百利工頭 - Powered by Discuz! Board

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*

vi /etc/fail2ban/jail.conf
:
:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=tryweb@ichiayi.com]
logpath  = /var/log/maillog
maxretry = 20
findtime = 1200
bantime  = 1200

新增 /etc/fail2ban/filter.d/dovecot-pop3imap.conf 定義檔
在 /etc/fail2ban/jail.conf 內增加 [dovecot-pop3imap]
調整 [dovecot-pop3imap] 內 action 的通知參數 dest(收信人), sender(寄信人)

- 設定 Fail2Ban 對 bind 的參數檔案

主要是阻絕大量查詢 ripe.net / isc.org / 1rip.com 的 DDoS 攻擊方式

named.log 出現類似以下的狀況:

:
28-Jun-2013 15:40:23.888 info: client 67.220.66.3#40117: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:23.892 info: client 67.220.66.3#16440: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:40:24.089 info: client 67.220.66.3#22971: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:
28-Jun-2013 15:48:34.653 info: client 72.10.160.148#45103: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.659 info: client 72.10.160.148#38608: view external: query: 1rip.com IN ANY +E (192.168.11.242)
28-Jun-2013 15:48:34.846 info: client 72.10.160.148#22681: view external: query: 1rip.com IN ANY +E (192.168.11.242)
:

vi /etc/named.conf

:
logging {
        channel Named_log {
                file "/var/log/named/named.log" versions unlimited;
                severity info;
                print-severity  yes;
                print-time yes; };
        category default {Named_log; };
        category xfer-out {Named_log; };
        category queries {Named_log; };
:
:

修改 /etc/fail2ban/filter.d/named-refused.conf 定義檔

:
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org|1rip.com) IN ANY \+ED*

# Option:  ignoreregex
:

在 /etc/fail2ban/jail.conf 內設定啟用 [named-refused-udp]

:
[named-refused-udp]

enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,53", protocol=udp]
            sendmail-whois[name=Named, dest=tryweb@ichiayi.com]
#logpath  = /var/log/named/security.log
logpath  = /var/log/named/named.log
ignoreip = 192.168.11.0
bantime  = 3600
:

- 開始啟動 Fail2Ban 服務

[root@xen-mail ~]# service fail2ban start
Starting fail2ban:                                         [  確定  ]

[root@xen-mail ~]# chkconfig fail2ban on
[root@xen-mail ~]# chkconfig --list | grep fail2ban
fail2ban        0:關閉  1:關閉  2:開啟  3:開啟  4:開啟  5:開啟  6:關閉

如果信件寄出來日期變成 1970-01-01 是寄信日期語系錯誤問題, 可以改用以下方式啟用
```
[root@xen-mail ~]# LANG=en_US /etc/init.d/fail2ban restart
```

- 查看 Fail2Ban 服務狀況

[root@xen-mail ~]# service fail2ban status
Fail2ban (pid 19813) is running...
Status
|- Number of jail:      1
`- Jail list:           dovecot-pop3imap

- 實際 Ban 的案例

/var/log/maillog

:
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:40 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:42 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<natalie>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysql>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<mysqlp>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<nancy>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:44 hp-mail dovecot: pop3-login: Aborted login: user=<morgan>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<nada>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<moses>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<music>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<natalia>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
Jan 17 08:11:46 hp-mail dovecot: pop3-login: Aborted login: user=<morris>, method=PLAIN, rip=::ffff:198.24.142.139, lip=::ffff:220.130.139.9
:

使用 iptables –list 查看

Every 2.0s: iptables --list                                                                                                           Thu Jan 17 08:14:56 2013

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  198.24.142.139       anywhere
RETURN     all  --  anywhere             anywhere

- 安裝 Fail2Ban

- 設定 Fail2Ban 參數檔案

- 設定 Fail2Ban 對 dovecot 的參數檔案

- 設定 Fail2Ban 對 bind 的參數檔案

- 開始啟動 Fail2Ban 服務

- 查看 Fail2Ban 服務狀況

- 實際 Ban 的案例

參考資料網址