主页 / computer / 问题 / 1496299
Accepted
Megver83
Asked: 2019-10-27 16:07:29 +0800 CST

fail2ban 不禁止 IP,但表示要这样做

  • 772

我已经将 fail2ban 0.9.6 与 iptables 1.6.2 一起使用,并且我正在使用它来阻止攻击者,该攻击者从几天以来一直在戏弄我的电子邮件服务器(典型的 Dovecot + Postfix 安装)。一切正常,配置文件,日志文件等,但它并没有真正禁止攻击者的 IP 地址,因为我可以看到他试图访问 /var/log/mail.log,即使在 fail2ban 禁止它之后也是如此。

这是来自该攻击者的日志摘录:

Oct 27 00:05:55 servidor dovecot: auth: Debug: passwd-file([email protected],92.118.38.54): lookup: [email protected] file=/etc/passwd-file
Oct 27 00:05:55 servidor dovecot: auth: passwd-file([email protected],92.118.38.54): unknown user (given password: password)
Oct 27 00:05:57 servidor dovecot: auth: Debug: client passdb out: FAIL#0111#[email protected]
Oct 27 00:05:57 servidor postfix/smtps/smtpd[2047]: warning: unknown[92.118.38.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: lost connection after AUTH from unknown[92.118.38.54]
Oct 27 00:06:06 servidor postfix/smtps/smtpd[2047]: disconnect from unknown[92.118.38.54] ehlo=1 auth=0/1 rset=1 commands=2/3

他尝试了许多用户名,并且始终使用相同的密码。这是 fail2ban-client 的状态,但是:

$ sudo fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     16
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   92.118.38.54

$ sudo fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     17
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

我想知道为什么 IP 在 dovecot-pop3imap 中被禁止,但在 postfix-sasl 中没有(这是功能吗?不在不同的配置文件中重复相同的禁令?)

这是我的 /etc/fail2ban/jail.local 文件:

 # Configuración pensada para usarse junto con iptables

 # RESOURCES:
 # * https://wiki.archlinux.org/index.php/Fail2ban
 # * https://wiki.dovecot.org/HowTo/Fail2Ban
 # * https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_spanish
 # * https://www.linode.com/docs/security/using-fail2ban-for-security/
 # * https://wiki.gentoo.org/wiki/Fail2ban
 # * https://www.fail2ban.org/wiki/index.php/HOWTOs

 [DEFAULT]
 bantime = 3600
 destemail = [email protected]
 sender = [email protected]

 # to ban & send an e-mail with whois report to the destemail.
 action = %(action_mw)s

 # same as action_mw but also send relevant log lines
 #action = %(action_mwl)s

 maxretry = 5

 # Dovecot
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
 logpath = /var/log/mail.log
 #maxretry = 5
 findtime = 1200
 #bantime = 3600

 # Postfix
 [postfix]
 enabled = true
 filter = postfix
 action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
 logpath = /var/log/mail.log
 #maxretry = 5
 #bantime = 3600

 [postfix-sasl]
 enabled = true
 filter = postfix-sasl
 action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
 logpath = /var/log/mail.log
 #maxretry = 5
 #bantime = 3600

 [postfix-rbl]
 enabled = true
 filter = postfix-rbl
 action = iptables-multiport[name=postfix, port="smtp,submissions,submission",p rotocol=tcp]
 logpath = /var/log/mail.log
 #maxretry = 5
 #bantime = 3600

来自 iptables 的信息:

$ sudo iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 4881 packets, 247K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       95 12521 f2b-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 110,995,143,993
2     2697  133K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
3     2697  133K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
4     2698  133K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 23063 packets, 1114K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain f2b-dovecot (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       92.118.38.54         0.0.0.0/0            reject-with icmp-port-unreachable
2       95 12521 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-postfix (3 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     8092  398K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

PS:我不想手动阻止这个特定的IP,因为我希望禁止过程是自动的

security firewall

1 个回答

  1. Best Answer

    好的,所以看起来Currently failed: 1很有意义:P

    看起来问题出action在配置文件中,所以我终于通过使用一些默认设置来解决它,这是我的新jail.local文件:

    # Configuración pensada para usarse junto con iptables

##############
# RESOURCES: #
##############
# * https://wiki.archlinux.org/index.php/Fail2ban
# * https://wiki.dovecot.org/HowTo/Fail2Ban
# * https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_spanish
# * https://www.linode.com/docs/security/using-fail2ban-for-security/
# * https://wiki.gentoo.org/wiki/Fail2ban
# * https://www.fail2ban.org/wiki/index.php/HOWTOs

[DEFAULT]
# bantime for 1 day
bantime = 86400
destemail = [email protected]
sender = [email protected]
backend = pyinotify

# if the guy fails 5 times in 1/2 hour, gets banned
findtime = 1800
maxretry = 5

# to ban & send an e-mail with whois report to the destemail.
#action = %(action_mw)s

# same as action_mw but also send relevant log lines
action = %(action_mwl)s

############
# PROFILES #
############

# Se asume que banaction = iptables-multiport

# Dovecot
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = pop3,pop3s,imap,imaps
#action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log

# Postfix
[postfix]
enabled = true
filter = postfix
port = smtp,submissions,submission
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log

[postfix-sasl]
enabled = true
filter = postfix-sasl
port = smtp,submissions,submission,pop3,pop3s,imap,imaps
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.warn

[postfix-rbl]
enabled = true
filter = postfix-rbl
port = smtp,submissions,submission
#action = iptables-multiport[name=postfix, port="smtp,submissions,submission", protocol=tcp]
logpath = /var/log/mail.log
    • 0

相关问题