原文地址
说明:
邮件系统、FTP服务器等,常会遇到成百上千的试探***及暴力破解密码。特别是邮件服务器,邮箱账号被破解了又被拿去发垃圾邮件,导致公司邮件被gmail,qq等退信,实现无奈。如下Jul 28 17:05:01 mail10 postfix/smtpd[11722]: warning: unknown[101.69.192.41]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jul 28 17:06:07 mail10 postfix/smtpd[11722]: warning: unknown[218.108.46.51]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jul 28 17:08:48 mail10 postfix/smtpd[11722]: warning: unknown[58.42.247.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
其实可以通过fail2ban调用iptables来阻档这些尝试。
1、fail2ban编译安装
# wget http://cznic.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.11/fail2ban-0.8.11.tar.gz# tar jxvf fail2ban-0.8.11.tar.bz2# cd fail2ban-0.8.11# ./setup.py install# cp files/redhat-initd /etc/init.d/fail2ban //fail2ban安装包内自带几种系统的启动脚本,centos为files/redhat-initd,将redhat-initd文件复制到/etc/init.d# chmod 755 /etc/init.d/fail2ban# chkconfig --add fail2ban# chkconfig fail2ban on
因为fail2ban是基于python写的,所以其安装时需要python环境才能进行安装。
主要配置文件及参数
# ll /etc/fail2ban/drwxr-xr-x 2 root root 4096 06-28 16:53 action.d //是如何调用iptables、mail发送等程序的目录-rw-r--r-- 1 root root 859 01-17 12:24 fail2ban.conf //设置该程序的日志等drwxr-xr-x 2 root root 4096 06-28 16:11 filter.d //过滤规则目录-rw-r--r-- 1 root root 6593 06-28 15:42 jail.conf //监控和过滤的配置参数。-rw-r--r-- 1 root root 1375 2011-11-30 jail.local //配置本地主要监控的日志及相关参数
2、配置fail2ban,我这里配置了4个,postfix,pop3,exmail,vsftp,可自己定制。其实像postfix,pop3如果不熟的话,可以先一个个加,先测试postfix,再测试pop3,避免影响线上邮件接收!
# vi /etc/fail2ban/jail.conf[postfix]enabled = true filter = postfix action = iptables[name=postfix, port=25, protocol=tcp]ignoreip = 127.0.0.1 192.168.1.0/16logpath = /var/log/maillog bantime = 86400 findtime = 60 maxretry = 5[POP3]enabled = truefilter = courierloginaction = iptables[name=pop3, port=110, protocol=tcp]logpath = /var/log/maillogbantime = 1800findtime = 300maxretry = 15[vsftpd]enabled = truefilter = vsftpdaction = iptables[name=vsftpd, port=21, protocol=tcp]ignoreip = 127.0.0.1 192.168.1.0/16logpath = /var/log/vsftpd.logmaxretry = 5bantime = 1800[extmail]enabled = truefilter = extmailaction = iptables[name=extmail, port=80, protocol=tcp]logpath = /var/log/maillogbantime = 300findtime = 300maxretry = 6
ignoreip = 127.0.0.1 192.168.1.0/16 是指本地网忽略及192.168.0.0段,多个ip段以空格分隔!
