<pre class="xtermrtf">[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
</pre></div></li></ul></div></div><h2 class="sectionedit7" id="查看_fail2ban_服務狀況">- Check the Fail2Ban service status</h2><div class="level2"><pre class="xtermrtf">[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail: 1
`- Jail list: dovecot-pop3imap
</pre></div><h2 class="sectionedit8" id="實際_ban_的案例">- A real ban example</h2><div class="level2"><ul><li class="level1"><div class="li">/var/log/maillog<pre class="code">:
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:</pre></div></li><li class="level1"><div class="li">Check with iptables --list <pre class="xtermrtf">Every 2.0s: iptables --list Thu Jan 17 08:14:56 2013
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
DROP all -- 198.24.142.139 anywhere
RETURN all -- anywhere anywhere
</pre></div></li></ul></div><h2 class="sectionedit9" id="參考資料網址">Reference URLs</h2><div class="level2"><ul><li class="level1"><div class="li"><a title="http://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package" class="urlextern" href="http://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package" target="wiki_ext_win" rel="nofollow">Blocking a DNS DDOS using the fail2ban package</a></div></li><li class="level1"><div class="li"><a title="http://richardjh.org/blog/blocking-brute-force-attacks-to-dovecot-on-centos/" class="urlextern" href="http://richardjh.org/blog/blocking-brute-force-attacks-to-dovecot-on-centos/" target="wiki_ext_win" rel="nofollow">Blocking brute force attacks to Dovecot on CentOS</a></div></li><li class="level1"><div class="li"><a title="http://blog.xuite.net/pippeng/blog/63675336" class="urlextern" href="http://blog.xuite.net/pippeng/blog/63675336" target="wiki_ext_win" rel="nofollow">http://blog.xuite.net/pippeng/blog/63675336</a></div></li><li class="level1"><div class="li"><a title="http://www.fail2ban.org/wiki/index.php/FAQ_english" class="urlextern" href="http://www.fail2ban.org/wiki/index.php/FAQ_english" target="wiki_ext_win" rel="nofollow">http://www.fail2ban.org/wiki/index.php/FAQ_english</a></div></li><li class="level1"><div class="li"><a title="http://forums.freebsd.org/archive/index.php/t-35896.html" class="urlextern" href="http://forums.freebsd.org/archive/index.php/t-35896.html" target="wiki_ext_win" rel="nofollow">http://forums.freebsd.org/archive/index.php/t-35896.html</a></div></li></ul></div><br>
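As an added illustration of what the two jails above actually do (this is not code from the wiki article nor from the fail2ban project), the following Python script applies the page's dovecot-pop3imap failregex/ignoreregex and the named-refused failregex to constructed maillog and named.log lines, and models a jail's maxretry/findtime window and ignoreip list to show which hosts would end up banned. Everything not taken from the page is an assumption of this example: the expansion of `<HOST>`, the `__line_prefix` regex, the year assigned to the syslog timestamps, the sample addresses (documentation ranges), and the maxretry=3 / findtime=600 values used for the named jail, which the page's [named-refused-udp] section leaves at the jail.conf defaults.

```python
"""Stand-in for the two jails configured on this page (dovecot-pop3imap and
named-refused): the page's failregex/ignoreregex applied to constructed log
lines, with fail2ban-style maxretry/findtime counting and an ignoreip list.
Added illustration; not fail2ban's own engine and not the wiki author's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a named group; this expansion is the one assumed here.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# dovecot-pop3imap filter, carried over from the page.
DOVECOT_FAILREGEX = re.compile(
    r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*")
DOVECOT_IGNOREREGEX = re.compile(r"(?: Disconnected: Logged out).*")

# named-refused filter from the page, with %(__line_prefix)s replaced by an assumed
# prefix that matches the named.log format shown above ("28-Jun-2013 15:40:23.888 info: ").
NAMED_LINE_PREFIX = r"^\S+ \S+ \w+: "
NAMED_FAILREGEX = re.compile(
    NAMED_LINE_PREFIX + r"client " + HOST + r"#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*")

ASSUMED_YEAR = 2013  # syslog lines carry no year; assumed for the constructed sample
T0 = datetime(ASSUMED_YEAR, 1, 17, 8, 11, 40)


def parse_maillog_time(line):
    """'Jan 17 08:11:40 ...' -> datetime (first 15 characters of a syslog line)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def parse_named_time(line):
    """'28-Jun-2013 15:40:23.888 ...' -> datetime (first two tokens of a named.log line)."""
    return datetime.strptime(" ".join(line.split()[:2]), "%d-%b-%Y %H:%M:%S.%f")


class Jail:
    """Counts failures per host inside a sliding findtime window and records a ban
    once a host reaches maxretry, the way a fail2ban jail does."""

    def __init__(self, failregex, ignoreregex, parse_time, maxretry, findtime, ignoreip=()):
        self.failregex, self.ignoreregex, self.parse_time = failregex, ignoreregex, parse_time
        self.maxretry, self.findtime, self.ignoreip = maxretry, findtime, set(ignoreip)
        self.attempts = defaultdict(deque)  # host -> timestamps of failures still in the window
        self.banned = []                     # hosts banned, in order

    def feed(self, line):
        """Return the host if this line triggers a ban, else None."""
        if self.ignoreregex is not None and self.ignoreregex.search(line):
            return None                      # a normal logout, not a failure
        match = self.failregex.search(line)
        if match is None:
            return None
        host = match.group("host")
        if host in self.ignoreip or host in self.banned:
            return None
        now = self.parse_time(line)
        window = self.attempts[host]
        window.append(now)
        while (now - window[0]).total_seconds() > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned.append(host)
            return host
        return None


def dovecot_line(ts, user, rip, event="Aborted login"):
    """Constructed maillog line in the format shown on the page."""
    return ("%s hp-mail dovecot: pop3-login: %s: user=<%s>, method=PLAIN, rip=::ffff:%s, "
            "lip=::ffff:192.0.2.9" % (ts.strftime("%b %d %H:%M:%S"), event, user, rip))


def named_line(ts, client, qname, qtype):
    """Constructed named.log line in the format shown on the page."""
    return ("%s info: client %s#%d: view external: query: %s IN %s +E (192.0.2.53)"
            % (ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3], client, 40000 + ts.second, qname, qtype))


def run_dovecot_demo():
    """Page's values: maxretry 20, findtime 1200. One scanner, one slow host, one logout."""
    jail = Jail(DOVECOT_FAILREGEX, DOVECOT_IGNOREREGEX, parse_maillog_time, maxretry=20, findtime=1200)
    lines = [dovecot_line(T0 + timedelta(seconds=i), "user%02d" % i, "198.51.100.7") for i in range(21)]
    lines += [dovecot_line(T0 + timedelta(seconds=i), "nancy", "203.0.113.5") for i in range(19)]
    lines.append(dovecot_line(T0 + timedelta(seconds=1300), "nancy", "203.0.113.5"))  # the 19 are stale now
    lines.append(dovecot_line(T0 + timedelta(seconds=5), "alice", "203.0.113.5", event="Disconnected: Logged out"))
    for line in lines:
        jail.feed(line)
    return jail.banned


def run_named_demo():
    """Assumed jail.conf defaults maxretry 3, findtime 600 (the page's [named-refused-udp] sets neither)."""
    jail = Jail(NAMED_FAILREGEX, None, parse_named_time, maxretry=3, findtime=600, ignoreip=("192.168.11.20",))
    t0 = datetime(2013, 6, 28, 15, 40, 23, 888000)
    lines = [named_line(t0 + timedelta(milliseconds=4 * i), "198.51.100.23", "1rip.com", "ANY") for i in range(3)]
    lines += [named_line(t0 + timedelta(seconds=i), "203.0.113.9", "isc.org", "ANY") for i in range(2)]
    lines.append(named_line(t0, "192.168.11.20", "ripe.net", "ANY"))   # ignored LAN host
    lines.append(named_line(t0, "203.0.113.9", "example.com", "A"))    # ordinary query, no match
    for line in lines:
        jail.feed(line)
    return jail.banned


if __name__ == "__main__":
    print("dovecot-pop3imap would ban:", run_dovecot_demo())
    print("named-refused-udp would ban:", run_named_demo())
```

Two details worth noticing when you run it: the second dovecot host makes 20 attempts in total but never 20 inside one 1200-second window, so it is not banned, and the logout line would match the failregex (it contains "Disconnected" and a rip=) if the ignoreregex were not checked first. To test a filter against a real log file, fail2ban ships its own tool, fail2ban-regex.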