![[PukiWiki]](image/pukiwiki.png "[PukiWiki]")
CONTENTS
Lastmodified 2024-02-17 (土) 09:25:52
blacklistd(8)では、pop3 qpopper への不整アタックの遮断は用意されていないようなので、fail2ban を試してみることにした。
https://fnf.seesaa.net/article/476415931.html
https://fnf.seesaa.net/article/476435243.html
https://intaa.net/archives/37086
portinstall security/py-fail2ban
/usr/local/etc/rc.d/fail2ban start
2023-09-30 17:00:26,803 fail2ban.configreader [48582]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto' Server ready
fail2ban.conf
#allowipv6 = auto allowipv6 = auto
/etc/rc.conf
fail2ban_enable="YES"
を作っておく。ファイル名は「dovecot-pop3imap.conf」とした。
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = refused connection from <HOST>, service qpopper \(tcp\)
datepattern = {^LN-BEG}
もう一つは、/ver/log/all.log を読み込むフィルター
/usr/local/etc/fail2ban/filter.d/qpopperauth.conf
対象となるログの行は、こんな
Feb 16 10:21:00 hostname qpopper[25932]: foo@example.com at xxx.yyy.zzz.*** (xx.yyy.zzz.***): -ERR [AUTH] Password supplied for "foo@example.com" is incorrect.
[Definition]
failregex = .* at .* \(<HOST>\): -ERR \[AUTH\] Password supplied .*
datepattern = {^LN-BEG}
動作確認するには、
# fail2ban-regex /var/log/all.log /usr/local/etc/fail2ban/filter.d/qpopperauth.conf --print-all-matched
とする。
fail2banをうまく動かすためのTips。正規表現はシンプルに見やすく
# fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
Running tests
=============
Use failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
Use log file : /var/log/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
[processed in 0.53 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 6618 lines
/usr/local/etc/fail2ban/jail.local
[INCLUDES] before = paths-freebsd.conf [dovecot-pop3imap] enabled = true mode = more filter = dovecot-pop3imap logpath = /var/log/auth.log maxretry = 2 findtime = 1200 bantime = 1200 backend = polling banaction = bsd-ipfw[table=dovecot-pop3imap,protocol=tcp] [qpopperauth] enabled = true mode = more filter = qpopperauth logpath = /var/log/all.log maxretry = 2 findtime = 1200 bantime = 86400 backend = polling banaction = bsd-ipfw[table=qpopperauth.conf,protocol=tcp]
fail2ban 再起動
# /usr/local/etc/rc.d/fail2ban restart
ipfw table all list
# ipfw table all list --- table(port25), set(0) --- 37.139.129.4/32 0 45.66.230.99/32 0 79.110.62.188/32 0 80.76.51.40/32 0 85.31.45.34/32 0 95.214.27.23/32 0 147.78.103.88/32 0 147.78.103.182/32 0 185.216.71.126/32 0 193.42.33.87/32 0 --- table(port587), set(0) --- 94.156.102.204/32 0 150.230.59.115/32 0 150.230.63.186/32 0 163.172.88.229/32 0 194.180.49.106/32 0 194.180.49.245/32 0 --- table(dovecot-pop3imap), set(0) --- 150.230.63.186/32 0
tail -80 /var/log/fail2ban.log
tail -80 /var/log/auth.log
ログを見ると、多数の SASL LOGIN authentication failed が記録されていて、何かと無駄だし鬱陶しい。
Jan 20 08:53:48 hoge postfix/smtpd[7395]: warning: unknown[194.33.191.13]: SASL LOGIN authentication failed: authentication failure, sasl_username=ishoika@mail.kuji-clinic.info
で、これを抑止する設定をしてみることに。
【設定ファイル】
/usr/local/etc/fail2ban/filter.d/postfix-auth.conf
# Fail2Ban filter for postfix SMTP-AUTH failures
[Definition]
failregex = warning: unknown\[<HOST>\]: SASL LOGIN authentication failed
datepattern = {^LN-BEG}
#Oct 26 10:21:21 hoge postfix/smtpd[4911]: warning: unknown[94.156.102.204]: SASL LOGIN authentication failed: authentication failure
#warning: unknown[<HOST>]: SASL LOGIN authentication failed: authentication failure
#fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched ←動作テスト
Total access 398:本日 1:昨日 4
