#author("2023-09-30T11:12:41+09:00","default:kuji","kuji")
----
[[blacklistd(8)]] does not seem to provide a way to block unauthorized login attempts against pop3 qpopper, so I decided to try fail2ban instead.

*/security/py-fail2ban [#x04d8d24]
[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/476435243.html]]

/etc/rc.conf
 fail2ban_enable="YES"

[[Using Fail2ban with Dovecot:https://doc.dovecot.org/configuration_manual/howto/fail2ban/]]

**Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf: [#x4ff1a08]
 [Definition]
 failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>

**Add the following to /etc/fail2ban/jail.conf: [#b2d423e0]
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
 logpath = /var/log/maillog
 maxretry = 20
 findtime = 1200
 bantime = 1200

** dovecot-pop3imap.conf [#v9ce87ba]
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
 [Definition]
 failregex = refused connection from <HOST>, service qpopper \(tcp\)
 datepattern = {^LN-BEG}

[[Tips for getting fail2ban to work properly: keep the regular expressions simple and readable:https://nomeu.net/8375/]]

/usr/local/etc/fail2ban/jail.local
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
 #logpath = /var/log/maillog
 logpath = /var/log/auth.log
 maxretry = 2
 findtime = 1200
 bantime = 1200
 backend = polling
 banaction = bsd-ipfw[table=pop3]

Testing the filter against the log with fail2ban-regex:
 # fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
 
 Running tests
 =============
 
 Use   failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
 Use         log file : /var/log/auth.log
 Use         encoding : UTF-8
 
 
 Results
 =======
 
 Failregex: 0 total
 Ignoreregex: 0 total
 
 Date template hits:
 |- [# of hits] date format
 |  [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 `-
 
 Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
 [processed in 0.53 sec]
 
 Missed line(s): too many to print.  Use --print-all-missed to print all 6618 lines
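As an added example (not code from this page or from fail2ban itself), the script below replays constructed syslog lines through the qpopper failregex from the filter above and applies the jail.local rule maxretry = 2 / findtime = 1200, reporting matched and missed counts the way fail2ban-regex does. The sample lines, the fixed year, the simplified syslog date parser and the `<HOST>` expansion to `(?P<host>\S+)` are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FreeBSD syslog layout; not taken from the real /var/log/auth.log.
SAMPLE_LOG = """\
Sep 30 10:00:01 mx inetd[812]: refused connection from 203.0.113.7, service qpopper (tcp)
Sep 30 10:05:12 mx inetd[812]: refused connection from 203.0.113.7, service qpopper (tcp)
Sep 30 10:06:00 mx inetd[812]: refused connection from 198.51.100.9, service qpopper (tcp)
Sep 30 10:07:44 mx sshd[901]: Failed password for root from 192.0.2.5 port 5000 ssh2
Sep 30 11:30:00 mx inetd[812]: refused connection from 198.51.100.9, service qpopper (tcp)
"""

# The failregex from the page's filter; <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = r"refused connection from <HOST>, service qpopper \(tcp\)"

# Simplified stand-in for the {^LN-BEG} syslog date template: "Mon DD HH:MM:SS host ".
SYSLOG_DATE = re.compile(r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<rest>.*)$")

def compile_failregex(failregex):
    """Expand <HOST> into a named group (a simplified version of fail2ban's expansion)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def evaluate_jail(log_text, failregex, maxretry, findtime, year=2023):
    """Return (matched, missed, banned_hosts) after replaying the log through the jail rule."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)          # host -> timestamps of matched failures
    banned, matched, missed = set(), 0, 0
    for line in log_text.splitlines():
        m = SYSLOG_DATE.match(line)
        if not m:
            missed += 1
            continue
        ts = datetime.strptime(f"{year} {m['date']}", "%Y %b %d %H:%M:%S")
        hit = rx.search(m["rest"])       # failregex is applied to the text after the date prefix
        if not hit:
            missed += 1
            continue
        matched += 1
        host = hit["host"]
        # Keep only failures still inside the findtime window, then count them against maxretry.
        failures[host] = [t for t in failures[host] if ts - t <= window] + [ts]
        if len(failures[host]) >= maxretry:
            banned.add(host)
    return matched, missed, banned

if __name__ == "__main__":
    print(evaluate_jail(SAMPLE_LOG, FAILREGEX, maxretry=2, findtime=1200))
```

With the sample above, 203.0.113.7 reaches two failures within 20 minutes and is banned, while the two failures from 198.51.100.9 are 84 minutes apart and fall outside findtime.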