#author("2024-02-16T10:28:39+09:00","default:kuji","kuji")
#author("2024-02-17T09:25:52+09:00","default:kuji","kuji")
CONTENTS
#contents
----
Lastmodified &lastmod;
----
[[blacklistd(8)]] does not seem to provide blocking for illegitimate attacks against the pop3 server qpopper, so I decided to try fail2ban.

https://fnf.seesaa.net/article/476415931.html
https://fnf.seesaa.net/article/476435243.html
https://intaa.net/archives/37086

*Installing py-fail2ban [#af7a7a86]
 portinstall security/py-fail2ban

 /usr/local/etc/rc.d/fail2ban start
 2023-09-30 17:00:26,803 fail2ban.configreader [48582]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
 Server ready

fail2ban.conf
 #allowipv6 = auto
 allowipv6 = auto

[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/476435243.html]]

/etc/rc.conf
 fail2ban_enable="YES"

** Filters that read the log [#wbe3c828]
Create the filter beforehand. I named the file "dovecot-pop3imap.conf".~
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
 [Definition]
 failregex = refused connection from <HOST>, service qpopper \(tcp\)
 datepattern = {^LN-BEG}

The other one is a filter that reads /var/log/all.log:~
/usr/local/etc/fail2ban/filter.d/qpopperauth.conf

The log lines it targets look like this:
 Feb 16 10:21:00 hostname qpopper[25932]: foo@example.com at xxx.yyy.zzz.*** (xx.yyy.zzz.***): -ERR [AUTH] Password supplied for "foo@example.com" is incorrect.
 [Definition]
 failregex = .* at .* \(<HOST>\): -ERR \[AUTH\] Password supplied .*
 datepattern = {^LN-BEG}

To check that it works, run:
 # fail2ban-regex /var/log/all.log /usr/local/etc/fail2ban/filter.d/qpopperauth.conf --print-all-matched

[[Tips for getting fail2ban to work well. Keep regular expressions simple and readable:https://nomeu.net/8375/]]

**Checking that the filter works [#ib35d2cb]
 # fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-matched
 Running tests
 =============
 Use failregex filter file : dovecot-pop3imap, basedir: /usr/local/etc/fail2ban
 Use log file : /var/log/auth.log
 Use encoding : UTF-8
 Results
 =======
 Failregex: 0 total
 Ignoreregex: 0 total
 Date template hits:
 |- [# of hits] date format
 | [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 `-
 Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
 [processed in 0.53 sec]
 Missed line(s): too many to print. Use --print-all-missed to print all 6618 lines

**Settings in the blocking configuration file jail.local [#meee1c9b]
/usr/local/etc/fail2ban/jail.local
 [INCLUDES]
 before = paths-freebsd.conf
 [dovecot-pop3imap]
 enabled = true
 mode = more
 filter = dovecot-pop3imap
 logpath = /var/log/auth.log
 maxretry = 2
 findtime = 1200
 bantime = 1200
 backend = polling
 banaction = bsd-ipfw[table=dovecot-pop3imap,protocol=tcp]
 [qpopperauth]
 enabled = true
 mode = more
 filter = qpopperauth
 logpath = /var/log/all.log
 maxretry = 2
 findtime = 1200
 bantime = 86400
 backend = polling
 banaction = bsd-ipfw[table=qpopperauth.conf,protocol=tcp]

Restart fail2ban:
 # /usr/local/etc/rc.d/fail2ban restart

**Verification [#aa177daa]
***Checking the block list [#t54237cd]
ipfw table all list
 # ipfw table all list
 --- table(port25), set(0) ---
 37.139.129.4/32 0
 45.66.230.99/32 0
 79.110.62.188/32 0
 80.76.51.40/32 0
 85.31.45.34/32 0
 95.214.27.23/32 0
 147.78.103.88/32 0
 147.78.103.182/32 0
 185.216.71.126/32 0
 193.42.33.87/32 0
 --- table(port587), set(0) ---
 94.156.102.204/32 0
 150.230.59.115/32 0
 150.230.63.186/32 0
 163.172.88.229/32 0
 194.180.49.106/32 0
 194.180.49.245/32 0
 --- table(dovecot-pop3imap), set(0) ---
 150.230.63.186/32 0

***Fail2ban log [#bafa1eda]
 tail -80 /var/log/fail2ban.log

***Log used to create the block file [#b98fcad8]
 tail -80 /var/log/auth.log

* SASL LOGIN authentication failed [#bcdd7a74]
Looking at the log, a large number of "SASL LOGIN authentication failed" entries are recorded, which is wasteful and annoying.
 Jan 20 08:53:48 hoge postfix/smtpd[7395]: warning: unknown[194.33.191.13]: SASL LOGIN authentication failed: authentication failure, sasl_username=ishoika@mail.kuji-clinic.info
So I decided to try a configuration that suppresses this.

[Configuration file]~
/usr/local/etc/fail2ban/filter.d/postfix-auth.conf
 # Fail2Ban filter for postfix SMTP-AUTH failures
 [Definition]
 failregex = warning: unknown\[<HOST>\]: SASL LOGIN authentication failed
 datepattern = {^LN-BEG}
 #Oct 26 10:21:21 hoge postfix/smtpd[4911]: warning: unknown[94.156.102.204]: SASL LOGIN authentication failed: authentication failure
 #warning: unknown[<HOST>]: SASL LOGIN authentication failed: authentication failure
 #fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched   <- test run

----
Total access &counter(total);: today &counter(today);: yesterday &counter(yesterday);
#counter([total|today|yesterday]);
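
The following Python sketch is an added example, not part of the original page and not fail2ban's own code. It applies the three failregex values from this page to constructed log lines and counts failures per host the way the jail settings maxretry = 2 and findtime = 1200 describe. The IPv4-only <HOST> pattern, the timestamp pattern, the year and all sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex values copied from the three filter files on this page
FILTERS = {
    "dovecot-pop3imap": r"refused connection from <HOST>, service qpopper \(tcp\)",
    "qpopperauth": r".* at .* \(<HOST>\): -ERR \[AUTH\] Password supplied .*",
    "postfix-auth": r"warning: unknown\[<HOST>\]: SASL LOGIN authentication failed",
}
# Assumptions: IPv4-only stand-in for <HOST>; syslog stamp stand-in for {^LN-BEG}
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
STAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# Constructed sample log lines (documentation addresses, not real traffic)
QPOP = 'host qpopper[1]: u@example.com at h.example.net ({}): -ERR [AUTH] Password supplied for "u@example.com" is incorrect.'
SASL = "host postfix/smtpd[2]: warning: unknown[{}]: SASL LOGIN authentication failed: authentication failure"
SAMPLE = [
    "Feb 16 10:21:00 " + QPOP.format("192.0.2.10"),
    "Feb 16 10:25:00 " + QPOP.format("192.0.2.10"),    # 2nd failure inside findtime
    "Feb 16 10:26:00 " + QPOP.format("198.51.100.7"),
    "Feb 16 10:27:00 " + SASL.format("203.0.113.5"),
    "Feb 16 10:28:00 " + SASL.format("203.0.113.5"),
    "Feb 16 10:29:00 host qpopper[3]: refused connection from 203.0.113.9, service qpopper (tcp)",
    "Feb 16 11:30:00 " + QPOP.format("198.51.100.7"),  # 3840 s after the 1st: outside findtime
]

def failures(lines, failregex, year=2024):
    """Yield (timestamp, host) for every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    for line in lines:
        stamp = STAMP.match(line)
        hit = rx.search(line[stamp.end():]) if stamp else None
        if hit:  # syslog carries no year, so an assumed one is supplied
            yield (datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S"),
                   hit.group("host"))

def banned(lines, failregex, maxretry=2, findtime=1200):
    """Hosts reaching maxretry failures inside a sliding findtime window (seconds)."""
    recent, bans = defaultdict(deque), []
    for when, host in failures(lines, failregex):
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in bans:
            bans.append(host)
    return bans

if __name__ == "__main__":
    print({name: banned(SAMPLE, rx) for name, rx in FILTERS.items()})
```

A filter that reports "0 matched" in fail2ban-regex, as in the auth.log run on this page, yields no failures here either, so the same sample-line approach helps to adjust a failregex before reloading the jail.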