fail2ban does not ban the IP but claims it does


I have been using fail2ban 0.9.6 together with iptables 1.6.2 to block an attacker who, for a few days now, has been toying with my e-mail server (a typical Dovecot + Postfix setup). Everything works: the configuration files, the log files, etc., but it does not actually ban the attacker's IP address, because I can still see him trying to get in in /var/log/mail.log even after fail2ban has banned it.

Here is a log excerpt from that attacker:

Oct 27 00:05:55 servidor dovecot: auth: Debug: passwd-file([email protected],92.118.38.54): lookup: [email protected] file=/etc/passwd-file
Oct 27 00:05:55 servidor dovecot: auth: passwd-file([email protected],92.118.38.54): unknown user (given password: password)
Oct 27 00:05:57 servidor dovecot: auth: Debug: client passdb out: FAIL#0111#[email protected]
Oct 27 00:05:57 servidor postfix/smtps/smtpd[2047]: warning: unknown[92.118.38.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: lost connection after AUTH from unknown[92.118.38.54]
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: disconnect from unknown[92.118.38.54] ehlo=1 auth=0/1 rset=1 commands=2/3

He has tried a lot of usernames, always with the same password. However, fail2ban-client status shows:

$ sudo fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     16
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   92.118.38.54

$ sudo fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     17
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

I don't know why that IP is banned in dovecot-pop3imap but not in postfix-sasl (is that a feature? not repeating the same ban across different jails?)

This is my /etc/fail2ban/jail.local file:

# Configuration intended for use together with iptables

# RESOURCES:
# * https://wiki.archlinux.org/index.php/Fail2ban
# * https://wiki.dovecot.org/HowTo/Fail2Ban
# * https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_spanish
# * https://www.linode.com/docs/security/using-fail2ban-for-security/
# * https://wiki.gentoo.org/wiki/Fail2ban
# * https://www.fail2ban.org/wiki/index.php/HOWTOs

[DEFAULT]
bantime = 3600
destemail = [email protected]
sender = [email protected]

# to ban & send an e-mail with whois report to the destemail.
action = %(action_mw)s

# same as action_mw but also send relevant log lines
#action = %(action_mwl)s

maxretry = 5

# Dovecot
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
findtime = 1200
#bantime = 3600

# Postfix
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
#bantime = 3600

[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
#bantime = 3600

[postfix-rbl]
enabled = true
filter = postfix-rbl
action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
#maxretry = 5
#bantime = 3600

Information from iptables:

$ sudo iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 4881 packets, 247K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       95 12521 f2b-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 110,995,143,993
2     2697  133K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
3     2697  133K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
4     2698  133K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 23063 packets, 1114K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain f2b-dovecot (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       92.118.38.54         0.0.0.0/0            reject-with icmp-port-unreachable
2       95 12521 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-postfix (3 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     8092  398K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

P.S.: I don't want to block this particular IP by hand, because I want the banning process to be automatic.

Answer 1

OK, it looks like that "Currently failed: 1" does mean something :P

It looks like the problem was the action in the configuration file, so I ended up solving it by using some of the defaults. This is my new jail.local file:

# Configuration intended for use together with iptables

##############
# RESOURCES: #
##############
# * https://wiki.archlinux.org/index.php/Fail2ban
# * https://wiki.dovecot.org/HowTo/Fail2Ban
# * https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_spanish
# * https://www.linode.com/docs/security/using-fail2ban-for-security/
# * https://wiki.gentoo.org/wiki/Fail2ban
# * https://www.fail2ban.org/wiki/index.php/HOWTOs

[DEFAULT]
# bantime for 1 day
bantime = 86400
destemail = [email protected]
sender = [email protected]
backend = pyinotify

# if the guy fails 5 times in 1/2 hour, gets banned
findtime = 1800
maxretry = 5

# to ban & send an e-mail with whois report to the destemail.
#action = %(action_mw)s

# same as action_mw but also send relevant log lines
action = %(action_mwl)s

############
# PROFILES #
############

# Assumes banaction = iptables-multiport

# Dovecot
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = pop3,pop3s,imap,imaps
#action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log

# Postfix
[postfix]
enabled = true
filter = postfix
port = smtp,submissions,submission
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log

[postfix-sasl]
enabled = true
filter = postfix-sasl
port = smtp,submissions,submission,pop3,pop3s,imap,imaps
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.warn

[postfix-rbl]
enabled = true
filter = postfix-rbl
port = smtp,submissions,submission
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
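fail2ban only bans when maxretry failures land inside a single findtime window, which is exactly what the answer's findtime = 1800 / maxretry = 5 pair tunes. The Python below is an added example, not code from the question, the answer or fail2ban itself: it reproduces that sliding-window rule over constructed Postfix SASL log lines (the pattern is modelled on the line format quoted in the question; the IP, PIDs and timings are invented) and shows how a slow, evenly paced stream of failures is missed by a short findtime but caught by a longer one.

```python
import re
from collections import deque
from datetime import datetime, timezone

# Modelled on the Postfix SASL failure line quoted in the question; constructed
# for this example, not fail2ban's own postfix-sasl filter.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\S+\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed"
)

# Constructed sample: one client fails SASL LOGIN every four minutes (syslog lines carry no year).
SAMPLE_LOG = """\
Oct 27 00:05:57 servidor postfix/smtps/smtpd[2047]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: lost connection after AUTH from unknown[192.0.2.10]
Oct 27 00:09:57 servidor postfix/smtps/smtpd[2051]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:13:57 servidor postfix/smtps/smtpd[2055]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:17:57 servidor postfix/smtps/smtpd[2060]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:21:57 servidor postfix/smtps/smtpd[2063]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def parse_failures(log_text, year=2018):
    """Return (epoch_seconds, ip) for each line the failure pattern matches; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts.replace(tzinfo=timezone.utc).timestamp(), m["ip"]))
    return events

def banned_ips(events, maxretry, findtime):
    """fail2ban's rule: an IP is banned once maxretry failures fall inside one findtime-second window."""
    recent, banned = {}, set()
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        window = recent.setdefault(ip, deque())
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for findtime in (600, 1200, 1800):  # 600 s is fail2ban's default findtime
        print(f"findtime={findtime}s maxretry=5 -> banned: {sorted(banned_ips(events, 5, findtime))}")
```

Five failures spaced four minutes apart span 960 seconds, so the default 600-second window never holds more than three of them and no ban fires, while a 1200- or 1800-second window catches all five.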
