如何创建 failregex 来阻止 imap-logins fail2ban

tag-icon tag-icon fail2ban imap
如何创建 failregex 来阻止 imap-logins fail2ban

有人能帮我创建正确的 fail2ban 过滤器吗?坏 IP 地址敲击端口 993 /etc/fail2ban/filter.d/dovecot.conf 不会捕获此类日志

我发现了类似的东西,但我得到了错误

[Definition]

failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $

mail.log

Jan 28 11:35:10 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS, session=<4WmzJqHWpuJ1Mm4F>
Jan 28 11:35:11 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<8Bi9JqHWYIB1Mm4F>
Jan 28 11:35:12 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<9vHEJqHWmIF1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=676) failed: Connection reset by peer, session=<Ri3TJqHWtIJ1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<RjDbJqHWdIR1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<mHXjJqHWHIV1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<l6XnJqHW0IV1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=595) failed: Connection reset by peer, session=<ic/zJqHWhoZ1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<aw78JqHWXId1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher, session=<gTIAJ6HWMoh1Mm4F>
Jan 28 11:35:16 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share, session=<l9UIJ6HW8Ih1Mm4F>

再次感谢你

答案1

aggressive如果您使用某些新的 fail2ban 版本,其中 dovecot 过滤器支持模式,则无需编写自己的正则表达式。
您可以使用以下命令进行检查:

fail2ban-regex /path/to/log-or-test-message dovecot[mode=aggressive]

如果你看到matches它正在为你工作,那么只需将它设置为你的jail.local监狱dovecot

[dovecot]
mode = aggressive
...
enabled = true

我发现了类似的东西,但我得到了错误

您的示例似乎是不完整的(修剪过的?),无论如何它没有<ADDR>或者<HOST>基本上不是为另一个 fail2ban 版本编写的(您也没有提供)。

无论如何,对于 v.0.10 或更高版本它可能看起来像,只是它只能与prefregex同一过滤器中指定的几行较高行一起工作,以及与在那里指定的其他替换变量一起工作,并且可能还依赖于版本常见过滤器包括

或者甚至像这样(必须适用于每个版本并且不需要包含):

failregex = ^\s*(?:\S+\s+)?(?:(?:dovecot(?:-auth)?|auth)(?:\[\d+\])?:?\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \(uid=\w+\): auth(?:-worker)?<\d+>: )?(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

相关内容