再来看看主配置默认生效的配置:
cat /etc/fail2ban/jail.conf |grep -v ^# |less
[DEFAULT] #全局设置
ignoreip = 127.0.0.1 #忽略的IP列表,不受设置限制(白名单)
bantime = 600 #屏蔽时间,单位:秒
findtime = 600 #这个时间段内超过规定次数会被ban掉
maxretry = 3 #最大尝试次数
backend = auto #日志修改检测机制(gamin、polling和auto这三种)
[ssh-iptables] #针对各服务的检查配置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置
enabled = true #是否激活此项(true/false)
filter = sshd #过滤规则filter的名字,对应filter.d目录下的sshd.conf
action = iptables[name=SSH, port=ssh, protocol=tcp] #动作的相关参数
sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] #触发报警的收件人
logpath = /var/log/secure #检测的系统的登陆日志文件
maxretry = 5 #最大尝试次数
3、/etc/fail2ban/filter.d中编辑或新加文件,文件名一定要跟上一步jail.conf配置文件中的“filter=”对应
# vim /etc/fail2ban/filter.d/postfix.conffailregex = warning: (.*)\[\]: SASL LOGIN authentication failed: reject: RCPT from (.*)\[ \]: 550 5.1.1 reject: RCPT from (.*)\[ \]: 450 4.7.1 reject: RCPT from (.*)\[ \]: 554 5.7.1 reject: RCPT from (.*)\[ \]: 554 5.5.2 reject: RCPT from (.*)\[ \]: 504 5.5.2ignoreregex =
# vim /etc/fail2ban/filter.d/pop3,即courierlogin.conffailregex = LOGIN FAILED, .*, ip=\[\]$ignorereg
# vim /etc/fail2ban/filter.d/vsftpd.conffailregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=(?:\s+user=\S*)?\s*$ \[.+\] FAIL LOGIN: Client " "\s*$ignoreregex =
# vim /etc/fail2ban/filter.d/extmail.conffailregex = extmail.*: user=.*, client=, module=login, status=badloginignoreregex =
4、测试,可以先进行过滤检查语法测试,可以看到其实还挺多ip来试探的,话说这哥们还真闲,一直换着ip搞
# fail2ban-client status postfix Status for the jail: postfix|- filter| |- File list: /var/log/maillog | |- Currently failed: 121| `- Total failed: 1363`- action |- Currently banned: 82 | `- IP list: 62.241.143.247 222.213.236.162 118.98.97.94 202.21.181.110 112.124.37.83 119.188.103.129 180.252.181.15 58.221.83.10 118.212.129.175 186.24.34.179 218.84.213.182 203.57.24.25 121.31.62.162 222.186.12.5 202.29.235.121 218.90.174.167 202.29.235.122 181.29.132.201 1.234.75.53 122.225.124.74 211.144.81.68 202.159.6.146 210.209.118.57 58.61.29.233 201.249.188.101 211.144.81.67 211.144.81.66 193.150.105.40 193.255.217.101 182.131.2.222 202.137.8.148 23.239.106.103 202.77.123.38 218.249.114.42 103.31.204.167 200.68.15.61 46.20.46.152 124.161.189.49 191.101.2.37 14.146.228.2 187.240.117.148 222.42.1.132 183.224.71.21 218.76.158.156 192.3.110.146 121.52.159.236 58.215.212.243 124.73.7.249 124.114.141.118 61.150.76.201 121.14.228.16 117.45.18.100 58.248.22.41 181.65.183.42 62.231.187.137 80.227.12.90 115.239.248.235 118.97.66.4 119.176.234.232 58.67.143.165 94.242.238.13 190.111.122.3 194.68.142.57 177.2.109.234 218.95.158.99 58.68.145.39 123.138.68.172 113.108.186.138 202.44.64.4 189.17.184.3 94.23.192.79 124.161.94.8 177.159.173.106 61.177.137.131 118.112.181.36 109.201.140.35 121.63.246.223 124.207.34.91 219.146.2.105 188.17.153.192 60.21.132.218 61.143.158.226 `- Total banned: 82
5、启动fail2ban
# /etc/init.d/fail2ban start
6、然后就可以通过iptables命令查看被封掉的IP
# iptables -L -nvChain INPUT (policy DROP 660 packets, 68278 bytes) pkts bytes target prot opt in out source destination 121M 27G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED1522K 91M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,465,110, 4929 290K ACCEPT all -- lo * 。。。。。。
附录:附录1: 重启iptables后一定要重启fail2ban,不然fail2ban不能生效,fail2ban的过滤表是在iptables启动后再添加的