#author("2023-09-29T17:36:15+09:00","default:kuji","kuji")
#author("2023-09-30T11:12:41+09:00","default:kuji","kuji")
CONTENTS
#contents
----
Lastmodified &lastmod;
----
[[blacklistd(8)]] does not appear to provide blocking of unauthorized attacks against pop3 qpopper, so I decided to try fail2ban.
*/security/py-fail2ban [#x04d8d24]
[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/476435243.html]]
/etc/rc.conf
 fail2ban_enable="YES"
[[Using Fail2ban with Dovecot:https://doc.dovecot.org/configuration_manual/howto/fail2ban/]]
**Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf: [#x4ff1a08]
 [Definition]
 failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>
**Add the following to /etc/fail2ban/jail.conf: [#b2d423e0]
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
 logpath = /var/log/maillog
 maxretry = 20
 findtime = 1200
 bantime = 1200
** dovecot-pop3imap.conf [#v9ce87ba]
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
 [Definition]
 failregex = refused connection from <HOST>, service qpopper \(tcp\)
 datepattern = {^LN-BEG}
[[Tips for getting fail2ban to work well: keep regular expressions simple and readable:https://nomeu.net/8375/]]
/usr/local/etc/fail2ban/jail.local
 [dovecot-pop3imap]
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
 #logpath = /var/log/maillog
 logpath = /var/log/auth.log
 maxretry = 2
 findtime = 1200
 bantime = 1200
 backend = polling
 banaction = bsd-ipfw[table=pop3]
 # fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
 Running tests
 =============
 Use failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
 Use log file : /var/log/auth.log
 Use encoding : UTF-8
 Results
 =======
 Failregex: 0 total
 Ignoreregex: 0 total
 Date template hits:
 |- [# of hits] date format
 | [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 `-
 Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
 [processed in 0.53 sec]
 Missed line(s): too many to print. Use --print-all-missed to print all 6618 lines
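
The following Python script is an added example, not part of the original notes and not fail2ban's own code. It applies the qpopper failregex with the jail's maxretry = 2 and findtime = 1200 to a few constructed log lines, giving a known-good input to compare against when fail2ban-regex reports 0 matched. The sample log line format and the simplified <HOST> pattern are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex, maxretry and findtime as given in the page's filter and jail.local
FAILREGEX = r"refused connection from <HOST>, service qpopper \(tcp\)"
MAXRETRY, FINDTIME = 2, 1200
# Assumption: simplified stand-in for fail2ban's <HOST> tag (IP literals only)
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)"
# Classic syslog timestamp at the start of a line, e.g. "Sep 30 11:00:01 "
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) ")

# Constructed sample lines (assumed format, not taken from a real log)
SAMPLE_LOG = """\
Sep 30 11:00:01 mail inetd[1201]: refused connection from 192.0.2.10, service qpopper (tcp)
Sep 30 11:00:05 mail sshd[1202]: Accepted publickey for user from 198.51.100.7 port 50022 ssh2
Sep 30 11:03:40 mail inetd[1210]: refused connection from 192.0.2.10, service qpopper (tcp)
Sep 30 11:04:00 mail inetd[1211]: refused connection from 203.0.113.5, service qpopper (tcp)
Sep 30 11:40:00 mail inetd[1300]: refused connection from 203.0.113.5, service qpopper (tcp)
Sep 30 11:41:00 mail inetd[1301]: refused connection from 2001:db8::25, service qpopper (tcp)
"""

def scan(log_text, year=2023):
    """Return (matches, banned): matched (time, host) pairs and the hosts
    that reach MAXRETRY failures inside a FINDTIME-second window."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
    recent = defaultdict(deque)          # host -> timestamps still inside the window
    matches, banned = [], []
    for line in log_text.splitlines():
        d = DATE_RE.match(line)
        if not d:
            continue                     # no timestamp found: the line is skipped
        m = rx.search(line[d.end():])    # match the text that follows the timestamp
        if not m:
            continue                     # counted as "missed" by fail2ban-regex
        ts = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        matches.append((ts, host))
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()             # drop failures older than findtime
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return matches, banned

if __name__ == "__main__":
    found, banned_hosts = scan(SAMPLE_LOG)
    print(len(found), "matched; would ban:", banned_hosts)
```

If these sample lines match here but the real /var/log/auth.log still shows 0 matched, --print-all-missed shows the exact line format to compare against.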