#author("2023-10-22T09:11:45+09:00","default:kuji","kuji")
[[blacklistd(8)]] does not seem to provide any way to block illegitimate attacks against the POP3 server qpopper, so I decided to try fail2ban.

*Install py-fail2ban [#af7a7a86]
 portinstall security/py-fail2ban

 /usr/local/etc/rc.d/fail2ban start

 2023-09-30 17:00:26,803 fail2ban.configreader   [48582]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
 Server ready
fail2ban.conf
 #allowipv6 = auto
 
 allowipv6 = auto
 

[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/476435243.html]]

/etc/rc.conf
 fail2ban_enable="YES"

** Create a filter that reads the log [#wbe3c828]
I named the file "dovecot-pop3imap.conf".~
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
 [Definition]
 failregex = refused connection from <HOST>, service qpopper \(tcp\)
 datepattern = {^LN-BEG}

[[Tips for getting fail2ban to work well. Keep regular expressions simple and readable:https://nomeu.net/8375/]]

**Check that the filter works [#ib35d2cb]
 # fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
 
 Running tests
 ============= 
 
 Use   failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
 Use         log file : /var/log/auth.log
 Use         encoding : UTF-8
 
 
 Results
 =======
 
 Failregex: 0 total
 
 Ignoreregex: 0 total
 
 Date template hits:
 |- [# of hits] date format
 |  [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 `-
 
 Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
 [processed in 0.53 sec]
 
 Missed line(s): too many to print.  Use --print-all-missed to print all 6618 lines

**Configuring the blocking configuration file jail.local [#meee1c9b]
/usr/local/etc/fail2ban/jail.local
 [INCLUDES]
 before = paths-freebsd.conf
 
 [dovecot-pop3imap]
 enabled = true
 mode    = more
 filter = dovecot-pop3imap
 logpath = /var/log/auth.log
 maxretry = 2
 findtime = 1200
 bantime = 1200
 backend = polling
 banaction = bsd-ipfw[table=dovecot-pop3imap,protocol=tcp]
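
The filter and the jail settings above, replayed in Python as an added example (not from the original page and not fail2ban's own code): it applies the page's failregex to constructed auth.log lines and reports which hosts would reach maxretry within findtime. The simplified IPv4 expansion of <HOST>, the sample log lines, the assumed year and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied from the page's filter; <HOST> is expanded here to a
# simplified IPv4 capture (assumption: fail2ban's own expansion is broader).
FAILREGEX = r"refused connection from <HOST>, service qpopper \(tcp\)"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

MAXRETRY = 2     # jail.local: maxretry
FINDTIME = 1200  # jail.local: findtime, in seconds

# Constructed auth.log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Sep 30 17:00:01 mail inetd[901]: refused connection from 192.0.2.10, service qpopper (tcp)
Sep 30 17:05:00 mail inetd[902]: refused connection from 198.51.100.7, service qpopper (tcp)
Sep 30 17:10:30 mail inetd[903]: refused connection from 192.0.2.10, service qpopper (tcp)
Sep 30 17:12:00 mail sshd[904]: Failed password for root from 203.0.113.5 port 2222 ssh2
Sep 30 17:40:00 mail inetd[905]: refused connection from 198.51.100.7, service qpopper (tcp)
Sep 30 17:41:00 mail inetd[906]: refused connection from 203.0.113.9, service imap (tcp)
"""

def parse_time(line, year=2023):
    # Syslog timestamps carry no year; one is assumed so differences work.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def matched_hosts(log_text):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        if m := PATTERN.search(line):
            hits.append((parse_time(line), m.group("host")))
    return hits

def would_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts reaching maxretry matches inside a findtime-second window."""
    recent, banned = defaultdict(deque), []
    for ts, host in matched_hosts(log_text):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(len(matched_hosts(SAMPLE_LOG)), "matched; would ban:", would_ban(SAMPLE_LOG))
```
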

**Verification [#aa177daa]
***Check the block list [#t54237cd]
 ipfw table all list

 # ipfw table all list
 --- table(port25), set(0) ---
 37.139.129.4/32 0
 45.66.230.99/32 0
 79.110.62.188/32 0
 80.76.51.40/32 0
 85.31.45.34/32 0
 95.214.27.23/32 0
 147.78.103.88/32 0
 147.78.103.182/32 0
 185.216.71.126/32 0
 193.42.33.87/32 0
 --- table(port587), set(0) ---
 94.156.102.204/32 0
 150.230.59.115/32 0
 150.230.63.186/32 0
 163.172.88.229/32 0
 194.180.49.106/32 0
 194.180.49.245/32 0
 --- table(dovecot-pop3imap), set(0) ---
 150.230.63.186/32 0


***Fail2ban log [#bafa1eda]
 tail -80 /var/log/fail2ban.log

***Log used to create the block file [#b98fcad8]
 tail -80 /var/log/auth.log


