CONTENTS

Lastmodified 2024-02-17 (土) 09:25:52

blacklistd(8)では、pop3 qpopper への不整アタックの遮断は用意されていないようなので、fail2ban を試してみることにした。

py-fail2ban をインストール

portinstall security/py-fail2ban

/usr/local/etc/rc.d/fail2ban start

2023-09-30 17:00:26,803 fail2ban.configreader   [48582]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Server ready

fail2ban.conf

#allowipv6 = auto

allowipv6 = auto

FreeBSD+fail2ban(4)

/etc/rc.conf

fail2ban_enable="YES"

ログを読むフィルター

を作っておく。ファイル名は「dovecot-pop3imap.conf」とした。
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = refused connection from <HOST>, service qpopper \(tcp\)
datepattern = {^LN-BEG}

もう一つは、/ver/log/all.log を読み込むフィルター

/usr/local/etc/fail2ban/filter.d/qpopperauth.conf

対象となるログの行は、こんな

Feb 16 10:21:00 hostname qpopper[25932]: foo@example.com at xxx.yyy.zzz.*** (xx.yyy.zzz.***): -ERR [AUTH] Password supplied for "foo@example.com" is incorrect.
[Definition]
failregex = .* at .* \(<HOST>\): -ERR \[AUTH\] Password supplied .*
datepattern = {^LN-BEG}

動作確認するには、

 # fail2ban-regex /var/log/all.log /usr/local/etc/fail2ban/filter.d/qpopperauth.conf --print-all-matched

とする。

fail2banをうまく動かすためのTips。正規表現はシンプルに見やすく

フィルターの動作確認を

# fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched

Running tests
============= 

Use   failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
Use         log file : /var/log/auth.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
[processed in 0.53 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 6618 lines

ブロック設定ファイル jail.local の設定

/usr/local/etc/fail2ban/jail.local

[INCLUDES]
before = paths-freebsd.conf

[dovecot-pop3imap]
enabled = true
mode    = more
filter = dovecot-pop3imap
logpath = /var/log/auth.log
maxretry = 2
findtime = 1200
bantime = 1200
backend = polling
banaction = bsd-ipfw[table=dovecot-pop3imap,protocol=tcp]

[qpopperauth]
enabled = true
mode    = more
filter = qpopperauth
logpath = /var/log/all.log
maxretry = 2
findtime = 1200
bantime = 86400
backend = polling
banaction = bsd-ipfw[table=qpopperauth.conf,protocol=tcp]

fail2ban 再起動

# /usr/local/etc/rc.d/fail2ban restart

確認

ブロックリスト確認

ipfw table all list
# ipfw table all list
--- table(port25), set(0) ---
37.139.129.4/32 0
45.66.230.99/32 0
79.110.62.188/32 0
80.76.51.40/32 0
85.31.45.34/32 0
95.214.27.23/32 0
147.78.103.88/32 0
147.78.103.182/32 0
185.216.71.126/32 0
193.42.33.87/32 0
--- table(port587), set(0) ---
94.156.102.204/32 0
150.230.59.115/32 0
150.230.63.186/32 0
163.172.88.229/32 0
194.180.49.106/32 0
194.180.49.245/32 0
--- table(dovecot-pop3imap), set(0) ---
150.230.63.186/32 0

Fail2ban のログ

tail -80 /var/log/fail2ban.log

ブロックファイル作成のためのログ

tail -80 /var/log/auth.log

SASL LOGIN authentication failed

ログを見ると、多数の SASL LOGIN authentication failed が記録されていて、何かと無駄だし鬱陶しい。

Jan 20 08:53:48 hoge postfix/smtpd[7395]: warning: unknown[194.33.191.13]: SASL LOGIN authentication failed: authentication failure, sasl_username=ishoika@mail.kuji-clinic.info

で、これを抑止する設定をしてみることに。

【設定ファイル】
/usr/local/etc/fail2ban/filter.d/postfix-auth.conf

# Fail2Ban filter for postfix SMTP-AUTH failures
[Definition]
failregex = warning: unknown\[<HOST>\]: SASL LOGIN authentication failed
datepattern = {^LN-BEG}

#Oct 26 10:21:21 hoge postfix/smtpd[4911]: warning: unknown[94.156.102.204]: SASL LOGIN authentication failed: authentication failure
#warning: unknown[<HOST>]: SASL LOGIN authentication failed: authentication failure
#fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched  ←動作テスト

Total access 599:本日 1:昨日 0

Counter: 599, today: 1, yesterday: 0
トップ   新規 一覧 検索 最終更新   ヘルプ   最終更新のRSS