我有一台 Ubuntu 20.04 服务器,它每天从同一 IP 在我的 postfix 服务器上接收数百个 SMTP AUTH 请求。我安装了 fail2ban,但讽刺的是,它无法禁止该 IP。
我的/etc/fail2ban/jail.local文件是(<snip>中的位是个人和企业 IP):
[postfix-flood-attack]
enabled = true
bantime = 1h
filter = postfix-flood-attack
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
ignoreip = <snip> 127.0.0.1/8
maxretry = 3
[postfix]
enabled = true
maxretry = 3
bantime = 1h
filter = postfix[mode=aggressive]
logpath = /var/log/mail.log
ignoreip = <snip> 127.0.0.1/8
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3
ignoreip = <snip> 127.0.01/8
所涉监狱postfix-flood-attack来自本教程底部。该/etc/fail2ban/filter.d/postfix-flood-attack.conf文件是:
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
我的日志消息看起来像
Aug 15 13:54:45 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:46 ikana postfix/smtps/smtpd[268729]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: warning: unknown[193.35.48.18]: SASL PLAIN authentication failed:
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:51 ikana postfix/smtps/smtpd[268729]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:58 ikana postfix/smtps/smtpd[268729]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268729]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268734]: connect from unknown[193.35.48.18]
Aug 15 13:55:05 ikana postfix/smtps/smtpd[268734]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: warning: unknown[193.35.48.18]: SASL PLAIN authentication failed:
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
根据fail2ban-regex,这应该可以工作,但 IP 并未被禁止。该命令的输出fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-flood-attack.conf为:
Running tests
=============
Use failregex filter file : postfix-flood-attack, basedir: /etc/fail2ban
Use log file : /var/log/mail.log
Use encoding : UTF-8
Results
=======
Failregex: 5356 total
|- #) [# of hits] regular expression
| 1) [5356] lost connection after AUTH from (.*)\[<HOST>\]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [37949] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 37949 lines, 0 ignored, 5356 matched, 32593 missed
[processed in 1.43 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 32593 lines
因此,它找到了 5,356 个日志的匹配项,并且从未禁止任何日志。在默认的 10 分钟查找时间内,通常会有 8 次尝试。使用选项的代码片段-v显示fail2ban-regex了以下带有时间戳的匹配项:
...
193.35.48.18 Thu Aug 15 13:50:55 2019
193.35.48.18 Thu Aug 15 13:51:02 2019
193.35.48.18 Thu Aug 15 13:51:10 2019
193.35.48.18 Thu Aug 15 13:51:15 2019
193.35.48.18 Thu Aug 15 13:54:50 2019
193.35.48.18 Thu Aug 15 13:54:57 2019
193.35.48.18 Thu Aug 15 13:55:04 2019
193.35.48.18 Thu Aug 15 13:55:09 2019
193.35.48.18 Thu Aug 15 13:58:40 2019
193.35.48.18 Thu Aug 15 13:58:48 2019
193.35.48.18 Thu Aug 15 13:58:54 2019
193.35.48.18 Thu Aug 15 13:58:59 2019
...
答案1
配置看起来不错,但输出中有一个重要细节需要注意fail2ban-regex:它决定日期来自 2019 年。考虑到问题中的日志,这乍一看似乎很愚蠢。事实证明,这在某种程度上是 fail2ban 的一个已知问题,他们将其称为TZ 问题。将服务器配置为使用特定时区后,您需要重新启动一系列服务,或重新启动整个系统才能使其正常生效。虽然我不记得有多久了,但我想自从在服务器上配置时区以来,我从未重新启动过服务器。
通过 重新启动 syslog 服务后systemctl restart syslog,fail2ban 识别了正确时区的日志行。
Fail2ban 立即识别了配置的查找时间中的日志消息,并禁止了困扰我服务器数天的 IP。我猜 Fail2ban 会向系统日志询问时区信息,而不是使用自 fail2ban-server 启动以来在机器上设置的信息。
我希望这可以帮助其他遇到类似问题的人。
答案2
当您使用标准日期格式时,fail2ban 不会认为这些日期是 2019 年的歧义。您可以通过以下方式完全避免此问题:使用 ISO 8601- 在 2020 年,您可能没有任何理由继续坚持使用向后兼容的日志格式。
此外,在 Ubuntu 中,您可以完全跳过日期格式/解析,通过指示 fail2ban 直接使用 systemd 日志,它提供与纪元相关的简单偏移量,而没有时区信息(在本地监狱配置中的块backend = systemd中尝试[DEFAULT])。