I have seen some posts on stackexchange and other sites but have not been able to figure this out. I am using fail2ban on Ubuntu 22 with exim, dovecot etc. as my mail server. There are a few other applications on the same server as well. Since this is a private server, I want to make my configuration very strict and whitelist where necessary.
Here is what I currently have in /etc/fail2ban/filter.d/exim.conf:

```ini
# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

# Pre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s>

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            ^\s*H=(?:\S+ )?\([^)]+\) \[<ADDR>\](?: [A-Z]+=\S+){1,5} rejected RCPT$
            <mdre-<mode>>

mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$

mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match flood and ddos-similar log-entries like:
#   'no host found for IP', 'no IP found for host'.
# Note this is not an authentication failures, so it may produce lots of false
# positives on misconfigured MTAs.
# Ex.:
#   filter = exim[mode=aggressive]
mode = normal

ignoreregex =

# DEV Notes:
# The %(host_info) definition contains a <HOST> match
```
I would like to permanently ban an IP address (using the fail2ban exim configuration) whenever any of the following events show up in the exim log files (mainlog and mainlog.1) in the folder /var/log/exim4/:
```text
2022-11-12 14:40:06 TLS error on connection from scanner-04.ch1.someone-abcd.com [192.1.2.3] (gnutls_handshake): The TLS connection was non-properly terminated.
2022-11-12 15:29:55 dovecot_plain authenticator failed for (FULLY-QUALIFIED-HOSTNAME) [192.1.2.3]: 535 Incorrect authentication data (set_id=my_host_name)
2022-11-12 20:26:17 SMTP call from [192.1.2.39] dropped: too many unrecognized commands (last was "")
2022-11-12 20:50:13 TLS error on connection from [192.1.2.3] (gnutls_handshake): An unexpected TLS packet was received.
2022-11-12 21:22:59 SMTP call from [192.1.2.55] dropped: too many syntax or protocol errors (last command was "?\b?\006?\027?\030?\031?\v?\002\001??\r?\020?\016\004\001\004\003\002\001\002\003\004\001\005\001\006\001\377\001?\001?\025\003\001?\002\002", NULL)
2022-11-12 14:30:34 TLS error on connection from scanner-27.ch1.someone-abcd.com [167.94.138.117] (gnutls_handshake): No common application protocol could be negotiated.
2022-11-12 09:32:59 TLS error on connection from hfgfydf.djddjd.io [192.168.1.2] (recv): Error in the pull function.
2022-11-12 06:29:20 H=(WIN-CLJ1B0GQ6JP) [192.168.1.2] F=<[email protected]> rejected RCPT <[email protected]>: Rejected because 192.168.1.2 is in a black list at zen.spamhaus.org
2022-11-12 00:20:22 TLS error on connection from [192.1.2.3] (gnutls_handshake): An unexpected TLS packet was received.
2022-11-12 14:31:00 SMTP call from scanner-05.ch1.someone-abcd.com [192.1.2.33] dropped: too many syntax or protocol errors (last command was "?", NULL)
```
Here is the fail2ban jail configuration for exim. Note that I am using Hestia, in case that makes any difference:
```ini
[exim-iptables]
enabled = true
filter = exim
# maxfailures is not a fail2ban jail option and is ignored; the per-IP
# failure threshold fail2ban actually reads is maxretry
maxfailures = 1
bantime = -1
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog
ignoreip = 127.0.0.1 my_ip_address_1 my_ip_address_2 my_hostname
```
I do have basic knowledge of regular expressions, but I am struggling to find the right regex for the fail2ban exim configuration file.
Once I have done and verified this for exim, I would like to make similar changes to the dovecot jail based on the error messages in the dovecot log.
Thanks
Answer 1
Replying here in case anyone else is interested: I ended up adding a few regex filters above the existing ones, and they seem to have been working well for a few weeks.
I think these filters may be too strict for some environments. Since this is a private email server, I permanently ban anyone as soon as they violate a rule once. I whitelisted a few (trusted) IP addresses in the fail2ban jail configuration.
```ini
failregex =
    ## New rules that I added ##
    ^.*because <HOST> is in a black list at.*$
    ^.*Connection closed.*unsupported protocol.*user=\<\>,\srip=<HOST>.*$
    ^.*Connection closed \(no auth attempts in .*user=\<\>,\srip=<HOST>.*$
    ^.* \[<HOST>\].* The TLS connection was non-properly terminated.*$
    ^.* \[<HOST>\].*535 Incorrect authentication data.*$
    ^.* \[<HOST>\] dropped: too many .*$
    ## Preexisting ones ##
    ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
    ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
    ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
    ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
    ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
    ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
    ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
    ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
    ^\s*H=(?:\S+ )?\([^)]+\) \[<ADDR>\](?: [A-Z]+=\S+){1,5} rejected RCPT$
```
Also adding my fail2ban jail configuration:
```ini
[exim-iptables]
enabled = true
filter = exim
maxretry = 0
maxfailures = 1
bantime = -1
findtime = 36000
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog
          /var/log/exim4/mainlog.1
          /var/log/exim4/rejectlog.1
          /var/log/exim4/rejectlog
ignoreip = <<few different private IPs>>
```
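Before pointing a `bantime = -1` jail at new rules, it is worth seeing exactly which lines they catch and which host they extract. The script below is an added example, not code from the question, the answer or fail2ban: it takes the six rules added in the answer, expands `<HOST>` and strips the timestamp roughly the way fail2ban does (both are approximations, as commented), and runs them over sample lines constructed after the entries quoted in the question, with example hostnames and addresses substituted.

```python
"""Dry run of the failregex rules added in the answer above against sample
log lines. This approximates fail2ban's matching: the timestamp is removed,
<HOST> is expanded, the rules are tried in order and the captured host is
reported. On a live server use fail2ban-regex; this is only for reasoning
about the patterns offline."""
import re

# fail2ban's expansion of the <HOST> tag (assumption: the 0.10/0.11 pattern
# without its atomic group, which Python's stdlib re only gained in 3.11).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Exim mainlog timestamp. fail2ban strips the matched date before applying
# failregex, so the same is done here.
DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# The six rules from the answer, verbatim apart from the <HOST> expansion.
NEW_RULES = [
    r"^.*because <HOST> is in a black list at.*$",
    r"^.*Connection closed.*unsupported protocol.*user=\<\>,\srip=<HOST>.*$",
    r"^.*Connection closed \(no auth attempts in .*user=\<\>,\srip=<HOST>.*$",
    r"^.* \[<HOST>\].* The TLS connection was non-properly terminated.*$",
    r"^.* \[<HOST>\].*535 Incorrect authentication data.*$",
    r"^.* \[<HOST>\] dropped: too many .*$",
]
COMPILED = [re.compile(rule.replace("<HOST>", HOST)) for rule in NEW_RULES]


def first_match(line):
    """Return (rule_index, host) for the first rule matching the line, or None."""
    message = DATE.sub("", line, count=1)
    for index, regex in enumerate(COMPILED):
        match = regex.search(message)
        if match:
            return index, match.group("host")
    return None


def scan(lines):
    """Ban decision per line: (rule_index, host) or None."""
    return [first_match(line) for line in lines]


def banned_hosts(lines):
    """Distinct hosts that would be banned, in first-seen order."""
    hosts = []
    for decision in scan(lines):
        if decision and decision[1] not in hosts:
            hosts.append(decision[1])
    return hosts


# Constructed sample lines, modelled on the entries quoted in the question
# with example hostnames and addresses. The last one is in Dovecot's
# login-log format and would only be seen by a jail whose logpath covers
# Dovecot's log, not /var/log/exim4/mainlog.
SAMPLE = [
    "2022-11-12 14:40:06 TLS error on connection from scanner-04.example.com [192.1.2.3] "
    "(gnutls_handshake): The TLS connection was non-properly terminated.",
    "2022-11-12 15:29:55 dovecot_plain authenticator failed for (mail.example.net) [192.1.2.3]: "
    "535 Incorrect authentication data (set_id=postmaster)",
    '2022-11-12 20:26:17 SMTP call from [192.1.2.39] dropped: too many unrecognized commands (last was "")',
    "2022-11-12 20:50:13 TLS error on connection from [192.1.2.3] (gnutls_handshake): "
    "An unexpected TLS packet was received.",
    '2022-11-12 21:22:59 SMTP call from [192.1.2.55] dropped: too many syntax or protocol errors '
    '(last command was "?", NULL)',
    "2022-11-12 06:29:20 H=(WIN-CLJ1B0GQ6JP) [192.168.1.2] F=<spam@example.org> rejected RCPT "
    "<user@example.com>: Rejected because 192.168.1.2 is in a black list at zen.spamhaus.org",
    # A normally accepted message: must not be banned.
    "2022-11-12 06:30:00 1ouABC-000123-4X <= bob@example.com H=mail.example.net [192.1.2.200] "
    "P=esmtps S=1234 id=abc@example.net",
    "Nov 12 22:10:01 mail dovecot: imap-login: Disconnected: Connection closed "
    "(no auth attempts in 0 secs): user=<>, rip=192.1.2.77, lip=10.0.0.5, TLS handshaking",
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE, scan(SAMPLE)):
        tag = "ban %-12s (rule %d)" % (decision[1], decision[0]) if decision else "no match"
        print("%-26s | %s" % (tag, line[20:80]))
    print("would ban:", banned_hosts(SAMPLE))
```

On the server itself, `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf` is the authoritative check, since it uses fail2ban's own engine, the `exim-common.conf` substitutions and its date handling. Two things the dry run makes visible: the `dropped: too many` rule also catches the "too many unrecognized commands" variant, which the stock rule (limited to `nonmail commands|syntax or protocol errors`) does not; and of the TLS errors listed in the question only "The TLS connection was non-properly terminated" is matched, so "An unexpected TLS packet was received", "No common application protocol could be negotiated" and "Error in the pull function" pass through untouched. The two `Connection closed` rules are written for Dovecot's login log and will only fire once a Dovecot log file is in a jail's `logpath`.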