A few days ago, while going through the maillog, I found a pile of login scans against accounts over pop3/imap coming from one specific IP. When I saw it I manually added an iptables rule to drop that source IP, but a few days later the same behaviour showed up again from a different IP, so I went looking online to see whether someone had already written a tool that blocks this automatically.
[root@xen-mail ~]# yum install fail2ban
:
================================================================================
 Package        Arch        Version              Repository       Size
================================================================================
Installing:
 fail2ban       noarch      0.8.2-3.el5.rf       rpmforge        125 k
:
vi /etc/fail2ban/fail2ban.conf
:
logtarget = /var/log/fail2ban.log
:
vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
# Match dovecot pop3/imap login failures; the optional "::ffff:" group skips the
# IPv4-mapped IPv6 prefix so that <host> captures the plain IPv4 address
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
# A normal "Logged out" disconnect also contains "Disconnected", so exclude it
ignoreregex = (?: Disconnected: Logged out).*
vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=tryweb@ichiayi.com]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200
:
28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
vi /etc/named.conf
:
logging {
    channel Named_log {
        file "/var/log/named/named.log" versions unlimited;
        severity info;
        print-severity yes;
        print-time yes;
    };
    category default  { Named_log; };
    category xfer-out { Named_log; };
    category queries  { Named_log; };
:
:
:
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*

# Option:  ignoreregex
:
:
[named-refused-udp]
enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,53", protocol=udp]
           sendmail-whois[name=Named, dest=tryweb@ichiayi.com]
#logpath = /var/log/named/security.log
logpath  = /var/log/named/named.log
ignoreip = 192.168.11.0
bantime  = 3600
:
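As an added example (not code from the original post), the Python script below runs the post's dovecot failregex/ignoreregex and the named failregex over constructed log lines and replays fail2ban's maxretry/findtime counting, so a filter can be checked before its jail goes live. It assumes fail2ban 0.8's expansion of <HOST>, that `%(__line_prefix)s` may be omitted (it is optional), and jail.conf's default maxretry = 3 / findtime = 600 for the named jail; it also shows that a bare address in ignoreip, like the 192.168.11.0 above, matches that one address only, not the /24.

```python
import re
from collections import defaultdict
from datetime import datetime
# Added example, not from the original post: run the post's two failregex patterns
# over constructed log lines and replay fail2ban's maxretry/findtime counting.
# fail2ban 0.8 strips the timestamp before matching and expands <HOST> to:
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
DOVECOT_FAIL = re.compile(
    r"(?: Authentication failure|Aborted login|Disconnected).*rip=" + HOST + r",.*")
DOVECOT_IGNORE = re.compile(r"(?: Disconnected: Logged out).*")
# %(__line_prefix)s from named-refused.conf is optional and omitted here.
NAMED_FAIL = re.compile(
    r"client " + HOST + r"#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*")

def find_bans(lines, ts_fmt, ts_len, failregex, ignoreregex=None,
              maxretry=20, findtime=1200, ignoreip=()):
    """Return the hosts that reach maxretry matching lines within findtime seconds."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        stamp, body = datetime.strptime(line[:ts_len], ts_fmt), line[ts_len:]
        if ignoreregex and ignoreregex.search(body):
            continue                      # a normal logout, not a failure
        m = failregex.search(body)
        if not m or m.group("host") in ignoreip:  # bare IP in ignoreip: exact match only
            continue
        host, t = m.group("host"), (stamp - datetime(1900, 1, 1)).total_seconds()
        hits[host] = [h for h in hits[host] if t - h <= findtime] + [t]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned
# Constructed sample lines in the formats the post shows (addresses are placeholders).
DOVECOT_LOG = [
    "Jan 17 08:11:%02d hp-mail dovecot: pop3-login: Aborted login: user=<%s>, "
    "method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9"
    % (40 + 2 * (i // 5), u) for i, u in enumerate(["nancy", "mysql", "morgan", "nada"] * 5)
] + [
    "Jan 17 08:12:01 hp-mail dovecot: pop3-login: Disconnected: Logged out top=0/0, "
    "retr=0/0, del=0/0, size=0, rip=::ffff:203.0.113.7, lip=::ffff:220.130.139.9",
    "Jan 17 08:12:02 hp-mail dovecot: imap-login: Aborted login: user=<bob>, "
    "method=PLAIN, rip=::ffff:203.0.113.9, lip=::ffff:220.130.139.9",
]
NAMED_LOG = [
    "28-Jun-2013 15:40:23.%03d info: client %s#%d: view external: query: 1rip.com "
    "IN ANY +E (192.168.11.242)" % (n, ip, 40000 + n)
    for ip in ("67.220.66.3", "192.168.11.242") for n in (888, 892, 895)
]
if __name__ == "__main__":
    print(find_bans(DOVECOT_LOG, "%b %d %H:%M:%S", 15, DOVECOT_FAIL, DOVECOT_IGNORE))
    print(find_bans(NAMED_LOG, "%d-%b-%Y %H:%M:%S.%f", 24, NAMED_FAIL,
                    maxretry=3, findtime=600, ignoreip=("192.168.11.0",)))
```

The first call bans only 198.24.142.139 (20 aborted logins inside findtime; the logout is excluded by ignoreregex and the single failure from 203.0.113.9 stays below maxretry), while the second bans both query sources because 192.168.11.242 is not covered by a bare ignoreip of 192.168.11.0.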
[root@xen-mail ~]# service fail2ban start
Starting fail2ban:                                         [  確定  ]
[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban        0:關閉  1:關閉  2:開啟  3:開啟  4:開啟  5:開啟  6:關閉
[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap
:
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:
Every 2.0s: iptables --list                                    Thu Jan 17 08:14:56 2013

Chain INPUT (policy ACCEPT)
target                     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
ACCEPT                     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT                     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT                     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT                     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  198.24.142.139       anywhere
RETURN     all  --  anywhere             anywhere