
[Repost] Setting up brute-force blocking for dovecot / bind

http://www.ichiayi.com/wiki/tech/dovecot_fail2ban

A few days ago, while going through the maillog, I found a pile of POP3/IMAP login scans against accounts coming from one particular IP. When I saw it I added that source IP to iptables by hand to block it, but a few days later the same behaviour showed up again from a different IP, so I went looking online to see whether someone had already written a tool that does this blocking automatically.

- Install Fail2Ban

[root@xen-mail ~]# yum install fail2ban
:
================================================================================
 Package          Arch           Version                 Repository        Size
================================================================================
Installing:
 fail2ban         noarch         0.8.2-3.el5.rf          rpmforge         125 k

:

- Configure the Fail2Ban main configuration file

vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:

- Configure the Fail2Ban filter and jail for dovecot

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
# dovecot logs the peer as rip=::ffff:198.24.142.139 (IPv4-mapped); the optional
# group strips that prefix so <host> is the plain IPv4 address iptables will ban
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
# a clean logout is logged as "Disconnected" too; keep it out of the failure count
ignoreregex = (?: Disconnected: Logged out).*

vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=tryweb@ichiayi.com]
logpath  = /var/log/maillog
# ban a source after maxretry failures inside findtime seconds, for bantime seconds
# (comments go on their own line: the INI parser would read "20 # ..." as the value)
maxretry = 20
findtime = 1200
bantime  = 1200
  • Create the filter definition /etc/fail2ban/filter.d/dovecot-pop3imap.conf
  • Add the [dovecot-pop3imap] jail to /etc/fail2ban/jail.conf
  • Adjust the notification parameters of the jail's action: dest (recipient) and sender (From address)
  • Check the filter against the real log before enabling the jail: fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf reports how many lines matched failregex and how many ignoreregex discarded, which is the quickest way to catch a regex that matches nothing (or everything)
  • maxretry = 20 inside findtime = 1200 seconds is lenient: it catches a scanner like the one in the maillog below (20 attempts in six seconds), but a scanner that keeps fewer than 20 attempts in any 20-minute window is never banned, so lower maxretry if the log shows slower patterns

- Configure the Fail2Ban filter and jail for bind

  • Mainly to stop the DDoS pattern of mass ANY queries for ripe.net / isc.org / 1rip.com. A caveat before relying on this: such floods are DNS reflection/amplification attacks, and the "client" address in the log is usually spoofed to the real victim, so banning it stops this server from amplifying traffic toward that victim rather than hitting the attacker. The queries below are also being answered by the "external" view, so restricting recursion to trusted clients (and response rate limiting, where the BIND version supports it) is the fix to make alongside the jail.
  • named.log shows entries like the following:
    :
    28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    :
    28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
    :
vi /etc/named.conf
:
logging {
        channel Named_log {
                file "/var/log/named/named.log" versions unlimited;
                severity info;
                print-severity  yes;
                print-time yes; };
        category default {Named_log; };
        category xfer-out {Named_log; };
        category queries {Named_log; };
:
:
  • Modify the filter definition /etc/fail2ban/filter.d/named-refused.conf (the shipped regex matches refused queries; replace it with one that matches the ANY queries above)
    :
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # Values: TEXT
    #
    #failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
    # dots escaped so the names match literally; the trailing D? also accepts the
    # "+ED" flags BIND logs for queries that set the DNSSEC OK bit
    failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe\.net|isc\.org|1rip\.com) IN ANY \+ED?
    
    # Option:  ignoreregex
    :
  • Enable [named-refused-udp] in /etc/fail2ban/jail.conf
    :
    [named-refused-udp]
    
    enabled  = true
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,53", protocol=udp]
                sendmail-whois[name=Named, dest=tryweb@ichiayi.com]
    #logpath  = /var/log/named/security.log
    logpath  = /var/log/named/named.log
    # the whole LAN (the 192.168.11.x addresses seen in named.log); a bare 192.168.11.0
    # without a mask would exempt only that single address
    ignoreip = 192.168.11.0/24
    bantime  = 3600
    # maxretry and findtime are not set here, so the [DEFAULT] values apply
    # (3 failures inside 600 seconds in the stock 0.8 jail.conf)
    :
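The two filters and jails above (dovecot-pop3imap and named-refused-udp) can be dry-run offline before touching the live box. The script below is an added example, not code from the original post or from fail2ban itself: it re-creates the part of fail2ban's matching loop that matters for tuning (ignoreregex before failregex, ignoreip, then counting failures per source inside the findtime window and banning at maxretry) and feeds it constructed log lines shaped like the maillog and named.log excerpts on this page. Assumptions: the `<HOST>` expansion is the one fail2ban 0.8 uses, the syslog lines are given the year 2013 because they carry none, and the named jail takes maxretry = 3 and findtime = 600 s, the stock [DEFAULT] values it inherits because it sets neither. The class and function names (`Jail`, `demo_dovecot`, `demo_named`) are mine.

```python
#!/usr/bin/env python3
"""Offline dry-run of the dovecot-pop3imap and named-refused-udp jails (added example, not fail2ban's code)."""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# what fail2ban 0.8 substitutes for <HOST>: optional IPv4-mapped prefix, then the address
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# dovecot-pop3imap.conf failregex / ignoreregex
DOVECOT_FAIL = re.compile(r"(?: Authentication failure|Aborted login|Disconnected).*"
                          r"rip=(?:::f{4,6}:)?(?P<host>\S*),.*")
DOVECOT_IGNORE = re.compile(r"(?: Disconnected: Logged out).*")
# named-refused.conf failregex; %(__line_prefix)s is an optional syslog prefix that
# BIND's own log file does not carry, so it is left out here
NAMED_FAIL = re.compile(r"client " + HOST +
                        r"#.+: query: (ripe\.net|isc\.org|1rip\.com) IN ANY \+ED?")
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
BIND_TS = re.compile(r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ ")


def parse_time(line):
    m = SYSLOG_TS.match(line)
    if m:  # syslog lines carry no year; fail2ban assumes the current one, we assume 2013
        return datetime.strptime("2013 " + m.group(1), "%Y %b %d %H:%M:%S")
    return datetime.strptime(BIND_TS.match(line).group(1), "%d-%b-%Y %H:%M:%S")


class Jail:
    def __init__(self, failregex, ignoreregex=None, ignoreip=(), maxretry=3, findtime=600):
        self.failregex, self.ignoreregex = failregex, ignoreregex
        self.ignoreip = [ipaddress.ip_network(n) for n in ignoreip]
        self.maxretry, self.findtime = maxretry, findtime
        self.window = defaultdict(deque)  # host -> failure times still inside findtime
        self.banned = []                  # hosts in the order they were banned

    def feed(self, line):
        """Account one log line; return the host if this line triggers its ban."""
        if self.ignoreregex and self.ignoreregex.search(line):
            return None                   # ignoreregex is tested before failregex
        m = self.failregex.search(line)
        if not m:
            return None
        host = m.group("host")            # always an IP literal in the lines below
        if host in self.banned or any(ipaddress.ip_address(host) in n for n in self.ignoreip):
            return None
        ts, q = parse_time(line), self.window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.findtime:
            q.popleft()                   # failures older than findtime no longer count
        if len(q) >= self.maxretry:
            self.banned.append(host)
            q.clear()
            return host
        return None

    def run(self, lines):
        for line in lines:
            self.feed(line)
        return self.banned


def demo_dovecot():
    """20 aborted logins from one scanner in four seconds, plus lines that must not ban."""
    scan = ["Jan 17 08:11:%02d hp-mail dovecot: pop3-login: Aborted login: user=<u%d>, "
            "method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9"
            % (40 + i // 5, i) for i in range(20)]          # constructed, shaped like the page
    noise = [  # a clean logout (failregex would match, ignoreregex wins) and two typos by bob
        "Jan 17 08:11:41 hp-mail dovecot: imap-login: Disconnected: Logged out: "
        "rip=::ffff:10.0.0.5, lip=::ffff:220.130.139.9",
        "Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<bob>, "
        "method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:220.130.139.9",
        "Jan 17 08:11:43 hp-mail dovecot: pop3-login: Aborted login: user=<bob>, "
        "method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:220.130.139.9",
    ]
    return Jail(DOVECOT_FAIL, DOVECOT_IGNORE, maxretry=20, findtime=1200).run(scan + noise)


def demo_named():
    """ANY floods from two clients; a LAN client and an ordinary A query are left alone.
    maxretry/findtime stay at the stock [DEFAULT] values (3 / 600 s) the jail inherits."""
    lines = []
    for ip, t in (("67.220.66.3", "15:40:23"), ("72.10.160.148", "15:48:34")):
        lines += ["28-Jun-2013 %s.%03d info: client %s#%d: view external: query: "
                  "1rip.com IN ANY +E (192.168.11.242)" % (t, 100 * n, ip, 40000 + n)
                  for n in range(3)]                          # constructed
    lines += [
        "28-Jun-2013 15:41:00.000 info: client 192.168.11.242#5353: view internal: "
        "query: isc.org IN ANY +E (192.168.11.242)",          # matches, but inside ignoreip
        "28-Jun-2013 15:41:01.000 info: client 203.0.113.9#5353: view external: "
        "query: www.example.com IN A +E (192.168.11.242)",    # not an ANY for a listed name
    ]
    return Jail(NAMED_FAIL, ignoreip=["192.168.11.0/24"]).run(lines)


if __name__ == "__main__":
    print("dovecot bans:", demo_dovecot())  # ['198.24.142.139']
    print("named bans:  ", demo_named())    # ['67.220.66.3', '72.10.160.148']
```

Running it prints the two ban lists. To replay a real log, replace the constructed lists with the lines of /var/log/maillog or /var/log/named/named.log and compare the result with what fail2ban-regex reports before enabling the jail; the deque per host is the findtime window, so changing maxretry or findtime in the Jail call shows immediately which sources a different threshold would catch or miss.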

- Start the Fail2Ban service

[root@xen-mail ~]# service fail2ban start
Starting fail2ban:                                         [  OK  ]

[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off

  • If the date on the notification mails comes out as 1970-01-01, the mail date is being formatted under the wrong locale; start the service this way instead:
    [root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
    

- Check the Fail2Ban service status

[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap

Only the dovecot jail is listed here; once [named-refused-udp] is enabled as well, the jail count is 2 and both names appear.

- An actual ban

  • /var/log/maillog
    :
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
    :
  • Check with iptables --list (run here under watch, refreshing every two seconds)
    Every 2.0s: iptables --list                                                                                                           Thu Jan 17 08:14:56 2013
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination
    DROP       all  --  198.24.142.139       anywhere
    RETURN     all  --  anywhere             anywhere
    
