py-fail2ban の履歴の現在との差分(No.8)

• 履歴一覧
• 差分 を表示
• ソース を表示
• 履歴 を表示
• py-fail2ban へ行く。
  • 1 (2023-09-29 (金) 11:27:31)
  • 2 (2023-09-29 (金) 11:31:10)
  • 3 (2023-09-29 (金) 17:36:15)
  • 4 (2023-09-30 (土) 11:12:41)
  • 5 (2023-09-30 (土) 17:04:49)
  • 6 (2023-10-22 (日) 09:11:45)
  • 7 (2024-01-20 (土) 09:36:19)
  • 8 (2024-02-16 (金) 10:28:39)

• 追加された行はこの色です。
• 削除された行はこの色です。

#author("2024-02-16T10:28:39+09:00","default:kuji","kuji")
#author("2024-02-17T09:25:52+09:00","default:kuji","kuji")
CONTENTS
#contents
----
Lastmodified　&lastmod;
----
[[blacklistd(8)]]では、pop3 qpopper への不整アタックの遮断は用意されていないようなので、fail2ban　を試してみることにした。

https://fnf.seesaa.net/article/476415931.html

https://fnf.seesaa.net/article/476435243.html

https://intaa.net/archives/37086

*py-fail2ban をインストール [#af7a7a86]
 portinstall security/py-fail2ban

/usr/local/etc/rc.d/fail2ban start

 2023-09-30 17:00:26,803 fail2ban.configreader   [48582]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
 Server ready
fail2ban.conf
 #allowipv6 = auto
 
 allowipv6 = auto
 

[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/476435243.html]]

/etc/rc.conf
 fail2ban_enable="YES"

** ログを読むフィルター [#wbe3c828]
を作っておく。ファイル名は「dovecot-pop3imap.conf」とした。~
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
 [Definition]
 failregex = refused connection from <HOST>, service qpopper \(tcp\)
 datepattern = {^LN-BEG}


もう一つは、/ver/log/all.log を読み込むフィルター

/usr/local/etc/fail2ban/filter.d/qpopperauth.conf

対象となるログの行は、こんな
 Feb 16 10:21:00 hostname qpopper[25932]: foo@example.com at xxx.yyy.zzz.*** (xx.yyy.zzz.***): -ERR [AUTH] Password supplied for "foo@example.com" is incorrect.


 [Definition]
 failregex = .* at .* \(<HOST>\): -ERR \[AUTH\] Password supplied .*
 datepattern = {^LN-BEG}

動作確認するには、

  # fail2ban-regex /var/log/all.log /usr/local/etc/fail2ban/filter.d/qpopperauth.conf --print-all-matched

とする。

[[fail2banをうまく動かすためのTips。正規表現はシンプルに見やすく:https://nomeu.net/8375/]]

**フィルターの動作確認を [#ib35d2cb]
 # fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
 
 Running tests
 ============= 
 
 Use   failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
 Use         log file : /var/log/auth.log
 Use         encoding : UTF-8
 
 
 Results
 =======
 
 Failregex: 0 total
 
 Ignoreregex: 0 total
 
 Date template hits:
 |- [# of hits] date format
 |  [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 `-
 
 Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
 [processed in 0.53 sec]
 
 Missed line(s): too many to print.  Use --print-all-missed to print all 6618 lines

**ブロック設定ファイル　jail.local の設定 [#meee1c9b]
/usr/local/etc/fail2ban/jail.local
 [INCLUDES]
 before = paths-freebsd.conf
 
 [dovecot-pop3imap]
 enabled = true
 mode    = more
 filter = dovecot-pop3imap
 logpath = /var/log/auth.log
 maxretry = 2
 findtime = 1200
 bantime = 1200
 backend = polling
 banaction = bsd-ipfw[table=dovecot-pop3imap,protocol=tcp]
 
 [qpopperauth]
 enabled = true
 mode    = more
 filter = qpopperauth
 logpath = /var/log/all.log
 maxretry = 2
 findtime = 1200
 bantime = 86400
 backend = polling
 banaction = bsd-ipfw[table=qpopperauth.conf,protocol=tcp]

fail2ban 再起動
 # /usr/local/etc/rc.d/fail2ban restart

**確認 [#aa177daa]
***ブロックリスト確認 [#t54237cd]
 ipfw table all list

 # ipfw table all list
 --- table(port25), set(0) ---
 37.139.129.4/32 0
 45.66.230.99/32 0
 79.110.62.188/32 0
 80.76.51.40/32 0
 85.31.45.34/32 0
 95.214.27.23/32 0
 147.78.103.88/32 0
 147.78.103.182/32 0
 185.216.71.126/32 0
 193.42.33.87/32 0
 --- table(port587), set(0) ---
 94.156.102.204/32 0
 150.230.59.115/32 0
 150.230.63.186/32 0
 163.172.88.229/32 0
 194.180.49.106/32 0
 194.180.49.245/32 0
 --- table(dovecot-pop3imap), set(0) ---
 150.230.63.186/32 0


***Fail2ban のログ [#bafa1eda]
 tail -80 /var/log/fail2ban.log

***ブロックファイル作成のためのログ [#b98fcad8]
 tail -80 /var/log/auth.log

* SASL LOGIN authentication failed [#bcdd7a74]
ログを見ると、多数の SASL LOGIN authentication failed　が記録されていて、何かと無駄だし鬱陶しい。
 Jan 20 08:53:48 hoge postfix/smtpd[7395]: warning: unknown[194.33.191.13]: SASL LOGIN authentication failed: authentication failure, sasl_username=ishoika@mail.kuji-clinic.info
で、これを抑止する設定をしてみることに。

【設定ファイル】~
/usr/local/etc/fail2ban/filter.d/postfix-auth.conf

 # Fail2Ban filter for postfix SMTP-AUTH failures
 [Definition]
 failregex = warning: unknown\[<HOST>\]: SASL LOGIN authentication failed
 datepattern = {^LN-BEG}
 
 #Oct 26 10:21:21 hoge postfix/smtpd[4911]: warning: unknown[94.156.102.204]: SASL LOGIN authentication failed: authentication failure
 #warning: unknown[<HOST>]: SASL LOGIN authentication failed: authentication failure
 #fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched  ←動作テスト




----
Total access &counter(total);：本日 &counter(today);：昨日 &counter(yesterday);
#counter([total|today|yesterday]);