我配置了fail2ban来保护postfix服务上的身份验证。监狱在禁令方面工作正常,但该ignoreip选项似乎被忽略或配置错误,因为它禁止指定 CIDR 下的 IP:
这是监狱:
[postfix-sasl]
enabled = true
ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
filter = postfix-sasl
action_mwl = iptables-allports[name=postfix-sasl]
logpath = /var/log/zimbra.log
bantime = 3600
maxretry = 3
这是选项指定的 CIDR 之一下被禁止的 IP 的示例ignoreip(192.168.0.0/16):
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
REJECT all -- 192.168.11.54 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
这是与此 IP 匹配的行/var/log/fail2ban/log:
2019-03-21 09:21:33,269 fail2ban.filter [32293]: INFO [postfix-sasl] Found 192.168.11.54
2019-03-21 09:21:48,290 fail2ban.filter [32293]: INFO [postfix-sasl] Found 192.168.11.54
2019-03-21 09:21:49,044 fail2ban.actions [32293]: NOTICE [postfix-sasl] Ban 192.168.11.54
我可以在禁止失败维基可以ignoreip接受空格分隔的值和 CIDR 表示法,来自fail2ban wiki:
# Option: ignoreip.
# Notes.: space separated list of IP's to be ignored by fail2ban..
# You can use CIDR mask in order to specify a range..
# Example: ignoreip = 192.168.0.1/24 123.45.235.65.
# Values: IP Default: 192.168.0.0/24.
#.
ignoreip = 192.168.1.0/24