Administrator, posted on 2014-4-22 18:12
[Repost] How to set up brute-force blocking for dovecot / bind
http://www.ichiayi.com/wiki/tech/dovecot_fail2ban
A few days ago, while checking maillog, I found a pile of pop3/imap login scans probing accounts from a specific ip. After seeing them I manually added that source ip to iptables to block it, but a few days later I saw the same behaviour again from a different ip, so I went online to look for whether anyone had already written a tool to do this blocking automatically.
- Install Fail2Ban
[root@xen-mail ~]# yum install fail2ban
:
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
fail2ban noarch 0.8.2-3.el5.rf rpmforge 125 k
:
- Configure the Fail2Ban parameter file
vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:
- Configure the Fail2Ban filter for dovecot
vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*
vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=root, sender=tryweb@ichiayi.com]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
Add the /etc/fail2ban/filter.d/dovecot-pop3imap.conf definition file. Add the [dovecot-pop3imap] section to /etc/fail2ban/jail.conf. Adjust the notification parameters of the action in [dovecot-pop3imap]: dest (recipient) and sender (sender address).
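To see how the jail above evaluates the filter, here is an added Python example (not part of the original post and not fail2ban's own code) that applies the failregex and ignoreregex from dovecot-pop3imap.conf to constructed maillog lines in the same format as the entries shown later in the post, and emulates the maxretry/findtime counting of the [dovecot-pop3imap] jail; the year 2013 for the syslog timestamps and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# failregex / ignoreregex exactly as in the dovecot-pop3imap filter above
FAILREGEX = re.compile(
    r"(?: Authentication failure|Aborted login|Disconnected).*"
    r"rip=(?:::f{4,6}:)?(?P<host>\S*),.*")
IGNOREREGEX = re.compile(r"(?: Disconnected: Logged out).*")
# jail parameters from the [dovecot-pop3imap] section above
MAXRETRY = 20
FINDTIME = 1200  # seconds

def parse_ts(line, year=2013):
    """Syslog timestamps carry no year; 2013 is assumed (the year in the post's output)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def match_host(line):
    """Host captured by failregex, or None if the line is ignored or does not match."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Emulate the jail: ban a host once it has maxretry failures inside a findtime window."""
    failures = defaultdict(list)
    banned = []
    for line in lines:
        host = match_host(line)
        if host is None or host in banned:
            continue
        ts = parse_ts(line)
        # keep only failures still inside the sliding findtime window, then add this one
        recent = [t for t in failures[host] if (ts - t).total_seconds() <= findtime]
        failures[host] = recent + [ts]
        if len(failures[host]) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample maillog modelled on the post's entries: 20 aborted logins from one
# address (five per second), a normal logout that must be ignored, and one failure elsewhere.
SAMPLE_LOG = [
    f"Jan 17 08:11:{40 + i // 5:02d} hp-mail dovecot: pop3-login: Aborted login: "
    f"user=<user{i}>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9"
    for i in range(20)
] + [
    "Jan 17 08:12:01 hp-mail dovecot: pop3-login: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0, rip=::ffff:192.0.2.10, lip=::ffff:220.130.139.9",
    "Jan 17 08:12:05 hp-mail dovecot: imap-login: Aborted login: user=<bob>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:220.130.139.9",
]
```

With fail2ban installed, the same check can be run against the real log with fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf.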
- Configure the Fail2Ban filter for bind
vi /etc/named.conf
:
logging {
    channel Named_log {
        file "/var/log/named/named.log" versions unlimited;
        severity info;
        print-severity yes;
        print-time yes;
    };
    category default { Named_log; };
    category xfer-out { Named_log; };
    category queries { Named_log; };
:
:
Modify the /etc/fail2ban/filter.d/named-refused.conf definition file:
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*
# Option: ignoreregex
:
Enable [named-refused-udp] in /etc/fail2ban/jail.conf:
[named-refused-udp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,53", protocol=udp]
         sendmail-whois[name=Named, dest=tryweb@ichiayi.com]
#logpath = /var/log/named/security.log
logpath = /var/log/named/named.log
ignoreip = 192.168.11.0
bantime = 3600
:
- Start the Fail2Ban service
[root@xen-mail ~]# service fail2ban start
Starting fail2ban: [ 確定 ]
[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban 0:關閉 1:關閉 2:開啟 3:開啟 4:開啟 5:開啟 6:關閉
If the date on the sent mail comes out as 1970-01-01, it is a locale problem with the mail date; start it this way instead:
[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
- Check the Fail2Ban service status
[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail: 1
`- Jail list: dovecot-pop3imap
- An actual ban case
/var/log/maillog :
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:
Check with iptables --list:
Every 2.0s: iptables --list Thu Jan 17 08:14:56 2013
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
DROP all -- 198.24.142.139 anywhere
RETURN all -- anywhere anywhere