我已经将 fail2ban 0.9.6 与 iptables 1.6.2 配合使用,并用它来阻止攻击者,因为几天以来,攻击者一直在戏弄我的电子邮件服务器(典型的 Dovecot + Postfix 安装)。一切正常,配置文件、日志文件等,但它并没有真正禁止攻击者的 IP 地址,因为我可以看到他试图在 /var/log/mail.log 中访问,即使在 fail2ban 禁止它之后也是如此。
这是来自该攻击者的日志摘录:
Oct 27 00:05:55 servidor dovecot: auth: Debug: passwd-file([email protected],92.118.38.54): lookup: [email protected] file=/etc/passwd-file
Oct 27 00:05:55 servidor dovecot: auth: passwd-file([email protected],92.118.38.54): unknown user (given password: password)
Oct 27 00:05:57 servidor dovecot: auth: Debug: client passdb out: FAIL#0111#[email protected]
Oct 27 00:05:57 servidor postfix/smtps/smtpd[2047]: warning: unknown[92.118.38.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: lost connection after AUTH from unknown[92.118.38.54]
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: disconnect from unknown[92.118.38.54] ehlo=1 auth=0/1 rset=1 commands=2/3
他尝试过很多用户名,而且每次都使用相同的密码。然而,fail2ban-client status 却显示:
$ sudo fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
| |- Currently failed: 1
| |- Total failed: 16
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 92.118.38.54
$ sudo fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 1
| |- Total failed: 17
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
我不知道为什么该 IP 在 dovecot-pop3imap 中被禁止而在 postfix-sasl 中没有被禁止(这是功能吗?不要在不同的配置文件中重复相同的禁令?)
这是我的 /etc/fail2ban/jail.local 文件:
# Configuración pensada para usarse junto con iptables
# RESOURCES:
# * https://wiki.archlinux.org/index.php/Fail2ban
# * https://wiki.dovecot.org/HowTo/Fail2Ban
# * https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_spanish
# * https://www.linode.com/docs/security/using-fail2ban-for-security/
# * https://wiki.gentoo.org/wiki/Fail2ban
# * https://www.fail2ban.org/wiki/index.php/HOWTOs
[DEFAULT]
bantime = 3600
destemail = [email protected]
sender = [email protected]
# to ban & send an e-mail with whois report to the destemail.
action = %(action_mw)s
# same as action_mw but also send relevant log lines
#action = %(action_mwl)s
maxretry = 5
# Dovecot
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
findtime = 1200
#bantime = 3600
# Postfix
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
#bantime = 3600
[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
#bantime = 3600
[postfix-rbl]
enabled = true
filter = postfix-rbl
action = iptables-multiport[name=postfix, port="smtp,submissions,submission",p rotocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
#bantime = 3600
来自 iptables 的信息:
$ sudo iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 4881 packets, 247K bytes)
num pkts bytes target prot opt in out source destination
1 95 12521 f2b-dovecot tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993
2 2697 133K f2b-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
3 2697 133K f2b-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
4 2698 133K f2b-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23063 packets, 1114K bytes)
num pkts bytes target prot opt in out source destination
Chain f2b-dovecot (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 92.118.38.54 0.0.0.0/0 reject-with icmp-port-unreachable
2 95 12521 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-postfix (3 references)
num pkts bytes target prot opt in out source destination
1 8092 398K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
附言:我不想手动屏蔽这个特定的 IP,因为我希望封禁过程是自动的
答案1
好的,看起来这Currently failed: 1意味着什么:P
看起来问题出action在配置文件中,所以我最终通过使用一些默认设置解决了它,这是我的新jail.local文件:
# Configuración pensada para usarse junto con iptables
##############
# RESOURCES: #
##############
# * https://wiki.archlinux.org/index.php/Fail2ban
# * https://wiki.dovecot.org/HowTo/Fail2Ban
# * https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_spanish
# * https://www.linode.com/docs/security/using-fail2ban-for-security/
# * https://wiki.gentoo.org/wiki/Fail2ban
# * https://www.fail2ban.org/wiki/index.php/HOWTOs
[DEFAULT]
# bantime for 1 day
bantime = 86400
destemail = [email protected]
sender = [email protected]
backend = pyinotify
# if the guy fails 5 times in 1/2 hour, gets banned
findtime = 1800
maxretry = 5
# to ban & send an e-mail with whois report to the destemail.
#action = %(action_mw)s
# same as action_mw but also send relevant log lines
action = %(action_mwl)s
############
# PROFILES #
############
# Se asume que banaction = iptables-multiport
# Dovecot
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = pop3,pop3s,imap,imaps
#action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
# Postfix
[postfix]
enabled = true
filter = postfix
port = smtp,submissions,submission
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
[postfix-sasl]
enabled = true
filter = postfix-sasl
port = smtp,submissions,submission,pop3,pop3s,imap,imaps
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.warn
[postfix-rbl]
enabled = true
filter = postfix-rbl
port = smtp,submissions,submission
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log