#author("2023-09-29T17:36:15+09:00","default:kuji","kuji")
#author("2023-09-30T11:12:41+09:00","default:kuji","kuji")
[[blacklistd(8)]] does not appear to offer any way to block unauthorized login attempts against pop3 (qpopper), so I decided to try fail2ban.

*/security/py-fail2ban [#x04d8d24]
[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/476435243.html]]

/etc/rc.conf
 fail2ban_enable="YES"

[[Using Fail2ban with Dovecot:https://doc.dovecot.org/configuration_manual/howto/fail2ban/]]

**Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf: [#x4ff1a08]

 [Definition]
 failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>

**Add the following to /etc/fail2ban/jail.conf: [#b2d423e0]
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
 logpath = /var/log/maillog
 maxretry = 20
 findtime = 1200
 bantime = 1200

** dovecot-pop3imap.conf [#v9ce87ba]
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
 [Definition]
 failregex = refused connection from <HOST>, service qpopper \(tcp\)
 datepattern = {^LN-BEG}



[[Tips for getting fail2ban to work properly: keep regular expressions simple and readable:https://nomeu.net/8375/]]


/usr/local/etc/fail2ban/jail.local
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
 #logpath = /var/log/maillog
 logpath = /var/log/auth.log
 maxretry = 2
 findtime = 1200
 bantime = 1200
 backend = polling
 banaction = bsd-ipfw[table=pop3]
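
The following script is an added example, not part of this page or of fail2ban itself. It takes the two failregex values shown above (the Dovecot one and the qpopper one) and the maxretry/findtime/bantime values from jail.local, expands the <HOST> tag with a simplified stand-in for fail2ban's own expansion (an assumption), runs the patterns over constructed log lines, and models the sliding-window ban decision. The second qpopper sample line uses the "refused connect from" wording that tcp_wrappers' refuse() routine writes; it is included only to show that the page's pattern does not match that wording, which is one thing to check when fail2ban-regex reports 0 matched.

```python
"""Added example: check fail2ban failregex patterns and model the jail
counters (maxretry / findtime / bantime) on constructed log lines."""
import re
from collections import defaultdict, deque

# Assumption: simplified stand-in for fail2ban's <HOST> expansion. fail2ban's
# real tag handles IPv6 and hostnames in more detail than this.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex values from the page, unchanged.
DOVECOT_FAILREGEX = (
    r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
    r"|Aborted login \(\d+ authentication attempts).*rip=<HOST>"
)
QPOPPER_FAILREGEX = r"refused connection from <HOST>, service qpopper \(tcp\)"


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex, lines):
    """Return the host captured from every line the filter matches."""
    pat = compile_failregex(failregex)
    return [m.group("host") for m in (pat.search(ln) for ln in lines) if m]


class Jail:
    """Sliding-window model of maxretry / findtime / bantime (all in seconds)."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # host -> timestamps of matched lines
        self.ban_until = {}                  # host -> time at which the ban expires

    def is_banned(self, host, now):
        return now < self.ban_until.get(host, 0)

    def record(self, host, now):
        """Register one matched line; return True if it triggers a ban."""
        if self.is_banned(host, now):
            return False
        q = self.failures[host]
        q.append(now)
        while q and now - q[0] > self.findtime:   # keep only the findtime window
            q.popleft()
        if len(q) >= self.maxretry:
            self.ban_until[host] = now + self.bantime
            q.clear()
            return True
        return False


def simulate(failregex, events, maxretry, findtime, bantime):
    """events: (unix_time, log_line) pairs. Returns the list of (time, host) bans."""
    pat = compile_failregex(failregex)
    jail = Jail(maxretry, findtime, bantime)
    bans = []
    for ts, line in events:
        m = pat.search(line)
        if m and jail.record(m.group("host"), ts):
            bans.append((ts, m.group("host")))
    return bans


# Constructed sample lines (not real logs from the page).
DOVECOT_LINES = [
    "Sep 29 17:36:15 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1",
    "Sep 29 17:36:20 mx dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): user=<alice>, rip=203.0.113.7, lip=192.0.2.1",
    "Sep 29 17:36:25 mx dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1",
]
QPOPPER_LINES = [
    "Sep 29 17:40:01 mx qpopper[1234]: refused connection from 198.51.100.9, service qpopper (tcp)",
    # Constructed line in the wording tcp_wrappers' refuse() uses; the page's
    # pattern ("refused connection from ...") does not match it.
    "Sep 29 17:40:05 mx qpopper[1235]: refused connect from 198.51.100.9",
]

if __name__ == "__main__":
    print(match_hosts(DOVECOT_FAILREGEX, DOVECOT_LINES))   # two hits for 203.0.113.7
    print(match_hosts(QPOPPER_FAILREGEX, QPOPPER_LINES))   # only the first line matches
    # Same host fails at t=0,100,200,1400,1500 with the jail.local values
    # (maxretry=2, findtime=1200, bantime=1200): banned at 100, again at 1500.
    events = [(t, DOVECOT_LINES[0]) for t in (0, 100, 200, 1400, 1500)]
    print(simulate(DOVECOT_FAILREGEX, events, maxretry=2, findtime=1200, bantime=1200))
```

With maxretry = 2 and findtime = 1200 the model bans after the second match inside any 20-minute window; the line matched while the ban is still active is ignored, and counting starts again once bantime has elapsed.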

 # fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
 
 Running tests
 ============= 
 
 Use   failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
 Use         log file : /var/log/auth.log
 Use         encoding : UTF-8
 
 
 Results
 =======
 
 Failregex: 0 total
 
 Ignoreregex: 0 total
 
 Date template hits:
 |- [# of hits] date format
 |  [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 `-
 
 Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
 [processed in 0.53 sec]
 
 Missed line(s): too many to print.  Use --print-all-missed to print all 6618 lines

